Re: SV: using iptables to route between subnets

[A <publicface@xxxxxxxxxx>]

whoops.  Posted the wrong value a few seconds ago.  Here's the requested 
one.

# sudo sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1



On 02/16/2018 08:13 AM, A wrote:
> # sudo sysctl net.ipv6.conf.all.forwarding
> net.ipv6.conf.all.forwarding = 1
>
>
> On 02/16/2018 01:08 AM, André Paulsberg-Csibi (IBM Consultant) wrote:
> > Just one question , have you set the "net.ipv4.ip_forward" to 1 ( 
> > check with command ) :
> >
> > "sudo sysctl net.ipv4.ip_forward"
> >
> >
> > Best regards
> > André Paulsberg-Csibi
> > Senior Network Engineer
> > IBM Services AS
> >
> > -----Opprinnelig melding-----
> > Fra: netfilter-owner@xxxxxxxxxxxxxxx 
> > [mailto:netfilter-owner@xxxxxxxxxxxxxxx] På vegne av A
> > Sendt: fredag 16. februar 2018 06.53
> > Til: netfilter@xxxxxxxxxxxxxxx
> > Emne: Re: using iptables to route between subnets
> >
> >
> >
> > On 02/15/2018 08:15 PM, zrm wrote:
> > > On 02/15/2018 09:25 PM, A wrote:
> > > > I am trying to route packets between two internal/private subnets
> > > > 10.1.1.0/24 and 10.1.2.0/24 .  The second subnet happens to be 
> > > > wireless.
> > > >
> > > > I've read until my eyes bled and have been at this for several days.
> > > > I've tried a variety of different ways based on other's similar
> > > > posted attempts, and at this point things are a mess as you will see
> > > > below.  In addition to simple routing, I need to get my wireless
> > > > printer working too, which is essentially the real reason I'm doing
> > > > this, and I'm hoping that issue will be resolved by this as well.
> > > >
> > > >
> > > > This is a diagram of my network:
> > > > https://www.lucidchart.com/documents/edit/58779470-32c0-407d-8111-0b0
> > > > 74b35ff4d/0?shared=true
> > > >
> > > >
> > > > These are the relevant rules:
> > > >
> > > > iptables-save -c | grep RULE
> > > >
> > > >
> > > > [1:40] -A PREROUTING -i enp6s0 -p tcp -m multiport --dports 80,443 -m
> > > > comment --comment "RULE 1; in WAN port 80,443; rewrite dst as LAN
> > > > address" -j DNAT --to-destination 10.1.1.1 [1:328] -A PREROUTING -d
> > > > 10.1.2.0/24 -m comment --comment "RULE 1A; if source WLAN rewrite as
> > > > LAN address" -j NETMAP --to 10.1.1.0/24 [26:3083] -A POSTROUTING -s
> > > > 10.1.0.0/16 -o enp6s0 -m comment --comment "RULE 2; after routing
> > > > rewrite to WAN address iff src LAN or WLAN, out WAN" -j MASQUERADE
> > > > [183:72318] -A FORWARD -i enp6s0 -o wlp2s0 -m conntrack --ctstate
> > > > RELATED,ESTABLISHED -m comment --comment "RULE 3; in WAN; out
> > > > wireless, iff established." -j ACCEPT [0:0] -A FORWARD -d 10.1.1.0/24
> > > > -i wlp2s0 -o enp4s5 -m comment --comment "RULE 4; in wireless out
> > > > LAN; iff dst LAN" -j ACCEPT [324:69828] -A FORWARD -s 10.1.0.0/16 !
> > > > -d 10.1.0.0/16 -o enp6s0 -m comment --comment "RULE 5; src LAN or
> > > > WLAN, dst not LAN nor WLAN, out WAN" -j ACCEPT [0:0] -A FORWARD -s
> > > > 10.1.2.0/24 ! -d 10.1.0.0/16 -o enp6s0 -m comment --comment "RULE 5w;
> > > > src WLAN out WAN, iff dst not WLAN nor LAN" -j ACCEPT [0:0] -A
> > > > FORWARD -s 10.1.0.0/16 -d 10.1.2.0/24 -o wlp2s0 -m comment --comment
> > > > "RULE 8; src LAN or WLAN, dst WLAN, out WLAN" -j ACCEPT [1:76] -A
> > > > FORWARD -d 10.1.1.0/24 -i enp6s0 -o enp4s5 -m conntrack --ctstate
> > > > RELATED,ESTABLISHED -m comment --comment "RULE 6; in WAN out LAN, iff
> > > > established and dst LAN" -j ACCEPT [0:0] -A FORWARD -d 10.1.1.0/24 -i
> > > > enp6s0 -p tcp -m multiport --dports 80,443 -m comment --comment "RULE
> > > > 7 supplies a target for RULE 1" -j ACCEPT
> > > >
> > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > >
> > > > Some of them are obviously not getting hit, I don't know why. I'm not
> > > > really sure which I need, at this point I've grown dizzy from looking
> > > > at them.
> > > >
> > > >
> > > > Here are the full set of rules if you'd like to see, though the above
> > > > I think might suffice: http://fnpaste.com/qprP
> > > >
> > > > Thank you in advance for your help!
> > > That is more complicated than it needs to be. Also, you have a NETMAP
> > > rule in there which is probably causing problems.
> > >
> > > Try getting rid of that and replacing all the FORWARD rules with this:
> > >
> > > -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A
> > > FORWARD -i enp4s5 -s 10.1.1.0/24 -j ACCEPT -A FORWARD -i wlp2s0 -s
> > > 10.1.2.0/24 -j ACCEPT -A FORWARD -j REJECT
> > Thank you for responding!  I have done as you suggested.  Is this 
> > closer  http://fnpaste.com/goQN to what you were suggesting?  It's 
> > still not working.
> > --
> > To unsubscribe from this list: send the line "unsubscribe netfilter" 
> > in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo 
> > info at http://vger.kernel.org/majordomo-info.html
> > N�����r��y���b�X��ǧv�^�)޺{.n�+���z��׫�{ay�ʇڙ�,j��f���h���z��w������j:+v���w�j�m��������zZ+�����ݢj"��!tml= 
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html