Tuesday, August 11, 2015

How to define a static route for an external IP address on iptables

I'm putting a new router on our network to help manage our private network connections and to better control routing to the outside. I've decided to simplify this question by removing references to a second private network on our router (but please be aware that there are reasons for this question so the answer is not to leave the old router the default gateway).

I have the following routing in my iptables on our router:

# Allow established connections, and those !not! coming from the public interface
# eth0 = public interface
# eth1 = private interface #1 (129.2.2.0/25)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the private interface
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Masquerade (NAT)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Don't forward any other traffic from the public to the private
iptables -A FORWARD -i eth0 -o eth1 -j REJECT

This configuration means that users will be forwarded through a modem/router that has a public address - this is all well and good for most purposes, and in the main it doesn't matter that all computers are hidden behind the one public IP.

However, some users need to be able to access a proxy at 192.111.222.111:8080 - and the proxy needs to identify this traffic as coming through a gateway at 129.2.2.126 (the old router) - it won't respond otherwise.

I tried adding a static route on our router with:

route add -host 192.111.222.111 gw 129.2.2.126 dev eth1

I can successfully ping 192.111.222.111 from the router. When I trace the route, it lists the 129.2.2.126 gateway, but I just get * on each of the following hops (I think this makes sense since this is just a web-proxy and requires authentication).

When I try to ping this address from a host on the 129.2.2.0/25 network it fails.

Should I do this in the iptables chain instead? How would I configure this routing?

Here is the interfaces configuration for the router:

auto eth0
iface eth0 inet static
    address     150.1.2.2
    netmask     255.255.255.248
    gateway     150.2.2.1

auto eth1
iface eth1 inet static
    address     129.2.2.125
    netmask     255.255.255.128

And here is the routing table (without my static route added):

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         eth1202.sa.adsl 0.0.0.0         UG    100    0        0 eth0
localnet        *               255.255.255.0   U     0      0        0 eth1
129.2.2.0       *               255.255.255.128 U     0      0        0 eth1

To restate - I want traffic from 129.2.2.7 (for example) to now route through our router (129.2.2.125). But this router needs to then forward 8080 requests with the destination of 192.111.222.111 - which is somewhere the other side of the old router (129.2.2.126 - which is not manageable by us).
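An added example, not part of the question: a small Python model of the routing table and FORWARD chain shown above. It resolves the egress interface by longest-prefix match and then walks the FORWARD rules in order, which makes visible that a packet from the LAN to the proxy is routed back out eth1 (via the static host route) and matches no FORWARD rule at all, so its fate depends on the chain's default policy, which the question does not show (represented here by the placeholder "POLICY"). The 203.0.113.10 address is a constructed sample destination.

```python
import ipaddress

# Routing table from the question (the "localnet" /24 entry is omitted because
# its network address is not shown), plus the static host route the author
# added with "route add -host 192.111.222.111 gw 129.2.2.126 dev eth1".
ROUTES = [
    ("0.0.0.0/0", "eth0"),           # default via the ADSL modem
    ("129.2.2.0/25", "eth1"),        # private LAN
    ("192.111.222.111/32", "eth1"),  # proxy, reached via the old router 129.2.2.126
]

# FORWARD chain from the question, in order: (in_if, out_if, states, target).
# states=None means the rule carries no --state match.
FORWARD = [
    ("eth0", "eth1", {"ESTABLISHED", "RELATED"}, "ACCEPT"),
    ("eth1", "eth0", None, "ACCEPT"),
    ("eth0", "eth1", None, "REJECT"),
]


def egress_interface(dst):
    """Longest-prefix match: the /32 host route beats the default route."""
    ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), dev) for net, dev in ROUTES
               if ip in ipaddress.ip_network(net)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward_verdict(in_if, dst, state="NEW", policy="POLICY"):
    """Walk the FORWARD chain for a packet that arrived on in_if bound for dst.

    Returns (out_if, verdict). "POLICY" is a placeholder for the chain's
    default policy, which the question does not show. The proxy packet lands
    there: it is routed back out eth1, and no rule matches -i eth1 -o eth1.
    """
    out_if = egress_interface(dst)
    for rule_in, rule_out, states, target in FORWARD:
        if rule_in == in_if and rule_out == out_if and (states is None or state in states):
            return out_if, target
    return out_if, policy


if __name__ == "__main__":
    # 203.0.113.10 is a constructed sample destination on the public side.
    for args in (("eth1", "203.0.113.10"), ("eth1", "192.111.222.111"),
                 ("eth0", "129.2.2.7"), ("eth0", "129.2.2.7", "ESTABLISHED")):
        print(args, "->", forward_verdict(*args))
```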
