Linux Archive

Linux Archive > Red Hat Linux > IPtables router / gateway
http://www.linux-archive.org/red-hat-linux/549463-iptables-router-gateway.html

"Steven Buehler" 07-07-2011 05:39 PM

IPtables router / gateway
 
I am running some servers in a data center and I have now been informed that
since I have a Class C of IPs, I have to be my own gateway as they are
making some changes because of a buyout. I have an extra server with 2 NICs
to do this with, but everything I can find on the internet for iptables is
for NATing public IPs on eth0 to local IPs through eth1. I can do that, as
I have for another company, forwarding remote IPs to the LAN IP address of a
server. I need this server to be set up with the 22.22.22.1 IP as the
gateway and forward all other IPs in that netblock to the internal
interface and allow all of those machines total access to the internet
through this server as the gateway, and I don't want to use NAT as some of the
software I am running would have MAJOR problems with that. Plus, I don't
want to have to change all of the IPs that are already on the other servers
using the provider as the gateway.



Any help would be appreciated.

Thanks

Steve

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list

Harry Hoffman 07-08-2011 01:23 PM

IPtables router / gateway
 
You need to change the default gateway on your servers to be the new Linux box and then use an interior routing protocol on that box to talk to its next hop router or set up static routes.
Cheers,
Harry

Steven Buehler <steve@ibushost.com> wrote:

>I am running some servers in a data center and I have now been informed that
>since I have a Class C of IP's, that I have to be my own gateway as they are
>making some changes because of a buyout. I have an extra server with 2 nics
>to do this with, but everything I can find on the internet for iptables is
>for NATing public IP's on eth0 to local IP's through eth1. I can do that as
>I have for another company forwarding remote IP's to the LAN IP address of a
>server. I need this server to be setup with the 22.22.22.1 IP as the
>gateway and forward all other IP's in that netblock to the internal
>interface and allow all of those machines total access to the internet
>through this server as the gateway and don't want to use NAT as some of the
>software I am running would have MAJOR problems with that. Plus, I don't
>want to have to change all of the IP's that are already on the other servers
>using the provider as the gateway.

"Steven Buehler" 07-08-2011 05:24 PM

IPtables router / gateway
 
> -----Original Message-----
> From: redhat-list-bounces@redhat.com [mailto:redhat-list-
> bounces@redhat.com] On Behalf Of Harry Hoffman
> Sent: Friday, July 08, 2011 8:24 AM
> To: General Red Hat Linux discussion list
> Subject: Re: IPtables router / gateway
>
> You need to change the default gateway on your servers to be the new Linux
> box and then use an interior routing protocol on that box to talk to its
> next hop router or set up static routes.
> Cheers,
> Harry

Ok, so if my linux box is the gateway of 22.22.22.1. My other servers are
already set up to use 22.22.22.1 as the default gateway, but at the moment I
am NOT my own default gateway. I have to get my script correct first so
that the server is ready when the upstream provider switches me. Here is my
script to set it up. Can you see anything that is missing? I am sure that
I have the forwarding rules wrong, as I want anything coming from one of my
servers to look like it is coming from its IP (example 22.22.22.28) and not
from the gateway IP. If I read correctly, the MASQUERADE would make all of
the IPs look like the gateway IP, correct? Anyway, here is my script for
the linux box to use as gateway router. My internal LAN address for eth1
is 192.168.3.12, but all of my internal servers need to use the public IP
that I have assigned to them. Some of my internal servers only have one NIC
on them (old).

#!/bin/sh
#
# To make sure that forwarding stays on, edit /etc/sysctl.conf and change 0 to 1 for
# net.ipv4.ip_forward = 1
#
# The location of the iptables and kernel module programs
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
IFCONFIG=/sbin/ifconfig
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed

# Setting the EXTERNAL and INTERNAL interfaces for the network
EXTIF="eth0"
INTIF="eth1"
EXTIP="`$IFCONFIG $EXTIF | $GREP 'inet addr' | $AWK '{print $2}' | $SED -e 's/.*://'`"
INTIP="`$IFCONFIG $INTIF | $GREP 'inet addr' | $AWK '{print $2}' | $SED -e 's/.*://'`"
echo " External Interface: $EXTIF $EXTIP"
echo " Internal Interface: $INTIF $INTIP"

echo -en " loading modules: "

# Need to verify that all modules have all required dependencies
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a

echo "----------------------------------------------------------------------"

# Load the main body of the IPTABLES module - "iptable"
echo -en "ip_tables, "
$MODPROBE ip_tables

# Load the stateful connection tracking framework - "ip_conntrack"
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack

# Load the FTP tracking mechanism for full FTP tracking
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp

# Load the IRC tracking mechanism for full IRC tracking
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc

# Load the general IPTABLES NAT code - "iptable_nat"
echo -en "iptable_nat, "
$MODPROBE iptable_nat

# Loads the FTP NAT functionality into the core IPTABLES code
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp

# Loads the MASQUERADE target
echo -en "ipt_masquerade, "
$MODPROBE ipt_MASQUERADE

# Loads the IRC NAT functionality into the core IPTABLES code
# Required to support NAT of IRC DCC requests
# (comment out the next two lines if you do not need it)
echo -e "ip_nat_irc"
$MODPROBE ip_nat_irc

echo "----------------------------------------------------------------------"

echo -e " Done loading modules.\n"

# CRITICAL: Enable IP forwarding since it is disabled by default
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

# Clearing any previous configuration
echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
#$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 22 -j ACCEPT
$IPTABLES -A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT

##############################################################################
# PUT FORWARDING RULES BELOW. YOU NEED A FORWARD AND PREROUTING FOR EACH ONE #
##############################################################################

echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo " Enabling SNAT (MASQUERADE) functionality on $INTIF"
$IPTABLES -t nat -A POSTROUTING -o $INTIF -j MASQUERADE

########################
# END FORWARDING RULES #
########################

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
$IPTABLES -A INPUT -j REJECT --reject-with icmp-host-prohibited

$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

echo -e "\ndone.\n"




Harry Hoffman 07-08-2011 06:53 PM

IPtables router / gateway
 
Hi Steve,

I think you are over-thinking this problem...

If I understand you correctly (and please correct me if I'm wrong), you
want to act purely as a router. That is to pass traffic from one IP
Address to the next without any manipulation of the addresses (SNAT/DNAT).

You have a setup that looks something like:

ISP_GW<--eth0>UR_LINUX_BOX<eth1-->YOUR_SERVERS

Where all are public ip addresses.

In order to accomplish this all that you need to do is setup ip
forwarding on your linux gateway and then pass all forwarded packets.
You don't want to do any SNAT/DNAT at all.

Ensure that you have the following line in /etc/sysctl.conf:
net.ipv4.ip_forward = 1

Then ensure that /etc/sysconfig/iptables allows forwarding:
*filter
...
:FORWARD ACCEPT [0:0]
...


eth0 should be a different subnet than eth1. And since you already have
your clients set up to use eth1 as the default gateway, eth0 just
needs to know where to send things that aren't on its own network.

Does this make sense?

Cheers,
Harry


On 07/08/2011 01:24 PM, Steven Buehler wrote:
> Ok, so if my linux box is the gateway of 22.22.22.1. My other servers are
> already setup to use 22.22.22.1 as the default gateway, but at the moment I
> am NOT my own default gateway. I have to get my script correct first so
> that the server is ready when the upstream provider switches me. Here is my
> script to set it up. Can you see anything that is missing? I am sure that
> I have the forwarding rules wrong as I want anything coming from one of my
> servers to look like it is coming from it's IP (Example 22.22.22.28) and not
> from the gateway IP. If I read correctly, the MASQUERADE would make all of
> the IP's look like the gateway IP, correct? Anyway, here is my script for
> the linux box to use as gateway router. My internal LAN address for eth1
> is 192.168.3.12 but all of my internal servers need to use the public IP
> that I have assigned to them. Some of my internal servers only have one NIC
> on them (old).
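The pure-routing setup Harry describes, written out as an added example (not code from the thread or from either poster) and as the counterpart to the MASQUERADE script posted above: the nat table is left empty, FORWARD defaults to DROP rather than ACCEPT so the box is not an unfiltered transit path once it sits in front of the whole /24, and two anti-spoofing rules stop traffic that does not belong to the netblock from crossing in the wrong direction. It also carries a small lint that fails any ruleset containing a NAT target, which is the quick way to confirm that a template like the one above has really lost its POSTROUTING rules. Interface names and 22.22.22.0/24 come from the thread; that eth1 carries 22.22.22.1/24 towards the servers, that eth0 sits on a separate transit subnet from the ISP, the /etc/sysconfig/iptables path and the use of -m conntrack are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Bring-up ruleset for a Linux box
# that routes a public /24 (22.22.22.0/24, from the thread) without any
# address rewriting, emitted in iptables-restore format so it can be read
# and diffed before it is loaded. Assumptions: eth1 carries 22.22.22.1/24
# towards the servers; eth0 sits on a separate transit subnet to the ISP.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-22.22.22.0/24}"

# Filter ruleset. FORWARD defaults to DROP and the nat table is left empty,
# so packets cross the box with source and destination untouched.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# anti-spoofing: the server side may only originate from our netblock, and
# nothing claiming our netblock may arrive from the ISP side
-A FORWARD -i ${LAN_IF} ! -s ${LAN_NET} -j DROP
-A FORWARD -i ${WAN_IF} -s ${LAN_NET} -j DROP
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
# "total access" to the servers, as asked in the thread; per-host or
# per-port restrictions go in front of this rule
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -d ${LAN_NET} -j ACCEPT
-A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "FWD-DROP: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Kernel settings a router needs: forwarding on, reverse-path check on,
# ICMP redirects and source routing off. Append to /etc/sysctl.conf.
gen_sysctl() {
    cat <<EOF
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
EOF
}

# Lint a ruleset on stdin: a pure router must not rewrite addresses, so any
# NAT target (the MASQUERADE a NAT template brings along, for one) fails it.
audit_no_nat() {
    if grep -Eq -- '-j (MASQUERADE|SNAT|DNAT|NETMAP|REDIRECT)'; then
        echo "ruleset rewrites addresses; a pure router must not" >&2
        return 1
    fi
    return 0
}

# Load the ruleset only if it passes the lint, then persist it where the
# RHEL iptables init script reads it (path is an assumption for RHEL).
apply_rules() {
    tmp=$(mktemp) || return 1
    gen_rules > "$tmp"
    if audit_no_nat < "$tmp" && iptables-restore < "$tmp"; then
        cp "$tmp" /etc/sysconfig/iptables
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

case "${1:-}" in
    show)   gen_rules ;;
    sysctl) gen_sysctl ;;
    audit)  audit_no_nat ;;   # e.g.  iptables-save | sh router.sh audit
    apply)  apply_rules ;;
esac
```

`sh router.sh show` prints the ruleset for review, `sh router.sh sysctl` the sysctl lines, and `iptables-save | sh router.sh audit` checks whatever is currently loaded. On an iptables too old for -m conntrack, `-m state --state` is the equivalent spelling. The default route on eth0 towards the ISP's next hop is set outside this script (GATEWAY= in ifcfg-eth0, or a static route), which is the "eth0 just needs to know where to send things" part of Harry's answer.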

"Steven Buehler" 07-08-2011 07:12 PM

IPtables router / gateway
 
Makes perfect sense. Thank you SOOOOOOOO much. I am headed to the data
center now to put this into place.

> -----Original Message-----
> From: redhat-list-bounces@redhat.com [mailto:redhat-list-
> bounces@redhat.com] On Behalf Of Harry Hoffman
> Sent: Friday, July 08, 2011 1:53 PM
> To: General Red Hat Linux discussion list
> Subject: Re: IPtables router / gateway
>
> Hi Steve,
>
> I think you are over-thinking this problem...
>
> If I understand you correctly (and please correct me if I'm wrong), you
> want to act purely as a router. That is to pass traffic from one IP Address
> to the next without any manipulation of the addresses (SNAT/DNAT).
>
> You have a setup that looks something like:
>
> ISP_GW<--eth0>UR_LINUX_BOX<eth1-->YOUR_SERVERS
>
> Where all are public ip addresses.
>
> In order to accomplish this all that you need to do is setup ip forwarding
> on your linux gateway and then pass all forwarded packets.
> You don't want to do any SNAT/DNAT at all.
>
> Ensure that you have the following line in /etc/sysctl.conf:
> net.ipv4.ip_forward = 1
>
> Then ensure that /etc/sysconfig/iptables allows forwarding:
> *filter
> ...
> :FORWARD ACCEPT [0:0]
> ...
>
>
> eth0 should be a different subnet than eth1. And since you already have
> your clients set up to use eth1 as the default gateway, eth0 just needs
> to know where to send things that aren't on its own network.
>
> Does this make sense?
>
> Cheers,
> Harry
> https://www.redhat.com/mailman/listinfo/redhat-list

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list


Harry Hoffman 07-08-2011 07:49 PM

IPtables router / gateway
 
Steve,

One other thing is that for new incoming traffic your upstream ISP
will need to know to forward all of your /24 traffic to your linux box
otherwise things won't work.

Cheers,
Harry

On 07/08/2011 03:12 PM, Steven Buehler wrote:
> Makes perfect sense. Thank you SOOOOOOOO much. I am headed to the data
> center now to put this into place.
>
>> -----Original Message-----
>> From: redhat-list-bounces@redhat.com [mailto:redhat-list-
>> bounces@redhat.com] On Behalf Of Harry Hoffman
>> Sent: Friday, July 08, 2011 1:53 PM
>> To: General Red Hat Linux discussion list
>> Subject: Re: IPtables router / gateway
>>
>> Hi Steve,
>>
>> I think you are over-thinking this problem...
>>
>> If I understand you correctly (and please correct me if I'm wrong), you want
>> to act purely as a router. That is to pass traffic from one IP Address to the
>> next without any manipulation of the addresses (SNAT/DNAT).
>>
>> You have a setup that looks something like:
>>
>> ISP_GW<--eth0>UR_LINUX_BOX<eth1-->YOUR_SERVERS
>>
>> Where all are public ip addresses.
>>
>> In order to accomplish this all that you need to do is setup ip forwarding on
>> your linux gateway and then pass all forwarded packets.
>> You don't want to do any SNAT/DNAT at all.
>>
>> Ensure that you have the following line in /etc/sysctl.conf:
>> net.ipv4.ip_forward = 1
>>
>> Then ensure that /etc/sysconfig/iptables allows forwarding:
>> *filter
>> ...
>> :FORWARD ACCEPT [0:0]
>> ...
>>
>>
>> eth0 should be a different subnet than eth1. And since you already have
>> your clients setup to use eth1 as the default gateway then eth0 just needs to
>> know where to send things that aren't on its own network.
>>
>> Does this make sense?
>>
>> Cheers,
>> Harry
>>
>>
>

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
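The pure-router setup Harry describes (forwarding on, an empty nat table, forwarded packets passed through) as an added example that is not the thread's script: interface names, the ISP_GW address and DRY_RUN are placeholders I chose, 22.22.22.0/24 is the example block from the thread, and the FORWARD rules go a little beyond his "accept everything" by checking that traffic leaving carries one of the block's own source addresses and that traffic entering is for the block. The upstream routing of the /24 to this box, which Harry mentions last, has to be done by the ISP and is not something this script can set.

```shell
#!/bin/sh
# Added example, not the thread's script: rules for the box acting as a
# pure router between the ISP gateway (on EXTIF) and the public /24 of
# servers (on INTIF). No MASQUERADE/SNAT/DNAT, so each server keeps its
# own public source address. Interface names, ISP_GW and NETBLOCK are
# placeholders (22.22.22.0/24 is the example block from the thread).
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
NETBLOCK="${NETBLOCK:-22.22.22.0/24}"
ISP_GW="${ISP_GW:-203.0.113.1}"   # placeholder upstream gateway (TEST-NET-3)
DRY_RUN="${DRY_RUN:-1}"           # 1 = print the commands, 0 = execute as root

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Step 1: forwarding on (persist it with net.ipv4.ip_forward = 1 in
# /etc/sysctl.conf) and a default route out the ISP side. INTIF itself must
# carry the gateway address the servers already use (22.22.22.1 in the thread).
enable_routing() {
    run sysctl -w net.ipv4.ip_forward=1
    run ip route replace default via "$ISP_GW" dev "$EXTIF"
}

# Step 2: FORWARD chain. The nat table is flushed and left empty; outbound
# traffic must carry a source address from our own block (nothing spoofed
# leaves), inbound traffic must be destined for our block, and anything else
# is logged and dropped by the explicit DROP policy.
router_rules() {
    run iptables -t nat -F
    run iptables -F FORWARD
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$NETBLOCK" -j ACCEPT
    run iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$NETBLOCK" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$NETBLOCK" \
        -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: "
}

# Sanity check for a pure router: no rule may rewrite addresses.
nat_rule_count() {
    router_rules | grep -c -E 'MASQUERADE|SNAT|DNAT' || true
}

enable_routing
router_rules
```

Run it as-is to review the commands it would issue; `DRY_RUN=0 sh router.sh` as root applies them. New inbound connections are accepted for the whole block because the servers are public hosts; narrow the NEW rule per service if only some ports should be reachable.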

