iptables advanced routing

Posted by Shamanu4 on Server Fault See other posts from Server Fault or by Shamanu4
Published on 2012-03-29T09:21:37Z Indexed on 2012/03/29 17:33 UTC
Read the original article Hit count: 322

Filed under:
|

I have a Centos server acting as a NAT in my network. This server has one external (later ext1) interface and three internal (later int1, int2 and int3). Egress traffic comes from users via int1 and after MASQUERADE goes via ext1. Ingress traffic comes from ext1, MASQUERADE, and goes via int2 or int3 according to static routes.

                       | ext1
                       | x.x.x.x/24
             +---------|----------------------+
             |                                |
             |  Centos server  (NAT)          |
             |                                |
             +---|------|---------------|-----+
                 |      |               |
            int1 |      | int2          | int3
   10.30.1.10/24 |      | 10.30.2.10/24 | 10.30.3.10/24
                 ^      v               v
    10.30.1.1/24 |      | 10.30.2.1/24  | 10.30.3.1/24
             +---|------|---------------|-----+
             |   |      |               |     |
             |   |      v               v     |
             |   ^      -Traffic policer-     |
             |   |_____________ |             |
             |                  |             |
             +------------------|-------------+
                                | 192.168.0.1/16
                                |
                                |
                             Clients         
                             192.168.0.0/16

The problem: Egress traffic seems to be dropped after PREROUTING table. Packet counters are not changing on MASQUERADE rule in POSTROUTING. If I change the routes to clients causing the traffic go back via int1 - everything works perfectly.

current iptable configuration is very simple:

# cat /etc/sysconfig/iptables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-I INPUT 1 -i int1 -j ACCEPT

-A FORWARD -j ACCEPT
COMMIT

*nat
-A POSTROUTING -o ext1 -j MASQUERADE
#
COMMIT

Can anyone point me what I'm missing? Thanks.

UPDATE:

192.168.100.60 via 10.30.2.1 dev int2  proto zebra # routes to clients ...
192.168.100.61 via 10.30.3.1 dev int3  proto zebra # ... I have a lot of them
x.x.x.0/24 dev ext1  proto kernel  scope link  src x.x.x.x 
10.30.1.0/24 dev int1  proto kernel  scope link  src 10.30.1.10 
10.30.2.0/24 dev int2  proto kernel  scope link  src 10.30.2.10 
10.30.3.0/24 dev int3  proto kernel  scope link  src 10.30.3.10 
169.254.0.0/16 dev ext1  scope link  metric 1003 
169.254.0.0/16 dev int1  scope link  metric 1004 
169.254.0.0/16 dev int2  scope link  metric 1005 
169.254.0.0/16 dev int3  scope link  metric 1006 
blackhole 192.168.0.0/16 
default via x.x.x.y dev ext1  

Clients have 192.168.0.1 as gateway, which is redirecting them to 10.30.1.1

© Server Fault or respective owner

Related posts about ip-routing

Related posts about iproute2