[Cialug] Routing between subnets with iptables

Don Ellis don.ellis at gmail.com
Wed Jan 16 22:44:53 CST 2013


Some of these questions didn't get responded to (I've posted this to
four lists and Lee doesn't subscribe to one of them so I have to route
email traffic for him) - I've put an answer to the key question from
Zach & Andrew (more detailed architecture diagram) at the bottom...

On Wed, Jan 16, 2013 at 9:31 PM, Zachary Kotlarek <...> wrote:
>
> On Jan 16, 2013, at 6:29 PM, Don Ellis <don.ellis at gmail.com> wrote:
>
>> We have a network set up with two subnets behind a NAT. We are able to
>> get out of the network from either subnet.
>>
>> What we want to do is be able to connect between a system on one
>> subnet and a system on the other subnet.
>>
>> Does anyone have examples of doing this using iptables?
>>
>> systemA in subnet0: 10.0.1.200
>> systemB in subnet1: 10.0.3.200
>
>
>>> Is the NAT device also the routing device?  Would a static route work?
>>> -barry
>>
>> No, .. the IPTables box is a 'proxy server' between the two networks.
>
>
> I'm not sure what problem you're trying to solve. Are you just trying to adjust some existing firewall, where routing already exists -- i.e. if you disabled the firewall connections would work -- or do you also need to make changes to routing/NAT/etc. to actually get connections setup, regardless of firewall rules?

The 10.0.1.* network is the office network, where people sit and
interact with the outside. The 10.0.3.* network is the technical
network, where technicians do work on products. The two networks are
connected via the proxy server running iptables. The Back Server can
get out to the world at large, but only needs to connect internally to
the Main Server at 10.0.1.200. The idea is that the two networks are
mostly physically isolated (which they are), but the Back Server can
send backups to the Main Server, as do the other systems in the
office.

> I'm also a little fuzzy on your network topology, with respect to which boxes will mangle/route traffic between systemA and systemB. A topology text-igram might help.
>
> 10.0.1.200 -> something? nothing? -> iptables -> something? nothing? -> 10.0.3.200

External router         10.0.1.254
Main server             10.0.1.200
Proxy Server            10.0.1.253 (eth0)
                        10.0.3.254 (eth1)
Back Server             10.0.3.200

Need to allow a connection from the Main Server on 1.200 to the Backoffice
server on 3.200, .. which should be possible with an IPTables rule or
pair.

Any pointers or examples would be appreciated.

        Thanks!



        Lee
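As an added example (my own script, not something from Lee's or Don's thread), here is one way the proxy box could allow exactly the host pair in the diagram while logging and dropping everything else that tries to cross between the two subnets. It assumes eth0 is the 10.0.1.253 side and eth1 the 10.0.3.254 side; the DRY_RUN switch and the chain name SUBNET-XING are my choices.

```shell
#!/bin/sh
# Least-privilege forwarding between the office and technical subnets.
# Assumed: eth0 = 10.0.1.253 (office side), eth1 = 10.0.3.254 (technical side).
OFFICE_IF=${OFFICE_IF:-eth0}
TECH_IF=${TECH_IF:-eth1}
OFFICE_NET=10.0.1.0/24; TECH_NET=10.0.3.0/24
MAIN=10.0.1.200;        BACK=10.0.3.200

# DRY_RUN=1 (the default) prints the commands; run with DRY_RUN=0 as root on the box.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

subnet_rules() {
    # The kernel must route between eth0 and eth1 before any FORWARD rule matters.
    run sysctl -w net.ipv4.ip_forward=1
    # Keep the cross-subnet policy in its own chain so existing egress/NAT rules
    # stay untouched (-N fails harmlessly if the chain already exists; -F empties it).
    run iptables -N SUBNET-XING 2>/dev/null
    run iptables -F SUBNET-XING
    # Only office<->technical traffic is diverted into the chain; Internet egress is not.
    run iptables -I FORWARD 1 -s "$OFFICE_NET" -d "$TECH_NET" -j SUBNET-XING
    run iptables -I FORWARD 2 -s "$TECH_NET" -d "$OFFICE_NET" -j SUBNET-XING
    # Replies to flows allowed below pass in either direction.
    run iptables -A SUBNET-XING -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Main Server -> Back Server: in on the office interface, out on the technical one.
    run iptables -A SUBNET-XING -i "$OFFICE_IF" -o "$TECH_IF" \
        -s "$MAIN" -d "$BACK" -m conntrack --ctstate NEW -j ACCEPT
    # Back Server -> Main Server (backups): the reverse pair of interfaces.
    run iptables -A SUBNET-XING -i "$TECH_IF" -o "$OFFICE_IF" \
        -s "$BACK" -d "$MAIN" -m conntrack --ctstate NEW -j ACCEPT
    # Anything else crossing between the subnets is logged (rate limited) and dropped,
    # so a host that should not be crossing shows up in syslog instead of silently working.
    run iptables -A SUBNET-XING -m limit --limit 5/min -j LOG --log-prefix "SUBNET-XING drop: "
    run iptables -A SUBNET-XING -j DROP
}

# Count the ACCEPT rules a dry run would install; useful for review before applying.
count_accepts() { ( DRY_RUN=1; subnet_rules ) | grep -c -- '-j ACCEPT'; }

subnet_rules
```

iptables alone will not get the packets to the proxy box: the Main Server, or the external router at 10.0.1.254 if that is its default gateway (an assumption on my part), needs a route for 10.0.3.0/24 via 10.0.1.253, which is the static route Barry asked about.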

