On Mon, 13 Dec 2004, John Reese wrote:

> I work for a company that has nearly exhausted its Class C range of IP
> addresses. We decided to get by the problem by using a single Linux
> router running iptables to route the exhausted 192.168.1.0 network
> (eth0) to three LANs with numbers 192.168.101.0, 192.168.102.0, and
> 192.168.103.0 (eth1, eth2, and eth3). Our goal is to have clients inside
> those networks see a single server in the old 192.168.1.0 network.

Mmkay. This is all fine and good, generally speaking.

> Since the new LANs are inside the production network (192.168.1.0), they
> face a trusted network and don't need to filter or firewall transactions
> across the router. The clients only need to see the server, and the
> server needs to see inside the new LANs in order to print to their
> printers.

Okay.

> At first I thought the simplest solution would be the best, so I decided
> to use a NAT table.

Huh? Since this is all internal, NAT isn't needed. If anything, it
complicates matters unnecessarily.

> I set up a script to do all the requisites, such as flush all the
> chains, start the ip_forward process in the /proc file system, modprobe
> for relevant modules, etc.

That's how you do it, especially if you allow forwarding between eth0 &
eth1/eth2/eth3. (And probably between all four, really.)

> Then I added one line to set up the NAT table:

Err, no. I don't think that's what you want to do.

> Of course, all the clients in the new LANs can see the server, but now
> the server can't see printers or anything else inside the new LANs.

Does the server know that it has to go to <router's eth0 address> to get
to 192.168.101.0/24 (et al)? I.e.,

# route add -net 192.168.101.0/24 gw 192.168.1.xxx

(Huh, I didn't know using /24 in that context worked -- neat!)

You'll probably need to tell your router to the outside where it needs
to send packets for those subnets, too.

> 1. How do I write a DNAT PREROUTING statement to accommodate all three
> interfaces, and/or:

I wouldn't. YMMV.

> 2. Is NAT the solution? Or should I be using a filter table instead of a
> NAT table to accomplish this goal?

Do you need filtering? Is there some reason to distrust the
192.168.10x.0 subnets? (Well, users are there, but besides that.)

Jima

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
Help beta test TCLUG's potential new home: http://plone.mn-linux.org
Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
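As an added example (not code from Jima's reply nor from John Reese's script), here is a small POSIX shell script that does what the reply recommends: forwarding turned on, every iptables table flushed, nothing put into the nat table, and static routes on the server (or any other host on 192.168.1.0/24, including the upstream router if it takes the same commands) pointing the three new subnets at the Linux router. The router's eth0 address 192.168.1.254, the DRY_RUN switch and the `router`/`host` arguments are assumptions of this example. The rp_filter setting and the per-interface source checks are not something the thread asked for; they are the cheap sanity check a practitioner would add to a routed setup, and they can be deleted without affecting the routing.

```shell
#!/bin/sh
# Added example, not the original poster's script.  Plain routing between
# eth0 (192.168.1.0/24) and eth1..eth3 (192.168.10x.0/24), no NAT.
# Assumption: the Linux router's eth0 address is 192.168.1.254.
# Set DRY_RUN=1 to print the commands instead of executing them (no root needed).

ROUTER_ETH0=192.168.1.254   # assumed address of the router on the old LAN
# interface:subnet pairs for the three new LANs, as given in the thread
NEW_LANS="eth1:192.168.101.0/24 eth2:192.168.102.0/24 eth3:192.168.103.0/24"

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Run on the Linux router.  Forwarding on (equivalent to
# echo 1 > /proc/sys/net/ipv4/ip_forward), every table flushed, and nothing
# added back to the nat table: the packets are simply routed.
configure_router() {
    run sysctl -w net.ipv4.ip_forward=1
    # Reverse-path filtering: in a symmetric setup like this one, a packet
    # claiming a 192.168.101.x source must have arrived on eth1.
    run sysctl -w net.ipv4.conf.all.rp_filter=1
    for table in filter nat mangle; do
        run iptables -t "$table" -F
        run iptables -t "$table" -X
    done
    run iptables -P INPUT ACCEPT
    run iptables -P OUTPUT ACCEPT
    run iptables -P FORWARD ACCEPT     # both sides are trusted: no filtering
    # Optional, beyond what the thread asked for: on each new LAN interface
    # only that LAN's own addresses are legitimate sources.
    for pair in $NEW_LANS; do
        run iptables -A FORWARD -i "${pair%%:*}" ! -s "${pair#*:}" -j DROP
    done
}

# Run on the server, and on any other 192.168.1.0/24 host (the upstream
# router included) that must reach the new LANs.  This is the iproute2
# spelling of the thread's
#   route add -net 192.168.101.0/24 gw 192.168.1.xxx
configure_host_routes() {
    for pair in $NEW_LANS; do
        run ip route add "${pair#*:}" via "$ROUTER_ETH0"
    done
}

# Check from the server which next hop the kernel picks for a given printer.
show_route() {
    run ip route get "$1"
}

case "${1:-}" in
    router) configure_router ;;
    host)   configure_host_routes ;;
    "")     ;;
    *)      echo "usage: $0 router|host" >&2 ;;
esac
```

Review it first with `DRY_RUN=1 sh route-setup.sh router` and `DRY_RUN=1 sh route-setup.sh host`; then run the two modes as root on the router and on the server respectively. After the server has its routes, `ip route get 192.168.101.10` should name 192.168.1.254 as the next hop; if it still shows the default gateway, the upstream router needs the same three routes.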