* VLAN et iptables
@ 2010-04-03 3:57 Jeetu Golani
2010-04-03 5:46 ` elko
[not found] ` <20100403080147.04d1add3@catlap>
0 siblings, 2 replies; 4+ messages in thread
From: Jeetu Golani @ 2010-04-03 3:57 UTC (permalink / raw)
To: netfilter; +Cc: Arun Khan, Erle Pereira
Hi,
I have a Debian system that I am trying to configure as a router for a MPLS
VPN setup. I'm having trouble setting up the iptables rules to forward
internet traffic from remote locations. Admittedly this isn't my forte
therefore I would sincerely appreciate any help :)
Network Description:
At the head office, the ISP facing router has two physical NICs (eth0 and
eth1).
eth0 is connected to the head office "local" LAN 192.168.0.0/24.
eth1 has two VLAN interfaces 105 and 689 (vlan105 and vlan689)
connecting to the Service Provider's (SP) Network
Termination Unit (NTU)
vlan105 carries VPN traffic coming in from remote locations e.g two
LANs subnets over MPLS VPN (a) 192.168.1.0/24 and (b) 172.16.0.0/16
vlan689 carries company <> INTERNET traffic
Internet access for "remote" locations, all Internet traffic comes to
above router over vlan105 sub interface and have it SNAT'd/Masquerade
to the Internet over vlan689 interface.
---------------------
The following is the iptables script I have tried however it doesn't work:
INTIF1="eth0" # physical interface for local LAN
INTIF2="vlan105" # VLAN iface for VPN traffic to remote location
EXTIF="vlan689" # VLAN iface for INTERNET traffic
EXTIP="x.x.x.x" #public IP for our CE router
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
echo "1" > /proc/sys/net/ipv4/ip_forward
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
# for Matunga subnet 192.168.0.0/24
iptables -A FORWARD -i $EXTIF -o $INTIF1 -d 192.168.0.0/24 -m state --
state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF1 -o $EXTIF -s 192.168.0.0/24 -m -j
ACCEPT
# for Silvassa subnet 172.16.0.0/16
iptables -A FORWARD -i $EXTIF -o $INTIF2 -d 172.16.0.0/16 -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF2 -o $EXTIF -s 172.16.0.0/16 -m -j ACCEPT
# for Colaba subnet 192.168.1.0/24
iptables -A FORWARD -i $EXTIF -o $INTIF2 -d 192.168.1.0/24 -m state --
state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF2 -o $EXTIF -s 192.168.1.0/24 -m -j
ACCEPT
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
--------------------------------------------
Would sincerely appreciate any help. Thanks
Bye for now
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: VLAN et iptables
2010-04-03 3:57 VLAN et iptables Jeetu Golani
@ 2010-04-03 5:46 ` elko
[not found] ` <20100403080147.04d1add3@catlap>
1 sibling, 0 replies; 4+ messages in thread
From: elko @ 2010-04-03 5:46 UTC (permalink / raw)
To: Jeetu Golani; +Cc: netfilter, Arun Khan, Erle Pereira
What you have as output of
ifconfig
I cannot see your vlan interfaces in iptabels ?
Best regards,
Elko
On Sat, 2010-04-03 at 09:27 +0530, Jeetu Golani wrote:
> Hi,
>
> I have a Debian system that I am trying to configure as a router for a MPLS
> VPN setup. I'm having trouble setting up the iptables rules to forward
> internet traffic from remote locations. Admittedly this isn't my forte
> therefore I would sincerely appreciate any help :)
>
> Network Description:
> At the head office, the ISP facing router has two physical NICs (eth0 and
> eth1).
>
> eth0 is connected to the head office "local" LAN 192.168.0.0/24.
>
> eth1 has two VLAN interfaces 105 and 689 (vlan105 and vlan689)
> connecting to the Service Provider's (SP) Network
> Termination Unit (NTU)
>
> vlan105 carries VPN traffic coming in from remote locations e.g two
> LANs subnets over MPLS VPN (a) 192.168.1.0/24 and (b) 172.16.0.0/16
>
> vlan689 carries company <> INTERNET traffic
>
> Internet access for "remote" locations, all Internet traffic comes to
> above router over vlan105 sub interface and have it SNAT'd/Masquerade
> to the Internet over vlan689 interface.
> ---------------------
>
> The following is the iptables script I have tried however it doesn't work:
>
> INTIF1="eth0" # physical interface for local LAN
> INTIF2="vlan105" # VLAN iface for VPN traffic to remote location
> EXTIF="vlan689" # VLAN iface for INTERNET traffic
> EXTIP="x.x.x.x" #public IP for our CE router
>
> /sbin/depmod -a
> /sbin/modprobe ip_tables
> /sbin/modprobe ip_conntrack
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_conntrack_irc
> /sbin/modprobe iptable_nat
> /sbin/modprobe ip_nat_ftp
> echo "1" > /proc/sys/net/ipv4/ip_forward
> #echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
> iptables -P INPUT ACCEPT
> iptables -F INPUT
> iptables -P OUTPUT ACCEPT
> iptables -F OUTPUT
> iptables -P FORWARD DROP
> iptables -F FORWARD
>
> iptables -t nat -F
>
> # for Matunga subnet 192.168.0.0/24
> iptables -A FORWARD -i $EXTIF -o $INTIF1 -d 192.168.0.0/24 -m state --
> state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $INTIF1 -o $EXTIF -s 192.168.0.0/24 -m -j
> ACCEPT
>
> # for Silvassa subnet 172.16.0.0/16
> iptables -A FORWARD -i $EXTIF -o $INTIF2 -d 172.16.0.0/16 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $INTIF2 -o $EXTIF -s 172.16.0.0/16 -m -j ACCEPT
>
> # for Colaba subnet 192.168.1.0/24
> iptables -A FORWARD -i $EXTIF -o $INTIF2 -d 192.168.1.0/24 -m state --
> state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $INTIF2 -o $EXTIF -s 192.168.1.0/24 -m -j
> ACCEPT
>
> iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
> --------------------------------------------
>
> Would sincerely appreciate any help. Thanks
>
> Bye for now
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: VLAN et iptables
[not found] ` <20100403080147.04d1add3@catlap>
@ 2010-04-03 7:58 ` Jeetu Golani
2010-04-05 6:02 ` Pieter Smit
0 siblings, 1 reply; 4+ messages in thread
From: Jeetu Golani @ 2010-04-03 7:58 UTC (permalink / raw)
To: Marek Kierdelewicz; +Cc: netfilter, elko, Arun Khan, Erle Pereira
Hi Elko / Marek,
Thank you so much for replying back.
I've pasted down below the ifconfig output and the routing table at the router
in the head office.
The routers can ping each other, they can also ping their respective PE's. The
router at the head office, where we have the iptables script, can ping both
the VPN PE and the gateway for the public IP.
Furthermore if all we have are the following rules, the HO LAN 192.168.0.0
can reach the public gateway and surf the internet, the remote locations
can't:
iptables -A FORWARD -i $EXTIF -o $INTIF1 -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF1 -o $EXTIF -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF2 -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
With the script I had posted earlier none of the locations can reach the
public gateway.
Truly appreciate all the help.
Regards,
Jeetu
http://www.ebrain.in
- An open (GPL) platform to discover and run software off someone in the
meshed network pool and use it on your own device.
twitter: @0topcat0 and @ebrainpool
--------------------------------
ifconfig output:
eth0 Link encap:Ethernet HWaddr 00:27:0e:16:e1:a5
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::227:eff:fe16:e1a5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:482754 errors:0 dropped:0 overruns:0 frame:0
TX packets:743399 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:38759551 (36.9 MiB) TX bytes:1024701055 (977.2 MiB)
Interrupt:27 Base address:0xe000
eth1 Link encap:Ethernet HWaddr 00:e0:1c:3b:a0:c1
inet6 addr: fe80::2e0:1cff:fe3b:a0c1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1750085 errors:0 dropped:0 overruns:0 frame:0
TX packets:623003 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1103786909 (1.0 GiB) TX bytes:48633230 (46.3 MiB)
Interrupt:21 Base address:0x6000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:157 errors:0 dropped:0 overruns:0 frame:0
TX packets:157 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:17134 (16.7 KiB) TX bytes:17134 (16.7 KiB)
vlan105 Link encap:Ethernet HWaddr 00:e0:1c:3b:a0:c1
inet addr:10.235.122.158 Bcast:10.235.122.159
Mask:255.255.255.252
inet6 addr: fe80::2e0:1cff:fe3b:a0c1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:68906 errors:0 dropped:0 overruns:0 frame:0
TX packets:68917 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:3445300 (3.2 MiB) TX bytes:3170595 (3.0 MiB)
#public IP
vlan689 Link encap:Ethernet HWaddr 00:e0:1c:3b:a0:c1
inet addr: a.b.c.d Bcast:a.b.c.(d+1) Mask:255.255.255.252
inet6 addr: fe80::2e0:1cff:fe3b:a0c1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:826133 errors:0 dropped:0 overruns:0 frame:0
TX packets:554080 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1022440202 (975.0 MiB) TX bytes:42842359 (40.8 MiB)
------------------------------------------------------------------
Kernel IP routing table:
Destination Gateway Genmask Flags Metric Ref Use Iface
10.235.122.186 0.0.0.0 255.255.255.255 UH 0 0 0
vlan105
10.235.122.94 0.0.0.0 255.255.255.255 UH 0 0 0
vlan105
a.b.c.16 0.0.0.0 255.255.255.252 U 0 0 0 vlan689
10.235.122.156 0.0.0.0 255.255.255.252 U 0 0 0
vlan105
192.168.1.0 10.235.122.94 255.255.255.0 UG 0 0 0
vlan105
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
172.16.0.0 10.235.122.186 255.255.0.0 UG 0 0 0
vlan105
0.0.0.0 a.b.c.17 0.0.0.0 UG 0 0 0 vlan689
On Saturday 03 April 2010, Marek Kierdelewicz wrote:
> > Hi,
>
> Hi Jeetu,
>
> >I have a Debian system that I am trying to configure as a router for a
> >Network Description:
> >At the head office, the ISP facing router has two physical NICs (eth0
> >and eth1).
>
> Your script looks good. It's probably on purpose but in current setup
> you won't be able to reach one private subnet from another.
>
> Just to be sure - if you want the box to act as a router for subnets
> 192.168.1.0/24 and 172.16.0.0/16 then you need ip addresses from these
> subnets on vlan105 interface.
>
> Regards,
> Marek
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: VLAN et iptables
2010-04-03 7:58 ` Jeetu Golani
@ 2010-04-05 6:02 ` Pieter Smit
0 siblings, 0 replies; 4+ messages in thread
From: Pieter Smit @ 2010-04-05 6:02 UTC (permalink / raw)
To: Jeetu Golani; +Cc: netfilter
Hi Jeetu,
My suggestion, simplify your rules a little.
1. Start with a single rule to allow established connections.
2. You seem to have a extra [-m] in the subnet rules. (Could add -m
state --state NEW)
3. Adding a log rule to the end of the Forward table and looking at
non matched packets could help you see what the problem might be.
# for all subnets
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# for Matunga subnet 192.168.0.0/24
iptables -A FORWARD -i $INTIF1 -o $EXTIF -s 192.168.0.0/24 -j ACCEPT
# for Silvassa subnet 172.16.0.0/16
iptables -A FORWARD -i $INTIF2 -o $EXTIF -s 172.16.0.0/16 -j ACCEPT
# for Colaba subnet 192.168.1.0/24
iptables -A FORWARD -i $INTIF2 -o $EXTIF -s 192.168.1.0/24 -j ACCEPT
Regards,
Pieter
On Sat, Apr 3, 2010 at 9:58 AM, Jeetu Golani <jeetu.golani@gmail.com> wrote:
> Hi Elko / Marek,
>
> Thank you so much for replying back.
>
> I've pasted down below the ifconfig output and the routing table at the router
> in the head office.
>
> The routers can ping each other, they can also ping their respective PE's. The
> router at the head office, where we have the iptables script, can ping both
> the VPN PE and the gateway for the public IP.
>
> Furthermore if all we have are the following rules, the HO LAN 192.168.0.0
> can reach the public gateway and surf the internet, the remote locations
> can't:
>
> iptables -A FORWARD -i $EXTIF -o $INTIF1 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $INTIF1 -o $EXTIF -j ACCEPT
> iptables -A FORWARD -i $EXTIF -o $INTIF2 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT
>
> iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
> With the script I had posted earlier none of the locations can reach the
> public gateway.
>
> Truly appreciate all the help.
>
> Regards,
> Jeetu
> http://www.ebrain.in
> - An open (GPL) platform to discover and run software off someone in the
> meshed network pool and use it on your own device.
>
> twitter: @0topcat0 and @ebrainpool
>
>
>
> --------------------------------
> ifconfig output:
>
> eth0 Link encap:Ethernet HWaddr 00:27:0e:16:e1:a5
> inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
> inet6 addr: fe80::227:eff:fe16:e1a5/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:482754 errors:0 dropped:0 overruns:0 frame:0
> TX packets:743399 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:38759551 (36.9 MiB) TX bytes:1024701055 (977.2 MiB)
> Interrupt:27 Base address:0xe000
>
> eth1 Link encap:Ethernet HWaddr 00:e0:1c:3b:a0:c1
> inet6 addr: fe80::2e0:1cff:fe3b:a0c1/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:1750085 errors:0 dropped:0 overruns:0 frame:0
> TX packets:623003 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:1103786909 (1.0 GiB) TX bytes:48633230 (46.3 MiB)
> Interrupt:21 Base address:0x6000
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> inet6 addr: ::1/128 Scope:Host
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:157 errors:0 dropped:0 overruns:0 frame:0
> TX packets:157 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:17134 (16.7 KiB) TX bytes:17134 (16.7 KiB)
>
> vlan105 Link encap:Ethernet HWaddr 00:e0:1c:3b:a0:c1
> inet addr:10.235.122.158 Bcast:10.235.122.159
> Mask:255.255.255.252
> inet6 addr: fe80::2e0:1cff:fe3b:a0c1/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:68906 errors:0 dropped:0 overruns:0 frame:0
> TX packets:68917 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:3445300 (3.2 MiB) TX bytes:3170595 (3.0 MiB)
>
> #public IP
> vlan689 Link encap:Ethernet HWaddr 00:e0:1c:3b:a0:c1
> inet addr: a.b.c.d Bcast:a.b.c.(d+1) Mask:255.255.255.252
> inet6 addr: fe80::2e0:1cff:fe3b:a0c1/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:826133 errors:0 dropped:0 overruns:0 frame:0
> TX packets:554080 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:1022440202 (975.0 MiB) TX bytes:42842359 (40.8 MiB)
> ------------------------------------------------------------------
>
> Kernel IP routing table:
>
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 10.235.122.186 0.0.0.0 255.255.255.255 UH 0 0 0
> vlan105
> 10.235.122.94 0.0.0.0 255.255.255.255 UH 0 0 0
> vlan105
> a.b.c.16 0.0.0.0 255.255.255.252 U 0 0 0 vlan689
> 10.235.122.156 0.0.0.0 255.255.255.252 U 0 0 0
> vlan105
> 192.168.1.0 10.235.122.94 255.255.255.0 UG 0 0 0
> vlan105
> 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 172.16.0.0 10.235.122.186 255.255.0.0 UG 0 0 0
> vlan105
> 0.0.0.0 a.b.c.17 0.0.0.0 UG 0 0 0 vlan689
>
>
>
> On Saturday 03 April 2010, Marek Kierdelewicz wrote:
>> > Hi,
>>
>> Hi Jeetu,
>>
>> >I have a Debian system that I am trying to configure as a router for a
>> >Network Description:
>> >At the head office, the ISP facing router has two physical NICs (eth0
>> >and eth1).
>>
>> Your script looks good. It's probably on purpose but in current setup
>> you won't be able to reach one private subnet from another.
>>
>> Just to be sure - if you want the box to act as a router for subnets
>> 192.168.1.0/24 and 172.16.0.0/16 then you need ip addresses from these
>> subnets on vlan105 interface.
>>
>> Regards,
>> Marek
>>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2010-04-05 6:02 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-04-03 3:57 VLAN et iptables Jeetu Golani
2010-04-03 5:46 ` elko
[not found] ` <20100403080147.04d1add3@catlap>
2010-04-03 7:58 ` Jeetu Golani
2010-04-05 6:02 ` Pieter Smit
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.