Linux – iptables setup forwarding between two ethernet interface

Tags: debian, iptables, linux, linux-networking

I want to create a gateway on Linux which has 2 interfaces,
eth0 and eth1.

eth1 is created by an LTE modem. Once the LTE modem attaches to the network and gets an IP address, a DHCP server is run on the gateway to provide this IP address (example: 10.20.30.6) to the PC connected to the eth0 LAN network.
Then eth0 is assigned the IP address 10.20.30.1.

Now eth1 itself is not assigned any IP address.

Now I would like to forward all the packets received from the PC on the LAN interface eth0 to the eth1 WAN interface.

Kindly suggest the iptables rules I need to use to create this forwarding.

Kindly note that due to a limitation of the LTE modem, bridge mode cannot be used, and due to a limitation of the architecture to be created, NAT mode also cannot be used.

Best Answer

Where you are going, you don't need iptables.

What I understand you want to do is to have the gateway forward IP packets between two interfaces without the gateway performing any NAT on the forwarded packets. You can do this without any iptables rules.

My knowledge of LTE is lacking, so if there turn out to be any LTE-specific caveats, I won't be able to help you with those. My answer will for the most part assume eth0 and eth1 are both running ordinary IPv4 over Ethernet.

First of all you need to ensure forwarding is enabled:

echo 1 > /proc/sys/net/ipv4/ip_forward

Packets arriving from the Internet will arrive on eth1. But the sender of those packets may need to perform ARP requests for 10.20.30.6, which isn't assigned to your gateway. So your gateway will not respond to those ARP requests unless you enable ARP proxying:

echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp

Once the ARP reply has been sent, the rest of the processing of incoming packets happens using ordinary IP packet forwarding, no magic needed.

Packets from the PC to the gateway require no tricks to arrive at the gateway through eth0. The tricky part then is how to get them to leave through the eth1 interface.

You need a default route. But the gateway for that route would presumably be 10.20.30.1, which you just assigned to eth0 on the gateway you are setting up. However, if you know the MAC address of the original gateway, you can get this to work without needing a real gateway IP address.

First you invent a placeholder gateway IP address (it should be an RFC 1918 address, one you don't otherwise need to communicate with). For the example I'll assume 10.1.2.3:

ip neigh add 10.1.2.3 lladdr xx:xx:xx:xx:xx:xx dev eth1
ip route add 10.1.2.3 dev eth1
ip route add default via 10.1.2.3

Because 10.1.2.3 is created as a permanent entry in the ARP cache on your gateway, no ARP requests will be sent for this address. That means it will not be a problem that the next gateway is unaware of your chosen placeholder IP address.
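The whole procedure from the answer (enable forwarding, proxy ARP on the WAN side, a permanent neighbour entry for a placeholder gateway, the two routes) collected into one idempotent script, as an added example that is not part of the original answer. It validates the inputs a practitioner would most likely get wrong (a placeholder gateway outside RFC 1918 space, a malformed or multicast MAC), prints a plan with `plan`, applies and then verifies the kernel state with `apply`, and uses `replace` forms so it can be re-run safely. The interface name eth1, the placeholder 10.1.2.3 and the MAC 02:00:00:00:00:01 are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not code from the original answer: applies the no-NAT
# forwarding setup described in the answer after validating its inputs.
# WAN_IF, PLACEHOLDER_GW and UPSTREAM_MAC below are assumed defaults.
# eth0's own address (10.20.30.1 in the question) is left to the existing
# LAN configuration; nothing on the LAN side needs changing.

WAN_IF="${WAN_IF:-eth1}"
PLACEHOLDER_GW="${PLACEHOLDER_GW:-10.1.2.3}"
UPSTREAM_MAC="${UPSTREAM_MAC:-02:00:00:00:00:01}"   # MAC of the real upstream gateway (assumed)
DRY_RUN="${DRY_RUN:-0}"

# is_ipv4 A.B.C.D: succeeds only for four decimal octets, each 0..255.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# is_rfc1918 A.B.C.D: succeeds for 10/8, 172.16/12 and 192.168/16,
# the private ranges the answer recommends for the placeholder gateway.
is_rfc1918() {
  is_ipv4 "$1" || return 1
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.*)
      second=$(printf '%s' "$1" | cut -d. -f2)
      if [ "$second" -ge 16 ] && [ "$second" -le 31 ]; then return 0; else return 1; fi ;;
    *) return 1 ;;
  esac
}

# is_mac xx:xx:xx:xx:xx:xx: six hex octets and not a group (multicast or
# broadcast) address; the I/G bit is the low bit of the first octet, and a
# group address can never be the unicast MAC of the upstream gateway.
is_mac() {
  printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
  first=$(printf '%s' "$1" | cut -d: -f1)
  [ $(( 0x$first & 1 )) -eq 0 ] || return 1
  return 0
}

# gateway_cmds WAN GW MAC: print the commands from the answer, one per line.
# "replace" forms make re-running the script harmless.
gateway_cmds() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.$1.proxy_arp=1
ip neigh replace $2 lladdr $3 nud permanent dev $1
ip route replace $2 dev $1
ip route replace default via $2 dev $1
EOF
}

# verify_gateway WAN GW: confirm the kernel state matches what was requested.
verify_gateway() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || { echo "ip_forward is off" >&2; return 1; }
  [ "$(cat "/proc/sys/net/ipv4/conf/$1/proxy_arp")" = 1 ] || { echo "proxy_arp is off on $1" >&2; return 1; }
  ip neigh show "$2" dev "$1" | grep -q PERMANENT || { echo "no permanent neighbour for $2" >&2; return 1; }
  ip route show default | grep -q "via $2 " || { echo "default route does not use $2" >&2; return 1; }
}

main() {
  is_rfc1918 "$PLACEHOLDER_GW" || { echo "placeholder gateway $PLACEHOLDER_GW is not a private IPv4 address" >&2; return 2; }
  is_mac "$UPSTREAM_MAC" || { echo "upstream MAC $UPSTREAM_MAC is not a unicast MAC address" >&2; return 2; }
  while IFS= read -r cmd; do
    if [ "$DRY_RUN" = 1 ]; then
      echo "$cmd"
    else
      $cmd || { echo "failed: $cmd" >&2; return 1; }
    fi
  done <<EOF
$(gateway_cmds "$WAN_IF" "$PLACEHOLDER_GW" "$UPSTREAM_MAC")
EOF
  [ "$DRY_RUN" = 1 ] || verify_gateway "$WAN_IF" "$PLACEHOLDER_GW"
}

# Usage: sh gateway.sh plan   (print the commands only)
#        sh gateway.sh apply  (run as root, then verify)
case "${1:-}" in
  plan)  DRY_RUN=1 main ;;
  apply) main ;;
esac
```

Note that, exactly as the answer says, no iptables rules are involved: once `ip_forward` is on, this box forwards anything that arrives on either interface, in both directions, with no filtering. If you later want to restrict what the PC can reach or what the Internet can send to it, that is a separate FORWARD-chain policy, not part of this setup.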
