Linux Netfilter discussions
* Gateway With Multiple Internal Networks
@ 2011-10-14  3:06 Aaron Clausen
From: Aaron Clausen @ 2011-10-14  3:06 UTC (permalink / raw)
  To: netfilter

This is driving me crazy, and I cannot seem to get it working
properly.  I have a gateway with two internal networks served by
different interfaces:

eth0 - External interface
eth1 - Internal network #1
eth2 - Internal network #2
tun0 - OpenVPN server interface

Basically I want the computers on eth1 and tun0 to be able to have
full access to each other and to workstations on eth2.  Computers on
eth2 should only have access via NAT redirection to any machines on
eth1 and tun0, with the exception of one server on internal network #2
which I would like to have full access to any machines on eth1 and
tun0 interfaces.

I have it semi-working, but what appears is that the server on the
eth2 network that I want to have full access to eth1 and tun0 seems to
basically stop being able to be accessed from computers on those
networks for certain periods of time.  If I start pinging from that
computer, the outside computers can start seeing it again.

I'm no wizard at iptables, so have come up with this iptables ruleset
via Webmin.  Apologies for it being chaotic and messy.

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.5 -j SNAT --to-source 192.168.1.254
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.221 -j SNAT --to-source 192.168.1.254
-A PREROUTING -p tcp -m tcp -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to-destination 192.168.1.5
-A PREROUTING -p tcp -m tcp -d xxx.xxx.xxx.xxx --dport 8080 -j DNAT --to-destination 192.168.1.221
-A PREROUTING -s 192.168.1.21 -i eth1 -j ACCEPT
-A PREROUTING -s 192.168.1.222 -i eth1 -j ACCEPT
-A PREROUTING -p tcp -m tcp -m state -s 192.168.1.0/24 ! -d 192.168.1.0/24 -i eth1 --dport 80 --sport 1024:65535 --state NEW,ESTABLISHED,RELATED -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp -i eth0 --dport 25 -j DNAT --to-destination 192.168.1.5:25
-A PREROUTING -p tcp -m tcp -i eth0 --dport 53 -j DNAT --to-destination 192.168.1.5:53
-A POSTROUTING -s 10.0.2.0/23 -d 192.168.1.5 -j SNAT --to-source 192.168.1.254
-A PREROUTING -p udp -m udp -i eth0 --dport 53 -j DNAT --to-destination 192.168.1.5:53
-A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.1.5:80
-A PREROUTING -p tcp -m tcp -i eth0 --dport 110 -j DNAT --to-destination 192.168.1.2:110
-A PREROUTING -p tcp -m tcp -i eth0 --dport 143 -j DNAT --to-destination 192.168.1.2:143
-A PREROUTING -p tcp -m tcp -i eth0 --dport 2525 -j DNAT --to-destination 192.168.1.2:2525
-A PREROUTING -p tcp -m tcp -i eth0 --dport 8000 -j DNAT --to-destination 192.168.1.2:8000
-A PREROUTING -p tcp -m tcp -i eth0 --dport 8080 -j DNAT --to-destination 192.168.1.221:8080
-A PREROUTING -j ACCEPT
-A POSTROUTING -s 10.0.2.0/23 -d 192.168.1.221 -j SNAT --to-source 192.168.1.254
-A POSTROUTING ! -s 192.168.0.0/255.255.248.0 -o tun0 -j SNAT --to-source 192.168.1.254
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [311:25759]
:INPUT ACCEPT [311:25759]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [228:49714]
:POSTROUTING ACCEPT [228:49714]
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state -i eth0 --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A FORWARD -s 10.0.2.2 -j ACCEPT
-A FORWARD -d 10.0.2.2 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m state -d 192.168.1.0/24 -i eth2 --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state -i eth2 -o tun+ --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -m state -i eth0 -o eth1 --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -p tcp -m tcp -s 10.0.2.0/23 -d 192.168.1.2 --dport 8530 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 10.0.2.0/23 -d 192.168.1.5 --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 10.0.2.0/23 -d 192.168.1.221 --dport 8080 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -j DROP
-A FORWARD -i eth2 -o tun+ -j DROP
COMMIT


-- 
Aaron Clausen
mightymartianca@gmail.com
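As an added example (not code from the thread, and not what Webmin generated): a small shell script that emits, in iptables-restore format, a ruleset for the policy described in the post above. The posted ruleset runs FORWARD with policy ACCEPT and only appends two DROP rules for eth2 at the very end, so anything not matched earlier, including traffic arriving on eth0, is forwarded; this version defaults FORWARD to DROP and accepts only what the post asks for. The subnets and the privileged server are assumptions read off the posted rules rather than stated in the mail (eth1 is 192.168.1.0/24, eth2 is 10.0.2.0/23, the eth2 server is 10.0.2.2, the gateway's eth1 address is 192.168.1.254). The transparent-proxy REDIRECT, the eth1 hairpin SNATs and the tun0 SNAT from the original are left out, and INPUT is kept as posted.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits, in iptables-restore format,
# a ruleset for the policy Aaron describes, with FORWARD defaulting to DROP.
# Assumed from the posted rules rather than stated in the mail: eth1 is
# 192.168.1.0/24, eth2 is 10.0.2.0/23, the privileged eth2 server is 10.0.2.2
# and the gateway's eth1 address is 192.168.1.254.
set -eu

EXT_IF=eth0
LAN1_IF=eth1
LAN2_IF=eth2
VPN_IF='tun+'
LAN2_NET=10.0.2.0/23
LAN2_SERVER=10.0.2.2
GW_LAN1_ADDR=192.168.1.254

# Port forwards taken from the original nat table, as proto:port:target.
DNAT_SPECS='tcp:25:192.168.1.5:25 tcp:53:192.168.1.5:53 udp:53:192.168.1.5:53
tcp:80:192.168.1.5:80 tcp:110:192.168.1.2:110 tcp:143:192.168.1.2:143
tcp:2525:192.168.1.2:2525 tcp:8000:192.168.1.2:8000 tcp:8080:192.168.1.221:8080'

# One DNAT rule per spec, restricted to traffic arriving on the external interface.
gen_dnat() {
    for spec in $DNAT_SPECS; do
        proto=${spec%%:*}; rest=${spec#*:}
        port=${rest%%:*}; target=${rest#*:}
        printf '%s\n' "-A PREROUTING -i $EXT_IF -p $proto --dport $port -j DNAT --to-destination $target"
    done
}

# The complete ruleset; '#' lines are comments that iptables-restore ignores.
gen_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
$(gen_dnat)
# eth2 hosts reach the published eth1 services with the gateway as source,
# so the replies come back through the gateway (kept from the original).
-A POSTROUTING -s $LAN2_NET -d 192.168.1.5 -j SNAT --to-source $GW_LAN1_ADDR
-A POSTROUTING -s $LAN2_NET -d 192.168.1.221 -j SNAT --to-source $GW_LAN1_ADDR
-A POSTROUTING -o $EXT_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT kept as posted.
-A INPUT -i lo -j ACCEPT
-A INPUT -i $EXT_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $LAN1_IF -j ACCEPT
-A INPUT -i $LAN2_IF -j ACCEPT
-A INPUT -i $VPN_IF -j ACCEPT
# FORWARD: replies first, then exactly the stated policy; everything else drops.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# eth1 and tun0: full access to each other, to eth2 and to the outside.
-A FORWARD -i $LAN1_IF -o $VPN_IF -j ACCEPT
-A FORWARD -i $VPN_IF -o $LAN1_IF -j ACCEPT
-A FORWARD -i $LAN1_IF -o $LAN2_IF -j ACCEPT
-A FORWARD -i $VPN_IF -o $LAN2_IF -j ACCEPT
-A FORWARD -i $LAN1_IF -o $EXT_IF -j ACCEPT
# The one eth2 server with full access to eth1 and tun0.
-A FORWARD -i $LAN2_IF -s $LAN2_SERVER -o $LAN1_IF -j ACCEPT
-A FORWARD -i $LAN2_IF -s $LAN2_SERVER -o $VPN_IF -j ACCEPT
# Other eth2 hosts: only the published eth1 services (ports from the original).
-A FORWARD -i $LAN2_IF -s $LAN2_NET -o $LAN1_IF -p tcp -d 192.168.1.2 --dport 8530 -j ACCEPT
-A FORWARD -i $LAN2_IF -s $LAN2_NET -o $LAN1_IF -p tcp -d 192.168.1.5 --dport 80 -j ACCEPT
-A FORWARD -i $LAN2_IF -s $LAN2_NET -o $LAN1_IF -p tcp -d 192.168.1.221 --dport 8080 -j ACCEPT
# The original's ACCEPT policy let eth2 out to the internet; make that explicit.
-A FORWARD -i $LAN2_IF -o $EXT_IF -j ACCEPT
# Inbound from eth0: only connections the nat table has DNATed towards eth1.
-A FORWARD -i $EXT_IF -o $LAN1_IF -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# Print the ruleset by default; apply it only when asked explicitly.
case "${1:-show}" in
    apply) gen_ruleset | iptables-restore ;;
    *)     gen_ruleset ;;
esac
```

Run it without arguments to print the ruleset and review it; `sh gateway-rules.sh apply` pipes it into iptables-restore. With FORWARD defaulting to DROP, the inbound port forwards need the `--ctstate DNAT` rule, which accepts exactly the connections the nat table rewrote instead of opening eth0 to eth1 wholesale, and the eth2 restriction no longer depends on two DROP rules reached only after every ACCEPT has been tried.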


* Re: Gateway With Multiple Internal Networks
@ 2011-10-14 16:21 ` fuzzy_4711
From: fuzzy_4711 @ 2011-10-14 16:21 UTC (permalink / raw)
  To: Aaron Clausen; +Cc: netfilter



-------- Original - Text --------

> This is driving me crazy, and I cannot seem to get it working
> properly.  I have a gateway with two internal networks served by
> different interfaces:
> 
> eth0 - External interface
> eth1 - Internal network #1
> eth2 - Internal network #2
> tun0 - OpenVPN server interface
> 

Being root@gateway, please provide the output of:
ip route show table all
ip maddress show
ip address show

Could you try to find where the packets are being dropped by using
wireshark, if the error occurs?

Thanks.
-fuz

