Linux as a router between three networks (one is Internet)

iptableslinuxrouting

I have a Linux box that is routing between two networks X.X.3.0 and X.X.4.0 , I want it to be able to connect these networks to the Internet.

I have read here on the @Kevin's great answer that in order to be able to do so i have to use NAT which means iptables, my server right now doesn't use iptables so I need to find the right command in order to enable that.

my network can be described like this:
Internet <-(eth0) Linux Router <-[1](eth1) 192.168.3.0 <--[2](eth2) 192.168.4.0
The eth2 is connected to the Router directly.

The two local networks can talk with each other, but no one can even ping to a public IP address.
I have tried to sniff the packets in the Router, when i am issue the ping command to a public IP address on one machine in the .3.x network, but as far as i can tell there is a problem, and it seems to be with an endless ARP requests of the eth0 int about who has the 3.x IP address.
It seems that i have to enable on the Router to behave like a NAT too.
I have did a search and i couln't figure out the right command that i am need to issue with the iptables, although i have did try the commands that mentioned here and here.
I have had to ability to route between the two local networks without using iptables at all, and since i am don't need it i prefer not to use it, unless it's impossibole to do NAT without it (in that case i am prefer iptable that any other program).

to sum up the question:
1. i need to be able that all the three networks would be able to talk to each other.
2. i prefer no use iptables (if that possibole) or any other added program.
3. That's all.

Thanks.

Best Answer

The two local networks can talk to each other means you have ip_forward enabled. If the local networks can not ping public IP address means you need to do masquerading.

Are you able to ping public IP address from this linux box? If no then there must be some other problem. Maybe, you need to setup your router in bridged mode(It's only a guess).

I assume that your linux machine can ping public ip and there is public ip configured on eth0. So your internal network machines can not go outside to the Internet with the private ip address so you need to do natting. Try using iptables because it is pretty much straight forward.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

If you do not have iptables installed on your system. There must be some firewall installed by default. Which distro you are using?

Related Solutions

Linux: routing traffic between two networks with iptables

Actually, you don't really need iptables for basic routing - iptables helps you with filtering and NAT (and other things too).

You can activate packet forwarding with:

sysctl -w net.ipv4.conf.all.forwarding=1

Add net.ipv4.conf.all.forwarding=1 to /etc/sysctl.conf to make the setting stick.

In case you are filtering on the server (you can check this with iptables -nvL - if the FORWARD chain has policy ACCEPT you're not filtering), you need to add rules to allow the packets to be forwarded between networks:

iptables -I FORWARD -i eth0 -o wlan0 -s wi.red.net.work/24 -d wire.less.net.work/24 -j ACCEPT
iptables -I FORWARD -i wlan0 -o eth0 -s wire.less.net.work/24 -d wi.red.net.work/24 -j ACCEPT

If you aren't filtering but want to (you should too, by the way - see @Red Tux's comment, it's good practice to filter by default and allow only the minimum) add the previous rules plus this one:

iptables -P FORWARD DROP

This changes the policy so all packets not matching any rules are discarded.

Also, if you're going for real security, you should probably filter on the INPUT chain as well. This chain processes requests coming to your router with a destination IP that matches one of its own - that is, incoming connections (for example SSH). A sensible default would be:

iptables -I INPUT -i eth0 -s allowed.admin.ip.here -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT
iptables -P INPUT DROP # make sure you've put your IP on the first rule before running this 
                       # or you'll lock you out of the server

This allows SSH only from a designed host in the wired network (take note of the warning), allows all traffic on the loopback interface (required by some software) and discards all the rest.

As you can see you can allow only some ports through using -p tcp|udp --dport N. You should consider doing this on the FORWARD chain too for increased security.

Linux Networking – How to Route Between Two Networks on Linux

If you have 2 NICs on a Linux box, both configured with IP's you don't have to add a route from one network to another. That will be done automatically.

Add a default gateway address on the WAN NIC. Do not do this in the configuration of the LAN NIC.

Then enable forwarding in the kernel:

echo 1 >> /proc/sys/net/ipv4/ip_forward

To make it auto-set this value on boot uncomment this line in/etc/sysctl.conf

#net.ipv4.ip_forward=1

Then set up some rules in iptables to perform the natting and forwarding:

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# We allow traffic from the LAN side
iptables -A INPUT -i eth0 -j ACCEPT

######################################################################
#
#                         ROUTING
#
######################################################################

# eth0 is LAN
# eth1 is WAN

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# fowarding
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

that should do it.

Best Answer

Related Solutions

Linux: routing traffic between two networks with iptables

Linux Networking – How to Route Between Two Networks on Linux

Related Topic