[Cialug] Routing between subnets with iptables

Zachary Kotlarek zach at kotlarek.com
Wed Jan 16 21:31:20 CST 2013


On Jan 16, 2013, at 6:29 PM, Don Ellis <don.ellis at gmail.com> wrote:

> We have a network set up with two subnets behind a NAT. We are able to
> get out of the network from either subnet.
> 
> What we want to do is be able to connect between a system on one
> subnet and a system on the other subnet.
> 
> Does anyone have examples of doing this using iptables?
> 
> systemA in subnet0: 10.0.1.200
> systemB in subnet1: 10.0.3.200


>> Is the NAT device also the routing device?  Would a static route work?
>> -barry
> 
> No, .. the IPTables box is a 'proxy server' between the two networks.


I'm not sure what problem you're trying to solve. Are you just trying to adjust some existing firewall, where routing already exists -- i.e. if you disabled the firewall connections would work -- or do you also need to make changes to routing/NAT/etc. to actually get connections setup, regardless of firewall rules?

I'm also a little fuzzy on your network topology, with respect to which boxes will mangle/route traffic between systemA and systemB. A topology text-igram might help.

10.0.1.200 -> something? nothing? -> iptables -> something? nothing? -> 10.0.3.200


> I have tried making changes in the iptables configuration, but I don't
> have enough experience in iptables to know where to use -i, -o, -d,
> and -s (I think those are the values to be adjusted here). Also, I'm
> making assumptions about what table and chain the rules need to be
> added to, and when to append (-A) and when to insert (-I).

This is a decent overview of iptables:
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables

The man page is also fairly detailed in terms of actual usage and defining all the features, though it does assume you know what you want to do and what terminology iptables uses for that feature. So if you're starting from scratch go with the guide, but if you just want some info on the flags and options try the man page.

To specifically answer your questions about the flags:

--in and --out filter by the logical interface through which the traffic is passing. They're useful for ensuring that you only get internal IPs on the internal network, for example. You can use both --in and --out in the FORWARD chain, but in INPUT/OUTPUT/PREROUTING/POSTROUTING you can only use the side of the connection that's relevant to that chain.

--destination and --source filter by IP address and can include a CIDR mask.

in, out, destination, source, protocol and most other filters can be inverted with !, so you can match all non-tcp traffic or all non-eth0 traffic.

--insert takes a numeric argument that's the index where the rule will be added; existing rules at that index and higher will be shifted down. --append is equivalent to calling insert with an index 1 higher than the length of the current chain; it always adds the new rule at the end. So you can use either or both to achieve the desired result.

	Zach
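To make the flag semantics and the -I versus -A ordering concrete, here is an added example that is not part of the thread: a small Python model of a FORWARD chain on the box between the two subnets. The interface names (eth1 facing subnet0, eth2 facing subnet1, eth0 facing outside), the DROP policy and the sample packets are constructed assumptions; the 10.0.1.200 and 10.0.3.200 hosts are the ones from the original question. The model applies first-match semantics, honours CIDR masks on -s/-d, supports "!" inversion, and renders the equivalent iptables command line for each rule so you can see where -I and -A put it.

```python
"""Toy model of an iptables FORWARD chain (added example, not from the thread).
Interface names, policy and packets below are constructed assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    target: str                           # -j ACCEPT / DROP
    in_iface: str | None = None           # -i  (logical interface packet arrived on)
    out_iface: str | None = None          # -o  (logical interface packet will leave by)
    src: str | None = None                # -s  address or CIDR
    dst: str | None = None                # -d  address or CIDR
    proto: str | None = None              # -p
    invert: frozenset[str] = frozenset()  # match names that carry a leading "!"

    def _match(self, name: str, want: str | None, have: str) -> bool:
        if want is None:                  # unspecified match: matches anything
            return True
        if name in ("src", "dst"):        # address matches honour the CIDR mask
            hit = ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
        else:
            hit = want == have
        return (not hit) if name in self.invert else hit

    def matches(self, pkt: dict) -> bool:
        return all(self._match(n, w, pkt[n]) for n, w in (
            ("in", self.in_iface), ("out", self.out_iface),
            ("src", self.src), ("dst", self.dst), ("proto", self.proto)))

    def command(self, chain: str, position: int | None = None) -> str:
        """Render the equivalent command: -I with an index, otherwise -A."""
        parts = ["iptables", "-I", chain, str(position)] if position else ["iptables", "-A", chain]
        for flag, name, val in (("-i", "in", self.in_iface), ("-o", "out", self.out_iface),
                                ("-s", "src", self.src), ("-d", "dst", self.dst),
                                ("-p", "proto", self.proto)):
            if val is not None:
                parts += (["!"] if name in self.invert else []) + [flag, val]
        return " ".join(parts + ["-j", self.target])


class Chain:
    def __init__(self, name: str = "FORWARD", policy: str = "DROP"):
        self.name, self.policy, self.rules, self.log = name, policy, [], []

    def append(self, rule: Rule) -> None:
        """-A: the rule always lands at the end of the chain."""
        self.rules.append(rule)
        self.log.append(rule.command(self.name))

    def insert(self, rule: Rule, index: int = 1) -> None:
        """-I: 1-based index; rules at that index and below shift down by one."""
        if not 1 <= index <= len(self.rules) + 1:
            raise ValueError("index out of range")   # iptables rejects this as well
        self.rules.insert(index - 1, rule)
        self.log.append(rule.command(self.name, index))

    def verdict(self, pkt: dict) -> str:
        """First matching rule decides; the chain policy applies if none matches."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy


def demo() -> dict:
    fw = Chain("FORWARD", policy="DROP")
    # Let the two subnets reach each other through the box, one rule per direction.
    fw.append(Rule("ACCEPT", in_iface="eth1", out_iface="eth2", src="10.0.1.0/24", dst="10.0.3.0/24"))
    fw.append(Rule("ACCEPT", in_iface="eth2", out_iface="eth1", src="10.0.3.0/24", dst="10.0.1.0/24"))
    # Constructed sample packets (same 5-tuple-ish view the rules look at).
    tcp_a_to_b = {"in": "eth1", "out": "eth2", "src": "10.0.1.200", "dst": "10.0.3.200", "proto": "tcp"}
    udp_a_to_b = dict(tcp_a_to_b, proto="udp")
    wan_to_b = {"in": "eth0", "out": "eth2", "src": "203.0.113.9", "dst": "10.0.3.200", "proto": "tcp"}
    out = {"tcp_a_to_b": fw.verdict(tcp_a_to_b), "wan_to_b": fw.verdict(wan_to_b)}
    # Now try to drop everything non-TCP from subnet0 using "!" on -p.
    block_non_tcp = Rule("DROP", src="10.0.1.0/24", proto="tcp", invert=frozenset({"proto"}))
    fw.append(block_non_tcp)                 # -A: sits after the ACCEPT, so never reached
    out["udp_after_append"] = fw.verdict(udp_a_to_b)
    fw.insert(block_non_tcp, 1)              # -I 1: evaluated first, so it takes effect
    out["udp_after_insert"] = fw.verdict(udp_a_to_b)
    out["tcp_after_insert"] = fw.verdict(tcp_a_to_b)   # TCP still passes
    out["commands"] = fw.log                 # equivalent iptables invocations, in order
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The "udp_after_append" result is the pitfall the ordering discussion warns about: an appended rule that conflicts with an earlier ACCEPT is dead, while the same rule inserted at position 1 works. The appended copy is left in place to show that -I shifts it down rather than replacing it.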
