Need help with IPTables, (double?) NAT, and network bridging

To start, here's some ASCII-Art of my current network setup.

Internet <---> DSL Modem <---> <---> Switch <---> <--- wireless --->
                                                   |  |
                                                   |   --- (Me)
                                                    ------ (Other housemates)

 is a Linux box running iptables and acting as a gateway for the rest of the LAN to have internet access.  This works fine.
 is a Linux box running iptables.  It has a wireless connection to my university.
 is my computer (Windows XP Pro)

Here's the current situation:

I am a computer science student, so I spend a lot of time SSHing into my university's network to work on projects for various classes.  My DSL connection is not fast enough to provide me with decent latency, so SSH is a pain to use.

Here's what I want: has a wireless card and a high-gain antenna.  It can connect to an access point at my university from my apartment across the street.  I want to somehow configure and so that any requests from (and anyone else on the LAN) for any address in the university's range ( will go over the wireless connection instead of the internet.

Here's where I'm stuck: is set up as a router, and any machine on the network can access the internet through it, since the DHCP server sets the default route on each computer to  If I manually add a route to my machine so that requests for go to instead, everything works fine, but for my machine only.  I don't want to have to do it this way, though, since this would require me to manually set up routes for all my housemates, and besides, it strikes me as a pretty ugly solution.  If I set up a route on the router ( for, then the router can access the university via wireless, but the rest of the network loses access to the university entirely, which strikes my housemates as a bad solution.  I'm sure there's a way to set up iptables to handle this, but I'm not very familiar with it, and the documentation has been somewhat less than helpful.

I'm told that if I put the wireless card in the router instead of a separate machine, the problem becomes much easier.  Unfortunately, this is not an option, as I get no wireless signal at all in the room where the router is located.

I would make a suggestion: run all the connections into the Linux box and set up static routes using the wireless as a gateway to the university's IP range.

You might need an extra network adapter in the Linux box, but by using the Linux box you will have far greater control over the IP. If that's acceptable, we can help you work out any settings you will need.

I'd also suggest the use of Squid; it will make your connection much more efficient.
While it would be an extra hop, you should be able to add a route on for via That would be in addition to the default route already set on and would be a route to just that network, something like:

route add -net netmask -gw
doctorgodAuthor Commented:

I agree, running all the connections out of one box would greatly simplify things, but as I said in the problem description, it is unfortunately not an option for me.


I've tried that.  If I go to the router and add a route for, the rest of the network loses access to the university.  I think I mentioned that in the problem description.

You're pretty stuck, really; because of the ugly nature of your network you'll have to add the route to each of the clients.
What does 'netstat -nr' on & show?
doctorgodAuthor Commented:
OK, here's the info for (hostname = Jet)

[root@Jet acrawley]# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
                                                UH        0 0          0 ppp0
                                                U         0 0          0 eth1
                                                U         0 0          0 eth0
                                                U         0 0          0 lo
                                                UG        0 0          0 ppp0

And (Hostname = Ed)
Ed root # netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
                                                U         0 0          0 wlan0
                                                U         0 0          0 eth0
                                                UG        0 0          0 lo
                                                UG        0 0          0 wlan0

This is without any of the routes for my university added.  I've rebooted both boxes recently to get my connection back into working order, so this is how they come up.

Here's the script I use to enable NAT on both boxes:

# Assumed definitions (the posted script set them elsewhere; values differ on .2 and .3)
IPTABLES=/sbin/iptables
EXTIF=ppp0        # upstream interface (wlan0 on the wireless box)
INTIF=eth1        # LAN-facing interface (eth0 on the wireless box)

echo "   Enabling forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -t nat -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
# Rules reconstructed from the echo above; the posted excerpt omitted them
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
doctorgodAuthor Commented:
Oh, and in addition to the last comment:

eth0 is the connection from the router to the DSL modem
ppp0 is the DSL modem
eth1 is the connection from the router to the LAN

eth0 is the connection to the LAN
wlan0 is the connection to the university

The definitions of INTIF and EXTIF are set differently on .2 and .3, of course.

I think I have got the solution. Although there is an addition of 1 hop, it will hardly add 1-2 ms to ping time.

The reason you were losing connectivity to the university when you added the:

ip route add via
(the same as "route add -net netmask -gw")

was that your iptables script was disallowing packets coming from (eth1 for the router) to be forwarded to the machine (again on the eth1 interface in the router).

So the solution is to modify the iptables script on the router and add this single line (remember, on the ROUTER):

iptables -A FORWARD -p all -i eth1 -o eth1 -j ACCEPT

and you are done..... (don't forget to add the route in the router**** see above)

Hello doctorgod,

Just wanted to tell you that this is a completely router-based solution and your machine ( and any others in the LAN) will not have to be touched in any way.


Add the static route in the router.

Add the

iptables -A FORWARD -p all -i eth1 -o eth1 -j ACCEPT

to the appropriate script.

That is all there is to it.


doctorgodAuthor Commented:

That works great!  You get the points, although I'm not assigning them yet because I'm not sure if that closes the question, and I'd like to ask one more question, if you don't mind.

With the addition to my iptables script, all the connections to my university do indeed go over the wireless, but I don't see show up when I do a traceroute.  The traceroute shows instead that the packets are going from my computer to, then to a router in the university, then to the destination.  Why doesn't show up?

I'm not complaining or anything, I just want to come out of this knowing a bit more than I did before.  In any case, the points are yours.  Thanks again!
Hi, great that your problem is solved.....

Strange, though, that .3 is not showing up in the traceroute. You can be sure that packets are (obviously) going through that machine by running a:

tcpdump -i eth0

on the .3 machine (with the assumption that eth0 connects to the LAN).

Also, if you could post the actual traceroute, then I could ponder.

I set up a similar setup using VMware and 4 virtual machines. I simulated your case and got this output.

traceroute to (, 30 hops max, 38 byte packets
 1 (   2.556 ms    0.739 ms   1.382 ms <==== my gateway.
 2 (   1.084 ms    0.935 ms    0.797 ms <=== this is ur
 3 (    1.493 ms    1.555 ms    1.770 ms <==== the university machine

By any chance, do you have proxy ARP enabled on your .3 machine?


doctorgodAuthor Commented:
Actually, as I went to do a traceroute from my machine, I noticed something else a bit odd.  If I traceroute to one machine at my school, it doesn't go through  The next machine I traceroute to will, though.  After this, the IP of the first machine I tracerouted shows up in my static route configuration.  Doing a traceroute from another Linux box shows the expected results, so I think I'm just going to chalk this one up to Windows XP being weird.

Thanks again for all your help, and thanks for taking the time to explain to me what was going on.  You have no idea how many people told me this couldn't be done!
Welcome. And yeah, it's just Windows XP being weird....

But what could be a possible reason is that, some time back while pinging in a similar setup, I had seen the router sending me a Redirect, so that could be happening..... but those things only show up in Linux.

take care,
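An added example, not from the thread: a router-side script in dry-run form that applies the accepted fix (the static route plus the hairpin FORWARD rule, narrowed to the university range) and also handles the ICMP Redirect behaviour raised in the last reply. All addresses and the interface name are placeholders, since the thread's real values are not on the page.

```shell
# Placeholder values; the thread's real addresses are not on the page.
LAN_IF=eth1                 # router's LAN-facing interface
LAN_NET=192.168.1.0/24      # placeholder LAN range
UNI_NET=10.0.0.0/16         # placeholder university range
WIRELESS_GW=192.168.1.3     # placeholder: LAN address of the wireless box (.3)

# Emit the router-side commands; review them, then apply as root with:
#   router_rules | sh
router_rules() {
    # 1. Static route: university traffic leaves via the wireless box.
    printf '%s\n' "ip route add $UNI_NET via $WIRELESS_GW dev $LAN_IF"
    # 2. Hairpin forward: the packet arrives on the LAN interface and goes
    #    back out of it. Narrower than "-p all -i eth1 -o eth1 -j ACCEPT":
    #    only LAN sources, only towards the university range.
    printf '%s\n' "iptables -A FORWARD -i $LAN_IF -o $LAN_IF -s $LAN_NET -d $UNI_NET -j ACCEPT"
    # 3. Forwarding a packet back out the interface it arrived on makes the
    #    Linux kernel send ICMP Redirects, so clients may install a host route
    #    straight to the wireless box and bypass the router afterwards.
    #    Disable them to keep every packet passing the router's FORWARD chain.
    printf '%s\n' "sysctl -w net.ipv4.conf.$LAN_IF.send_redirects=0"
}

# Sanity check: how many emitted commands mention the university range.
count_uni_rules() { router_rules | grep -c -- "$UNI_NET"; }
```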
