Ubuntu-Server router – forwarding/routing does not work

Tags: forwarding, routing, Ubuntu

This is more or less a pretty general question about forwarding and routing with Ubuntu Server or any Linux system, I guess.

The server manages a school network and has 8 NICs – each on a different network.

  • 7 leading to different classrooms.
  • 1 leading into the network that contains the other servers (print server, domain controller, etc.)
    • finally, this network has another gateway that leads to the internet.

I want to:

  • forward the traffic coming from the 7 classrooms to the network that contains the other servers/that leads to the internet
  • forward some traffic the other way round (e.g. print-server to printers in classrooms)

I do not want to:

  • configure NAT
  • edit every routing-table on every single client-PC in the classrooms.

As I understood it, just enabling net.ipv4.ip_forward=1 via sysctl and sysctl.conf should have done the trick... But it didn't.

After reading and trying out a lot of different stuff, I tried the following iptables rule:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

eth0 being the network leading to the other servers and the internet.
And that worked... but this is a NAT rule.

So my big question is:
Is there a way at all to do it without the NAT-rule?
Or:
What does it take to do it without the NAT rule?

Best Answer

This is a relatively simple setup... and Linux can handle this without any troubles.

You're probably suffering from one or two problems.

1) No return routes to this "router".

For a router to do its job properly... every device needs to have a route to that router. (either directly attached... or attached to another router that knows about it.)

No Return Route

You can fix this relatively simply by adding a return route in the "Internet Router" of all networks attached to the "Linux Router". There are routing protocols that can do this for you automagically but in small-ish environments (such as this) they're generally much more work than it's worth.

2) Mixing private and public address space. Once your packet leaves the public internet space... it better have the source NATed with a public IP... or be legitimately from a public IP. Private network addresses are not routable from the public Internet.

Private Networks

The only way to get around this is to NAT or assign public address space to your network. NATing is relatively simple and secure... public address space can be very dangerous, as every machine would become a target of hackers.
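The "no return route" problem from point 1, as an added simulation that is not part of the original question or answer: a classroom host's request reaches a server, but the server only knows its default gateway (the Internet Router), which without a route for the classroom subnets sends the reply toward the ISP, where the private address is unroutable. The MASQUERADE rule "worked" because it rewrote the source to the Linux router's eth0 address, which is on the servers' own subnet. All addresses below are constructed for the example; the `ip route add` lines assume the Internet Router is itself a Linux box.

```python
"""Simulate the 'no return route' failure and its fix (constructed topology)."""
import ipaddress

# Constructed example topology (not from the original post)
SERVER_NET = ipaddress.ip_network("10.0.0.0/24")           # servers + gateways
LINUX_ROUTER_IP = ipaddress.ip_address("10.0.0.2")         # Linux router, eth0
INTERNET_GW_IP = ipaddress.ip_address("10.0.0.1")          # upstream "Internet Router"
CLASSROOM_NETS = [ipaddress.ip_network(f"192.168.{n}.0/24") for n in range(1, 8)]


def next_hop(table, dst):
    """Longest-prefix match over a list of (network, next_hop) tuples."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def internet_router_table(with_return_routes):
    """Routing table of the Internet Router; its default route points at the ISP."""
    table = [(SERVER_NET, "connected"), (ipaddress.ip_network("0.0.0.0/0"), "isp")]
    if with_return_routes:
        # The fix from the answer: one static route per classroom subnet,
        # pointing back at the Linux router's address on the server network.
        table += [(net, str(LINUX_ROUTER_IP)) for net in CLASSROOM_NETS]
    return table


def reply_path(with_return_routes, classroom_host="192.168.3.10"):
    """Trace a server's reply back to a classroom host.

    The server has only its connected subnet and a default gateway, so the
    forwarding decision is made by the Internet Router's table.
    """
    hop = next_hop(internet_router_table(with_return_routes), classroom_host)
    if hop == "isp":
        # RFC 1918 destination handed to the ISP: dropped, client sees a timeout
        return "dropped: forwarded to ISP, private address not routable"
    return f"delivered via {hop}"


def return_route_commands():
    """Static routes to add on the Internet Router (assumes it runs Linux)."""
    return [f"ip route add {net} via {LINUX_ROUTER_IP}" for net in CLASSROOM_NETS]


if __name__ == "__main__":
    print("without return routes:", reply_path(False))
    print("with return routes:   ", reply_path(True))
    print("\n".join(return_route_commands()))
```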