iptables advanced routing
Posted by Shamanu4 on Server Fault
Published on 2012-03-29T09:21:37Z
Tags: ip-routing | iproute2
I have a Centos server acting as a NAT in my network. This server has one external (later ext1) interface and three internal (later int1, int2 and int3). Egress traffic comes from users via int1 and after MASQUERADE goes via ext1. Ingress traffic comes from ext1, MASQUERADE, and goes via int2 or int3 according to static routes.
                        | ext1
                        | x.x.x.x/24
+-----------------------|-----------------------+
|                                               |
|              Centos server (NAT)              |
|                                               |
+-------------|------|---------------|----------+
              |      |               |
         int1 |      | int2          | int3
10.30.1.10/24 |      | 10.30.2.10/24 | 10.30.3.10/24
              ^      v               v
10.30.1.1/24  |      | 10.30.2.1/24  | 10.30.3.1/24
+-------------|------|---------------|----------+
|             |      |               |          |
|             |      v               v          |
|             ^    -Traffic policer-            |
|             |____________|                    |
|                          |                    |
+--------------------------|--------------------+
                           | 192.168.0.1/16
                           |
                           |
                        Clients
                    192.168.0.0/16
The problem: Egress traffic seems to be dropped after the PREROUTING table. Packet counters are not changing on the MASQUERADE rule in POSTROUTING. If I change the routes to clients, causing the traffic to go back via int1, everything works perfectly.
Current iptables configuration is very simple:
# cat /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-I INPUT 1 -i int1 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
*nat
-A POSTROUTING -o ext1 -j MASQUERADE
#
COMMIT
Can anyone point out what I'm missing? Thanks.
UPDATE:
192.168.100.60 via 10.30.2.1 dev int2 proto zebra # routes to clients ...
192.168.100.61 via 10.30.3.1 dev int3 proto zebra # ... I have a lot of them
x.x.x.0/24 dev ext1 proto kernel scope link src x.x.x.x
10.30.1.0/24 dev int1 proto kernel scope link src 10.30.1.10
10.30.2.0/24 dev int2 proto kernel scope link src 10.30.2.10
10.30.3.0/24 dev int3 proto kernel scope link src 10.30.3.10
169.254.0.0/16 dev ext1 scope link metric 1003
169.254.0.0/16 dev int1 scope link metric 1004
169.254.0.0/16 dev int2 scope link metric 1005
169.254.0.0/16 dev int3 scope link metric 1006
blackhole 192.168.0.0/16
default via x.x.x.y dev ext1
Clients have 192.168.0.1 as gateway, which is redirecting them to 10.30.1.1
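The setup above has client requests arriving on int1 while the routes to those same clients point out of int2 or int3. One thing worth checking in any such asymmetric layout is the kernel's reverse-path validation (the net.ipv4.conf.<iface>.rp_filter sysctl), which runs during route lookup, that is after the PREROUTING hook and before a packet can reach FORWARD or POSTROUTING. The following Python is an added example, not code from the poster or from Server Fault: it models strict (rp_filter=1) and loose (rp_filter=2) reverse-path checks against a route table constructed from the listing in the update, with x.x.x.y/ext1 standing in for the default route and the client and internet source addresses chosen as sample values.

```python
import ipaddress

# Route table constructed from the "ip route" listing in the question:
# (destination prefix, outgoing device). A device of None marks the
# "blackhole 192.168.0.0/16" entry, which discards traffic to clients
# that have no more specific route.
ROUTES = [
    ("192.168.100.60/32", "int2"),   # via 10.30.2.1 dev int2 (proto zebra)
    ("192.168.100.61/32", "int3"),   # via 10.30.3.1 dev int3 (proto zebra)
    ("10.30.1.0/24", "int1"),
    ("10.30.2.0/24", "int2"),
    ("10.30.3.0/24", "int3"),
    ("192.168.0.0/16", None),        # blackhole
    ("0.0.0.0/0", "ext1"),           # default via x.x.x.y dev ext1
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match over the table, as the kernel FIB does.
    Returns the outgoing device, or None when the best match is a blackhole."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def rp_filter_strict_accepts(src, iif, routes=ROUTES):
    """rp_filter=1: the packet is kept only if the best route back to its
    source address leaves on the interface the packet arrived on."""
    return lookup(src, routes) == iif


def rp_filter_loose_accepts(src, iif, routes=ROUTES):
    """rp_filter=2: the packet is kept if the source is reachable through any
    interface; a blackhole (or no route) still fails the check."""
    return lookup(src, routes) is not None


def check_flows(routes=ROUTES):
    """Sample flows (constructed) in the order the question describes them:
    egress from a client on int1, ingress from the internet on ext1, and
    egress from a client that only the blackhole route covers."""
    flows = [
        ("client egress via int1", "192.168.100.60", "int1"),
        ("internet ingress via ext1", "8.8.8.8", "ext1"),
        ("unrouted client via int1", "192.168.50.5", "int1"),
    ]
    return [
        (name, src, iif,
         lookup(src, routes),
         rp_filter_strict_accepts(src, iif, routes),
         rp_filter_loose_accepts(src, iif, routes))
        for name, src, iif in flows
    ]


if __name__ == "__main__":
    for name, src, iif, dev, strict, loose in check_flows():
        print(f"{name:28s} src={src:15s} iif={iif:5s} "
              f"reverse-path dev={dev!s:5s} strict={strict} loose={loose}")
```

On the server itself the equivalent checks are `ip route get <client-ip>` (which device the reply path uses) and `sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.int1.rp_filter` (the mode in force; the kernel applies the stricter of `all` and the per-interface value). Setting `net.ipv4.conf.all.log_martians=1` makes the kernel log packets rejected by this check, which is the quickest way to confirm or rule it out for a flow whose FORWARD and POSTROUTING counters never move.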
© Server Fault or respective owner