netfilter.vger.kernel.org archive mirror
From: Jeetu Golani <jeetu.golani@gmail.com>
To: netfilter@vger.kernel.org
Cc: Arun Khan <arun.khan@silverarc.biz>, Erle Pereira <biz@erlepereira.com>
Subject: VLAN et iptables
Date: Sat, 3 Apr 2010 09:27:53 +0530
Message-ID: <201004030927.53528.jeetu.golani@gmail.com>

Hi,

I have a Debian system that I am trying to configure as a router for a MPLS 
VPN setup. I'm having trouble setting up the iptables rules to forward 
internet traffic from remote locations. Admittedly this isn't my forte 
therefore I would sincerely appreciate any help :)

Network Description:
At the head office, the ISP facing router has two physical NICs (eth0 and 
eth1).

eth0 is connected to the head office "local" LAN 192.168.0.0/24.

eth1 has two VLAN interfaces, 105 and 689 (vlan105 and vlan689), 
connecting to the Service Provider's (SP) Network Termination Unit (NTU).

vlan105 carries VPN traffic coming in from remote locations, e.g. two 
LAN subnets over MPLS VPN: (a) 192.168.1.0/24 and (b) 172.16.0.0/16.

vlan689 carries company <> INTERNET traffic.

For Internet access from the "remote" locations, all Internet traffic comes to 
the above router over the vlan105 sub-interface and is SNAT'd/masqueraded 
to the Internet over the vlan689 interface.
---------------------

The following is the iptables script I have tried however it doesn't work:

INTIF1="eth0"     # physical interface for local LAN
INTIF2="vlan105"  # VLAN iface for VPN traffic to remote locations
EXTIF="vlan689"   # VLAN iface for INTERNET traffic
EXTIP="x.x.x.x"   # public IP for our CE router

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
echo "1" > /proc/sys/net/ipv4/ip_forward
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD

iptables -t nat -F

# for Matunga subnet 192.168.0.0/24 (local LAN on eth0)
# replies from the Internet back into the LAN
iptables -A FORWARD -i $EXTIF -o $INTIF1 -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
# new and ongoing connections from the LAN out to the Internet
# (the original "-m -j ACCEPT" gives -m no match name and is rejected by iptables)
iptables -A FORWARD -i $INTIF1 -o $EXTIF -s 192.168.0.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# for Silvassa subnet 172.16.0.0/16 (arrives over vlan105)
iptables -A FORWARD -i $EXTIF -o $INTIF2 -d 172.16.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF2 -o $EXTIF -s 172.16.0.0/16 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# for Colaba subnet 192.168.1.0/24 (arrives over vlan105)
iptables -A FORWARD -i $EXTIF -o $INTIF2 -d 192.168.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF2 -o $EXTIF -s 192.168.1.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# everything leaving over the Internet VLAN gets the router's public address
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

--------------------------------------------

Would sincerely appreciate any help. Thanks

Bye for now
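An added example, not part of the post above, that builds the same ruleset from a list of inside-interface/subnet pairs (using the post's interface names and subnets, and the conntrack match rather than the older state match) and adds the return-route check a practitioner would want on this topology: a packet from a remote subnet that arrives on vlan105 is dropped by the kernel's reverse-path filter, where rp_filter is enabled, unless the route back to that subnet also points at vlan105. The script name vlan-router.sh and the DRY_RUN variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the post): generate the FORWARD/NAT rules for the
# two-VLAN router described above. Interfaces and subnets are the post's values.
INTIF1="eth0"      # head-office LAN
INTIF2="vlan105"   # MPLS VPN sub-interface; remote LANs arrive here
EXTIF="vlan689"    # Internet sub-interface; everything is masqueraded out of it

# One "inside interface / subnet" pair per line; the rules are derived from this.
subnets() {
    printf '%s %s\n' "$INTIF1" 192.168.0.0/24
    printf '%s %s\n' "$INTIF2" 172.16.0.0/16
    printf '%s %s\n' "$INTIF2" 192.168.1.0/24
}

# Print the iptables commands. Per subnet: NEW,ESTABLISHED,RELATED out towards
# the Internet, ESTABLISHED,RELATED only back in; the FORWARD policy stays DROP.
gen_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F POSTROUTING"
    subnets | while read -r iface net; do
        echo "iptables -A FORWARD -i $iface -o $EXTIF -s $net" \
             "-m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
        echo "iptables -A FORWARD -i $EXTIF -o $iface -d $net" \
             "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    done
    echo "iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE"
}

# Return-path check: with rp_filter enabled, a packet from a remote subnet that
# arrives on vlan105 is dropped unless the route back to that subnet leaves via
# vlan105 too. Prints every subnet whose route does not exit its inside interface.
check_return_routes() {
    subnets | while read -r iface net; do
        dev=$(ip route get "${net%/*}" 2>/dev/null | sed -n 's/.* dev \([^ ]*\).*/\1/p')
        [ "$dev" = "$iface" ] || echo "route for $net goes via '${dev:-none}', expected $iface"
    done
}

# DRY_RUN=1 ./vlan-router.sh prints the rules; otherwise they are applied.
main() {
    if [ "${DRY_RUN:-0}" = 1 ]; then gen_rules; else gen_rules | sh -e; fi
    check_return_routes
}
if [ "${0##*/}" = "vlan-router.sh" ]; then main; fi
```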

Thread overview: 4+ messages
2010-04-03  3:57 Jeetu Golani [this message]
2010-04-03  5:46 ` VLAN et iptables elko
2010-04-03  7:58   ` Jeetu Golani
2010-04-05  6:02     ` Pieter Smit