Saturday, August 11, 2012

Route and NAT with Linux

Getting a system to route is fairly easy. If you're just interested in seeing the commands as a reminder, the examples are at the bottom. If some of this is foreign and you need the context, keep reading.

It takes about three or four modifications before you're up and running. The first step is to tell the running kernel to allow IP forwarding: modify your /etc/sysctl.conf file and change net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1.
Run sysctl -p to force the system to load the change immediately. After the kernel is taken care of, we just need to tell your iptables chains what to do with forwarded packets.

First we need to add the following rules. I usually edit the /etc/sysconfig/iptables file manually for this, to ensure these statements go above the reject statements.

iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT


Red Hat suggests differently, here's how their instructions read:

iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT


I've found a number of combinations that will work... or won't, but I'll leave you to figure out why; the rules below are a pretty good hint though. From another site, this is what is suggested:

iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT


The philosophy here should be made obvious by the keywords "RELATED,ESTABLISHED". One side is a public side which should not readily accept connections that have not been previously established. My home lab has adjacent inside networks, both of which are trusted, so this is not the method I use - but good to keep in mind.

This is bare-bones routing. Anything talking across this server will need a route to do so. If you're going to use the example immediately above for an inside/outside network setup, you'll likely want to NAT as well.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save


Note: iptables rules are saved automatically if you edit the file directly and restart the service. If you use a GUI tool to modify your firewall, be cautious: it will overwrite your iptables file.
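As an added check (not part of the original post), here is a small Python script that reads an iptables-save style dump and flags the two pitfalls discussed above: FORWARD ACCEPT rules that ended up below the catch-all REJECT, and forwarding from the masqueraded (public) interface that is not limited to RELATED,ESTABLISHED. The sample dump is constructed; on a real box you would feed it the output of iptables-save or the contents of /etc/sysconfig/iptables.

```python
import re
# Constructed sample (iptables-save format): the post's masquerade on eth0
# (public side) plus FORWARD ACCEPTs appended *below* the catch-all REJECT.
SAMPLE_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
COMMIT
"""

def parse_dump(text):
    """Map table name -> list of '-A ...' rule lines, in file order."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = line[1:]
            tables[current] = []
        elif line.startswith("-A") and current is not None:
            tables[current].append(line)
    return tables

def audit(text):
    """Return findings as strings; an empty list means both checks passed."""
    tables = parse_dump(text)
    findings = []
    fwd = [r for r in tables.get("filter", []) if r.startswith("-A FORWARD ")]
    # Check 1: an ACCEPT below a catch-all REJECT/DROP (no -i/-o match) in FORWARD is dead.
    blocked = False
    for rule in fwd:
        if re.search(r"-j (REJECT|DROP)\b", rule) and not re.search(r"\s-[io]\s", rule):
            blocked = True
        elif blocked and "-j ACCEPT" in rule:
            findings.append("unreachable, below catch-all REJECT/DROP: " + rule)
    # Check 2: masqueraded interface = public side; forward from it only RELATED,ESTABLISHED.
    masq = [re.search(r"\s-o (\S+)\s.*-j MASQUERADE", r) for r in tables.get("nat", [])]
    public = {m.group(1) for m in masq if m}
    for rule in fwd:
        m = re.search(r"\s-i (\S+)", rule)
        if m and m.group(1) in public and "-j ACCEPT" in rule and "ESTABLISHED" not in rule:
            findings.append("new connections forwarded from public side: " + rule)
    return findings
```

Running audit(SAMPLE_DUMP) reports both eth0 and eth1 ACCEPTs as unreachable and the eth0 ACCEPT as forwarding new connections from the public side; reorder the rules as in the stateful example above and the list comes back empty.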

You also have the option to redirect an incoming request to another server.  I used NFS to test, though this is not a likely service to be available to an outside network.

Just for extra measure, I made sure that my NFS share was only available to the system that was doing the masquerading.

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 2049 -j DNAT\
 --to-destination 192.168.99.11:2049
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 111 -j DNAT\
 --to-destination 192.168.99.11:111
service iptables save


In my setup, station11 has a share called public on the root directory - but only to station12. Station12 is redirecting... and NATing. I was able to mount station12:/public from station13. I used this setup because I could verify that routing was working per the network separation between stations 11 and 13. I could tell masquerading (NATing) was working because station13 has no permissions to mount that share directly (I even tested with just routing to be sure).

With an inside/outside network setup with masquerading, I would use my routing server as the default gateway for my inside systems.  If I'm just routing between internal networks, then I create routes, like this:

echo "192.168.101.0/24 via 192.168.99.12"\
 > /etc/sysconfig/network-scripts/route-eth0

This states, "if the IP packet needs to go to the 101 network, just send it to IP address 192.168.99.12, he knows what to do."



To sum:

For routing -
change /etc/sysctl.conf's net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1.

Add the following to /etc/sysconfig/iptables before any of the reject statements:
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT


For masquerading:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
service iptables save


For port redirection (example: NFS)
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 2049 -j DNAT\
 --to-destination 192.168.99.11:2049
iptables -t nat -A PREROUTING -i eth1 -p udp --dport 111 -j DNAT\
 --to-destination 192.168.99.11:111
service iptables save
