Using IPtables to route different subnets 1


eltoro123

IS-IT--Management
Apr 14, 2003
Hello All,

I have tried all things and I am extremely tired and frustrated trying to figure this out. I am using a Linux box and a couple of Cisco routers to make two different LANs talk to each other. My setup is something like this:

Internet
|
|
|
Cisco Router <-------------------------Cisco Router
| |
| |
| |
Linux Box with 2 interfaces |
(eth0 static ip from isp) |
(eth1 192.168.0.1) |
| Local Lan
| (192.168.2.x)
|
Local Lan (192.168.0.x)

My problem is that I can ping from any machine that is behind the Linux box, i.e. 192.168.0.x, to 192.168.2.x. But from the other LAN, i.e. 192.168.2.x, I can ping only the Linux box, i.e. 192.168.0.1, and not any other machine with a 192.168.0.x IP address. I am using Red Hat 7.2 and iptables to do the firewalling, which I have configured using Firestarter. Can someone please help me out with this situation?
 
Sounds like the machines on the 192.168.0.0 subnet cannot route back to the machines doing the pinging. As you can ping directly from 192.168.0.0 though, it sounds like an issue with the Linux box.

You can confirm this by running traceroute (Linux) or tracert (Win) on a 192.168.2.0 machine to a 192.168.0.0 machine to see where comms stops (provided tracerouting is not blocked by the firewall).

Do you have any masquerading/NAT rules set up on the Linux box?
 
Hi,

When I try to traceroute from 192.168.2.x to 192.168.0.1 it is successful and the output is
1st Hop 192.168.2.1 (Cisco Router at office B)
2nd Hop 192.168.1.2 (Cisco Router at Office A)
3rd Hop 192.168.0.1 (Linux Box at Office A)

If I try to traceroute to 192.168.0.9 (Windows box at Office A), the output for the first 2 hops is the same and then it starts timing out, which means the packets are not able to reach the network.

I have set up masquerading for the machines in Office A, which acts as a transparent proxy.
 
Just to make sure - you don't mean Office A is 192.168.0.0 and that the Linux box is masquerading it?
 
Hi,

Yes, Office A is 192.168.0.0 and the Linux box is masquerading it. Office B has 192.168.2.0 and they can reach 192.168.0.1 (Linux box) but cannot access any other machine with IP 192.168.0.x.

Thanks and Regards,

Vijay.
 
Of course they cannot - they're being masqueraded behind 192.168.0.1. That's what masquerading does - hide IP addresses from direct outside access behind the IP address of one interface.
 
Out of interest, with the two Cisco routers, Linux box and Internet connection, what are you trying to achieve? Are the two subnets totally different - is one a DMZ etc.?
 
First off, can users on the 192.168.0.x subnet ping anybody on the 192.168.2.x subnet? If not, have you tried adding a route on the Linux box?

route add -net 192.168.2.0 netmask 255.255.255.0 gw x.x.x.x

The x.x.x.x should be the IP of the first Cisco router, if that router has a route to the 2.x subnet.

ChrisP
 
Hi fluid - yes, he has said he can ping from 192.168.0.0 to 192.168.2.0; it's the other way he cannot, which makes me think it's the fact he's masquerading the 192.168.0.0 subnet.
 
Hi Norwich,

What I want to achieve with the given setup is that users in both my offices should be able to surf the net through the Linux box, and also all the Windows machines should be able to see each other in Network Neighbourhood. Both my offices are in different cities and they are connected through a WAN link. The Windows machines in Office A are able to surf the net and can also access the machines of Office B through Network Neighbourhood. But the machines in Office B can access the Internet only through Squid, which is running on my Linux box in Office A, and they cannot access any other machine in Office A.

Many Thanks.
 
OK - I am assuming the Cisco kit is connecting the two LANs as a WAN.

If you want both networks to use the one Internet connection - behind the one masquerading IP address - I would recommend that the device in direct connection to the Internet is the masquerading firewall (NAT or PNAT).

Simplistically, the WAN connection needs to be behind this Internet firewall so the topology should look like:

Internet
|
|
|
WAN--------officeB
|
|
|
officeA

Now, with the need for the two WAN endpoint bridges/routers you can use one as the Internet connection in a third interface.

Internet
|
|
|
CiscoA--------CiscoB---------officeB
|
|
|
OfficeA

for which you would configure the CiscoA box to act as the firewall.

Now if you're going to bring in a Linux proxy you have two options - either 1, put it between CiscoA and the Internet as the firewall with Squid proxy to handle internet access.

Internet
|
|
Linux
|
|
CiscoA-----CiscoB---officeB
|
|
OfficeA

Option 2: still use CiscoA as the boundary firewall and put the Linux proxy in the Office A LAN, and configure CiscoA to only allow that proxy's IP address to access the Internet; therefore all clients have to go through the proxy to access the Internet.

Internet
|
|
CiscoA----CiscoB---OfficeB
|
|
officeA with Linux


Option 3 is as you have it (topology anyway).
Option 4 is as option 3 but with another Linux box between CiscoB and the Office B LAN.

Now which one.... I would say option 1 is the most obvious. The advantage is simplicity - the Ciscos just route everything and the proxy firewalls the Internet. The disadvantage is that you'll have to make sure the Linux box is screwed down tight.

With option 2 (and all other options in fact) you'll need to make sure that the Ciscos have the firewalling kit installed at the boundary. For option 2 specifically, having a proxy installed like that would only work if you were giving folks web access only - with the boundary CiscoA doing all the real work. Bit pointless really.

Option 4 is reasonably good but a bit wasteful on resources - as you are effectively working with 3 boundary devices. However, it would be secure because of the levels of functional redundancy and would allow the office PCs to name the proxy server in the browser configs. Option 3 is really the worst of all worlds.

So I would say option 1 - have the Linux box use the ISP IP address on the outside interface and create a small subnet between that and CiscoA - though the proxy would have to run in a transparent mode if you don't want the subnet between the Linux box and CiscoA to be visible to the office LANs. Don't know how you have the WAN set up but I will assume you are using a private subnet - 192.168.1.0 say.... So:


Internet
|
|
| aaa.bbb.ccc.ddd (eth0)
Linux masquerading firewall/proxy
| 192.168.100.1 (eth1)
|
|
| 192.168.100.2
|
CiscoA 192.168.1.1----192.168.1.2 CiscoB 192.168.2.1--LANB
|
| 192.168.2.1
|
|
LANA

Set up the Ciscos to route the various private subnets appropriately. Set up the routers' default gateways to 'cascade' up to the next box. Set up all local office machines' default gateway to point to their router. Set up the Linux box to firewall appropriately and masquerade all behind the aaa.bbb.ccc.ddd interface - don't forget to add static routes so it knows how to get back to the office LANs.


Finally, network neighborhood uses broadcasts to identify the machines on the network. Broadcasts only travel on their own subnet so you won't see the office B machines in the office A LAN and vice versa. To get around this - install a WINS server in each office LAN and configure each office machine to use both the LAN A and LAN B WINS servers. Bit of a pain but the only way.
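The Linux-box side of option 1 above, and the static routes ChrisP mentioned earlier, as an added example that is not from the thread or from any poster: addresses are taken from Norwich's diagram, while the interface names, CiscoA's address on the small link subnet and the Squid port are assumptions. The script prints the commands rather than running them so the rule set can be reviewed before being fed to a root shell.

```shell
#!/bin/sh
# Added example: iptables/route setup for Norwich's "option 1" topology.
# Addresses follow his diagram; interface names, the CiscoA link address
# and the Squid port are assumptions.
WAN_IF=eth0                  # aaa.bbb.ccc.ddd, the ISP-assigned address
LAN_IF=eth1                  # 192.168.100.1, small subnet towards CiscoA
CISCOA=192.168.100.2         # assumed CiscoA end of that subnet (next hop inward)
LANA=192.168.0.0             # office A
LANB=192.168.2.0             # office B
WANLINK=192.168.1.0          # CiscoA-CiscoB link, assumed private
MASK=255.255.255.0
SQUID_PORT=3128              # assumed Squid listening port

# Emit the commands instead of executing them; review, then: gen_rules | sh
gen_rules() {
  cat <<EOF
# static routes back to the office LANs: everything inward goes via CiscoA
route add -net $LANA netmask $MASK gw $CISCOA
route add -net $LANB netmask $MASK gw $CISCOA
route add -net $WANLINK netmask $MASK gw $CISCOA
echo 1 > /proc/sys/net/ipv4/ip_forward
# default-deny forwarding; only replies and LAN-originated traffic pass
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LANA/24 -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LANB/24 -j ACCEPT
# masquerade ONLY on the Internet-facing interface; office-to-office
# traffic stays on the Ciscos and is never rewritten by this box
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
# transparent proxying: divert office web traffic arriving on eth1 to Squid
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
iptables -A INPUT -i $LAN_IF -p tcp --dport $SQUID_PORT -j ACCEPT
EOF
}

# Sanity checks: exactly one MASQUERADE rule, bound to the WAN interface,
# so the office LANs are never hidden from each other.
masq_count() { gen_rules | grep -c MASQUERADE; }
masq_on_wan() { gen_rules | grep MASQUERADE | grep -q -- "-o $WAN_IF"; }
```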
 
Hi Norwich,

Thanks for taking the pain to explain the different topologies that can be worked out. Even I feel that option 1 would be the best option, but the problem with that is my Internet connection is on a leased line which uses a V.35 baseband modem. The cable which is available in the open market, and which I have got along with the modem, can interface only between the modem and a Cisco router. I cannot directly link the modem to a PC. So I guess that the topology that I am currently using will be the one that I am forced to go with. But what really is puzzling me is that the machines in Office B (192.168.2.x) can talk to my Linux box on 192.168.0.1 and they can also access the Internet using the Squid proxy service running on the same Linux box. But they cannot access any other machine in Office A. If you could please examine my firewall script it would be a great help.

Thanks a lot.
 
If - as you said earlier - you are masquerading the 192.168.0.0 network then you are not going to be able to see those machines from outside (by outside, I mean any network not on the 192.168.0.0 subnet).

If you want me to check, post the pertinent parts of the iptables script and also the Cisco configs (if you cannot get the Cisco configs, at least let me know how they are configured - if the 192.168.2.0 subnet can get to the Internet, one of the Cisco boxes must be masquerading too, probably PNATing in Cisco terms).

Of course, one other option is to get another Cisco box and use option 1 but with this other Cisco router between the Internet and the Linux box.
 