
...making Linux just a little more fun!

ip forwarding/ ip masquerading???

CDT IS Administrator Cpl Room [jroom.hq at defenceacademy.mod.uk]
Wed, 13 Dec 2006 13:28:11 -0000

Hi,

I'm totally new to Linux and IT full stop, so please teach me to suck eggs!! I have been asked to build a Linux (server) firewall; it is to sit between a small part of our LAN and the rest of the LAN. The small part of the network is called GB and is on 192.*.*.2; it goes straight into the firewall eth0 192.*.*2. Eth1 is 10.*.*.1. Now whatever I do I cannot get the GB to see the rest of the network; I have enabled ip forwarding. I've tried a couple of things, 'iptables -t nat -A POSTROUTING -i eth1 -o eth0 -j MASQUERADE'; this came back saying POSTROUTING and -i couldn't be used together! When I took -i out I got an error saying 'invalid argument'.

Regards,

John

Email: jroom.hq@da.mod.uk

Neil Youngman [ny at youngman.org.uk]
Wed, 13 Dec 2006 15:01:15 +0000

On or around Wednesday 13 December 2006 13:28, CDT IS Administrator Cpl Room reorganised a bunch of electrons to form the message:

> Hi,
>
> I'm totally new to Linux and IT full stop, so please teach me to suck
> eggs!!  I have been asked to build a Linux (server) firewall; it is to
> sit between a small part of our LAN and the rest of the LAN.  The small
> part of the network is called GB and is on 192.*.*.2; it goes straight
> into the firewall eth0 192.*.*2.  Eth1 is 10.*.*.1.  Now whatever I do I
> cannot get the GB to see the rest of the network; I have enabled ip
> forwarding.  I've tried a couple of things, 'iptables -t nat -A
> POSTROUTING -i eth1 -o eth0 -j MASQUERADE'; this came back saying
> POSTROUTING and -i couldn't be used together!  When I took -i out I got
> an error saying 'invalid argument'.

I haven't set up a firewall using iptables, so I can only suggest that http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html looks like a helpful document.

You might also want to look into smoothwall as an option?

Neil Youngman

Thomas Adam [thomas.adam22 at gmail.com]
Wed, 13 Dec 2006 15:13:18 +0000

On Wed, 13 Dec 2006 15:01:15 +0000 Neil Youngman <ny@youngman.org.uk> wrote:

> On or around Wednesday 13 December 2006 13:28, CDT IS Administrator
> Cpl Room reorganised a bunch of electrons to form the message:
> > Hi,
> >
> > I'm totally new to Linux and IT full stop, so please teach me to suck
> > eggs!!  I have been asked to build a Linux (server) firewall; it is
> > to sit between a small part of our LAN and the rest of the LAN.
> > The small part of the network is called GB and is on 192.*.*.2; it
> > goes straight into the firewall eth0 192.*.*2.  Eth1 is 10.*.*.1.
> > Now whatever I do I cannot get the GB to see the rest of the
> > network; I have enabled ip forwarding.  I've tried a couple of
> > things, 'iptables -t nat -A POSTROUTING -i eth1 -o eth0 -j
> > MASQUERADE'; this came back saying POSTROUTING and -i couldn't be
> > used together!  When I took -i out I got an error saying 'invalid
> > argument'.
> 
> I haven't set up a firewall using iptables, so I can only suggest
> that http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.html
> looks like a helpful document.
> 
> You might also want to look into smoothwall as an option?

Smoothwall express 3 is due to be released any moment now (the ISO is built). AF2 has been released, as has CF.

(Shameless plug, but they pay my wages, so...) :P

I note the OP works for the MOD -- I'd recommend Advanced Firewall in that case if it's anything seriously public-facing. Express (which is the GPL version) has some very nice features to it.

-- Thomas Adam

Benjamin A. Okopnik [ben at linuxgazette.net]
Wed, 13 Dec 2006 10:08:33 -0600

Hi, John -

You're probably unaware of this, but you sent your message in HTML format. This doubled the size of your message without any benefit in return, and will create extra work for our Mailbag editor.

Please change your mailer's settings to stop it from doing this. For more info, please see <http://expita.com/nomime.html>.

On Wed, Dec 13, 2006 at 01:28:11PM -0000, CDT IS Administrator Cpl Room wrote:

> 
>    Hi,
> 
>    I'm totally new to Linux and IT full stop, so please teach me to suck eggs!!
>    I have been asked to build a Linux (server) firewall; it is to sit between a
>    small part of our LAN and the rest of the LAN.  The small part of the
>    network is called GB and is on 192.*.*.2; it goes straight into the firewall
>    eth0 192.*.*2.  Eth1 is 10.*.*.1.  Now whatever I do I cannot get the GB to
>    see the rest of the network; I have enabled ip forwarding.  I've tried a
>    couple of things, 'iptables -t nat -A POSTROUTING -i eth1 -o eth0 -j
>    MASQUERADE'; this came back saying POSTROUTING and -i couldn't be used
>    together!  When I took -i out I got an error saying 'invalid argument'.

My question would be "why are you fighting an unnecessary battle in the first place?" The traditional way to set up a segmented LAN is to use the same RFC-1918 address range (i.e., either 10.0.0.0/8 or 192.168.0.0/16) and split it up using subnet masks. This allows for easy routing (and lots less typing if you're setting up DNS, as well. :)

Doing the former allows you to use hubs or switches; doing it the way you are requires a router. Of course, your requirement for a firewall supersedes all of that (i.e., you need a router anyway), but making the original job harder than it needs to be is rather pointless.

In any case, if you want to route from one segment to the other, here's a possible option. I'm going to pick class C (/24) as a random netmask for your segment; modify at will, of course. Note that this is untested code: it should work, but no guarantees.

# Flush the current set of rules - start 'F'resh
iptables -F
# Masquerade anything coming from the specified network
iptables -t nat -I POSTROUTING -j MASQUERADE -s 192.168.0.0/24
# Forward packets going to the 192.168.0.0/24 network
iptables -I FORWARD -d 192.168.0.0/24 -j ACCEPT
# Forward packets coming from the 192.168.0.0/24 network
iptables -I FORWARD -s 192.168.0.0/24 -j ACCEPT

Do, of course, remember to enable forwarding in the first place:

echo 1 > /proc/sys/net/ipv4/ip_forward

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *
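
The script below is an added example and is not Ben's code or anything from the thread. It generates the same masquerade-plus-forward rule set he describes, but in a stateful form: the FORWARD chain defaults to DROP, traffic from the LAN segment outward is accepted, and only replies to connections the segment opened are allowed back in (via the conntrack match). It also encodes the restriction behind the error in the original post: -i cannot be matched in POSTROUTING or OUTPUT, and -o cannot be matched in PREROUTING or INPUT, so the mistake is reported before iptables ever runs. The prefix 192.168.0.0/24 and the interface names eth0/eth1 are hypothetical placeholders; nothing is executed unless the printed commands are piped to a root shell.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints (does not run) a stateful
# forwarding/masquerade rule set for a LAN segment. Interface names and the
# 192.168.0.0/24 prefix are hypothetical placeholders.

# Refuse option/chain pairings netfilter itself rejects, so that the
# "-i in POSTROUTING" mistake from the original post is reported clearly
# instead of as iptables' terse error.
check_rule() {
    chain=$1; shift
    for opt in "$@"; do
        case "$chain:$opt" in
            POSTROUTING:-i|OUTPUT:-i)
                echo "error: -i (input interface) cannot be matched in $chain" >&2
                return 1 ;;
            PREROUTING:-o|INPUT:-o)
                echo "error: -o (output interface) cannot be matched in $chain" >&2
                return 1 ;;
        esac
    done
    return 0
}

# Print one iptables append command after sanity-checking it.
emit() {
    table=$1; chain=$2; shift 2
    check_rule "$chain" "$@" || return 1
    printf 'iptables -t %s -A %s %s\n' "$table" "$chain" "$*"
}

# Print the complete command sequence for masquerading LAN_NET (reached via
# LAN_IF) out of OUT_IF. Nothing is executed; pipe the output to sh to apply.
nat_ruleset() {
    lan_net=$1; lan_if=$2; out_if=$3
    echo 'sysctl -w net.ipv4.ip_forward=1'
    echo 'iptables -t filter -F FORWARD'
    echo 'iptables -t nat -F POSTROUTING'
    # Default-deny for forwarded traffic; the two ACCEPT rules below are the
    # only paths between the segment and the rest of the network.
    echo 'iptables -t filter -P FORWARD DROP'
    # LAN -> rest of network: flows originating inside the segment
    emit filter FORWARD -i "$lan_if" -o "$out_if" -s "$lan_net" -j ACCEPT || return 1
    # rest of network -> LAN: only packets belonging to flows the LAN opened
    emit filter FORWARD -i "$out_if" -o "$lan_if" -d "$lan_net" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || return 1
    # Rewrite the source address as packets leave OUT_IF; -o is valid here,
    # -i (the option the original post tried) is not.
    emit nat POSTROUTING -o "$out_if" -s "$lan_net" -j MASQUERADE || return 1
}

# Stand-alone use: ./masq.sh 192.168.0.0/24 eth0 eth1 [| sh, as root]
if [ $# -eq 3 ]; then
    nat_ruleset "$1" "$2" "$3"
fi
```

Compared with the four-line version above, the return path is no longer an unconditional ACCEPT on -d 192.168.0.0/24: hosts on the wider network cannot initiate connections into the segment, which is usually what a firewall "between a small part of our LAN and the rest" is meant to enforce. Review the printed commands before piping them to a shell, and add explicit ACCEPT rules for any inbound service the segment must expose.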