I am trying to route packets between two internal/private subnets
10.1.1.0/24 and 10.1.2.0/24. The second subnet happens to be wireless.
I've read until my eyes bled and have been at this for several days.
I've tried a variety of different ways based on others' similar posted
attempts, and at this point things are a mess, as you will see below. In
addition to simple routing, I need to get my wireless printer working
too, which is essentially the real reason I'm doing this, and I'm hoping
that issue will be resolved by this as well.
This is a diagram of my network:
https://www.lucidchart.com/documents/edit/58779470-32c0-407d-8111-0b074b35ff4d/0?shared=true
These are the relevant rules:
iptables-save -c | grep RULE
[1:40] -A PREROUTING -i enp6s0 -p tcp -m multiport --dports 80,443 -m
comment --comment "RULE 1; in WAN port 80,443; rewrite dst as LAN
address" -j DNAT --to-destination 10.1.1.1
[1:328] -A PREROUTING -d 10.1.2.0/24 -m comment --comment "RULE 1A; if
source WLAN rewrite as LAN address" -j NETMAP --to 10.1.1.0/24
[26:3083] -A POSTROUTING -s 10.1.0.0/16 -o enp6s0 -m comment --comment
"RULE 2; after routing rewrite to WAN address iff src LAN or WLAN, out
WAN" -j MASQUERADE
[183:72318] -A FORWARD -i enp6s0 -o wlp2s0 -m conntrack --ctstate
RELATED,ESTABLISHED -m comment --comment "RULE 3; in WAN; out wireless,
iff established." -j ACCEPT
[0:0] -A FORWARD -d 10.1.1.0/24 -i wlp2s0 -o enp4s5 -m comment --comment
"RULE 4; in wireless out LAN; iff dst LAN" -j ACCEPT
[324:69828] -A FORWARD -s 10.1.0.0/16 ! -d 10.1.0.0/16 -o enp6s0 -m
comment --comment "RULE 5; src LAN or WLAN, dst not LAN nor WLAN, out
WAN" -j ACCEPT
[0:0] -A FORWARD -s 10.1.2.0/24 ! -d 10.1.0.0/16 -o enp6s0 -m comment
--comment "RULE 5w; src WLAN out WAN, iff dst not WLAN nor LAN" -j ACCEPT
[0:0] -A FORWARD -s 10.1.0.0/16 -d 10.1.2.0/24 -o wlp2s0 -m comment
--comment "RULE 8; src LAN or WLAN, dst WLAN, out WLAN" -j ACCEPT
[1:76] -A FORWARD -d 10.1.1.0/24 -i enp6s0 -o enp4s5 -m conntrack
--ctstate RELATED,ESTABLISHED -m comment --comment "RULE 6; in WAN out
LAN, iff established and dst LAN" -j ACCEPT
[0:0] -A FORWARD -d 10.1.1.0/24 -i enp6s0 -p tcp -m multiport --dports
80,443 -m comment --comment "RULE 7 supplies a target for RULE 1" -j ACCEPT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Some of them are obviously not getting hit, I don't know why. I'm not
really sure which I need, at this point I've grown dizzy from looking at
them.
Here are the full set of rules if you'd like to see, though the above I
think might suffice: http://fnpaste.com/qprP
Thank you in advance for your help!
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
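The quickest way to see why some of the counters above stay at zero is to walk a first packet through the chains in the order iptables does: nat PREROUTING, then the routing decision, then filter FORWARD, then nat POSTROUTING. The script below is an added example, not code from the post; it re-implements only the matches and targets that appear in the quoted rules, in the order they were listed. The routing table (10.1.1.0/24 via enp4s5, 10.1.2.0/24 via wlp2s0, everything else via enp6s0), the WAN address used for MASQUERADE, the FORWARD policy and the hosts in the sample packets are all assumptions; the rules elided from the full dump are not modelled, and only the first packet of a connection is traced.

```python
"""First-match walk of the quoted iptables rules (constructed example).

Assumptions, none of which are in the post: the routing table, the WAN
address substituted by MASQUERADE, and the FORWARD chain policy.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

ROUTES = {"10.1.1.0/24": "enp4s5", "10.1.2.0/24": "wlp2s0"}   # assumed
DEFAULT_IFACE = "enp6s0"                                        # assumed
WAN_ADDR = "203.0.113.7"            # assumed WAN address (TEST-NET-3)
FORWARD_POLICY = "DROP"             # assumed; the post does not show it


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str
    proto: str = "tcp"
    dport: int = 0
    ctstate: str = "NEW"
    out_if: str = ""          # filled in after the routing decision


def route(dst):
    for net, dev in ROUTES.items():
        if ip_address(dst) in ip_network(net):
            return dev
    return DEFAULT_IFACE


def match(p, in_if=None, out_if=None, src=None, dst=None, not_dst=None,
          dports=None, ctstate=None):
    """The subset of iptables matches used by the quoted rules."""
    if in_if and p.in_if != in_if:
        return False
    if out_if and p.out_if != out_if:
        return False
    if src and ip_address(p.src) not in ip_network(src):
        return False
    if dst and ip_address(p.dst) not in ip_network(dst):
        return False
    if not_dst and ip_address(p.dst) in ip_network(not_dst):
        return False
    if dports and (p.proto != "tcp" or p.dport not in dports):
        return False
    if ctstate and p.ctstate not in ctstate:
        return False
    return True


def netmap(addr, to_net):
    """NETMAP: keep the host bits of addr, swap in the target network bits."""
    net = ip_network(to_net)
    host_bits = int(ip_address(addr)) & int(net.hostmask)
    return str(ip_address(int(net.network_address) | host_bits))


EST = {"RELATED", "ESTABLISHED"}
# (name, match kwargs, target, target argument), in the order posted.
PREROUTING = [
    ("RULE 1", dict(in_if="enp6s0", dports={80, 443}), "DNAT", "10.1.1.1"),
    ("RULE 1A", dict(dst="10.1.2.0/24"), "NETMAP", "10.1.1.0/24"),
]
FORWARD = [
    ("RULE 3", dict(in_if="enp6s0", out_if="wlp2s0", ctstate=EST), "ACCEPT", None),
    ("RULE 4", dict(dst="10.1.1.0/24", in_if="wlp2s0", out_if="enp4s5"), "ACCEPT", None),
    ("RULE 5", dict(src="10.1.0.0/16", not_dst="10.1.0.0/16", out_if="enp6s0"), "ACCEPT", None),
    ("RULE 5w", dict(src="10.1.2.0/24", not_dst="10.1.0.0/16", out_if="enp6s0"), "ACCEPT", None),
    ("RULE 8", dict(src="10.1.0.0/16", dst="10.1.2.0/24", out_if="wlp2s0"), "ACCEPT", None),
    ("RULE 6", dict(dst="10.1.1.0/24", in_if="enp6s0", out_if="enp4s5", ctstate=EST), "ACCEPT", None),
    ("RULE 7", dict(dst="10.1.1.0/24", in_if="enp6s0", dports={80, 443}), "ACCEPT", None),
]
POSTROUTING = [
    ("RULE 2", dict(src="10.1.0.0/16", out_if="enp6s0"), "MASQUERADE", None),
]


def run_chain(p, chain, hits):
    """First matching rule wins; every target used here terminates the chain."""
    for name, kw, target, arg in chain:
        if not match(p, **kw):
            continue
        hits.append(name)
        if target == "DNAT":
            return replace(p, dst=arg), target
        if target == "NETMAP":
            return replace(p, dst=netmap(p.dst, arg)), target
        if target == "MASQUERADE":
            return replace(p, src=WAN_ADDR), target
        return p, "ACCEPT"
    return p, None


def trace(p):
    """PREROUTING -> routing -> FORWARD -> POSTROUTING for a connection's first packet."""
    hits = []
    p, _ = run_chain(p, PREROUTING, hits)
    p = replace(p, out_if=route(p.dst))
    p, verdict = run_chain(p, FORWARD, hits)
    if verdict is None:
        return hits, f"policy {FORWARD_POLICY}", p
    p, _ = run_chain(p, POSTROUTING, hits)
    return hits, "ACCEPT", p


if __name__ == "__main__":
    cases = {   # constructed sample packets; hosts are assumed
        "LAN -> wireless printer": Packet("10.1.1.50", "10.1.2.20", "enp4s5", dport=9100),
        "wireless -> LAN": Packet("10.1.2.20", "10.1.1.50", "wlp2s0", dport=22),
        "wireless -> Internet": Packet("10.1.2.20", "198.51.100.9", "wlp2s0", dport=443),
    }
    for label, pkt in cases.items():
        hits, verdict, out = trace(pkt)
        print(f"{label:24s} hits={hits} verdict={verdict} src={out.src} dst={out.dst} out={out.out_if}")
```

Run it and three things line up with the zero counters in the dump. A LAN-to-wireless packet matches RULE 1A in PREROUTING before routing, because that rule matches on destination, not on a wireless source as its comment says, so its destination is rewritten into 10.1.1.0/24, it is routed back toward enp4s5, and RULE 8 can never see a packet with a 10.1.2.0/24 destination. A wireless-to-Internet packet is accepted by RULE 5 before RULE 5w is reached, so RULE 5w is shadowed and stays at zero. A wireless-to-LAN packet does match RULE 4, so its zero counter means such packets are not reaching the FORWARD chain at all, which is worth confirming with tcpdump on wlp2s0 before touching the rules further.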