John R. Graham Administrator
Joined: 08 Mar 2005 Posts: 10589 Location: Somewhere over Atlanta, Georgia
Posted: Tue Aug 18, 2015 9:59 pm Post subject: I've Never Done IPTABLES Before, but I Think This is Simple
I think. I have a test apparatus that I need to connect via Ethernet to my Linux workstation via a private subnet. Additionally, my workstation needs to remain connected to the larger network and, since my apparatus may misbehave, sending garbage out onto the LAN, I should not connect it to the same physical network, hence I have two Ethernet interfaces:
- eth0 connected to the greater LAN, obtaining an IP address via DHCP as per usual.
- eth1 connected to the apparatus, having a static IP of (let's say) 192.168.1.100 and subnet mask of 255.255.255.0.
I want to set up IPTABLES on my workstation so that when I try to communicate from the workstation to the apparatus (which also has a static IP on the 192.168.1.0/24 subnet), IP packets will be routed through eth1 but communicating with IP addresses outside that subnet (such as when I'm communicating with you fine folks) will be routed to eth0. I think this is simple, right? A couple of other points:
- I don't need forwarding: the apparatus should not be able to get packets onto the other wire.
- I'd like to make the settings persistent so that the routing rules are present when next I restart my workstation.
How does one go about doing that? Thanks in advance for the education.
- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
CaptainBlood Advocate
Joined: 24 Jan 2010 Posts: 3610
Posted: Tue Aug 18, 2015 10:25 pm
Doesn't it work just out of the box, once static IP NIC eth1 is up?
Thks 4 ur attention.
Hu Moderator
Joined: 06 Mar 2007 Posts: 21619
Posted: Tue Aug 18, 2015 11:32 pm
You should not need iptables for this. Use iptables to filter or apply complicated route marking, such as if you wanted to allow the apparatus to talk on specific protocols, but deny it otherwise or if you wanted to route apparatus HTTP over one interface and IMAP over a different interface. Since you want it fully isolated, it is sufficient to configure your interfaces with appropriate netmasks and verify that sysctl net.ipv4.ip_forward=0. You can use /etc/sysctl.conf to set ip_forward to 0 on startup. If I recall correctly, it defaults to 0 and must be enabled on systems where you want forwarding.
The routing tables should be correct automatically. You would need special handling if the device was a gateway to other subnets, but since it is a dead end, you should be fine with the basics. If you want a review of the setup, please post the output of ip addr; ip route (or ifconfig -a; route -n if you do not have sys-apps/iproute2 installed), iptables-save, and cat /proc/sys/net/ipv4/ip_forward.
John R. Graham Administrator
Joined: 08 Mar 2005 Posts: 10589 Location: Somewhere over Atlanta, Georgia
Posted: Wed Aug 19, 2015 2:52 am
CaptainBlood wrote:
> Doesn't it work just out of the box, once static IP NIC eth1 is up?
It didn't just work out of the box the last time I made this type of setup. Connections on eth0 had long delays because some mechanism was trying eth1 first. All I had to do to eliminate the delays was to disconnect the eth1 cable. In other words, it ultimately worked but the wait was excruciating. My perhaps erroneous conclusion was that I lacked some sort of routing directive.
Hu, thanks. This is a new setup. I'll get the second NIC installed tomorrow AM and post the information you've asked for.
- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
krinn Watchman
Joined: 02 May 2003 Posts: 7470
Posted: Wed Aug 19, 2015 9:29 am
JRG, I'm unsure I get it right, but your setup is just that simple:
set eth0 to dhcp but in a range
set eth1 to static but in a range OUTSIDE the eth0 one, and set the apparatus to the same range as eth1.
Generally it is just the setup people get with a wired+wifi combo, and their problem is that they need to use a bridge to let both interfaces reach the two networks.
In your case I think you are trying to not bridge them (which is the default).
So the apparatus looks like config_eth?="192.168.1.something netmask..."
desktop: config_eth0 dhcp but not in the 192.168.1 range
config_eth1="192.168.1.100 netmask..."
And when you are trying to reach 192.168.1.* from the desktop, your route will say go through eth1; when you are trying the DHCP range, your route goes through eth0; and when trying anything not in the eth1 or eth0 range, it goes through the default.
tclover Guru
Joined: 10 Apr 2011 Posts: 516
Posted: Wed Aug 19, 2015 10:39 am
Looks like you're facing the, dare I say, *classical* ex/internal interface case which is *indeed* easy if you get some basic understanding about how IPTable works. You might look at this simple script to set things up quickly and then change a few things along the way, or later, to fit your specific needs. The explanations and comments could be found in the very oldest unofficial gentoo wiki (stateful IPTable rules or something like that) -- not the old one with the '.com' thing, the old of the old if you get what I mean. -- I don't feel like looking for you for it's your job or duty to retrieve some old docs to RTFM [irony].
NOTE/EDIT: The setup of the interfaces can be done in the old fashioned way with OpenRC, or whatsoever, or use DHCPCD network management mode by using its powerful configuration file to set up static and dynamic IP addresses according to the interfaces. See DHCPCD articles (in the official wiki) and especially the network manager one to get the relevant info about this.
_________________
home/:mkinitramfs-ll/:supervision/:e-gtk-theme/:overlay/
depontius Advocate
Joined: 05 May 2004 Posts: 3509
Posted: Wed Aug 19, 2015 3:50 pm
This seems like basic Routing 101, unless I've missed something on first reading.
I'll echo what others have said, I don't think that iptables is necessary. It should be as simple as bringing up eth0 as usual, making sure it's your default route. Bring up eth1 with your static IP, and make sure that only that subnet is routed to it. Leave forwarding off. (net.ipv4.ip_forward = 0 in /etc/sysctl.conf, or equivalent in /proc/sys)
Can you post the result of "netstat -Nr" here?
_________________
.sigs waste space and bandwidth
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54232 Location: 56N 3W
Posted: Wed Aug 19, 2015 5:53 pm
John R. Graham,
It's just basic routing. Turn off forwarding if it's on.
Set up your routing table using a method of your own choosing.
Be sure you do not have a default route to your new toy.
You may usefully have a maximum of one default route and it needs to point at the next hop towards the internet.
Long delays make it sound like eth0 and eth1 are in the same subnet. This is a very bad thing, so don't do it.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
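The checks Hu asked for (ip route output and /proc/sys/net/ipv4/ip_forward) and the rules NeddySeagoon lists (exactly one default route, none pointing at the apparatus interface, and the two NICs not sharing a subnet) can be turned into a small audit script. The following is an added example written for this thread, not code posted by any of its participants; the interface names eth0/eth1, the 10.0.0.0/24 LAN range and the two sample routing tables are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): audit a Linux routing
# table and the ip_forward knob for the two-NIC isolation setup discussed above.
# Interface names, addresses and the sample tables are constructed assumptions.

# Constructed `ip route` output for the working setup:
# eth0 via DHCP on 10.0.0.0/24, eth1 static 192.168.1.100/24 towards the apparatus.
SAMPLE_ROUTES='default via 10.0.0.1 dev eth0 proto dhcp metric 100
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.50 metric 100
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.100'

# Constructed output for the misconfiguration NeddySeagoon warns about:
# a second default route that points at the apparatus side.
SAMPLE_ROUTES_BAD='default via 10.0.0.1 dev eth0 proto dhcp metric 100
default via 192.168.1.1 dev eth1 metric 200
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.50 metric 100
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.100'

# count_default_routes ROUTES: print how many default routes the table has
count_default_routes() {
    printf '%s\n' "$1" | awk '$1 == "default" { n++ } END { print n + 0 }'
}

# route_via_dev ROUTES DEST DEV: succeed if DEST ("default" or a prefix) is routed out DEV
route_via_dev() {
    printf '%s\n' "$1" | awk -v dest="$2" -v dev="$3" '
        $1 == dest { for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) found = 1 }
        END { exit !found }'
}

# audit_routes ROUTES LAN_DEV APP_DEV APP_SUBNET
# Succeeds only when: exactly one default route exists, it leaves via LAN_DEV and not
# APP_DEV, and APP_SUBNET is reachable via APP_DEV only (not also via LAN_DEV, which
# is what "both NICs in the same subnet" looks like in the table).
audit_routes() {
    routes=$1 lan=$2 app=$3 subnet=$4
    n=$(count_default_routes "$routes")
    [ "$n" -eq 1 ] || { echo "FAIL: expected 1 default route, found $n"; return 1; }
    if route_via_dev "$routes" default "$app"; then
        echo "FAIL: a default route leaves via $app"; return 1
    fi
    route_via_dev "$routes" default "$lan" || { echo "FAIL: default route is not via $lan"; return 1; }
    route_via_dev "$routes" "$subnet" "$app" || { echo "FAIL: $subnet is not routed via $app"; return 1; }
    if route_via_dev "$routes" "$subnet" "$lan"; then
        echo "FAIL: $subnet is also on $lan (same subnet on both NICs)"; return 1
    fi
    echo "OK: routing table matches the isolated two-NIC layout"
}

# forwarding_disabled [FILE]: succeed if the kernel forwarding knob reads 0
forwarding_disabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ]
}

# On a live host (assumes sys-apps/iproute2 is installed):
#   audit_routes "$(ip route)" eth0 eth1 192.168.1.0/24 && forwarding_disabled
```

Run against a live table, the first check that fails names the problem, so the long-delay symptom from the opening post (a second default route, or the apparatus subnet showing up on eth0 as well) is caught before anyone reaches for iptables. Keeping net.ipv4.ip_forward = 0 in /etc/sysctl.conf, as Hu and depontius describe, is what makes forwarding_disabled keep passing after a reboot.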
John R. Graham Administrator
Joined: 08 Mar 2005 Posts: 10589 Location: Somewhere over Atlanta, Georgia
Posted: Wed Aug 19, 2015 6:40 pm
Folks, I apologize for the noise. A couple of months ago I had such a configuration as described above and was getting the reported symptoms. I must've made some mistake because now in creating this setup anew, it Just Works™. As predicted, no manual mucking with the routing tables appears to be needed.
Neddy, although I don't know exactly what I did wrong, the two interfaces were not on the same subnet.
- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54232 Location: 56N 3W
Posted: Wed Aug 19, 2015 6:47 pm
John R. Graham,
If it was two interfaces in the same subnet, I knew you would not let it persist for very long. :)
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
John R. Graham Administrator
Joined: 08 Mar 2005 Posts: 10589 Location: Somewhere over Atlanta, Georgia
Posted: Wed Aug 19, 2015 8:02 pm
Yeah, it tends to get your attention.
- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.