Steve,

One other thing is that for new incoming traffic your upstream ISP will
need to know to forward all of your /24 traffic to your linux box,
otherwise things won't work.

Cheers,
Harry

On 07/08/2011 03:12 PM, Steven Buehler wrote:
> Makes perfect sense. Thank you SOOOOOOOO much. I am headed to the data
> center now to put this into place.
>
>> -----Original Message-----
>> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-
>> bounces@xxxxxxxxxx] On Behalf Of Harry Hoffman
>> Sent: Friday, July 08, 2011 1:53 PM
>> To: General Red Hat Linux discussion list
>> Subject: Re: IPtables router / gateway
>>
>> Hi Steve,
>>
>> I think you are over-thinking this problem...
>>
>> If I understand you correctly (and please correct me if I'm wrong), you
>> want to act purely as a router. That is, to pass traffic from one IP
>> address to the next without any manipulation of the addresses
>> (SNAT/DNAT).
>>
>> You have a setup that looks something like:
>>
>> ISP_GW<--eth0>UR_LINUX_BOX<eth1-->YOUR_SERVERS
>>
>> Where all are public IP addresses.
>>
>> In order to accomplish this, all that you need to do is set up IP
>> forwarding on your linux gateway and then pass all forwarded packets.
>> You don't want to do any SNAT/DNAT at all.
>>
>> Ensure that you have the following line in /etc/sysctl.conf:
>> net.ipv4.ip_forward = 1
>>
>> Then ensure that /etc/sysconfig/iptables allows forwarding:
>> *filter
>> ...
>> :FORWARD ACCEPT [0:0]
>> ...
>>
>> eth0 should be a different subnet than eth1. And since you already have
>> your clients set up to use eth1 as the default gateway, eth0 just needs
>> to know where to send things that aren't on its own network.
>>
>> Does this make sense?
>>
>> Cheers,
>> Harry
>>
>> On 07/08/2011 01:24 PM, Steven Buehler wrote:
>>>
>>>> -----Original Message-----
>>>> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-
>>>> bounces@xxxxxxxxxx] On Behalf Of Harry Hoffman
>>>> Sent: Friday, July 08, 2011 8:24 AM
>>>> To: General Red Hat Linux discussion list
>>>> Subject: Re: IPtables router / gateway
>>>>
>>>> You need to change the default gateway on your servers to be the new
>>>> Linux box and then use an interior routing protocol on that box to
>>>> talk to its next hop router, or set up static routes.
>>>> Cheers,
>>>> Harry
>>>>
>>>> Steven Buehler <steve@xxxxxxxxxxxx> wrote:
>>>>
>>>>> I am running some servers in a data center and I have now been
>>>>> informed that since I have a Class C of IPs, I have to be my own
>>>>> gateway, as they are making some changes because of a buyout. I
>>>>> have an extra server with 2 NICs to do this with, but everything I
>>>>> can find on the internet for iptables is for NATing public IPs on
>>>>> eth0 to local IPs through eth1. I can do that, as I have for
>>>>> another company, forwarding remote IPs to the LAN IP address of a
>>>>> server. I need this server to be set up with the 22.22.22.1 IP as
>>>>> the gateway and forward all other IPs in that netblock to the
>>>>> internal interface and allow all of those machines total access to
>>>>> the internet through this server as the gateway, and I don't want to
>>>>> use NAT as some of the software I am running would have MAJOR
>>>>> problems with that. Plus, I don't want to have to change all of the
>>>>> IPs that are already on the other servers using the provider as the
>>>>> gateway.
>>>>>
>>>
>>> Ok, so my linux box is the gateway at 22.22.22.1. My other servers
>>> are already set up to use 22.22.22.1 as the default gateway, but at
>>> the moment I am NOT my own default gateway. I have to get my script
>>> correct first so that the server is ready when the upstream provider
>>> switches me. Here is my script to set it up. Can you see anything
>>> that is missing? I am sure that I have the forwarding rules wrong, as
>>> I want anything coming from one of my servers to look like it is
>>> coming from its IP (example 22.22.22.28) and not from the gateway IP.
>>> If I read correctly, the MASQUERADE would make all of the IPs look
>>> like the gateway IP, correct? Anyway, here is my script for the linux
>>> box to use as gateway router. My internal LAN address for eth1 is
>>> 192.168.3.12, but all of my internal servers need to use the public IP
>>> that I have assigned to them. Some of my internal servers only have
>>> one NIC on them (old).
>>>
>>> #!/bin/sh
>>> #
>>> # To make sure that forwarding stays on, edit /etc/sysctl.conf and
>>> # change 0 to 1 for
>>> # net.ipv4.ip_forward = 1
>>>
>>> # The location of the iptables and kernel module programs
>>> IPTABLES=/sbin/iptables
>>> DEPMOD=/sbin/depmod
>>> MODPROBE=/sbin/modprobe
>>> IFCONFIG=/sbin/ifconfig
>>> GREP=/bin/grep
>>> AWK=/bin/awk
>>> SED=/bin/sed
>>>
>>> #Setting the EXTERNAL and INTERNAL interfaces for the network
>>> EXTIF="eth0"
>>> INTIF="eth1"
>>> EXTIP="`$IFCONFIG $EXTIF | $GREP 'inet addr' | $AWK '{print $2}' | $SED -e 's/.*://'`"
>>> INTIP="`$IFCONFIG $INTIF | $GREP 'inet addr' | $AWK '{print $2}' | $SED -e 's/.*://'`"
>>> echo " External Interface: $EXTIF $EXTIP"
>>> echo " Internal Interface: $INTIF $INTIP"
>>>
>>>
>>> echo -en " loading modules: "
>>>
>>> # Need to verify that all modules have all required dependencies
>>> #
>>> echo " - Verifying that all kernel modules are ok"
>>> $DEPMOD -a
>>>
>>> echo "----------------------------------------------------------------------"
>>>
>>> #Load the main body of the IPTABLES module - "iptable"
>>> echo -en "ip_tables, "
>>> $MODPROBE ip_tables
>>>
>>> #Load the stateful connection tracking framework - "ip_conntrack"
>>> echo -en "ip_conntrack, "
>>> $MODPROBE ip_conntrack
>>>
>>> #Load the FTP tracking mechanism for full FTP tracking
>>> echo -en "ip_conntrack_ftp, "
>>> $MODPROBE ip_conntrack_ftp
>>>
>>> #Load the IRC tracking mechanism for full IRC tracking
>>> echo -en "ip_conntrack_irc, "
>>> $MODPROBE ip_conntrack_irc
>>>
>>> #Load the general IPTABLES NAT code - "iptable_nat"
>>> echo -en "iptable_nat, "
>>> $MODPROBE iptable_nat
>>>
>>> #Loads the FTP NAT functionality into the core IPTABLES code
>>> echo -en "ip_nat_ftp, "
>>> $MODPROBE ip_nat_ftp
>>>
>>> echo -en "ipt_masquerade, "
>>> $MODPROBE ipt_MASQUERADE
>>>
>>> #Loads the IRC NAT functionality into the core IPTABLES code
>>> # Required to support NAT of IRC DCC requests
>>> #
>>> # Disabled by default -- remove the "#" on the next line to activate
>>> #
>>> echo -e "ip_nat_irc"
>>> $MODPROBE ip_nat_irc
>>>
>>> echo "----------------------------------------------------------------------"
>>>
>>> echo -e " Done loading modules.\n"
>>>
>>> #CRITICAL: Enable IP forwarding since it is disabled by default
>>> echo " Enabling forwarding.."
>>> echo "1" > /proc/sys/net/ipv4/ip_forward
>>>
>>> #Clearing any previous configuration
>>> echo " Clearing any existing rules and setting default policy.."
>>> $IPTABLES -P INPUT ACCEPT
>>> $IPTABLES -F INPUT
>>> $IPTABLES -P OUTPUT ACCEPT
>>> $IPTABLES -F OUTPUT
>>> #$IPTABLES -P FORWARD DROP
>>> $IPTABLES -F FORWARD
>>> $IPTABLES -t nat -F
>>>
>>> $IPTABLES -A INPUT -i lo -j ACCEPT
>>> $IPTABLES -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 22 -j ACCEPT
>>> $IPTABLES -A INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
>>>
>>>
>>> ##########################################################################
>>> # PUT FORWARDING RULES BELOW. YOU NEED A FORWARD AND PREROUTING FOR EACH ONE #
>>> ##########################################################################
>>>
>>> echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
>>> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>>>
>>> echo " FWD: Allow all connections OUT and only existing and related ones IN"
>>> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
>>> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
>>> $IPTABLES -A FORWARD -j LOG
>>>
>>> echo " Enabling SNAT (MASQUERADE) functionality on $INTIF"
>>> $IPTABLES -t nat -A POSTROUTING -o $INTIF -j MASQUERADE
>>>
>>> ########################
>>> # END FORWARDING RULES #
>>> ########################
>>>
>>> $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> $IPTABLES -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
>>> $IPTABLES -A INPUT -j REJECT --reject-with icmp-host-prohibited
>>>
>>> $IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>
>>> echo -e "\ndone.\n"
>>>
>>>
>>
>> --
>> redhat-list mailing list
>> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
>> https://www.redhat.com/mailman/listinfo/redhat-list
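An added example, not code from the thread or from either poster: the no-NAT router configuration Harry describes, emitted in the iptables-restore format that /etc/sysconfig/iptables uses, together with an audit that flags the MASQUERADE/SNAT/DNAT targets from Steve's script and a FORWARD policy other than ACCEPT, plus a check for the sysctl line. The function names, the anti-spoofing FORWARD rule, and the interface names and 22.22.22.0/24 block (taken from the thread) are assumptions.

```shell
#!/bin/sh
# Added example (assumed helper names), not the thread's own script.

# Emit /etc/sysconfig/iptables content for a pure router: FORWARD policy
# ACCEPT, no *nat section at all, the box itself only accepts ssh, ICMP and
# replies to its own traffic. $1 = ISP-facing NIC, $2 = server NIC, $3 = block.
router_rules() {
    extif=$1; intif=$2; block=$3
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# A packet from the ISP side claiming a source inside our own block is spoofed
-A FORWARD -i $extif -s $block -j DROP
COMMIT
EOF
}

# Read a rules file on stdin; return 0 when it is NAT-free and forwards by
# default, otherwise print each problem and return 1.
audit_rules() {
    rules=$(cat)
    bad=0
    if printf '%s\n' "$rules" | grep -Eq -- '-j (MASQUERADE|SNAT|DNAT)'; then
        echo "NAT target found: forwarded packets would carry the gateway's address"
        bad=1
    fi
    if ! printf '%s\n' "$rules" | grep -q '^:FORWARD ACCEPT'; then
        echo "FORWARD policy is not ACCEPT: transit traffic is not passed by default"
        bad=1
    fi
    return $bad
}

# Return 0 when the sysctl.conf-style file $1 has net.ipv4.ip_forward = 1
# (a commented-out line or = 0 does not count).
forwarding_enabled() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Demo: the generated rules pass their own audit.
router_rules eth0 eth1 22.22.22.0/24 | audit_rules && echo "router rules OK"
```

Run the audit against a real file with `audit_rules < /etc/sysconfig/iptables` to confirm a box still carries no NAT rule before the upstream switch-over.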