I've Never Done IPTABLES Before, but I Think This is Simple

[John R. Graham]

I think. I have a test apparatus that I need to connect via Ethernet to my Linux workstation via a private subnet. Additionally, my workstation needs to remain connected to the larger network and, since my apparatus may misbehave, sending garbage out onto the LAN, I should not connect it to the same physical network, hence I have two Ethernet interfaces:

• eth0 connected to the greater LAN, obtaining an IP address via DHCP as per usual.
  
• eth1 connected to the apparatus, having a static IP of (let's say) 192.168.1.100 and subnet mask of 255.255.255.0.

I want to set up IPTABLES on my workstation so that when I try to communicate from the workstation to the apparatus (which also has a static IP on the 192.168.1.0/24 subnet), IP packets will be routed through eth1 but communicating with IP addresses outside that subnet (such as when I'm communicating with you fine folks) will be routed to eth0. I think this is simple, right? A couple of other points:

• I don't need forwarding: the apparatus should not be able to get packets onto the other wire.
  
• I'd like to make the settings persistent so that the routing rules are present when next I restart my workstation.

How does one go about doing that? Thanks in advance for the education.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.

[CaptainBlood]

Doesn't it work just out of the box, once static IP NIC eth1 is up?

Thks 4 ur attention.

[Hu]

You should not need iptables for this. Use iptables to filter or apply complicated route marking, such as if you wanted to allow the apparatus to talk on specific protocols, but deny it otherwise or if you wanted to route apparatus HTTP over one interface and IMAP over a different interface. Since you want it fully isolated, it is sufficient to configure your interfaces with appropriate netmasks and verify that sysctl net.ipv4.ip_forward=0. You can use /etc/sysctl.conf to set ip_forward to 0 on startup. If I recall correctly, it defaults to 0 and must be enabled on systems where you want forwarding.

The routing tables should be correct automatically. You would need special handling if the device was a gateway to other subnets, but since it is a dead end, you should be fine with the basics. If you want a review of the setup, please post the output of ip addr; ip route (or ifconfig -a; route -n if you do not have sys-apps/iproute2 installed), iptables-save, and cat /proc/sys/net/ipv4/ip_forward.

[John R. Graham]

[krinn]

JRG i'm unsure i get it right, but your setup is just that simple
set eth0 to dhcp but in a range
set eth1 to static but in a range OUTSIDE the eth0 one, set apparatus to the same range as eth1.

Generally it is just the setup people get with a wired+wifi combo, and their problem is that they need to use a bridge to let both interface reach the two network.
In your case i think you are trying to not bridge them (which is default).

so appartus looks like config_eth?="192.168.1.something netmask..."
desktop: config_eth0 dhcp but not in the 192.168.1 range
config_eth1="192.168.1.100 netmask..."

And when you are trying to reach 192.168.1.* from desktop, your route will tell go thru eth1, when you are trying the DHCP range, your route goes thru eth0, and when trying anything not from eth1 and eth0 range, it goes thru default.

[tclover]

Looks like you're facing the, dare I say, *classical* ex/internal interface case which is *indeed* easy if you get some basic understanding about how IPTable works. You might look at this simple script to set things quickly and then changes a few things along the way, or later, to fit it your specific needs. The explanations and comments could be found in the very oldest unofficial gentoo wiki (statefull IPTable rules or something like that) -- not the old one with the '.com' thing, the old of the old if you get what I mean. -- I don't feel like looking for you for it's your job or duty to retrieve some old docs to RTFM [irony].

NOTE/EDIT: The setup of the interfaces can be done in the old fashioned way with OpenRC, or whatsowever, or use DHCPCD network management mode by using its powerfull configuration file to set up static and dynamic IP address accordingly to the interfaces. See DHCPCD articles (in the official wiki) and especially the network manager one to get the relevent info about this.
_________________
home/:mkinitramfs-ll/:supervision/:e-gtk-theme/:overlay/

[depontius]

This seems like basic Routing 101, unless I've missed something on first reading.

I'll echo what others have said, I don't think that iptables is necessary. It should be as simple as bringing up eth0 as usual, making sure it's your default route. Bring up eth1 with your static IP, and make sure that only that subnet is routed to it. Leave forwarding off. (net.ipv4.ip_forward = 0 in /etc/sysctl.conf, or equivalent in /proc/sys)

Can you post the result of "netstat -Nr" here?
_________________
.sigs waste space and bandwidth

[NeddySeagoon]

John R. Graham,

Its just basic routing. Turn off forwarding if its on.
Set up your routing table using a method of your own choosing.
Be sure you do not have a default route to your new toy.

You may usefully have a maximum of one default route and it needs to point at the next hop towards the internet.

Long delays makes it sound like eth0 and eth1 are in the same subnet. This is a very bad thing, so don't do it.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[John R. Graham]

Folks, I apologize for the noise. A couple of months ago I had such a configration as described above and was getting the reported symptoms. I must've made some mistake because now in creating this setup anew, it Just Works™. As predicted, no manual mucking with the routing tables appears to be needed.

Neddy, although I don't know exactly what I did wrong, the two interfaces were not on the same subnet.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.

[NeddySeagoon]

John R. Graham,

If it was two interfaces in the same subnet, I knew you would not let it persist for very long. :)
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

[John R. Graham]

Yeah, it tends to get your attention.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.