This is a discussion on iptables, NAT and multiple subnets - how? within the Linux Networking forums, part of the Linux Forums category.
NOTE: I originally tried to post this on 10/04/2003 under a different subject but don't know if it went through as I never saw it on my ISP's server. If any of you see this twice I apologize.

------Original Post------

Hi Folks,

I have spent several hours searching Google and TLDP for an answer to my question but can't find what I need. In a nutshell here is the setup:

    [Public Internet]
    ||
    Cisco 3640 <-> (public IP)Linux Firewall(172.16.128.7) +-> 172.16.128.0
    ||                                                     +
    Frame Relay <------------------------------------------+
    ||
    |+ <-----------------------------------------------> 192.168.0.0
    ||
    |+ <-----------------------------------------------> 172.16.64.0
    etc.

The Cisco 3640 has two interfaces from what I've been told (the box is in a location about 200 miles from here) with one going to the internet and the other, using multiple sub interfaces, handling Frame Relay on the private IP space.

Question: How do I configure the firewall (iptables on 2.4.21 kernel) to NAT for the private IP space other than 172.16.128.0?

I can ping the addresses in 172.16.128.0 all day but if I login to the firewall box and try to ping 192.168.0.203 (a linux box sitting in one of the remote locations) through the 172.16.128.7 interface I get "ping: sendmsg: Operation not permitted". I'm fairly sure this has to do with my iptables rules but don't know how to get it working.

I am using the firewall rules from here: http://makeashorterlink.com/?P64625A16 (Goes to the "stronger firewall" in the "Linux IP Masquerade HOWTO"). The only changes I made were to put in the IP address for the 172.x interface and to allow ssh incoming on the public interface for remote support from my office and from the IT administrator's home.
Here is a copy of the "iptables -L" output:

    [root@firewall root]# iptables -L
    Chain INPUT (policy DROP)
    target           prot opt source               destination
    ACCEPT           all  --  anywhere             anywhere
    ACCEPT           all  --  172.16.128.0/26      anywhere
    drop-and-log-it  all  --  172.16.128.0/26      anywhere
    ACCEPT           icmp --  anywhere             firewall.msco.UUCP
    ACCEPT           all  --  anywhere             firewall.msco.UUCP  state RELATED,ESTABLISHED
    ACCEPT           tcp  --  anywhere             firewall.msco.UUCP  state NEW,RELATED,ESTABLISHED tcp dpt:ssh
    drop-and-log-it  all  --  anywhere             anywhere

    Chain FORWARD (policy DROP)
    target           prot opt source               destination
    ACCEPT           all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT           all  --  anywhere             anywhere
    drop-and-log-it  all  --  anywhere             anywhere

    Chain OUTPUT (policy DROP)
    target           prot opt source               destination
    ACCEPT           all  --  anywhere             anywhere
    ACCEPT           all  --  firewall.msco.UUCP   172.16.128.0/26
    ACCEPT           all  --  172.16.128.0/26      172.16.128.0/26
    drop-and-log-it  all  --  anywhere             172.16.128.0/26
    ACCEPT           all  --  firewall.msco.UUCP   anywhere
    drop-and-log-it  all  --  anywhere             anywhere

    Chain drop-and-log-it (5 references)
    target           prot opt source               destination
    LOG              all  --  anywhere             anywhere            LOG level info
    DROP             all  --  anywhere             anywhere

What document have I missed that will show me how to get this going? A link to a Google Groups discussion that shows how to resolve this would be good too. Of course I will always just accept an outright answer. :-) In the interim I'll keep searching the 'net.

BTW, if anyone intends to reply by e-maul (intentional misspelling) please use the de-spammed address below. The e-mail address on this post is real but everything going to it is simply deleted on the POP server and I never see it.

TIA!

Gene (e-mail: gene \a\t eracc \d\o\t com)
--
Linux era1.eracc.UUCP 2.4.21-0.13mdk i686
11:40:29 up 40 days, 15:18, 10 users, load average: 0.47, 0.28, 0.20
ERA Computer Consulting - http://www.eracc.com/
eCS, OS/2, Mandrake GNU/Linux, OpenServer & UnixWare resellers
On Mon, 06 Oct 2003 11:50:43 -0500, ERACC wrote:
> NOTE: I originally tried to post this on 10/04/2003 under a different
> subject but don't know if it went through as I never saw it on my ISP's
> server. If any of you see this twice I apologize.
>
> ------Original Post------
> Hi Folks,
>
> I have spent several hours searching Google and TLDP for an answer to my
> question but can't find what I need. In a nutshell here is the setup:
>
> [Public Internet]
> ||
> Cisco 3640 <-> (public IP)Linux Firewall(172.16.128.7) +-> 172.16.128.0
> ||                                                     +
> Frame Relay <------------------------------------------+
> ||
> |+ <-----------------------------------------------> 192.168.0.0
> ||
> |+ <-----------------------------------------------> 172.16.64.0
> etc.

[...]

The answer is to add a rule for each subnet like so:

    $IPTABLES -A INPUT -i $INTIF -s 192.168.0.0/255.255.255.0 -d $UNIVERSE -j ACCEPT
    $IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d 192.168.0.0/255.255.255.0 -j ACCEPT
    $IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d 192.168.0.0/255.255.255.0 -j ACCEPT

A simple answer but, IMNSHO, not obvious to anyone learning to config iptables for multiple subnets for the first time. :-/

Gene (e-mail: gene \a\t eracc \d\o\t com)
--
Linux era1.eracc.UUCP 2.4.21-0.13mdk i686
17:25:32 up 40 days, 21:03, 10 users, load average: 0.12, 0.16, 0.15
ERA Computer Consulting - http://www.eracc.com/
eCS, OS/2, Mandrake GNU/Linux, OpenServer & UnixWare resellers