> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Harry Hoffman
> Sent: Friday, July 08, 2011 8:24 AM
> To: General Red Hat Linux discussion list
> Subject: Re: IPtables router / gateway
>
> You need to change the default gateway on your servers to be the new Linux box and then use an interior routing protocol on that box to talk to its next hop router, or set up static routes.
> Cheers,
> Harry
>
> Steven Buehler <steve@xxxxxxxxxxxx> wrote:
>
> > I am running some servers in a data center and I have now been informed that since I have a Class C of IP's, I have to be my own gateway, as they are making some changes because of a buyout. I have an extra server with 2 NICs to do this with, but everything I can find on the internet for iptables is for NATing public IP's on eth0 to local IP's through eth1. I can do that, as I have for another company, forwarding remote IP's to the LAN IP address of a server. I need this server to be set up with the 22.22.22.1 IP as the gateway and forward all other IP's in that netblock to the internal interface, and allow all of those machines total access to the internet through this server as the gateway. I don't want to use NAT, as some of the software I am running would have MAJOR problems with that. Plus, I don't want to have to change all of the IP's that are already on the other servers using the provider as the gateway.

Ok, so my Linux box is the gateway at 22.22.22.1. My other servers are already set up to use 22.22.22.1 as the default gateway, but at the moment I am NOT my own default gateway. I have to get my script correct first so that the server is ready when the upstream provider switches me. Here is my script to set it up. Can you see anything that is missing?
I am sure that I have the forwarding rules wrong, as I want anything coming from one of my servers to look like it is coming from its IP (example: 22.22.22.28) and not from the gateway IP. If I read correctly, the MASQUERADE would make all of the IP's look like the gateway IP, correct? Anyway, here is my script for the Linux box to use as gateway router. My internal LAN address for eth1 is 192.168.3.12, but all of my internal servers need to use the public IP that I have assigned to them. Some of my internal servers only have one NIC on them (old).

#!/bin/sh
#
# To make sure that forwarding stays on, edit /etc/sysctl.conf and change 0 to 1 for
# net.ipv4.ip_forward = 1

# The location of the iptables and kernel module programs
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
IFCONFIG=/sbin/ifconfig
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed

#Setting the EXTERNAL and INTERNAL interfaces for the network
EXTIF="eth0"
INTIF="eth1"
EXTIP="`$IFCONFIG $EXTIF | $GREP 'inet addr' | $AWK '{print $2}' | $SED -e 's/.*://'`"
INTIP="`$IFCONFIG $INTIF | $GREP 'inet addr' | $AWK '{print $2}' | $SED -e 's/.*://'`"
echo "   External Interface:  $EXTIF $EXTIP"
echo "   Internal Interface:  $INTIF $INTIP"

echo -en "   loading modules: "

# Need to verify that all modules have all required dependencies
#
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a

echo "----------------------------------------------------------------------"

#Load the main body of the IPTABLES module - "iptable"
echo -en "ip_tables, "
$MODPROBE ip_tables

#Load the stateful connection tracking framework - "ip_conntrack"
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack

#Load the FTP tracking mechanism for full FTP tracking
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp

#Load the IRC tracking mechanism for full IRC tracking
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc

#Load the general IPTABLES NAT code - "iptable_nat"
echo -en "iptable_nat, "
$MODPROBE iptable_nat

#Loads the FTP NAT functionality into the core IPTABLES code
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp

echo -en "ipt_masquerade, "
$MODPROBE ipt_MASQUERADE

#Loads the IRC NAT functionality into the core IPTABLES code
# Required to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next two lines to activate
#
#echo -e "ip_nat_irc"
#$MODPROBE ip_nat_irc

echo "----------------------------------------------------------------------"
echo -e "   Done loading modules.\n"

#CRITICAL: Enable IP forwarding since it is disabled by default
echo "   Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

#Clearing any previous configuration
echo "   Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
#$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 22 -j ACCEPT
$IPTABLES -A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT

###############################################################################
# PUT FORWARDING RULES BELOW. YOU NEED A FORWARD AND PREROUTING FOR EACH ONE  #
###############################################################################

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG

echo "   Enabling SNAT (MASQUERADE) functionality on $INTIF"
$IPTABLES -t nat -A POSTROUTING -o $INTIF -j MASQUERADE

########################
# END FORWARDING RULES #
########################

$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
$IPTABLES -A INPUT -j REJECT --reject-with icmp-host-prohibited
$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

echo -e "\ndone.\n"

-- 
redhat-list mailing list
https://www.redhat.com/mailman/listinfo/redhat-list
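The routed, NAT-free gateway the post is asking for, as an added example that is not the poster's script and not part of the original thread. It assumes the block is 22.22.22.0/24 (the thread's example addresses), that eth1 carries 22.22.22.1 and faces the servers, and that the upstream routes the /24 to this box's eth0 address; the DRY_RUN switch and the two function names are my own.

```shell
#!/bin/sh
# Added example, not the poster's script: a routed (no-NAT) gateway for the
# thread's public block. Assumed: 22.22.22.0/24 is the block, eth0 faces the
# upstream (which must route the /24 to this box's eth0 address), eth1 faces
# the servers and carries 22.22.22.1. DRY_RUN=1 prints the commands instead
# of applying them, so the rule set can be reviewed without root.
EXTIF="eth0"
INTIF="eth1"
LAN="22.22.22.0/24"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

apply_gateway_rules() {
    # Forwarding on now; net.ipv4.ip_forward = 1 in /etc/sysctl.conf keeps it on.
    run sysctl -w net.ipv4.ip_forward=1

    # Clean slate with a DROP default on FORWARD, so only listed traffic crosses.
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # The gateway itself: loopback, replies, ICMP, and SSH for administration.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p icmp -j ACCEPT
    run iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # Routed forwarding: no POSTROUTING MASQUERADE/SNAT, so each server's packets
    # leave with the server's own public address. Only our block may originate
    # on the inside (anti-spoofing); anything else arriving on eth1 is dropped.
    run iptables -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -j ACCEPT
    run iptables -A FORWARD -i "$INTIF" -o "$EXTIF" -j DROP
    # Inbound: replies always; new connections to the servers pass through too,
    # since they are publicly addressed and keep their own host firewalls.
    # Narrow the last ACCEPT to specific --dports to filter at the gateway instead.
    run iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$LAN" -j ACCEPT
    run iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: "
}

# Review helper: number of rules in the dry-run output that rewrite addresses.
# For a routed gateway this must be 0.
count_nat_rules() {
    DRY_RUN=1 apply_gateway_rules | grep -c -E 'MASQUERADE|SNAT' || true
}
```

Run with DRY_RUN=1 first and check that count_nat_rules prints 0; the servers keep 22.22.22.1 as their default gateway, so nothing changes on them.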