

Need help with IPTables, (double?) NAT, and network bridging

Posted on 2004-10-25
Medium Priority
Last Modified: 2008-03-17
To start, here's some ASCII-Art of my current network setup.

Internet <---> DSL Modem <---> <---> Switch <---> <--- wireless --->
                                                |  |
                                                |   --- (Me)
                                                 ------ (Other housemates)

is a linux box running iptables and acting as a gateway for the rest of the LAN to have internet access.  This works fine.
is a linux box running iptables.  It has a wireless connection to my university.
is my computer (Windows XP Pro)

Here's the current situation:

I am a computer science student, so I spend a lot of time SSHing into my university's network to work on projects for various classes.  My DSL connection is not fast enough to provide me with decent latency, so SSH is a pain to use.

Here's what I want: has a wireless card and a high-gain antenna.  It can connect to an access point at my university from my apartment across the street.  I want to somehow configure and so that any requests from (and anyone else on the LAN) for any address in the university's range ( will go over the wireless connection instead of the internet.

Here's where I'm stuck: is set up as a router, and any machine on the network can access the internet through it, since the DHCP server sets the default route on each computer to  If I manually add a route to my machine so that requests for go to instead, everything works fine, but for my machine only.  I don't want to have to do it this way, though, since this would require me to manually set up routes for all my housemates, and besides, it strikes me as a pretty ugly solution.  If I set up a route on the router ( for, then the router can access the university via wireless, but the rest of the network loses access to the university entirely, which strikes my housemates as a bad solution.  I'm sure there's a way to set up iptables to handle this, but I'm not very familiar with it, and the documentation has been somewhat less than helpful.

I'm told that if I put the wireless card in the router instead of a separate machine, the problem becomes much easier.  Unfortunately, this is not an option, as I get no wireless signal at all in the room where the router is located.
Question by:doctorgod

Expert Comment

ID: 12410245
I would make a suggestion: run all the connections into the linux box and set up static routes using the wireless as a gateway to the university's IP range.

You might need an extra network adapter in the linux box, but by using the linux box you will have far greater control over the IP. If that's acceptable we can help you work out any settings you will need.

I'd also suggest the use of squid; it will make your connection much more efficient.
LVL 40

Expert Comment

ID: 12410311
While it would be an extra hop, you should be able to add a route on for via That would be in addition to the default route already set on and would be a route to just that network, something like:

route add -net netmask -gw

Author Comment

ID: 12410857

I agree, running all the connections out of one box would greatly simplify things, but as I said in the problem description, it is unfortunately not an option for me.


I've tried that.  If I go to the router and add a route for, the rest of the network loses access to the university.  I think I mentioned that in the problem description.



Expert Comment

ID: 12411168
You're pretty stuck, really; because of the ugly nature of your network you'll have to add the route to each of the clients.
LVL 40

Expert Comment

ID: 12416963
What does 'netstat -nr' on & show?

Author Comment

ID: 12418464
OK, here's the info for (hostname = Jet)

[root@Jet acrawley]# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
                                                UH        0 0          0 ppp0
                                                U         0 0          0 eth1
                                                U         0 0          0 eth0
                                                U         0 0          0 lo
                                                UG        0 0          0 ppp0

And (Hostname = Ed)
Ed root # netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
                                                U         0 0          0 wlan0
                                                U         0 0          0 eth0
                                                UG        0 0          0 lo
                                                UG        0 0          0 wlan0

This is without any of the routes for my university added.  I've rebooted both boxes recently to get my connection back into working order, so this is how they come up.

Here's the script I use to enable NAT on both boxes:

echo "   Enabling forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -t nat -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"

Author Comment

ID: 12418501
Oh, and in addition to the last comment:

eth0 is the connection from the router to the dsl modem
ppp0 is the dsl modem
eth1 is the connection from the router to the lan

eth0 is the connection to the lan
wlan0 is the connection to the university

The definitions of INTIF and EXTIF are set differently on .2 and .3, of course.

Accepted Solution

kidoman earned 1340 total points
ID: 12427834

I think I have got the solution. Although there is an addition of 1 hop, it will hardly add 1-2 ms to ping time.

The reason you were losing connectivity to the university when you added the:

ip route add via
(the same as "route add -net netmask -gw")

was that your iptables script was disallowing packets coming from (eth1 for router) to be forwarded to the machine (again on the eth1 interface in the router).

So the solution is to modify the iptables script on the router and add this single line (remember, on the ROUTER):

iptables -A FORWARD -p all -i eth1 -o eth1 -j ACCEPT

and you are done..... (don't forget to add the route in the router**** see above)
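The accepted fix (a static route for the university range on the router plus a FORWARD rule that lets a packet arriving on eth1 leave on eth1 again) is easiest to see in a complete gateway script. The script below is an added example, not the original poster's rc.firewall or anything from the thread: it follows the layout of the IP Masquerade HOWTO fragment quoted above, but the FORWARD DROP policy, the variable names LAN_NET, UNIV_NET, WIFI_GW and SEND_REDIRECTS, the LAN prefix 192.168.1.0/24 and the university prefix 203.0.113.0/24 are assumptions; only the interface names eth1/ppp0 and the .3 host come from the thread. It prints the commands instead of running them, so the ruleset can be reviewed first; `sh gw.sh apply` executes them as root.

```shell
#!/bin/sh
# Added example (not the poster's script): NAT gateway for the router (.2)
# in the style of the IP Masquerade HOWTO, plus the hairpin rule and route
# from the accepted answer. All addresses below are placeholders.

IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=${EXTIF:-ppp0}                    # DSL side: the default route
INTIF=${INTIF:-eth1}                    # LAN side of the router
LAN_NET=${LAN_NET:-192.168.1.0/24}      # placeholder: the apartment LAN
UNIV_NET=${UNIV_NET:-203.0.113.0/24}    # placeholder: the university's range
WIFI_GW=${WIFI_GW:-192.168.1.3}         # placeholder: the .3 box with the wireless card
SEND_REDIRECTS=${SEND_REDIRECTS:-0}     # 0 keeps the router in the LAN->university path

# emit_rules prints every command the gateway needs, one per line, and
# runs nothing, so the ruleset can be inspected or tested before it is applied.
emit_rules() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    # Deny-by-default forwarding (assumed): this is what silently dropped the
    # LAN-to-LAN packets until the hairpin rule below was added.
    echo "$IPTABLES -P FORWARD DROP"
    echo "$IPTABLES -F FORWARD"
    echo "$IPTABLES -t nat -F"
    # FWD: allow all connections OUT and only existing and related ones IN
    echo "$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT"
    # Hairpin rule from the accepted answer: a LAN host's packet for the
    # university enters on eth1 and, because of the static route, leaves on
    # eth1 again towards the wireless box; with policy DROP it must be accepted
    # explicitly. Restricting the source to LAN_NET keeps it from becoming a
    # blanket eth1-to-eth1 allow.
    echo "$IPTABLES -A FORWARD -i $INTIF -o $INTIF -s $LAN_NET -d $UNIV_NET -j ACCEPT"
    echo "$IPTABLES -A FORWARD -j LOG --log-prefix 'FWD-DROP: '"
    # SNAT (MASQUERADE) on the DSL side only; hairpinned traffic is not rewritten.
    echo "$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE"
    # The static route that sends the university range to the wireless box.
    echo "ip route replace $UNIV_NET via $WIFI_GW dev $INTIF"
    # When a router forwards a packet back out the interface it arrived on, Linux
    # sends the source an ICMP Redirect pointing at the real next hop; hosts that
    # honour it then bypass the router (and Windows installs a host route), so the
    # router vanishes from traceroute. Disabling redirects keeps the FORWARD rule
    # above as the single enforcement point for LAN->university traffic.
    echo "echo $SEND_REDIRECTS > /proc/sys/net/ipv4/conf/$INTIF/send_redirects"
}

# apply_rules executes the emitted commands, stopping at the first failure.
apply_rules() {
    emit_rules | sh -e
}

# has_hairpin_rule returns 0 when the emitted ruleset still carries the fix.
has_hairpin_rule() {
    emit_rules | grep -q -- "-i $INTIF -o $INTIF -s $LAN_NET -d $UNIV_NET -j ACCEPT"
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     emit_rules ;;
esac
```

The script is meant for the router only; the wireless box (.3) keeps its own masquerade on wlan0, and the LAN hosts are untouched, which is the point of the accepted answer. `has_hairpin_rule` is there so that a later edit of the script cannot drop the rule without a check noticing.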



Expert Comment

ID: 12427951
Hello doctorgod,

Just wanted to tell you that this is a completely router based solution and your machine ( and any others in the lan) will not have to be touched in any way.


Add the static route in the router.

Add the

iptables -A FORWARD -p all -i eth1 -o eth1 -j ACCEPT

to the appropriate script.

That is all there is to it.



Author Comment

ID: 12428610

That works great!  You get the points, although I'm not assigning them yet because I'm not sure if that closes the question, and I'd like to ask one more question, if you don't mind.

With the addition to my iptables script, all the connections to my university do indeed go over the wireless, but I don't see show up when I do a traceroute.  The traceroute shows instead that the packets are going from my computer to, then to a router in the university, then to the destination.  Why doesn't show up?

I'm not complaining or anything, I just want to come out of this knowing a bit more than I did before.  In any case, the points are yours.  Thanks again!

Expert Comment

ID: 12429348
Hi, great that your problem is solved.....

Strange though that .3 is not showing up in the traceroute. You can be sure that packets are (obviously) going through that machine by running a:

tcpdump -i eth0

on the .3 machine (with the assumption that eth0 connects to the LAN).

Also, if you could post the actual traceroute then I could ponder.

I set up a similar setup using vmware and 4 virtual machines. I simulated your case and got this output.

traceroute to (, 30 hops max, 38 byte packets
 1 (   2.556 ms    0.739 ms   1.382 ms <==== my gateway.
 2 (   1.084 ms    0.935 ms    0.797 ms <=== this is your
 3 (    1.493 ms    1.555 ms    1.770 ms <==== the university machine

By any chance, do you have proxy ARP enabled on your .3 machine?



Author Comment

ID: 12429791
Actually, as I went to do a traceroute from my machine, I noticed something else a bit odd.  If I traceroute to one machine at my school, it doesn't go through  The next machine I traceroute to will, though.  After this, the IP of the first machine I tracerouted shows up in my static route configuration.  Doing a traceroute from another Linux box shows the expected results, so I think I'm just going to chalk this one up to Windows XP being weird.

Thanks again for all your help, and thanks for taking the time to explain to me what was going on.  You have no idea how many people told me this couldn't be done!

Expert Comment

ID: 12431097
Welcome. And yeah, it's just Windows XP being weird....

But what could be a possible reason is that .... some time back while pinging in a similar setup, I had seen the router sending me Redirects, so that could be happening..... but those things only show up in linux.

take care,

