Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 972
  • Last Modified:

Need help with IPTables, (double?) NAT, and network bridging

To start, here's some ASCII-Art of my current network setup.

Internet <---> DSL Modem <---> 192.168.1.2 <---> Switch <---> 192.168.1.3 <--- wireless ---> 136.176.0.0/16
                                                                              |  |
                                                                              |   ---192.168.1.100 (Me)
                                                                               ------192.168.1.1xx (Other housemates)

192.168.1.2 is a linux box running iptables and acting as a gateway for the rest of the LAN to have internet access.  This works fine.
192.168.1.3 is a linux box running iptables.  It has a wireless connection to my university.
192.168.1.100 is my computer (Windows XP Pro)

Here's the current situation:

I am a computer science student, so I spend a lot of time SSHing into my university's network to work on projects for various classes.  My DSL connection is not fast enough to provide me with decent latency, so SSH is a pain to use.

Here's what I want:

192.168.1.3 has a wireless card and a high-gain antenna.  It can connect to an access point at my university from my apartment across the street.  I want to somehow configure 192.168.1.3 and 192.168.1.2 so that any requests from 192.168.1.100 (and anyone else on the LAN) for any address in the university's range (136.176.0.0/16) will go over the wireless connection instead of the internet.

Here's where I'm stuck:

192.168.1.2 is set up as a router, and any machine on the network can access the internet through it, since the DHCP server sets the default route on each computer to 192.168.1.2.  If I manually add a route to my machine so that requests for 136.176.0.0/16 go to 192.168.1.3 instead, everything works fine, but for my machine only.  I don't want to have to do it this way, though, since this would require me to manually set up routes for all my housemates, and besides, it strikes me as a pretty ugly solution.  If I set up a route on the router (192.168.1.2) for 136.176.0.0/16, then the router can access the university via wireless, but the rest of the network loses access to the university entirely, which strikes my housemates as a bad solution.  I'm sure there's a way to set up iptables to handle this, but I'm not very familiar with it, and the documentation has been somewhat less than helpful.

I'm told that if I put the wireless card in the router instead of a separate machine, the problem becomes much easier.  Unfortunately, this is not an option, as I get no wireless signal at all in the room where the router is located.
0
doctorgod
Asked:
doctorgod
  • 5
  • 4
  • 2
  • +1
1 Solution
 
paranoidcookieCommented:
I would make a suggestion run all the connections into the linux box set up static routes using the wireless as a gateway to the universitys ip range.

You might need an extra network adapter in the linux box but by using the linux box you will have a fargreater control over the ip. If thats acceptable we can help you work out any settings you will need.

Id also suggest the use of squid it will make your connection much more efficent
0
 
jlevieCommented:
While it would be an extra hop, you should be able to add a route on 192.168.1.2 for 136.176.0.0/16 via 192.168.1.3. That would be in addition to the default route already set on 192.168.1.2 and would be a route to just that network, something like:

route add -net 137.176.0.0 netmask 255.255.0.0 -gw 192.168.1.3
0
 
doctorgodAuthor Commented:
paranoidcookie:

I agree, running all the connections out of one box would greatly simplify things, but as I said in the problem description, it is unfortunately not an option for me.

jlevie:

I've tried that.  If I go to the router and add a route for 136.176.0.0/16, the rest of the network loses access to the university.  I think I mentioned that in the problem description.
0
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

 
paranoidcookieCommented:
Your pretty stuck really because of the ugly nature of your network youll have to add the route to each of the clients.
0
 
jlevieCommented:
What does 'netstat -nr' on 192.168.1.2 & 192.168.1.3 show?
0
 
doctorgodAuthor Commented:
OK, here's the info for 192.168.1.2 (hostname = Jet)

[root@Jet acrawley]# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
68.254.111.254  0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         68.254.111.254  0.0.0.0         UG        0 0          0 ppp0


And 192.168.1.3 (Hostname = Ed)
Ed root # netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
136.176.48.0    0.0.0.0         255.255.248.0   U         0 0          0 wlan0
192.168.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG        0 0          0 lo
0.0.0.0         136.176.48.1    0.0.0.0         UG        0 0          0 wlan0

This is without any of the routes for my university added.  I've rebooted both boxes recently to get my connection back into working order, so this is how they come up.

Here's the script I use to enable NAT on both boxes:

echo "   Enabling forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
IPTABLES="/sbin/iptables"
INTIF="eth0"
EXTIF="wlan0"

$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
#$IPTABLES -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
0
 
doctorgodAuthor Commented:
Oh, and in addition to the last comment:

On 192.168.1.2:
eth0 is the connection from the router to the dsl modem
ppp0 is the dsl modem
eth1 is the connection from the router to the lan

On 192.168.1.3:
eth0 is the connection to the lan
wlan0 is the connection to the university

The definitions of INTIF and EXTIF are set differently on .2 and .3, of course.
0
 
kidomanCommented:
Hi,

I think I have got the solution. Although there is a addition of 1 hop it will hardly add 1-2 ms to ping time.

The reason you were loosing connectivity to the university when you added the:

****

ip route add 137.176.0.0/16 via 192.168.1.3
(the same as "route add -net 137.176.0.0 netmask 255.255.0.0 -gw 192.168.1.3")

was that your iptables script were disallowing packets coming from 192.168.1.1xx (eth1 for router) to be forwarded to the 192.168.1.3 machine (again on the on eth1 interface in the router.)

so the solution is to modify the iptables script on the router and add this single line (Remember on the ROUTER):

iptables -A FORWARD -p all -i eth1 -o eth1 -j ACCEPT

and you are done.....(dont forget to add the route in the router**** see above)

Cheers,

Karan
0
 
kidomanCommented:
Hello doctorgod,

Just wanted to tell you than this is a completely router based solution and your machine (192.168.1.100 and any others in the lan) will not have to be touched in any way.

Simply:

Add the static route in the router.

Add the

iptables -A FORWARD -p all -i eth1 -o eth1 -j ACCEPT

to the appropiate script.

That is all there is to it.

Cheers,

Karan
0
 
doctorgodAuthor Commented:
Kidoman:

That works great!  You get the points, although I'm not assigning them yet because I'm not sure if that closes the question, and I'd like to ask one more question, if you don't mind.

With the addition to my iptables script, all the connections to my university do indeed go over the wireless, but I don't see 192.168.1.3 show up when I do a traceroute.  The traceroute shows instead that the packets are going from my computer to 192.168.1.2, then to a router in the university, then to the destination.  Why doesn't 192.168.1.3 show up?

I'm not complaining or anything, I just want to come out of this knowing a bit more than I did before.  In any case, the points are yours.  Thanks again!
0
 
kidomanCommented:
Hi, great that your problem is solved.....

Strange tho that .3 is not showing up in the traceroute. You can be sure that packets are (obviously) going thru that machine by running a:

tcpdump -i eth0

on the .3 machine (with the assumption that eth0 connect to the LAN.)

also if you could post the actual traceroute then i could ponder.

i setup a similar setup using vmware and 4 virtual machines. i simulated your case and got this output.

traceroute to 10.200.1.11 (10.200.1.11), 30 hops max, 38 byte packets
 1   10.201.0.2 (10.201.0.2)   2.556 ms    0.739 ms   1.382 ms <==== my gateway.
 2   10.201.0.200 (10.201.0.200)   1.084 ms    0.935 ms    0.797 ms <=== this is ur 192.168.1.3
 3   10.200.1.11 (10.200.1.11)    1.493 ms    1.555 ms    1.770 ms <==== the university machine

by any chance, do u hv proxy ARP enabled in ur .3 machine.????

cheers,

karan
0
 
doctorgodAuthor Commented:
Actually, as I went to do a traceroute from my machine, I noticed something else a bit odd.  If I traceroute to one machine at my school, it doesn't go through 192.168.1.2.  The next machine I traceroute to will, though.  After this, the IP of the first machine I tracerouted shows up in my static route configuration.  Doing a traceroute from another Linux box shows the expected results, so I think I'm just going to chalk this one up to Windows XP being weird.

Thanks again for all your help, and thanks for taking the time to explain to me what was going on.  You have no idea how many people told me this couldn't be done!
0
 
kidomanCommented:
Welcome. And yeah its just Windows XP being weird....

but what could be a possible reason is that .... some time back while pingin in a similar setup, i had seen the router sending me Redirect so that could be happening..... but those things only show up in linux.

take care,

karan
0

Featured Post

[Webinar On Demand] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

  • 5
  • 4
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now