
Hello, I am trying to use a Linux machine as a gateway for other machines in the same network using iptables. These are the configurations of both machines:

  • Machine A (This is the one I want to use as gateway)
root@router-1:~# sysctl -p
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
root@router-1:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether f2:3c:91:58:5b:fb brd ff:ff:ff:ff:ff:ff
    inet 172.105.89.xxx/24 brd 172.105.89.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet 192.168.159.203/17 brd 192.168.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 2a01:7e01::f03c:91ff:fe58:5bfb/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 2591978sec preferred_lft 604778sec
    inet6 fe80::f03c:91ff:fe58:5bfb/64 scope link 
       valid_lft forever preferred_lft forever

And I have the following iptables rules:

# Generated by iptables-save v1.6.1 on Thu Aug  1 06:42:26 2019
*mangle
:PREROUTING ACCEPT [729:54316]
:INPUT ACCEPT [729:54316]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [539:62761]
:POSTROUTING ACCEPT [539:62761]
COMMIT
# Completed on Thu Aug  1 06:42:26 2019
# Generated by iptables-save v1.6.1 on Thu Aug  1 06:42:26 2019
*filter
:INPUT ACCEPT [493:36634]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [373:47212]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Aug  1 06:42:26 2019
# Generated by iptables-save v1.6.1 on Thu Aug  1 06:42:26 2019
*nat
:PREROUTING ACCEPT [28:1501]
:INPUT ACCEPT [28:1501]
:OUTPUT ACCEPT [5:397]
:POSTROUTING ACCEPT [2:161]
-A POSTROUTING -s 192.168.128.0/17 ! -d 192.168.128.0/17 -j MASQUERADE
COMMIT
# Completed on Thu Aug  1 06:42:26 2019
  • Machine B:
root@client:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether f2:3c:91:58:5b:62 brd ff:ff:ff:ff:ff:ff
    inet 192.168.157.248/17 brd 192.168.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 2a01:7e01::f03c:91ff:fe58:5b62/64 scope global mngtmpaddr dynamic 
       valid_lft 2591988sec preferred_lft 604788sec
    inet6 fe80::f03c:91ff:fe58:5b62/64 scope link 
       valid_lft forever preferred_lft forever
root@client:~# ip r
default via 192.168.159.203 dev eth0 onlink 
192.168.128.0/17 dev eth0 proto kernel scope link src 192.168.157.248

root@client:~# ping 192.168.159.203
PING 192.168.159.203 (192.168.159.203) 56(84) bytes of data.
64 bytes from 192.168.159.203: icmp_seq=1 ttl=64 time=0.773 ms

So the client machine can ping the gateway machine as they are in the same subnet but any other IP outside of the subnet is not reachable.

  • Is IP forwarding enabled on the gateway? You can check it with: sysctl net.ipv4.ip_forward. If it shows 0, then you have to enable it with sysctl -w net.ipv4.ip_forward=1 or echo 1 > /proc/sys/net/ipv4/ip_forward. To make these changes permanent: write net.ipv4.ip_forward = 1 in /etc/sysctl.conf, then sysctl -p /etc/sysctl.conf. You may need to restart the network. Commented Aug 1, 2019 at 9:37
  • Yes, sorry, I forgot to mention that; let me update the question. Commented Aug 1, 2019 at 9:38
  • Did you consider the fact that everything from 192.168.128.1 to 192.168.255.254 is considered to be on the local net and not subject to routing due to the /17 netmask? Which addresses did you use to test for an outside connection? Commented Aug 1, 2019 at 9:45
  • I did test many public IPs, like the one given by nslookup google.es (216.58.201.163). What sounds interesting is the fact you mention about the internal network. I don't really know which rules I should use to achieve the goal of having machine A as a router for the other machines, but I guess that is possible, no? Commented Aug 1, 2019 at 9:48
  • Sure. Any IP outside the range I mentioned will do. Try to use 'tcpdump -v -s0 -X -e -i eth0' on the router machine, and check the source and destination addresses of the outgoing packets. Also check if the gateway set as default (probably 172.105..) on the router can be reached from there. Commented Aug 1, 2019 at 11:19

2 Answers


You may need to SNAT (Source NAT) your internal network:

# nat table: create the user chain before jumping to it
-N eth0_masq
-A POSTROUTING -o eth0 -j eth0_masq
# --to-source takes a single address (or a range), not a CIDR prefix
-A eth0_masq -s 192.168.158.203/17 -j SNAT --to-source 172.105.89.xxx

Where '.89.xxx' is the public IP address you'd like to use from your public IP address range for outbound connections.


In the end, I found out my configuration was OK.

The problem was the provider, which blocks the traffic to avoid spoofing.
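The following is an added example, not code from the thread: it models the three decisions the question and comments turn on, namely the client's on-link versus default-route choice for the /17, the gateway's ip_forward plus the POSTROUTING MASQUERADE rule from the question, and a simplified stand-in for the provider-side anti-spoofing filter the last answer mentions (not the provider's actual policy). The public address 172.105.89.10 is a placeholder for the thread's masked 172.105.89.xxx.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed model of the thread's gateway (Machine A) and client (Machine B).
ROUTER_LAN = ip_interface("192.168.159.203/17")
ROUTER_WAN = ip_interface("172.105.89.10/24")      # placeholder for 172.105.89.xxx
CLIENT_IF = ip_interface("192.168.157.248/17")
# -A POSTROUTING -s 192.168.128.0/17 ! -d 192.168.128.0/17 -j MASQUERADE
NAT_SRC = ip_network("192.168.128.0/17")
NAT_NOT_DST = ip_network("192.168.128.0/17")


def client_next_hop(dst):
    """Where the client sends a packet: directly on the link if dst lies in the
    /17 (192.168.128.1 - 192.168.255.254, per the comment), else to the gateway."""
    if ip_address(dst) in CLIENT_IF.network:
        return "on-link"
    return str(ROUTER_LAN.ip)          # default via 192.168.159.203


def router_forward(src, dst, ip_forward=1):
    """Gateway decision for a packet from a LAN host: (verdict, source address
    the next hop sees).  MASQUERADE rewrites the source to the eth0 address."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if dst_ip in (ROUTER_LAN.ip, ROUTER_WAN.ip):
        return ("local", str(src_ip))  # INPUT path, no forwarding involved
    if not ip_forward:
        return ("dropped: ip_forward=0", str(src_ip))
    if src_ip in NAT_SRC and dst_ip not in NAT_NOT_DST:
        return ("forwarded", str(ROUTER_WAN.ip))
    return ("forwarded", str(src_ip))  # no NAT match: private source leaks upstream


def upstream_accepts(src_seen):
    """Simplified provider anti-spoofing check (an assumption, not the real
    policy): only sources inside the customer's assigned /24 pass."""
    return ip_address(src_seen) in ROUTER_WAN.network


def trace(dst, ip_forward=1):
    """End-to-end outcome for a packet from the client to dst."""
    if client_next_hop(dst) == "on-link":
        return "delivered on-link"
    verdict, seen = router_forward(str(CLIENT_IF.ip), dst, ip_forward)
    if verdict != "forwarded":
        return verdict
    return "reaches internet" if upstream_accepts(seen) else f"dropped by provider (src {seen})"
```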
