doctorgod
asked on
Need help with IPTables, (double?) NAT, and network bridging

To start, here's some ASCII-Art of my current network setup.

Internet <---> DSL Modem <---> 192.168.1.2 <---> Switch <---> 192.168.1.3 <--- wireless ---> 136.176.0.0/16
                                                                              |  |
                                                                              |   ---192.168.1.100 (Me)
                                                                               ------192.168.1.1xx (Other housemates)

192.168.1.2 is a linux box running iptables and acting as a gateway for the rest of the LAN to have internet access.  This works fine.
192.168.1.3 is a linux box running iptables.  It has a wireless connection to my university.
192.168.1.100 is my computer (Windows XP Pro)

Here's the current situation:

I am a computer science student, so I spend a lot of time SSHing into my university's network to work on projects for various classes.  My DSL connection is not fast enough to provide me with decent latency, so SSH is a pain to use.

Here's what I want:

192.168.1.3 has a wireless card and a high-gain antenna.  It can connect to an access point at my university from my apartment across the street.  I want to somehow configure 192.168.1.3 and 192.168.1.2 so that any requests from 192.168.1.100 (and anyone else on the LAN) for any address in the university's range (136.176.0.0/16) will go over the wireless connection instead of the internet.

Here's where I'm stuck:

192.168.1.2 is set up as a router, and any machine on the network can access the internet through it, since the DHCP server sets the default route on each computer to 192.168.1.2.  If I manually add a route to my machine so that requests for 136.176.0.0/16 go to 192.168.1.3 instead, everything works fine, but for my machine only.  I don't want to have to do it this way, though, since this would require me to manually set up routes for all my housemates, and besides, it strikes me as a pretty ugly solution.  If I set up a route on the router (192.168.1.2) for 136.176.0.0/16, then the router can access the university via wireless, but the rest of the network loses access to the university entirely, which strikes my housemates as a bad solution.  I'm sure there's a way to set up iptables to handle this, but I'm not very familiar with it, and the documentation has been somewhat less than helpful.

I'm told that if I put the wireless card in the router instead of a separate machine, the problem becomes much easier.  Unfortunately, this is not an option, as I get no wireless signal at all in the room where the router is located.
paranoidcookie

I would make a suggestion: run all the connections into the Linux box and set up static routes using the wireless as a gateway to the university's IP range.

You might need an extra network adapter in the Linux box, but by using the Linux box you will have far greater control over the IP. If that's acceptable, we can help you work out any settings you will need.

I'd also suggest the use of squid; it will make your connection much more efficient.
jlevie

While it would be an extra hop, you should be able to add a route on 192.168.1.2 for 136.176.0.0/16 via 192.168.1.3. That would be in addition to the default route already set on 192.168.1.2 and would be a route to just that network, something like:

route add -net 136.176.0.0 netmask 255.255.0.0 gw 192.168.1.3
doctorgod (ASKER)

paranoidcookie:

I agree, running all the connections out of one box would greatly simplify things, but as I said in the problem description, it is unfortunately not an option for me.

jlevie:

I've tried that.  If I go to the router and add a route for 136.176.0.0/16, the rest of the network loses access to the university.  I think I mentioned that in the problem description.
You're pretty stuck really; because of the ugly nature of your network you'll have to add the route to each of the clients.
What does 'netstat -nr' on 192.168.1.2 & 192.168.1.3 show?
OK, here's the info for 192.168.1.2 (hostname = Jet)

[root@Jet acrawley]# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
68.254.111.254  0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         68.254.111.254  0.0.0.0         UG        0 0          0 ppp0


And 192.168.1.3 (Hostname = Ed)
Ed root # netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
136.176.48.0    0.0.0.0         255.255.248.0   U         0 0          0 wlan0
192.168.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG        0 0          0 lo
0.0.0.0         136.176.48.1    0.0.0.0         UG        0 0          0 wlan0

This is without any of the routes for my university added.  I've rebooted both boxes recently to get my connection back into working order, so this is how they come up.

Here's the script I use to enable NAT on both boxes:

echo "   Enabling forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
IPTABLES="/sbin/iptables"
INTIF="eth0"
EXTIF="wlan0"

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
#$IPTABLES -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
Oh, and in addition to the last comment:

On 192.168.1.2:
eth0 is the connection from the router to the dsl modem
ppp0 is the dsl modem
eth1 is the connection from the router to the lan

On 192.168.1.3:
eth0 is the connection to the lan
wlan0 is the connection to the university

The definitions of INTIF and EXTIF are set differently on .2 and .3, of course.
ASKER CERTIFIED SOLUTION
kidoman

Hello doctorgod,

Just wanted to tell you that this is a completely router-based solution and your machine (192.168.1.100 and any others in the LAN) will not have to be touched in any way.

Simply:

Add the static route in the router.

Add the

iptables -A FORWARD -p all -i eth1 -o eth1 -j ACCEPT

to the appropriate script.

That is all there is to it.

Cheers,

Karan
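Why the extra FORWARD rule is needed, shown as an added model (not code from the thread): with doctorgod's script on the router (INTIF=eth1, EXTIF=ppp0, FORWARD policy DROP), a LAN packet for 136.176.0.0/16 is routed back out eth1 toward 192.168.1.3, and no rule matches that eth1-to-eth1 hairpin. The route table is the one doctorgod posted for 192.168.1.2 plus the static route; the narrower rule restricted to the university prefix is an assumption of mine, not part of the accepted answer.

```python
import ipaddress

# Router 192.168.1.2 (Jet): routes from doctorgod's netstat output plus the
# static route the accepted answer adds. (destination, gateway or None for
# on-link, outgoing interface)
ROUTES = [
    ("68.254.111.254/32", None, "ppp0"),
    ("192.168.1.0/24", None, "eth1"),
    ("169.254.0.0/16", None, "eth0"),
    ("136.176.0.0/16", "192.168.1.3", "eth1"),  # the added static route
    ("0.0.0.0/0", "68.254.111.254", "ppp0"),    # default via the DSL link
]

def lookup(dst):
    """Longest-prefix match, as the kernel does; returns (next hop, out iface)."""
    best = None
    for net, gw, iface in ROUTES:
        n = ipaddress.ip_network(net)
        if ipaddress.ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw or dst, iface)
    return best[1], best[2]

# FORWARD chain as doctorgod's script builds it on the router:
# (in iface, out iface, destination filter, state filter, target).
# A packet no rule matches falls through to the chain policy, DROP.
BASE_FORWARD = [
    ("ppp0", "eth1", None, "ESTABLISHED,RELATED", "ACCEPT"),
    ("eth1", "ppp0", None, None, "ACCEPT"),
]
HAIRPIN = ("eth1", "eth1", None, None, "ACCEPT")  # the rule kidoman adds
# Assumed tighter variant: only hairpin traffic bound for the university range.
HAIRPIN_NARROW = ("eth1", "eth1", "136.176.0.0/16", None, "ACCEPT")

def forward_verdict(rules, in_if, out_if, dst, state="NEW"):
    for r_in, r_out, r_dst, r_state, target in rules:
        if r_in != in_if or r_out != out_if:
            continue
        if r_dst and ipaddress.ip_address(dst) not in ipaddress.ip_network(r_dst):
            continue
        if r_state and state not in r_state.split(","):
            continue
        return target
    return "DROP"

def forward(rules, in_if, dst):
    """Router's handling of a new packet arriving on in_if for dst."""
    gw, out_if = lookup(dst)
    return gw, out_if, forward_verdict(rules, in_if, out_if, dst)

if __name__ == "__main__":
    for label, rules in (("original", BASE_FORWARD), ("with hairpin rule", BASE_FORWARD + [HAIRPIN])):
        print(label, forward(rules, "eth1", "136.176.48.10"))
```

The broad rule also accepts any other traffic the router hairpins back onto eth1 (for example a LAN host that has been pointed at the router for 192.168.1.0/24); the narrow variant accepts only the university prefix.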
Kidoman:

That works great!  You get the points, although I'm not assigning them yet because I'm not sure if that closes the question, and I'd like to ask one more question, if you don't mind.

With the addition to my iptables script, all the connections to my university do indeed go over the wireless, but I don't see 192.168.1.3 show up when I do a traceroute.  The traceroute shows instead that the packets are going from my computer to 192.168.1.2, then to a router in the university, then to the destination.  Why doesn't 192.168.1.3 show up?

I'm not complaining or anything, I just want to come out of this knowing a bit more than I did before.  In any case, the points are yours.  Thanks again!
Hi, great that your problem is solved.

Strange, though, that .3 is not showing up in the traceroute. You can be sure that packets are (obviously) going through that machine by running:

tcpdump -i eth0

on the .3 machine (with the assumption that eth0 connects to the LAN).

Also, if you could post the actual traceroute, then I could ponder.

I set up a similar setup using VMware and 4 virtual machines. I simulated your case and got this output.

traceroute to 10.200.1.11 (10.200.1.11), 30 hops max, 38 byte packets
 1   10.201.0.2 (10.201.0.2)   2.556 ms    0.739 ms   1.382 ms <==== my gateway.
 2   10.201.0.200 (10.201.0.200)   1.084 ms    0.935 ms    0.797 ms <=== this is your 192.168.1.3
 3   10.200.1.11 (10.200.1.11)    1.493 ms    1.555 ms    1.770 ms <==== the university machine

By any chance, do you have proxy ARP enabled on your .3 machine?

cheers,

karan
Actually, as I went to do a traceroute from my machine, I noticed something else a bit odd.  If I traceroute to one machine at my school, it doesn't go through 192.168.1.2.  The next machine I traceroute to will, though.  After this, the IP of the first machine I tracerouted shows up in my static route configuration.  Doing a traceroute from another Linux box shows the expected results, so I think I'm just going to chalk this one up to Windows XP being weird.

Thanks again for all your help, and thanks for taking the time to explain to me what was going on.  You have no idea how many people told me this couldn't be done!
Welcome. And yeah, it's just Windows XP being weird.

But what could be a possible reason is that, some time back while pinging in a similar setup, I had seen the router sending me a Redirect, so that could be happening. But those things only show up in Linux.

take care,

karan