Makes perfect sense. Thank you SOOOOOOOO much. I am headed to the data
center now to put this into place.

> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-
> bounces@xxxxxxxxxx] On Behalf Of Harry Hoffman
> Sent: Friday, July 08, 2011 1:53 PM
> To: General Red Hat Linux discussion list
> Subject: Re: IPtables router / gateway
>
> Hi Steve,
>
> I think you are over-thinking this problem...
>
> If I understand you correctly (and please correct me if I'm wrong), you
> want to act purely as a router. That is, to pass traffic from one IP
> address to the next without any manipulation of the addresses
> (SNAT/DNAT).
>
> You have a setup that looks something like:
>
> ISP_GW<--eth0>UR_LINUX_BOX<eth1-->YOUR_SERVERS
>
> Where all are public IP addresses.
>
> In order to accomplish this, all that you need to do is set up IP
> forwarding on your Linux gateway and then pass all forwarded packets.
> You don't want to do any SNAT/DNAT at all.
>
> Ensure that you have the following line in /etc/sysctl.conf:
> net.ipv4.ip_forward = 1
>
> Then ensure that /etc/sysconfig/iptables allows forwarding:
> *filter
> ...
> :FORWARD ACCEPT [0:0]
> ...
>
>
> eth0 should be a different subnet than eth1. And since you already have
> your clients set up to use eth1 as the default gateway, eth0 just needs
> to know where to send things that aren't on its own network.
>
> Does this make sense?
>
> Cheers,
> Harry
>
>
> On 07/08/2011 01:24 PM, Steven Buehler wrote:
> >
> >
> >> -----Original Message-----
> >> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-
> >> bounces@xxxxxxxxxx] On Behalf Of Harry Hoffman
> >> Sent: Friday, July 08, 2011 8:24 AM
> >> To: General Red Hat Linux discussion list
> >> Subject: Re: IPtables router / gateway
> >>
> >> You need to change the default gateway on your servers to be the new
> >> Linux box and then use an interior routing protocol on that box to
> >> talk to its next hop router or set up static routes.
> >>
> >> Cheers,
> >> Harry
> >>
> >> Steven Buehler <steve@xxxxxxxxxxxx> wrote:
> >>
> >>> I am running some servers in a data center and I have now been
> >>> informed that since I have a Class C of IP's, that I have to be my
> >>> own gateway as they are making some changes because of a buyout. I
> >>> have an extra server with 2 NICs to do this with, but everything I
> >>> can find on the internet for iptables is for NATing public IP's on
> >>> eth0 to local IP's through eth1. I can do that as I have for
> >>> another company forwarding remote IP's to the LAN IP address of a
> >>> server. I need this server to be set up with the 22.22.22.1 IP as
> >>> the gateway and forward all other IP's in that netblock to the
> >>> internal interface and allow all of those machines total access to
> >>> the internet through this server as the gateway and don't want to
> >>> use NAT as some of the software I am running would have MAJOR
> >>> problems with that. Plus, I don't want to have to change all of the
> >>> IP's that are already on the other servers using the provider as
> >>> the gateway.
> >>>
> >
> >
> > Ok, so if my linux box is the gateway of 22.22.22.1. My other servers
> > are already set up to use 22.22.22.1 as the default gateway, but at
> > the moment I am NOT my own default gateway. I have to get my script
> > correct first so that the server is ready when the upstream provider
> > switches me. Here is my script to set it up. Can you see anything
> > that is missing? I am sure that I have the forwarding rules wrong as
> > I want anything coming from one of my servers to look like it is
> > coming from its IP (Example 22.22.22.28) and not from the gateway IP.
> > If I read correctly, the MASQUERADE would make all of the IP's look
> > like the gateway IP, correct? Anyway, here is my script for the linux
> > box to use as gateway router. My internal LAN address for eth1 is
> > 192.168.3.12 but all of my internal servers need to use the public IP
> > that I have assigned to them. Some of my internal servers only have
> > one NIC on them (old).
> >
> > #!/bin/sh
> > #
> > # To make sure that forwarding stays on, edit /etc/sysctl.conf and
> > # change 0 to 1 for
> > # net.ipv4.ip_forward = 1
> > # The location of the iptables and kernel module programs
> > IPTABLES=/sbin/iptables
> > DEPMOD=/sbin/depmod
> > MODPROBE=/sbin/modprobe
> > IFCONFIG=/sbin/ifconfig
> > GREP=/bin/grep
> > AWK=/bin/awk
> > SED=/bin/sed
> >
> > #Setting the EXTERNAL and INTERNAL interfaces for the network
> > EXTIF="eth0"
> > INTIF="eth1"
> > EXTIP="`$IFCONFIG $EXTIF | $GREP 'inet addr' | $AWK '{print $2}' | $SED -e 's/.*://'`"
> > INTIP="`$IFCONFIG $INTIF | $GREP 'inet addr' | $AWK '{print $2}' | $SED -e 's/.*://'`"
> > echo " External Interface: $EXTIF $EXTIP"
> > echo " Internal Interface: $INTIF $INTIP"
> >
> >
> > echo -en " loading modules: "
> >
> > # Need to verify that all modules have all required dependencies
> > #
> > echo " - Verifying that all kernel modules are ok"
> > $DEPMOD -a
> >
> > echo "----------------------------------------------------------------------"
> >
> > #Load the main body of the IPTABLES module - "iptable"
> > echo -en "ip_tables, "
> > $MODPROBE ip_tables
> >
> > #Load the stateful connection tracking framework - "ip_conntrack"
> > echo -en "ip_conntrack, "
> > $MODPROBE ip_conntrack
> >
> > #Load the FTP tracking mechanism for full FTP tracking
> > echo -en "ip_conntrack_ftp, "
> > $MODPROBE ip_conntrack_ftp
> >
> > #Load the IRC tracking mechanism for full IRC tracking
> > echo -en "ip_conntrack_irc, "
> > $MODPROBE ip_conntrack_irc
> >
> > #Load the general IPTABLES NAT code - "iptable_nat"
> > echo -en "iptable_nat, "
> > $MODPROBE iptable_nat
> >
> > #Loads the FTP NAT functionality into the core IPTABLES code
> > echo -en "ip_nat_ftp, "
> > $MODPROBE ip_nat_ftp
> >
> > echo -en "ipt_masquerade, "
> > $MODPROBE ipt_MASQUERADE
> >
> > #Loads the IRC NAT functionality into the core IPTABLES code
> > # Required to support NAT of IRC DCC requests
> > #
> > # Disabled by default -- remove the "#" on the next line to activate
> > #
> > echo -e "ip_nat_irc"
> > $MODPROBE ip_nat_irc
> >
> > echo "----------------------------------------------------------------------"
> >
> > echo -e " Done loading modules.\n"
> >
> > #CRITICAL: Enable IP forwarding since it is disabled by default since
> > echo " Enabling forwarding.."
> > echo "1" > /proc/sys/net/ipv4/ip_forward
> >
> > #Clearing any previous configuration
> > echo " Clearing any existing rules and setting default policy.."
> > $IPTABLES -P INPUT ACCEPT
> > $IPTABLES -F INPUT
> > $IPTABLES -P OUTPUT ACCEPT
> > $IPTABLES -F OUTPUT
> > #$IPTABLES -P FORWARD DROP
> > $IPTABLES -F FORWARD
> > $IPTABLES -t nat -F
> >
> > $IPTABLES -A INPUT -i lo -j ACCEPT
> > $IPTABLES -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 22 -j ACCEPT
> > $IPTABLES -A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> >
> >
> > ###############################################################################
> > # PUT FORWARDING RULES BELOW. YOU NEED A FORWARD AND PREROUTING FOR EACH ONE #
> > ###############################################################################
> >
> > echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> > $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> >
> > echo " FWD: Allow all connections OUT and only existing and related ones IN"
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> > $IPTABLES -A FORWARD -j LOG
> >
> > echo " Enabling SNAT (MASQUERADE) functionality on $INTIF"
> > $IPTABLES -t nat -A POSTROUTING -o $INTIF -j MASQUERADE
> >
> > ########################
> > # END FORWARDING RULES #
> > ########################
> >
> > $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> > $IPTABLES -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> > $IPTABLES -A INPUT -j REJECT --reject-with icmp-host-prohibited
> >
> > $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> >
> > echo -e "\ndone.\n"
> >
> >
> >
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
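Harry's answer boils down to three settings: ip_forward on, a filter table that lets forwarded packets through, and no nat table at all, because any MASQUERADE/SNAT rule would rewrite the servers' source addresses to the gateway's (exactly what Steven wants to avoid). The script below is an added example written for this thread; it is not Steven's script, Harry's configuration, or anything else posted to the list. It emits that ruleset in iptables-restore format and includes a small audit function for checking a running box. It goes one step beyond Harry's ":FORWARD ACCEPT": forwarded traffic defaults to DROP, the server block may open anything outbound, inbound is limited to replies and the listed services, and packets arriving on the inside interface with a source outside the server block are dropped (anti-spoofing). Interface names eth0/eth1 and the 22.22.22.0/24 block are placeholders taken from the thread; the inbound service ports 80 and 443 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates an iptables-restore
# ruleset for the no-NAT router Harry describes:
#   ISP_GW <--eth0> LINUX_BOX <eth1--> SERVERS   (public IPs on both sides)
# Interface names and the 22.22.22.0/24 block are placeholders taken from
# the thread; ports 80/443 are assumed example services. Replace all of
# them with your own.

# gen_router_ruleset EXTIF INTIF SERVER_NET
# Prints a complete filter-table ruleset. There is deliberately no *nat
# section: nothing is MASQUERADEd, so each server's own public address is
# what the Internet sees. Compared with Harry's ":FORWARD ACCEPT" this is
# the stricter form: routed traffic is allowed out from the server block,
# back in only as replies or to listed services, and the rest is logged
# and dropped.
gen_router_ruleset() {
    extif=$1
    intif=$2
    servernet=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# --- traffic addressed to the gateway itself ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# --- routed traffic; no address rewriting anywhere ---
# Anti-spoofing: only the server block may source packets on the inside
-A FORWARD -i $intif ! -s $servernet -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $intif -o $extif -s $servernet -j ACCEPT
# Services the servers publish to the Internet; one line per service
-A FORWARD -i $extif -o $intif -d $servernet -p tcp --dport 80 -j ACCEPT
-A FORWARD -i $extif -o $intif -d $servernet -p tcp --dport 443 -j ACCEPT
-A FORWARD -j LOG --log-prefix "FWD-DROP: "
-A FORWARD -j DROP
COMMIT
EOF
}

# ruleset_uses_nat: read a ruleset in iptables-save format on stdin and
# succeed (exit 0) if it rewrites addresses anywhere. Pipe the output of
# `iptables-save` through it to confirm a box really is a plain router.
ruleset_uses_nat() {
    grep -Eq -- '-j (MASQUERADE|SNAT|DNAT|NETMAP)'
}

# apply_router_config EXTIF INTIF SERVER_NET: needs root. Enables
# forwarding in the running kernel and loads the ruleset atomically.
# Persist both as Harry says: "net.ipv4.ip_forward = 1" in
# /etc/sysctl.conf and the ruleset saved to /etc/sysconfig/iptables.
apply_router_config() {
    sysctl -w net.ipv4.ip_forward=1
    gen_router_ruleset "$1" "$2" "$3" | iptables-restore
}

# Only touch the kernel when explicitly asked: ./router.sh apply
# Without the argument the script just prints the ruleset for review.
if [ "${1:-}" = "apply" ]; then
    apply_router_config eth0 eth1 22.22.22.0/24
else
    gen_router_ruleset eth0 eth1 22.22.22.0/24
fi
```

Run it without arguments to review the ruleset, then `./router.sh apply` as root once the upstream provider has switched the next hop. To audit an existing gateway, `iptables-save | ruleset_uses_nat && echo "address rewriting present"` flags any leftover MASQUERADE or SNAT/DNAT rule. The `-m state` match is the older spelling used throughout the thread; on current kernels `-m conntrack --ctstate` is the equivalent.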