Solved

Need help with IPTables, (double?) NAT, and network bridging

Posted on 2004-10-25
949 Views
Last Modified: 2008-03-17
To start, here's some ASCII-Art of my current network setup.

Internet <---> DSL Modem <---> 192.168.1.2 <---> Switch <---> 192.168.1.3 <--- wireless ---> 136.176.0.0/16
                                                                              |  |
                                                                              |   ---192.168.1.100 (Me)
                                                                               ------192.168.1.1xx (Other housemates)

192.168.1.2 is a linux box running iptables and acting as a gateway for the rest of the LAN to have internet access.  This works fine.
192.168.1.3 is a linux box running iptables.  It has a wireless connection to my university.
192.168.1.100 is my computer (Windows XP Pro)

Here's the current situation:

I am a computer science student, so I spend a lot of time SSHing into my university's network to work on projects for various classes.  My DSL connection is not fast enough to provide me with decent latency, so SSH is a pain to use.

Here's what I want:

192.168.1.3 has a wireless card and a high-gain antenna.  It can connect to an access point at my university from my apartment across the street.  I want to somehow configure 192.168.1.3 and 192.168.1.2 so that any requests from 192.168.1.100 (and anyone else on the LAN) for any address in the university's range (136.176.0.0/16) will go over the wireless connection instead of the internet.

Here's where I'm stuck:

192.168.1.2 is set up as a router, and any machine on the network can access the internet through it, since the DHCP server sets the default route on each computer to 192.168.1.2.  If I manually add a route to my machine so that requests for 136.176.0.0/16 go to 192.168.1.3 instead, everything works fine, but for my machine only.  I don't want to have to do it this way, though, since this would require me to manually set up routes for all my housemates, and besides, it strikes me as a pretty ugly solution.  If I set up a route on the router (192.168.1.2) for 136.176.0.0/16, then the router can access the university via wireless, but the rest of the network loses access to the university entirely, which strikes my housemates as a bad solution.  I'm sure there's a way to set up iptables to handle this, but I'm not very familiar with it, and the documentation has been somewhat less than helpful.

I'm told that if I put the wireless card in the router instead of a separate machine, the problem becomes much easier.  Unfortunately, this is not an option, as I get no wireless signal at all in the room where the router is located.
0
Question by:doctorgod
    13 Comments
     
    LVL 5

    Expert Comment

    by:paranoidcookie
    I would make a suggestion: run all the connections into the linux box and set up static routes using the wireless as a gateway to the university's IP range.

    You might need an extra network adapter in the linux box, but by using the linux box you will have far greater control over the IP. If that's acceptable we can help you work out any settings you will need.

    I'd also suggest the use of squid; it will make your connection much more efficient.
    0
     
    LVL 40

    Expert Comment

    by:jlevie
    While it would be an extra hop, you should be able to add a route on 192.168.1.2 for 136.176.0.0/16 via 192.168.1.3. That would be in addition to the default route already set on 192.168.1.2 and would be a route to just that network, something like:

    route add -net 136.176.0.0 netmask 255.255.0.0 gw 192.168.1.3
    0
     

    Author Comment

    by:doctorgod
    paranoidcookie:

    I agree, running all the connections out of one box would greatly simplify things, but as I said in the problem description, it is unfortunately not an option for me.

    jlevie:

    I've tried that.  If I go to the router and add a route for 136.176.0.0/16, the rest of the network loses access to the university.  I think I mentioned that in the problem description.
    0
     
    LVL 5

    Expert Comment

    by:paranoidcookie
    You're pretty stuck, really; because of the ugly nature of your network you'll have to add the route to each of the clients.
    0
     
    LVL 40

    Expert Comment

    by:jlevie
    What does 'netstat -nr' on 192.168.1.2 & 192.168.1.3 show?
    0
     

    Author Comment

    by:doctorgod
    OK, here's the info for 192.168.1.2 (hostname = Jet)

    [root@Jet acrawley]# netstat -nr
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    68.254.111.254  0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
    192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
    169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
    0.0.0.0         68.254.111.254  0.0.0.0         UG        0 0          0 ppp0


    And 192.168.1.3 (Hostname = Ed)
    Ed root # netstat -nr
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    136.176.48.0    0.0.0.0         255.255.248.0   U         0 0          0 wlan0
    192.168.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
    127.0.0.0       127.0.0.1       255.0.0.0       UG        0 0          0 lo
    0.0.0.0         136.176.48.1    0.0.0.0         UG        0 0          0 wlan0

    This is without any of the routes for my university added.  I've rebooted both boxes recently to get my connection back into working order, so this is how they come up.

    Here's the script I use to enable NAT on both boxes:

    #!/bin/sh
    # Run on both boxes; INTIF/EXTIF are set differently on .2 and .3.
    echo "   Enabling forwarding..."
    echo "1" > /proc/sys/net/ipv4/ip_forward
    IPTABLES="/sbin/iptables"
    INTIF="eth0"
    EXTIF="wlan0"

    # Reset the filter chains; anything not explicitly forwarded is dropped.
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F

    # Only INTIF -> EXTIF (and replies back) are forwarded; there is no rule
    # for traffic that enters and leaves on the same interface.
    echo "   FWD: Allow all connections OUT and only existing and related ones IN"
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
    #$IPTABLES -A FORWARD -j LOG

    # Masquerade everything leaving on EXTIF behind its address.
    echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
    0
     

    Author Comment

    by:doctorgod
    Oh, and in addition to the last comment:

    On 192.168.1.2:
    eth0 is the connection from the router to the dsl modem
    ppp0 is the dsl modem
    eth1 is the connection from the router to the lan

    On 192.168.1.3:
    eth0 is the connection to the lan
    wlan0 is the connection to the university

    The definitions of INTIF and EXTIF are set differently on .2 and .3, of course.
    0
     
    LVL 2

    Accepted Solution

    by:
    Hi,

    I think I have got the solution. Although there is an addition of 1 hop, it will hardly add 1-2 ms to ping time.

    The reason you were losing connectivity to the university when you added the:

    ****

    ip route add 136.176.0.0/16 via 192.168.1.3
    (the same as "route add -net 136.176.0.0 netmask 255.255.0.0 gw 192.168.1.3")

    was that your iptables script was disallowing packets coming from 192.168.1.1xx (eth1 for the router) from being forwarded to the 192.168.1.3 machine (again on the eth1 interface in the router).

    So the solution is to modify the iptables script on the router and add this single line (remember, on the ROUTER):

    iptables -A FORWARD -p all -i eth1 -o eth1 -j ACCEPT

    and you are done... (don't forget to add the route in the router, **** see above)

    Cheers,

    Karan
    0
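    As an added illustration (not part of the thread), the following Python model shows why the route alone broke things: it does a longest-prefix lookup over 192.168.1.2's routing table with the 136.176.0.0/16 route added, then evaluates the router's FORWARD chain (first match wins, policy DROP) as the posted script builds it, once without and once with the eth1-to-eth1 rule. The destination addresses 136.176.48.10 and 198.51.100.7 are constructed inputs, and only the first packet of a new LAN-originated connection is modelled (the ESTABLISHED,RELATED rule is left out).

```python
import ipaddress

# Routing table of 192.168.1.2 after the extra route is added: the LAN route and
# default route come from the netstat output in the thread, the 136.176.0.0/16
# entry is the route suggested above. Format: (network, gateway, interface).
ROUTES = [
    ("192.168.1.0/24", None, "eth1"),
    ("136.176.0.0/16", "192.168.1.3", "eth1"),   # gateway is on the LAN itself
    ("0.0.0.0/0", "68.254.111.254", "ppp0"),
]

def lookup(dst):
    """Longest-prefix match; returns (out_iface, next_hop)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in ROUTES:
        n = ipaddress.ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, iface)
    return best[2], best[1] or str(dst)   # no gateway: deliver directly

def forward_verdict(in_iface, out_iface, rules, policy="DROP"):
    """FORWARD chain: first matching rule wins, otherwise the chain policy.
    A rule is (in_iface or None for any, out_iface or None for any, target)."""
    for rin, rout, target in rules:
        if (rin is None or rin == in_iface) and (rout is None or rout == out_iface):
            return target
    return policy

# On the router the script's INTIF is eth1 and EXTIF is ppp0, so its only rule
# for new connections is LAN -> DSL. The fixed set adds the hairpin rule.
ORIGINAL_RULES = [("eth1", "ppp0", "ACCEPT")]
FIXED_RULES = ORIGINAL_RULES + [("eth1", "eth1", "ACCEPT")]

def route_and_filter(in_iface, dst, rules):
    """What the router does with a new packet: route it, then filter it."""
    out_iface, next_hop = lookup(dst)
    return out_iface, next_hop, forward_verdict(in_iface, out_iface, rules)

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("fixed", FIXED_RULES)):
        # constructed destinations: a university host and an arbitrary internet host
        for dst in ("136.176.48.10", "198.51.100.7"):
            print(label, dst, route_and_filter("eth1", dst, rules))
```

    A packet that goes back out the interface it arrived on, towards a gateway on the same subnet as the sender, is also the case in which a Linux router sends an ICMP redirect, which bears on the traceroute oddities discussed further down.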
     
    LVL 2

    Expert Comment

    by:kidoman
    Hello doctorgod,

    Just wanted to tell you that this is a completely router-based solution and your machine (192.168.1.100 and any others in the LAN) will not have to be touched in any way.

    Simply:

    Add the static route in the router.

    Add the

    iptables -A FORWARD -p all -i eth1 -o eth1 -j ACCEPT

    to the appropriate script.

    That is all there is to it.

    Cheers,

    Karan
    0
     

    Author Comment

    by:doctorgod
    Kidoman:

    That works great!  You get the points, although I'm not assigning them yet because I'm not sure if that closes the question, and I'd like to ask one more question, if you don't mind.

    With the addition to my iptables script, all the connections to my university do indeed go over the wireless, but I don't see 192.168.1.3 show up when I do a traceroute.  The traceroute shows instead that the packets are going from my computer to 192.168.1.2, then to a router in the university, then to the destination.  Why doesn't 192.168.1.3 show up?

    I'm not complaining or anything, I just want to come out of this knowing a bit more than I did before.  In any case, the points are yours.  Thanks again!
    0
     
    LVL 2

    Expert Comment

    by:kidoman
    Hi, great that your problem is solved...

    Strange, though, that .3 is not showing up in the traceroute. You can be sure that packets are (obviously) going through that machine by running a:

    tcpdump -i eth0

    on the .3 machine (with the assumption that eth0 connects to the LAN).

    Also, if you could post the actual traceroute, then I could ponder.

    I set up a similar setup using VMware and 4 virtual machines. I simulated your case and got this output.

    traceroute to 10.200.1.11 (10.200.1.11), 30 hops max, 38 byte packets
     1   10.201.0.2 (10.201.0.2)   2.556 ms    0.739 ms   1.382 ms <==== my gateway.
     2   10.201.0.200 (10.201.0.200)   1.084 ms    0.935 ms    0.797 ms <=== this is your 192.168.1.3
     3   10.200.1.11 (10.200.1.11)    1.493 ms    1.555 ms    1.770 ms <==== the university machine

    By any chance, do you have proxy ARP enabled on your .3 machine?

    cheers,

    karan
    0
     

    Author Comment

    by:doctorgod
    Actually, as I went to do a traceroute from my machine, I noticed something else a bit odd.  If I traceroute to one machine at my school, it doesn't go through 192.168.1.2.  The next machine I traceroute to will, though.  After this, the IP of the first machine I tracerouted shows up in my static route configuration.  Doing a traceroute from another Linux box shows the expected results, so I think I'm just going to chalk this one up to Windows XP being weird.

    Thanks again for all your help, and thanks for taking the time to explain to me what was going on.  You have no idea how many people told me this couldn't be done!
    0
     
    LVL 2

    Expert Comment

    by:kidoman
    Welcome. And yeah, it's just Windows XP being weird...

    But what could be a possible reason is that, some time back, while pinging in a similar setup, I had seen the router sending me a Redirect, so that could be happening... but those things only show up in Linux.

    take care,

    karan
    0
