top button
Flag Notify
    Connect to us
      Facebook Login
      Site Registration Why to Join

Facebook Login
Site Registration
Print Preview

How to set multihop gateway rules for forward table?

+1 vote
69 views

My network is like this:

GW+DHCP 192.168.1.1, eth0:192.168.100.1 eth1:192.168.168.1.1
HOST1+DHCP 192.168.1.100, eth0:192.168.1.100 eth1:192.168.2.1
CLIENT1 192.168.2.100

There is a double NAT here at both GW and HOST1. The DHCP from GW is only towards the eth1 network and subnet. The DHCP from HOST1 is only towards eth1.
In GW there is a masquerade rule which works fine and allows all forwarded packets.

I do not want packets from clients in the CLIENT1 side of the network to get access using the nat to the local network resources but that they will have access to the internet using GW. So basically I want to allow all forwarded traffic from the 192.168.2.0/24 network to be allowed to all networks but not the localnet and the local GW resources.

I am a bit in a conflict in it since the next rules should work or at least should do the trick..:

-A FORWARD -s 192.168.2.0/24 -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -p icmp -j ACCEPT
-A FORWARD -s 192.168.2.0/24 -i eth1 -p tcp -m multiport --dports 53,443,80,21,22,23,110,25,143,995,993,3128,8080 -j ACCEPT
-A FORWARD ! -i eth1 -m state --state NEW -j DROP
-A FORWARD -o eth1 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -j DROP

Before I press the "save" button I would like for someone else to take a small look at it.

posted Aug 3, 2013 by Abhay Kulkarni

Looking for an answer?  Promote on:
Facebook Share Button Twitter Share Button Google+ Share Button LinkedIn Share Button Multiple Social Share Button

Similar Questions
+1 vote

Is there a way to find out if there any iptables rules set on a machine ?

There are some indirect ways which will not always work; for example, I know that on most hosts, iptables -S will return the following output (when no iptable rules are set)
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

So you can check whether or not the number of output lines is greater than 3 (as an indication of whether or not iptables rules are set). But there are hosts on which there are more chains then these 3; these chains are set by application/services, even without any iptable rules which are set. And after running iptables -F on these machines, iptables -S will still show more than 3 chains, even that there are no iptables rules set in these chains.

So the question is - is there a way to know whether or not netfilter rules are set on a host, regardless of the number of chains ?

+5 votes

I want to forward all http traffic coming in from a perticular IP at local port 8080, to 2 particular IP Addresses (port 80). Is it enough to prepend the following in my IPtable

-A PREROUTING -s xx.xx.xx.xx/24 -p tcp --dport 8080 -j DNAT --to-destination xxx.xxx.xxx.xxx:80
-A PREROUTING -s xx.xx.xx.xx/24 -p tcp --dport 8080 -j DNAT --to-destination yyy.yyy.yyy.yyy:80

0 votes

Is it possible to bind multiple address families in netfilter queue? I see IPv4 show up in my queue, but not ARP. With error code removed, here is how I'm calling nfq_bind:

netfilterqueue_handle = nfq_open();
netfilterqueue_queue = nfq_create_queue( netfilterqueue_handle, 0,

nfq_bind_pf( netfilterqueue_handle, AF_INET );
nfq_bind_pf( netfilterqueue_handle, NF_ARP );

I'm thinking the more likely possibility is the iptable rules I'm using to send traffic to the queue are too restrictive. Here are the rules I have:

# Generated by iptables-save v1.4.21 on Sat Feb 14 10:40:46 2015
*nat
:PREROUTING ACCEPT [161:14105]
:INPUT ACCEPT [56:4995]
:OUTPUT ACCEPT [56:4496]
:POSTROUTING ACCEPT [56:4496]
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Feb 14 10:40:46 2015
# Generated by iptables-save v1.4.21 on Sat Feb 14 10:40:46 2015
*filter
:INPUT ACCEPT [1017:217421]
:FORWARD DROP [53:2307]
:OUTPUT ACCEPT [934:211104]
:MYRA - [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j MYRA
-A FORWARD -s 10.0.1.0/24 -o eth0 -m conntrack --ctstate NEW -j MYRA
-A MYRA -j NFQUEUE --queue-num 0 --queue-bypass
COMMIT
# Completed on Sat Feb 14 10:40:46 2015

Do I have to add another FORWARD line to get ARP to jump to MYRA? What would it look like?

0 votes

Consider the following example: you have a router between two networks, and you want to cut off the
router from the outside world using some iptables rules. However, all traffic that is forwarded by the router between the two networks basically is to be ignored by iptables (i.e., the router does not play firewall for any of the two networks).

Currently, if conntrack is loaded on the router, then conntrack -L on the router lists all the connections, not only those to and from the router, but also all connections between the two. Certainly, it takes some CPU cycles for the router to keep track of all the connections. Also, the number of connections that conntrack can take of is limited.

So is there a way to let Linux "bypass" conntrack and maybe other netfilter stuff when it comes to forwarded packets?

+1 vote

I know that packet traverses through the Net Filter hooks but how to practically realize that, any suggestions...


Useful Links with Similar Problem
Contact Us
+91 9880187415
sales@queryhome.net
support@queryhome.net
#470/147, 3rd Floor, 5th Main,
HSR Layout Sector 7,
Bangalore - 560102,
Karnataka INDIA.
QUERY HOME
...