7

My problem is forwarding packets from eth2, which is my LAN, to eth1, which has access to the internet, so that eth2 can reach the internet. Here is my configuration:

auto eth1
iface eth1 inet static
    address 192.168.3.1
    netmask 255.255.255.0
    network 192.168.3.0
    broadcast 192.168.3.255
    gateway 192.168.3.254

auto eth2
iface eth2 inet static
    address 10.101.26.1
    netmask 255.255.0.0
    network 10.101.0.0
    broadcast 10.101.255.255

iptables configuration:

iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -j ACCEPT

I have already uncommented net.ipv4.ip_forward=1 in /etc/sysctl.conf and written 1 to /proc/sys/net/ipv4/ip_forward.

If I test with a PC connected to the LAN that has 10.101.26.1 as its gateway, I can't reach the internet, so how can I solve this?

Thank you for any help! Regards

1
  • If you have a PC behind eth1, it must be on the same subnet as eth1, and the default gateway must be eth1's IP, not eth2's IP.
    – LawrenceC
    Commented Jul 12, 2015 at 20:06

2 Answers

10

You'll need some sort of masquerading statement. The reason behind this is that, currently, packets arriving from eth2 to eth1 are identified by 10.101.0.0/16 addresses. Those 10.101.0.0/16 packets then attempt to traverse the network via eth1 (192.168.3.0/24). This fails because those packets haven't yet been masqueraded as packets from 192.168.3.1.

A little script like the one below should help. Modify as necessary:

#! /bin/bash

IPTABLES=/sbin/iptables

WANIF='eth1'
LANIF='eth2'

# enable ip forwarding in the kernel
echo 'Enabling Kernel IP forwarding...'
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains
echo 'Flushing rules and deleting existing chains...'
$IPTABLES -F
$IPTABLES -X

# enable masquerading to allow LAN internet access
echo 'Enabling IP Masquerading and other rules...'
# NAT traffic leaving towards the LAN as well (symmetric setup: LAN hosts
# see the router's LAN address as the source of WAN-originated traffic)
$IPTABLES -t nat -A POSTROUTING -o $LANIF -j MASQUERADE
$IPTABLES -A FORWARD -i $LANIF -o $WANIF -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $WANIF -o $LANIF -j ACCEPT

# NAT LAN traffic leaving via the WAN interface behind eth1's address
# (together, the four FORWARD rules permit forwarding in both directions)
$IPTABLES -t nat -A POSTROUTING -o $WANIF -j MASQUERADE
$IPTABLES -A FORWARD -i $WANIF -o $LANIF -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $LANIF -o $WANIF -j ACCEPT

echo 'Done.'
1
  • With a USB-to-Ethernet adapter on an SBC this made for a simple isolated network I needed inside my LAN. Allows machines therein to access resources on the LAN and even the internet. If the WAN is to be internet-facing then you should be using a full firewall like firehol. I made a little repo with a systemd service file to make this easy to deploy, persist and turn on and off. github.com/dkebler/masquerade
    – DKebler
    Commented May 7, 2020 at 15:17
0

Based on your description, I am assuming your PC is behind a router and eth1 is connected to the Internet via the router. You would have to create a static route on your router to 10.101.0.0/16 via 192.168.3.1 so that reply packets destined to said network can be forwarded to your PC.

14
  • 192.168.3.1 can reach the internet. I need to forward any packets from 10.101.0.0/16 to 192.168.3.1 and vice versa. How can I create this static rule? I've already tried this: > route add -net 10.101.0.0 netmask 255.255.0.0 gw 192.168.3.254
    – Ghilander
    Commented Jul 10, 2015 at 9:29
  • @Ghilander: Create the static route on your router. It's not a firewall rule.
    – Larssend
    Commented Jul 10, 2015 at 9:30
  • Can you show me an example, please?
    – Ghilander
    Commented Jul 10, 2015 at 9:34
  • @Ghilander: Create a static route that's equivalent to route add -net 10.101.0.0/16 gw 192.168.3.1 on the router (i.e. 192.168.3.254).
    – Larssend
    Commented Jul 10, 2015 at 9:35
  • @Ghilander: Or just use the router's admin page. Consult the user's manual on how to add a static routing entry.
    – Larssend
    Commented Jul 10, 2015 at 9:36
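The two answers describe two different ways to get the 10.101.0.0/16 LAN out through eth1: masquerading the LAN behind eth1's address (the first answer), or forwarding without NAT and giving the upstream router 192.168.3.254 a static route for 10.101.0.0/16 via 192.168.3.1 (the second answer). The script below is an added example, not code from either answer or from the asker, that implements both as selectable modes for the question's topology. It differs from the posted script in that the FORWARD chain defaults to DROP, WAN-side traffic is only forwarded back in when it belongs to a connection the LAN opened, and the MASQUERADE rule is restricted to the LAN prefix. The interface names come from the question; the variable names WANIF, LANIF, LANNET and IPTABLES, the functions forward_rules, rule_count and print_rule, and the apply/show command-line interface are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original answers): stateful forwarding for the
# asker's topology, LAN eth2 (10.101.0.0/16) -> WAN eth1 (192.168.3.0/24).
#   masquerade - source-NAT the LAN behind eth1's address (first answer)
#   route      - no NAT; assumes the upstream router 192.168.3.254 has a
#                static route for 10.101.0.0/16 via 192.168.3.1 (second answer)
# WANIF, LANIF, LANNET and IPTABLES are assumed defaults and can be overridden
# from the environment.

WANIF="${WANIF:-eth1}"
LANIF="${LANIF:-eth2}"
LANNET="${LANNET:-10.101.0.0/16}"
IPTABLES="${IPTABLES:-iptables}"

# print_rule: stand-in for iptables that only prints the arguments it was
# given, so the rule set can be inspected without root or a kernel to change.
print_rule() {
    printf '%s\n' "$*"
}

# forward_rules MODE: install (or, with IPTABLES=print_rule, print) the rule
# set for MODE, which is either "masquerade" or "route".
forward_rules() {
    case "$1" in
        masquerade|route) ;;
        *) echo "unknown mode: $1" >&2; return 2 ;;
    esac

    # Default deny for forwarded traffic, then rebuild the chain from scratch.
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # LAN hosts may open connections towards the WAN side ...
    $IPTABLES -A FORWARD -i "$LANIF" -o "$WANIF" -s "$LANNET" \
        -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
    # ... and the WAN side may only send replies to those connections.
    $IPTABLES -A FORWARD -i "$WANIF" -o "$LANIF" -d "$LANNET" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Source NAT only in masquerade mode, and only for the LAN prefix, so no
    # other traffic that happens to leave via eth1 gets rewritten.
    $IPTABLES -t nat -F POSTROUTING
    if [ "$1" = masquerade ]; then
        $IPTABLES -t nat -A POSTROUTING -s "$LANNET" -o "$WANIF" -j MASQUERADE
    fi
}

# rule_count MODE: number of rules the script would add in MODE, computed
# from a dry run so it can be checked without touching the system.
rule_count() {
    ( IPTABLES=print_rule; forward_rules "$1" ) | grep -c -E -- '-A (FORWARD|POSTROUTING)'
}

# Entry point: "sh nat.sh apply masquerade" installs the rules (needs root and
# enables IP forwarding first); "sh nat.sh show route" only prints them.
# With no arguments nothing is executed, so the file can also be sourced.
case "${1:-}" in
    apply) sysctl -w net.ipv4.ip_forward=1 >/dev/null && forward_rules "${2:-masquerade}" ;;
    show)  IPTABLES=print_rule; forward_rules "${2:-masquerade}" ;;
esac
```

In route mode the box itself needs no NAT rule, but the return path only works once the upstream router has the static route Larssend describes (on a Linux router: ip route add 10.101.0.0/16 via 192.168.3.1); without it, replies to 10.101.x.x addresses are sent to the router's default gateway and never come back. Masquerade mode works without touching the router because every LAN packet leaves with the 192.168.3.1 source address that the router already knows how to reach.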
