* using iptables to route between subnets
       [not found] <9835afd2-74b0-e5a8-e812-898869b06ad3@bak.rr.com>
@ 2018-02-16  2:25 ` A
  2018-02-16  4:15   ` zrm
  0 siblings, 1 reply; 6+ messages in thread
From: A @ 2018-02-16  2:25 UTC (permalink / raw)
  To: netfilter

I am trying to route packets between two internal/private subnets 
10.1.1.0/24 and 10.1.2.0/24 .  The second subnet happens to be wireless.

I've read until my eyes bled and have been at this for several days.  
I've tried a variety of different ways based on others' similar posted 
attempts, and at this point things are a mess as you will see below.  In 
addition to simple routing, I need to get my wireless printer working 
too, which is essentially the real reason I'm doing this, and I'm hoping 
that issue will be resolved by this as well.


This is a diagram of my network: 
https://www.lucidchart.com/documents/edit/58779470-32c0-407d-8111-0b074b35ff4d/0?shared=true

These are the relevant rules:

iptables-save -c | grep RULE


[1:40] -A PREROUTING -i enp6s0 -p tcp -m multiport --dports 80,443 -m comment --comment "RULE 1; in WAN port 80,443; rewrite dst as LAN address" -j DNAT --to-destination 10.1.1.1
[1:328] -A PREROUTING -d 10.1.2.0/24 -m comment --comment "RULE 1A; if source WLAN rewrite as LAN address" -j NETMAP --to 10.1.1.0/24
[26:3083] -A POSTROUTING -s 10.1.0.0/16 -o enp6s0 -m comment --comment "RULE 2; after routing rewrite to WAN address iff src LAN or WLAN, out WAN" -j MASQUERADE
[183:72318] -A FORWARD -i enp6s0 -o wlp2s0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "RULE 3; in WAN; out wireless, iff established." -j ACCEPT
[0:0] -A FORWARD -d 10.1.1.0/24 -i wlp2s0 -o enp4s5 -m comment --comment "RULE 4; in wireless out LAN; iff dst LAN" -j ACCEPT
[324:69828] -A FORWARD -s 10.1.0.0/16 ! -d 10.1.0.0/16 -o enp6s0 -m comment --comment "RULE 5; src LAN or WLAN, dst not LAN nor WLAN, out WAN" -j ACCEPT
[0:0] -A FORWARD -s 10.1.2.0/24 ! -d 10.1.0.0/16 -o enp6s0 -m comment --comment "RULE 5w; src WLAN out WAN, iff dst not WLAN nor LAN" -j ACCEPT
[0:0] -A FORWARD -s 10.1.0.0/16 -d 10.1.2.0/24 -o wlp2s0 -m comment --comment "RULE 8; src LAN or WLAN, dst WLAN, out WLAN" -j ACCEPT
[1:76] -A FORWARD -d 10.1.1.0/24 -i enp6s0 -o enp4s5 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "RULE 6; in WAN out LAN, iff established and dst LAN" -j ACCEPT
[0:0] -A FORWARD -d 10.1.1.0/24 -i enp6s0 -p tcp -m multiport --dports 80,443 -m comment --comment "RULE 7 supplies a target for RULE 1" -j ACCEPT

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Some of them are obviously not getting hit, I don't know why. I'm not 
really sure which I need, at this point I've grown dizzy from looking at 
them.


Here is the full set of rules if you'd like to see, though the above I 
think might suffice: http://fnpaste.com/qprP

Thank you in advance for your help!






* Re: using iptables to route between subnets
  2018-02-16  2:25 ` using iptables to route between subnets A
@ 2018-02-16  4:15   ` zrm
  2018-02-16  5:53     ` A
  0 siblings, 1 reply; 6+ messages in thread
From: zrm @ 2018-02-16  4:15 UTC (permalink / raw)
  To: A, netfilter

On 02/15/2018 09:25 PM, A wrote:
> I am trying to route packets between two internal/private subnets 
> 10.1.1.0/24 and 10.1.2.0/24 .  The second subnet happens to be wireless.
> 
> I've read until my eyes bled and have been at this for several days. 
> I've tried a variety of different ways based on others' similar posted 
> attempts, and at this point things are a mess as you will see below.  In 
> addition to simple routing, I need to get my wireless printer working 
> too, which is essentially the real reason I'm doing this, and I'm hoping 
> that issue will be resolved by this as well.
> 
> 
> This is a diagram of my network: 
> https://www.lucidchart.com/documents/edit/58779470-32c0-407d-8111-0b074b35ff4d/0?shared=true 
> 
> 
> These are the relevant rules:
> 
> iptables-save -c | grep RULE
> 
> 
> [1:40] -A PREROUTING -i enp6s0 -p tcp -m multiport --dports 80,443 -m 
> comment --comment "RULE 1; in WAN port 80,443; rewrite dst as LAN 
> address" -j DNAT --to-destination 10.1.1.1
> [1:328] -A PREROUTING -d 10.1.2.0/24 -m comment --comment "RULE 1A; if 
> source WLAN rewrite as LAN address" -j NETMAP --to 10.1.1.0/24
> [26:3083] -A POSTROUTING -s 10.1.0.0/16 -o enp6s0 -m comment --comment 
> "RULE 2; after routing rewrite to WAN address iff src LAN or WLAN, out 
> WAN" -j MASQUERADE
> [183:72318] -A FORWARD -i enp6s0 -o wlp2s0 -m conntrack --ctstate 
> RELATED,ESTABLISHED -m comment --comment "RULE 3; in WAN; out wireless, 
> iff established." -j ACCEPT
> [0:0] -A FORWARD -d 10.1.1.0/24 -i wlp2s0 -o enp4s5 -m comment --comment 
> "RULE 4; in wireless out LAN; iff dst LAN" -j ACCEPT
> [324:69828] -A FORWARD -s 10.1.0.0/16 ! -d 10.1.0.0/16 -o enp6s0 -m 
> comment --comment "RULE 5; src LAN or WLAN, dst not LAN nor WLAN, out 
> WAN" -j ACCEPT
> [0:0] -A FORWARD -s 10.1.2.0/24 ! -d 10.1.0.0/16 -o enp6s0 -m comment 
> --comment "RULE 5w; src WLAN out WAN, iff dst not WLAN nor LAN" -j ACCEPT
> [0:0] -A FORWARD -s 10.1.0.0/16 -d 10.1.2.0/24 -o wlp2s0 -m comment 
> --comment "RULE 8; src LAN or WLAN, dst WLAN, out WLAN" -j ACCEPT
> [1:76] -A FORWARD -d 10.1.1.0/24 -i enp6s0 -o enp4s5 -m conntrack 
> --ctstate RELATED,ESTABLISHED -m comment --comment "RULE 6; in WAN out 
> LAN, iff established and dst LAN" -j ACCEPT
> [0:0] -A FORWARD -d 10.1.1.0/24 -i enp6s0 -p tcp -m multiport --dports 
> 80,443 -m comment --comment "RULE 7 supplies a target for RULE 1" -j ACCEPT
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Some of them are obviously not getting hit, I don't know why. I'm not 
> really sure which I need, at this point I've grown dizzy from looking at 
> them.
> 
> 
> Here is the full set of rules if you'd like to see, though the above I 
> think might suffice: http://fnpaste.com/qprP
> 
> Thank you in advance for your help!

That is more complicated than it needs to be. Also, you have a NETMAP 
rule in there which is probably causing problems.

Try getting rid of that and replacing all the FORWARD rules with this:

-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp4s5 -s 10.1.1.0/24 -j ACCEPT
-A FORWARD -i wlp2s0 -s 10.1.2.0/24 -j ACCEPT
-A FORWARD -j REJECT


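As an added illustration (not code from the thread), a small Python model of first-match evaluation over the four FORWARD rules zrm suggests, together with the destination rewrite the original RULE 1A NETMAP performs in PREROUTING. Interface roles (enp6s0 WAN, enp4s5 LAN, wlp2s0 wireless) are taken from the rule comments above; the printer address 10.1.2.50 and LAN host 10.1.1.20 are constructed. It shows why a FORWARD rule matching -d 10.1.2.0/24 (the original RULE 8) can never be hit while NETMAP is in place, and that the simplified chain accepts LAN-to-wireless traffic and its replies while rejecting unsolicited WAN traffic and source-spoofed packets arriving on the wrong interface.

```python
import ipaddress
from dataclasses import dataclass

# Interface roles are taken from the rule comments in the thread:
# enp6s0 = WAN, enp4s5 = wired LAN (10.1.1.0/24), wlp2s0 = wireless (10.1.2.0/24).


@dataclass
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    ctstate: str = "NEW"   # conntrack state: NEW, ESTABLISHED or RELATED


def in_net(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def rule_matches(rule, pkt):
    """Every criterion present in the rule must match; absent criteria are wildcards."""
    if "i" in rule and rule["i"] != pkt.in_if:
        return False
    if "o" in rule and rule["o"] != pkt.out_if:
        return False
    if "s" in rule and not in_net(pkt.src, rule["s"]):
        return False
    if "d" in rule and not in_net(pkt.dst, rule["d"]):
        return False
    if "ctstate" in rule and pkt.ctstate not in rule["ctstate"]:
        return False
    return True


def chain_verdict(chain, pkt, policy="DROP"):
    """Walk the chain top to bottom; the first matching rule's target is the verdict."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule["j"]
    return policy


# zrm's four-rule FORWARD chain, in the order given in the reply.
SIMPLE_FORWARD = [
    {"ctstate": {"RELATED", "ESTABLISHED"}, "j": "ACCEPT"},
    {"i": "enp4s5", "s": "10.1.1.0/24", "j": "ACCEPT"},
    {"i": "wlp2s0", "s": "10.1.2.0/24", "j": "ACCEPT"},
    {"j": "REJECT"},
]


def netmap(addr, from_net="10.1.2.0/24", to_net="10.1.1.0/24"):
    """Model the original RULE 1A (-d 10.1.2.0/24 -j NETMAP --to 10.1.1.0/24):
    NETMAP keeps the host bits and swaps the network bits, so 10.1.2.50 -> 10.1.1.50."""
    a = ipaddress.ip_address(addr)
    src_net = ipaddress.ip_network(from_net)
    if a not in src_net:
        return addr
    dst_net = ipaddress.ip_network(to_net)
    host_bits = int(a) & int(src_net.hostmask)
    return str(ipaddress.ip_address(int(dst_net.network_address) | host_bits))


def dst_seen_by_forward(dst):
    """Destination the FORWARD chain sees under the original ruleset. PREROUTING (and
    its NETMAP) runs before the routing decision, so no forwarded packet keeps a
    10.1.2.x destination, which is why a FORWARD rule with -d 10.1.2.0/24 stays at [0:0]."""
    return netmap(dst)


if __name__ == "__main__":
    printer = "10.1.2.50"   # constructed printer address on the wireless subnet
    print("NETMAP turns", printer, "into", dst_seen_by_forward(printer))
    lan_to_printer = Packet("enp4s5", "wlp2s0", "10.1.1.20", printer)
    print("LAN -> printer:", chain_verdict(SIMPLE_FORWARD, lan_to_printer))
    reply = Packet("wlp2s0", "enp4s5", printer, "10.1.1.20", "ESTABLISHED")
    print("printer -> LAN reply:", chain_verdict(SIMPLE_FORWARD, reply))
    wan_new = Packet("enp6s0", "enp4s5", "203.0.113.7", "10.1.1.1")
    print("unsolicited WAN -> LAN:", chain_verdict(SIMPLE_FORWARD, wan_new))
```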

* Re: using iptables to route between subnets
  2018-02-16  4:15   ` zrm
@ 2018-02-16  5:53     ` A
  2018-02-16  9:08       ` SV: " André Paulsberg-Csibi (IBM Consultant)
  0 siblings, 1 reply; 6+ messages in thread
From: A @ 2018-02-16  5:53 UTC (permalink / raw)
  To: netfilter



On 02/15/2018 08:15 PM, zrm wrote:
> On 02/15/2018 09:25 PM, A wrote:
>> I am trying to route packets between two internal/private subnets 
>> 10.1.1.0/24 and 10.1.2.0/24 .  The second subnet happens to be wireless.
>>
>> I've read until my eyes bled and have been at this for several days. 
>> I've tried a variety of different ways based on others' similar 
>> posted attempts, and at this point things are a mess as you will see 
>> below.  In addition to simple routing, I need to get my wireless 
>> printer working too, which is essentially the real reason I'm doing 
>> this, and I'm hoping that issue will be resolved by this as well.
>>
>>
>> This is a diagram of my network: 
>> https://www.lucidchart.com/documents/edit/58779470-32c0-407d-8111-0b074b35ff4d/0?shared=true 
>>
>>
>> These are the relevant rules:
>>
>> iptables-save -c | grep RULE
>>
>>
>> [1:40] -A PREROUTING -i enp6s0 -p tcp -m multiport --dports 80,443 -m 
>> comment --comment "RULE 1; in WAN port 80,443; rewrite dst as LAN 
>> address" -j DNAT --to-destination 10.1.1.1
>> [1:328] -A PREROUTING -d 10.1.2.0/24 -m comment --comment "RULE 1A; 
>> if source WLAN rewrite as LAN address" -j NETMAP --to 10.1.1.0/24
>> [26:3083] -A POSTROUTING -s 10.1.0.0/16 -o enp6s0 -m comment 
>> --comment "RULE 2; after routing rewrite to WAN address iff src LAN 
>> or WLAN, out WAN" -j MASQUERADE
>> [183:72318] -A FORWARD -i enp6s0 -o wlp2s0 -m conntrack --ctstate 
>> RELATED,ESTABLISHED -m comment --comment "RULE 3; in WAN; out 
>> wireless, iff established." -j ACCEPT
>> [0:0] -A FORWARD -d 10.1.1.0/24 -i wlp2s0 -o enp4s5 -m comment 
>> --comment "RULE 4; in wireless out LAN; iff dst LAN" -j ACCEPT
>> [324:69828] -A FORWARD -s 10.1.0.0/16 ! -d 10.1.0.0/16 -o enp6s0 -m 
>> comment --comment "RULE 5; src LAN or WLAN, dst not LAN nor WLAN, out 
>> WAN" -j ACCEPT
>> [0:0] -A FORWARD -s 10.1.2.0/24 ! -d 10.1.0.0/16 -o enp6s0 -m comment 
>> --comment "RULE 5w; src WLAN out WAN, iff dst not WLAN nor LAN" -j 
>> ACCEPT
>> [0:0] -A FORWARD -s 10.1.0.0/16 -d 10.1.2.0/24 -o wlp2s0 -m comment 
>> --comment "RULE 8; src LAN or WLAN, dst WLAN, out WLAN" -j ACCEPT
>> [1:76] -A FORWARD -d 10.1.1.0/24 -i enp6s0 -o enp4s5 -m conntrack 
>> --ctstate RELATED,ESTABLISHED -m comment --comment "RULE 6; in WAN 
>> out LAN, iff established and dst LAN" -j ACCEPT
>> [0:0] -A FORWARD -d 10.1.1.0/24 -i enp6s0 -p tcp -m multiport 
>> --dports 80,443 -m comment --comment "RULE 7 supplies a target for 
>> RULE 1" -j ACCEPT
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Some of them are obviously not getting hit, I don't know why. I'm not 
>> really sure which I need, at this point I've grown dizzy from looking 
>> at them.
>>
>>
>> Here is the full set of rules if you'd like to see, though the above 
>> I think might suffice: http://fnpaste.com/qprP
>>
>> Thank you in advance for your help!
>
> That is more complicated than it needs to be. Also, you have a NETMAP 
> rule in there which is probably causing problems.
>
> Try getting rid of that and replacing all the FORWARD rules with this:
>
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i enp4s5 -s 10.1.1.0/24 -j ACCEPT
> -A FORWARD -i wlp2s0 -s 10.1.2.0/24 -j ACCEPT
> -A FORWARD -j REJECT
>
>
Thank you for responding!  I have done as you suggested.  Is this 
closer  http://fnpaste.com/goQN to what you were suggesting?  It's still 
not working.


* SV: using iptables to route between subnets
  2018-02-16  5:53     ` A
@ 2018-02-16  9:08       ` André Paulsberg-Csibi (IBM Consultant)
  2018-02-16 16:13         ` A
  0 siblings, 1 reply; 6+ messages in thread
From: André Paulsberg-Csibi (IBM Consultant) @ 2018-02-16  9:08 UTC (permalink / raw)
  To: 'A', netfilter

Just one question: have you set "net.ipv4.ip_forward" to 1? (Check with this command):

"sudo sysctl net.ipv4.ip_forward"


Best regards
André Paulsberg-Csibi
Senior Network Engineer 
IBM Services AS

-----Original message-----
From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] On behalf of A
Sent: Friday 16 February 2018 06.53
To: netfilter@vger.kernel.org
Subject: Re: using iptables to route between subnets



On 02/15/2018 08:15 PM, zrm wrote:
> On 02/15/2018 09:25 PM, A wrote:
>> I am trying to route packets between two internal/private subnets
>> 10.1.1.0/24 and 10.1.2.0/24 .  The second subnet happens to be wireless.
>>
>> I've read until my eyes bled and have been at this for several days. 
>> I've tried a variety of different ways based on others' similar 
>> posted attempts, and at this point things are a mess as you will see 
>> below.  In addition to simple routing, I need to get my wireless 
>> printer working too, which is essentially the real reason I'm doing 
>> this, and I'm hoping that issue will be resolved by this as well.
>>
>>
>> This is a diagram of my network: 
>> https://www.lucidchart.com/documents/edit/58779470-32c0-407d-8111-0b074b35ff4d/0?shared=true
>>
>>
>> These are the relevant rules:
>>
>> iptables-save -c | grep RULE
>>
>>
>> [1:40] -A PREROUTING -i enp6s0 -p tcp -m multiport --dports 80,443 -m comment --comment "RULE 1; in WAN port 80,443; rewrite dst as LAN address" -j DNAT --to-destination 10.1.1.1
>> [1:328] -A PREROUTING -d 10.1.2.0/24 -m comment --comment "RULE 1A; if source WLAN rewrite as LAN address" -j NETMAP --to 10.1.1.0/24
>> [26:3083] -A POSTROUTING -s 10.1.0.0/16 -o enp6s0 -m comment --comment "RULE 2; after routing rewrite to WAN address iff src LAN or WLAN, out WAN" -j MASQUERADE
>> [183:72318] -A FORWARD -i enp6s0 -o wlp2s0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "RULE 3; in WAN; out wireless, iff established." -j ACCEPT
>> [0:0] -A FORWARD -d 10.1.1.0/24 -i wlp2s0 -o enp4s5 -m comment --comment "RULE 4; in wireless out LAN; iff dst LAN" -j ACCEPT
>> [324:69828] -A FORWARD -s 10.1.0.0/16 ! -d 10.1.0.0/16 -o enp6s0 -m comment --comment "RULE 5; src LAN or WLAN, dst not LAN nor WLAN, out WAN" -j ACCEPT
>> [0:0] -A FORWARD -s 10.1.2.0/24 ! -d 10.1.0.0/16 -o enp6s0 -m comment --comment "RULE 5w; src WLAN out WAN, iff dst not WLAN nor LAN" -j ACCEPT
>> [0:0] -A FORWARD -s 10.1.0.0/16 -d 10.1.2.0/24 -o wlp2s0 -m comment --comment "RULE 8; src LAN or WLAN, dst WLAN, out WLAN" -j ACCEPT
>> [1:76] -A FORWARD -d 10.1.1.0/24 -i enp6s0 -o enp4s5 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "RULE 6; in WAN out LAN, iff established and dst LAN" -j ACCEPT
>> [0:0] -A FORWARD -d 10.1.1.0/24 -i enp6s0 -p tcp -m multiport --dports 80,443 -m comment --comment "RULE 7 supplies a target for RULE 1" -j ACCEPT
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> Some of them are obviously not getting hit, I don't know why. I'm not 
>> really sure which I need, at this point I've grown dizzy from looking 
>> at them.
>>
>>
>> Here is the full set of rules if you'd like to see, though the above 
>> I think might suffice: http://fnpaste.com/qprP
>>
>> Thank you in advance for your help!
>
> That is more complicated than it needs to be. Also, you have a NETMAP 
> rule in there which is probably causing problems.
>
> Try getting rid of that and replacing all the FORWARD rules with this:
>
> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i enp4s5 -s 10.1.1.0/24 -j ACCEPT
> -A FORWARD -i wlp2s0 -s 10.1.2.0/24 -j ACCEPT
> -A FORWARD -j REJECT
>
>
Thank you for responding!  I have done as you suggested.  Is this closer  http://fnpaste.com/goQN to what you were suggesting?  It's still not working.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@vger.kernel.org More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: SV: using iptables to route between subnets
  2018-02-16  9:08       ` SV: " André Paulsberg-Csibi (IBM Consultant)
@ 2018-02-16 16:13         ` A
  2018-02-16 16:14           ` A
  0 siblings, 1 reply; 6+ messages in thread
From: A @ 2018-02-16 16:13 UTC (permalink / raw)
  To: netfilter

# sudo sysctl net.ipv6.conf.all.forwarding
net.ipv6.conf.all.forwarding = 1


On 02/16/2018 01:08 AM, André Paulsberg-Csibi (IBM Consultant) wrote:
> Just one question: have you set "net.ipv4.ip_forward" to 1? (Check with this command):
>
> "sudo sysctl net.ipv4.ip_forward"
>
>
> Best regards
> André Paulsberg-Csibi
> Senior Network Engineer
> IBM Services AS
>
> -----Original message-----
> From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] On behalf of A
> Sent: Friday 16 February 2018 06.53
> To: netfilter@vger.kernel.org
> Subject: Re: using iptables to route between subnets
>
>
>
> On 02/15/2018 08:15 PM, zrm wrote:
>> On 02/15/2018 09:25 PM, A wrote:
>>> I am trying to route packets between two internal/private subnets
>>> 10.1.1.0/24 and 10.1.2.0/24 .  The second subnet happens to be wireless.
>>>
>>> I've read until my eyes bled and have been at this for several days.
>>> I've tried a variety of different ways based on others' similar
>>> posted attempts, and at this point things are a mess as you will see
>>> below.  In addition to simple routing, I need to get my wireless
>>> printer working too, which is essentially the real reason I'm doing
>>> this, and I'm hoping that issue will be resolved by this as well.
>>>
>>>
>>> This is a diagram of my network:
>>> https://www.lucidchart.com/documents/edit/58779470-32c0-407d-8111-0b074b35ff4d/0?shared=true
>>>
>>>
>>> These are the relevant rules:
>>>
>>> iptables-save -c | grep RULE
>>>
>>>
>>> [1:40] -A PREROUTING -i enp6s0 -p tcp -m multiport --dports 80,443 -m comment --comment "RULE 1; in WAN port 80,443; rewrite dst as LAN address" -j DNAT --to-destination 10.1.1.1
>>> [1:328] -A PREROUTING -d 10.1.2.0/24 -m comment --comment "RULE 1A; if source WLAN rewrite as LAN address" -j NETMAP --to 10.1.1.0/24
>>> [26:3083] -A POSTROUTING -s 10.1.0.0/16 -o enp6s0 -m comment --comment "RULE 2; after routing rewrite to WAN address iff src LAN or WLAN, out WAN" -j MASQUERADE
>>> [183:72318] -A FORWARD -i enp6s0 -o wlp2s0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "RULE 3; in WAN; out wireless, iff established." -j ACCEPT
>>> [0:0] -A FORWARD -d 10.1.1.0/24 -i wlp2s0 -o enp4s5 -m comment --comment "RULE 4; in wireless out LAN; iff dst LAN" -j ACCEPT
>>> [324:69828] -A FORWARD -s 10.1.0.0/16 ! -d 10.1.0.0/16 -o enp6s0 -m comment --comment "RULE 5; src LAN or WLAN, dst not LAN nor WLAN, out WAN" -j ACCEPT
>>> [0:0] -A FORWARD -s 10.1.2.0/24 ! -d 10.1.0.0/16 -o enp6s0 -m comment --comment "RULE 5w; src WLAN out WAN, iff dst not WLAN nor LAN" -j ACCEPT
>>> [0:0] -A FORWARD -s 10.1.0.0/16 -d 10.1.2.0/24 -o wlp2s0 -m comment --comment "RULE 8; src LAN or WLAN, dst WLAN, out WLAN" -j ACCEPT
>>> [1:76] -A FORWARD -d 10.1.1.0/24 -i enp6s0 -o enp4s5 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "RULE 6; in WAN out LAN, iff established and dst LAN" -j ACCEPT
>>> [0:0] -A FORWARD -d 10.1.1.0/24 -i enp6s0 -p tcp -m multiport --dports 80,443 -m comment --comment "RULE 7 supplies a target for RULE 1" -j ACCEPT
>>>
>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>
>>> Some of them are obviously not getting hit, I don't know why. I'm not
>>> really sure which I need, at this point I've grown dizzy from looking
>>> at them.
>>>
>>>
>>> Here is the full set of rules if you'd like to see, though the above
>>> I think might suffice: http://fnpaste.com/qprP
>>>
>>> Thank you in advance for your help!
>> That is more complicated than it needs to be. Also, you have a NETMAP
>> rule in there which is probably causing problems.
>>
>> Try getting rid of that and replacing all the FORWARD rules with this:
>>
>> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>> -A FORWARD -i enp4s5 -s 10.1.1.0/24 -j ACCEPT
>> -A FORWARD -i wlp2s0 -s 10.1.2.0/24 -j ACCEPT
>> -A FORWARD -j REJECT
>>
>>
> Thank you for responding!  I have done as you suggested.  Is this closer  http://fnpaste.com/goQN to what you were suggesting?  It's still not working.



* Re: SV: using iptables to route between subnets
  2018-02-16 16:13         ` A
@ 2018-02-16 16:14           ` A
  0 siblings, 0 replies; 6+ messages in thread
From: A @ 2018-02-16 16:14 UTC (permalink / raw)
  To: netfilter

whoops.  Posted the wrong value a few seconds ago.  Here's the requested 
one.

# sudo sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1



On 02/16/2018 08:13 AM, A wrote:
> # sudo sysctl net.ipv6.conf.all.forwarding
> net.ipv6.conf.all.forwarding = 1
>
>
> On 02/16/2018 01:08 AM, André Paulsberg-Csibi (IBM Consultant) wrote:
>> Just one question: have you set "net.ipv4.ip_forward" to 1? (Check 
>> with this command):
>>
>> "sudo sysctl net.ipv4.ip_forward"
>>
>>
>> Best regards
>> André Paulsberg-Csibi
>> Senior Network Engineer
>> IBM Services AS
>>
>> -----Original message-----
>> From: netfilter-owner@vger.kernel.org 
>> [mailto:netfilter-owner@vger.kernel.org] On behalf of A
>> Sent: Friday 16 February 2018 06.53
>> To: netfilter@vger.kernel.org
>> Subject: Re: using iptables to route between subnets
>>
>>
>>
>> On 02/15/2018 08:15 PM, zrm wrote:
>>> On 02/15/2018 09:25 PM, A wrote:
>>>> I am trying to route packets between two internal/private subnets
>>>> 10.1.1.0/24 and 10.1.2.0/24 .  The second subnet happens to be 
>>>> wireless.
>>>>
>>>> I've read until my eyes bled and have been at this for several days.
>>>> I've tried a variety of different ways based on others' similar
>>>> posted attempts, and at this point things are a mess as you will see
>>>> below.  In addition to simple routing, I need to get my wireless
>>>> printer working too, which is essentially the real reason I'm doing
>>>> this, and I'm hoping that issue will be resolved by this as well.
>>>>
>>>>
>>>> This is a diagram of my network:
>>>> https://www.lucidchart.com/documents/edit/58779470-32c0-407d-8111-0b074b35ff4d/0?shared=true
>>>>
>>>>
>>>> These are the relevant rules:
>>>>
>>>> iptables-save -c | grep RULE
>>>>
>>>>
>>>> [1:40] -A PREROUTING -i enp6s0 -p tcp -m multiport --dports 80,443 -m comment --comment "RULE 1; in WAN port 80,443; rewrite dst as LAN address" -j DNAT --to-destination 10.1.1.1
>>>> [1:328] -A PREROUTING -d 10.1.2.0/24 -m comment --comment "RULE 1A; if source WLAN rewrite as LAN address" -j NETMAP --to 10.1.1.0/24
>>>> [26:3083] -A POSTROUTING -s 10.1.0.0/16 -o enp6s0 -m comment --comment "RULE 2; after routing rewrite to WAN address iff src LAN or WLAN, out WAN" -j MASQUERADE
>>>> [183:72318] -A FORWARD -i enp6s0 -o wlp2s0 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "RULE 3; in WAN; out wireless, iff established." -j ACCEPT
>>>> [0:0] -A FORWARD -d 10.1.1.0/24 -i wlp2s0 -o enp4s5 -m comment --comment "RULE 4; in wireless out LAN; iff dst LAN" -j ACCEPT
>>>> [324:69828] -A FORWARD -s 10.1.0.0/16 ! -d 10.1.0.0/16 -o enp6s0 -m comment --comment "RULE 5; src LAN or WLAN, dst not LAN nor WLAN, out WAN" -j ACCEPT
>>>> [0:0] -A FORWARD -s 10.1.2.0/24 ! -d 10.1.0.0/16 -o enp6s0 -m comment --comment "RULE 5w; src WLAN out WAN, iff dst not WLAN nor LAN" -j ACCEPT
>>>> [0:0] -A FORWARD -s 10.1.0.0/16 -d 10.1.2.0/24 -o wlp2s0 -m comment --comment "RULE 8; src LAN or WLAN, dst WLAN, out WLAN" -j ACCEPT
>>>> [1:76] -A FORWARD -d 10.1.1.0/24 -i enp6s0 -o enp4s5 -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "RULE 6; in WAN out LAN, iff established and dst LAN" -j ACCEPT
>>>> [0:0] -A FORWARD -d 10.1.1.0/24 -i enp6s0 -p tcp -m multiport --dports 80,443 -m comment --comment "RULE 7 supplies a target for RULE 1" -j ACCEPT
>>>>
>>>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>>>
>>>> Some of them are obviously not getting hit, I don't know why. I'm not
>>>> really sure which I need, at this point I've grown dizzy from looking
>>>> at them.
>>>>
>>>>
>>>> Here is the full set of rules if you'd like to see, though the above
>>>> I think might suffice: http://fnpaste.com/qprP
>>>>
>>>> Thank you in advance for your help!
>>> That is more complicated than it needs to be. Also, you have a NETMAP
>>> rule in there which is probably causing problems.
>>>
>>> Try getting rid of that and replacing all the FORWARD rules with this:
>>>
>>> -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
>>> -A FORWARD -i enp4s5 -s 10.1.1.0/24 -j ACCEPT
>>> -A FORWARD -i wlp2s0 -s 10.1.2.0/24 -j ACCEPT
>>> -A FORWARD -j REJECT
>>>
>>>
>> Thank you for responding!  I have done as you suggested.  Is this 
>> closer  http://fnpaste.com/goQN to what you were suggesting?  It's 
>> still not working.

