Just one question: have you set "net.ipv4.ip_forward" to 1? (Check with the command "sudo sysctl net.ipv4.ip_forward".)

Best regards
André Paulsberg-Csibi
Senior Network Engineer
IBM Services AS

-----Original Message-----
From: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of A
Sent: Friday, 16 February 2018 06:53
To: netfilter@xxxxxxxxxxxxxxx
Subject: Re: using iptables to route between subnets

On 02/15/2018 08:15 PM, zrm wrote:
> On 02/15/2018 09:25 PM, A wrote:
>> I am trying to route packets between two internal/private subnets
>> 10.1.1.0/24 and 10.1.2.0/24. The second subnet happens to be wireless.
>>
>> I've read until my eyes bled and have been at this for several days.
>> I've tried a variety of different ways based on others' similar
>> posted attempts, and at this point things are a mess as you will see
>> below. In addition to simple routing, I need to get my wireless
>> printer working too, which is essentially the real reason I'm doing
>> this, and I'm hoping that issue will be resolved by this as well.
>>
>>
>> This is a diagram of my network:
>> https://www.lucidchart.com/documents/edit/58779470-32c0-407d-8111-0b074b35ff4d/0?shared=true
>>
>>
>> These are the relevant rules:
>>
>> iptables-save -c | grep RULE
>>
>>
>> [1:40] -A PREROUTING -i enp6s0 -p tcp -m multiport --dports 80,443 -m comment --comment "RULE 1; in WAN port 80,443; rewrite dst as LAN address" -j DNAT --to-destination 10.1.1.1
>> [1:328] -A PREROUTING -d 10.1.2.0/24 -m comment --comment "RULE 1A; if source WLAN rewrite as LAN address" -j NETMAP --to 10.1.1.0/24
>> [26:3083] -A POSTROUTING -s 10.1.0.0/16 -o enp6s0 -m comment --comment "RULE 2; after routing rewrite to WAN address iff src LAN or WLAN, out WAN" -j MASQUERADE
>> [183:72318] -A FORWARD -i enp6s0 -o wlp2s0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "RULE 3; in WAN; out wireless, iff established." -j ACCEPT
>> [0:0] -A FORWARD -d 10.1.1.0/24 -i wlp2s0 -o enp4s5 -m comment --comment "RULE 4; in wireless out LAN; iff dst LAN" -j ACCEPT
>> [324:69828] -A FORWARD -s 10.1.0.0/16 ! -d 10.1.0.0/16 -o enp6s0 -m comment --comment "RULE 5; src LAN or WLAN, dst not LAN nor WLAN, out WAN" -j ACCEPT
>> [0:0] -A FORWARD -s 10.1.2.0/24 ! -d 10.1.0.0/16 -o enp6s0 -m comment --comment "RULE 5w; src WLAN out WAN, iff dst not WLAN nor LAN" -j ACCEPT
>> [0:0] -A FORWARD -s 10.1.0.0/16 -d 10.1.2.0/24 -o wlp2s0 -m comment --comment "RULE 8; src LAN or WLAN, dst WLAN, out WLAN" -j ACCEPT
>> [1:76] -A FORWARD -d 10.1.1.0/24 -i enp6s0 -o enp4s5 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "RULE 6; in WAN out LAN, iff established and dst LAN" -j ACCEPT
>> [0:0] -A FORWARD -d 10.1.1.0/24 -i enp6s0 -p tcp -m multiport --dports 80,443 -m comment --comment "RULE 7 supplies a target for RULE 1" -j ACCEPT
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Some of them are obviously not getting hit, I don't know why. I'm not
>> really sure which I need; at this point I've grown dizzy from looking
>> at them.
>>
>>
>> Here is the full set of rules if you'd like to see it, though the above
>> I think might suffice: http://fnpaste.com/qprP
>>
>> Thank you in advance for your help!
>
> That is more complicated than it needs to be. Also, you have a NETMAP
> rule in there which is probably causing problems.
>
> Try getting rid of that and replacing all the FORWARD rules with this:
>
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i enp4s5 -s 10.1.1.0/24 -j ACCEPT
> -A FORWARD -i wlp2s0 -s 10.1.2.0/24 -j ACCEPT
> -A FORWARD -j REJECT
>

Thank you for responding! I have done as you suggested. Is this closer
http://fnpaste.com/goQN to what you were suggesting? It's still not working.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
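The two pieces of advice in this thread (André's ip_forward check and zrm's four-rule FORWARD chain) fit together in one script. The following is an added example, not code posted by anyone in the thread or shipped by the netfilter project. It reuses the interface names (enp6s0 WAN, enp4s5 LAN, wlp2s0 WLAN) and subnets from A's rules and keeps A's MASQUERADE rule; the `:FORWARD DROP` policy and the `iptables-restore --test` syntax check are my additions, not part of zrm's suggestion.

```shell
#!/bin/sh
# Added example: verify that the kernel will forward at all, then emit zrm's
# minimal FORWARD chain plus the MASQUERADE rule in iptables-restore format.
# Interface names and subnets are taken from the thread; adjust to your host.
WAN=enp6s0
LAN=enp4s5
WLAN=wlp2s0
LAN_NET=10.1.1.0/24
WLAN_NET=10.1.2.0/24

# Returns 0 when forwarding is on, 1 when it is off, 2 if the knob is unreadable.
# The path is a parameter so the same check works against a fixture or a copy
# of the sysctl file, not only the live kernel.
ip_forward_enabled() {
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ -r "$f" ] || return 2
  [ "$(tr -d '[:space:]' < "$f")" = "1" ]
}

# Prints the ruleset. Order matters: reply traffic is accepted first by
# conntrack state, then each inside interface may start new flows (matched on
# both ingress interface and source prefix, so a spoofed source on the wrong
# interface is rejected), and everything else, including unsolicited traffic
# arriving from the WAN, hits the final REJECT. The DROP policy is only a
# backstop in case the REJECT line is ever removed.
forward_ruleset() {
  cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN -s $LAN_NET -j ACCEPT
-A FORWARD -i $WLAN -s $WLAN_NET -j ACCEPT
-A FORWARD -j REJECT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.1.0.0/16 -o $WAN -j MASQUERADE
COMMIT
EOF
}

main() {
  if ip_forward_enabled; then
    echo "net.ipv4.ip_forward=1: OK"
  else
    echo "net.ipv4.ip_forward is not 1; enable it with: sysctl -w net.ipv4.ip_forward=1" >&2
    exit 1
  fi
  # Parse the ruleset without committing it. Needs root and iptables-restore;
  # drop --test once the output looks right and you want to load it.
  forward_ruleset | iptables-restore --test
}

# Only touch the live system when explicitly asked.
if [ "${1:-}" = "--check" ]; then
  main
fi
```

Two caveats a practitioner will hit: `iptables-restore` flushes every chain of the tables it mentions (here `filter` and `nat`), so this fragment is for `--test` or for merging into the full ruleset, not for loading on its own next to existing INPUT rules; and zrm's chain rejects NEW connections from the WAN, so the port 80/443 DNAT from A's original RULE 1 would need its own FORWARD accept for the DNAT'd destination if that part is still wanted.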