Geekzone: technology news, blogs, forums

#41968 26-Sep-2009 16:37

Need to get something on my firewall machine that is between my LAN and my flatmate's.

3 active NICs in it now: one to the ADSL router, one to my PCs, one to my flatmate's LAN.

It's the default gateway for my LAN, and is NATting everything to the ADSL router as that is the default gateway.

I need it to just route between my network and the flatmate's; a static route will be made on his machines to my machine.

eth0  - my internal lan
192.168.1.1 255.255.255.0


eth2 - my adsl router
10.20.0.10  255.255.255.0
gateway is 10.20.0.1 (my adsl router)

eth3 - on flatmates lan
10.30.0.10 - 255.255.255.0

no gateway or all my traffic goes on his internet.


I have a file from iptables-save that I pipe to iptables-restore:

# Generated by iptables-save v1.2.11 on Tue May 16 22:13:55 2006
*raw
:PREROUTING ACCEPT [67917:13329159]
:OUTPUT ACCEPT [12676:1026290]
COMMIT

*nat
:PREROUTING ACCEPT [3927:262748]
:POSTROUTING ACCEPT [158:10907]
:OUTPUT ACCEPT [158:10907]

(whole heap of portforwards)


-A POSTROUTING -s 192.168.1.0/255.255.255.0 -j MASQUERADE

COMMIT
# Completed on Tue May 16 22:13:55 2006
# Generated by iptables-save v1.2.11 on Tue May 16 22:13:55 2006
*mangle
:PREROUTING ACCEPT [67918:13329251]
:INPUT ACCEPT [12931:2572624]
:FORWARD ACCEPT [54977:10755022]
:OUTPUT ACCEPT [12676:1026290]
:POSTROUTING ACCEPT [67653:11781312]
COMMIT
# Completed on Tue May 16 22:13:55 2006
# Generated by iptables-save v1.2.11 on Tue May 16 22:13:55 2006
*filter
:INPUT ACCEPT [12931:2572624]
:FORWARD ACCEPT [54977:10755022]
:OUTPUT ACCEPT [12676:1026290]
COMMIT
# Completed on Tue May 16 22:13:55 2006

I'm assuming that I need to change the line in bold to something else, or put something ahead of it to say not to NAT stuff to the 10.30.0.0/24 range, but am not sure what exactly.

Richard rich.ms

#259263 29-Sep-2009 09:01

-A POSTROUTING -s 192.168.1.0/24 -d ! 10.20.0.0/24 -j MASQUERADE -o eth2
-A FORWARD -i eth0 -o eth3 -s 192.168.1.0/24 -d 10.20.0.0/24 -j ACCEPT

I'm far from an expert but does this work? (Replacing the line in bold)

#259907 30-Sep-2009 22:43

How did you go with this? I'm not much of a fan of iptables-save/restore. I prefer to see rules through iptables -L and set them up in scripts.

One thing to make sure of is that you have enabled ip_forwarding; otherwise traffic from one LAN destined for another will not be forwarded regardless of rules.

I've made a very basic quick firewall script you may be able to use if you want. Completely untested, so your mileage may vary :)

Also, if your Linux box is the default gateway for all machines on either network, then there is no need for static routes :) as each PC will send data to the Linux box as the default gateway, which will then forward to the correct network.

#263179 10-Oct-2009 21:49

I finally got around to trying that; it fails on line 63, which is

-A FORWARD -i eth0 -o eth3 -s 192.168.1.0/24 -d 10.20.0.0/24 -j ACCEPT


Seems to be happy with this lot, however, and it seems to do what I want; haven't checked that there is no internet access from the flatmate's side yet.

-A PREROUTING -s 10.30.0.1/24 -d ! 192.168.1.0/24 -j DROP
-A POSTROUTING -s 10.30.0.1/24 -d 192.168.1.0/24 -j ACCEPT
-A POSTROUTING -s 192.168.0.1/24 -d 10.30.0.1/24 -j ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -d ! 192.168.1.0/24 -j MASQUERADE
Richard rich.ms
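An added example, not from any poster in this thread: a complete iptables-restore file for the three-NIC layout described in the first post, plus a small lint pass. The FORWARD policy is DROP, so the flatmate's LAN (10.30.0.0/24 on eth3) can reach 192.168.1.0/24 but never eth2, and MASQUERADE is restricted to packets leaving on eth2, so traffic between the two LANs is routed with its real addresses rather than NATted. The interface names and subnets are the thread's; the state match, the lint function and the apply wrapper are my assumptions. The lint flags two things worth checking in any dump like the one above: a -A FORWARD line placed under *nat (the nat table has no FORWARD chain, so iptables-restore aborts on such a line; it must sit under *filter or *mangle), and a MASQUERADE rule with no -o, which would also rewrite the source of LAN-to-LAN traffic.

```shell
#!/bin/sh
# Added example (not from the thread): ruleset generator, lint pass and
# apply wrapper for a router between a private LAN, an ADSL router and a
# flatmate's LAN. Subnets and interface names come from the first post;
# the rest is assumed.

LAN_IF=eth0;  LAN_NET=192.168.1.0/24      # my internal LAN
WAN_IF=eth2;  WAN_NET=10.20.0.0/24        # towards the ADSL router (10.20.0.1)
FLAT_IF=eth3; FLAT_NET=10.30.0.0/24       # flatmate's LAN

# Print an iptables-restore file. Policy: forward only what is listed,
# NAT only what leaves via the ADSL interface.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Only packets leaving on $WAN_IF are masqueraded; traffic to $FLAT_NET goes
# out $FLAT_IF, never matches here, and keeps its real source address.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies belonging to an already-allowed flow.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# My LAN may reach the internet and the flatmate's LAN.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $LAN_IF -o $FLAT_IF -s $LAN_NET -d $FLAT_NET -j ACCEPT
# Flatmate's LAN may reach my LAN only. The explicit DROP towards $WAN_IF
# is redundant with the policy but stops a later appended ACCEPT from
# quietly opening internet access through my router.
-A FORWARD -i $FLAT_IF -o $LAN_IF -s $FLAT_NET -d $LAN_NET -j ACCEPT
-A FORWARD -i $FLAT_IF -o $WAN_IF -j DROP
COMMIT
EOF
}

# Lint an iptables-save style file read from stdin. Exit 0 when clean.
# Catches: a FORWARD rule in a table that has no FORWARD chain (nat, raw),
# which makes iptables-restore abort on that line, and a MASQUERADE rule
# without -o, which would also NAT traffic leaving on the flatmate side.
lint_ruleset() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        /^-A FORWARD/ && table != "filter" && table != "mangle" {
            printf "line %d: FORWARD chain does not exist in table %s\n", NR, table
            bad = 1
        }
        /-j MASQUERADE/ && $0 !~ / -o / {
            printf "line %d: MASQUERADE without -o <iface> also NATs LAN-to-LAN traffic\n", NR
            bad = 1
        }
        END { exit bad }
    '
}

# Enable forwarding and load the ruleset atomically (run as root).
apply_ruleset() {
    gen_ruleset | lint_ruleset || return 1
    sysctl -w net.ipv4.ip_forward=1
    gen_ruleset | iptables-restore
}

case "${1:-}" in
    apply) apply_ruleset ;;
    lint)  lint_ruleset ;;        # sh firewall.sh lint < /etc/iptables.rules
    *)     gen_ruleset ;;
esac
```

The DNAT port forwards from the original *nat section are left out; with the FORWARD policy at DROP, each forwarded port also needs a matching -A FORWARD -i eth2 -o eth0 ... -j ACCEPT rule in *filter, or that "whole heap of portforwards" stops passing traffic. Run the script with no argument to review the generated file, with `lint` and a dump on stdin to check an existing ruleset, and with `apply` as root to load it.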