iptables: forwarding traffic among all LAN networks - Networking



Thread: iptables: forwarding traffic among all LAN networks

  1. iptables: forwarding traffic among all LAN networks


    Hello,

    I have three LAN network, 192.168.0.0, 192.168.5.0 and 192.168.1.0,
    connected to three interfaces on my router machine running Debian Linux.
    I just discovered in my other post how to make my LAN talk to my dsl
    modem (thanks to Stephan).

    Related to this, I would like to forward all my local traffic among all
    my local networks. My external interface is ppp0. My local network
    interfaces are eth0, eth1 and ath0.

    Previously, I was using these two forwarding rules:
    $IPTABLES -A FORWARD -i eth0 -o ath0 -j ACCEPT
    $IPTABLES -A FORWARD -i ath0 -o eth0 -j ACCEPT
    $IPTABLES -A FORWARD -i eth0 -o eth1 -j ACCEPT

    The first two rules to allow 192.168.0.0 and 192.168.5.0 networks to
    talk to each other. The last rule is to allow 192.168.0.0 and
    192.168.1.0 networks to talk to each other. So, I probably have to
    write a pair of rules for each combination of the three networks. Is
    that right?

    I was also thinking that I may use the negation of match in iptables to
    allow all forwarding among non-ppp0 interfaces with a rule like this:
    $IPTABLES -A FORWARD -i !$EXTIF -o !$EXTIF -j ACCEPT

    Will the above work? It appears not to, looks like I am not doing
    something right.

    Comments, suggestions and all help are welcome.

    thanks,
    ->HS



  2. Re: iptables: forwarding traffic among all LAN networks

    "H.S." wrote in message
    news:d2f6e$473d1a35$4c0a8347$32660@TEKSAVVY.COM-Free...
    > Hello,
    > I have three LAN network, 192.168.0.0, 192.168.5.0 and 192.168.1.0,
    > connected to three interfaces on my router machine running Debian Linux.
    > I just discovered in my other post how to make my LAN talk to my dsl
    > modem (thanks to Stephan).
    >
    > Related to this, I would like to forward all my local traffic among all
    > my local networks. My external interface is ppp0. My local network
    > interfaces are eth0, eth1 and ath0.
    >
    > Previously, I was using these two forwarding rules:
    > $IPTABLES -A FORWARD -i eth0 -o ath0 -j ACCEPT
    > $IPTABLES -A FORWARD -i ath0 -o eth0 -j ACCEPT
    > $IPTABLES -A FORWARD -i eth0 -o eth1 -j ACCEPT
    >
    > The first two rules to allow 192.168.0.0 and 192.168.5.0 networks to
    > talk to each other. The last rule is to allow 192.168.0.0 and
    > 192.168.1.0 networks to talk to each other....


    No. The last rule allows eth0's net to talk to eth1's but there's no provision
    for a reply. You're missing a rule.
    BTW, that's 3 rules, not 2, and should be 4.

    > ... So, I probably have to
    > write a pair of rules for each combination of the three networks. Is
    > that right?


    Yes.

    > I was also thinking that I may use the negation of match in iptables to
    > allow all forwarding among non-ppp0 interfaces with a rule like this:
    > $IPTABLES -A FORWARD -i !$EXTIF -o !$EXTIF -j ACCEPT
    >
    > Will the above work? It appears not to, looks like I am not doing
    > something right.
    >
    > Comments, suggestions and all help are welcome.
    >
    > thanks,
    > ->HS
    >
    >



  3. Re: iptables: forwarding traffic among all LAN networks

    Hello,

    H.S. wrote:
    >
    > I have three LAN network, 192.168.0.0, 192.168.5.0 and 192.168.1.0,
    > connected to three interfaces on my router machine running Debian Linux.
    >
    > Related to this, I would like to forward all my local traffic among all
    > my local networks. My external interface is ppp0. My local network
    > interfaces are eth0, eth1 and ath0.
    >
    > Previously, I was using these two forwarding rules:
    > $IPTABLES -A FORWARD -i eth0 -o ath0 -j ACCEPT
    > $IPTABLES -A FORWARD -i ath0 -o eth0 -j ACCEPT
    > $IPTABLES -A FORWARD -i eth0 -o eth1 -j ACCEPT


    That's three rules, not two. ;-)

    > The first two rules to allow 192.168.0.0 and 192.168.5.0 networks to
    > talk to each other.


    Yes.

    > The last rule is to allow 192.168.0.0 and
    > 192.168.1.0 networks to talk to each other.


    Actually it allows only forwarded traffic from eth0 to eth1, but not the
    other way.

    > So, I probably have to
    > write a pair of rules for each combination of the three networks. Is
    > that right?


    Yes. In some special cases you may also need to accept traffic forwarded
    from an interface to itself. But do you trust your modem and ISP enough
    to allow *any* traffic from the modem subnet? I personally would not
    trust them more than the rest of the internet, so I would apply the same
    rules as for the traffic on the PPP interface.

    > I was also thinking that I may use the negation of match in iptables to
    > allow all forwarding among non-ppp0 interfaces with a rule like this:
    > $IPTABLES -A FORWARD -i !$EXTIF -o !$EXTIF -j ACCEPT
    >
    > Will the above work? It appears not to, looks like I am not doing
    > something right.


    Try to insert a space between the ! and the interface name.
    Also, you could use a wildcard: e.g. ppp+ will match any interface name
    starting with "ppp". However I don't like such negations in ACCEPT
    rules, because if any other interface comes up for any reason (tunnel,
    VPN...), all traffic will be accepted unconditionally. Six rules are
    not a big hassle.

  4. Re: iptables: forwarding traffic among all LAN networks

    Pascal Hambourg wrote:

    >
    > That's three rules, not two. ;-)


    Yes. Was trying various rules while writing this message.


    >
    >> The first two rules to allow 192.168.0.0 and 192.168.5.0 networks to
    >> talk to each other.

    >
    > Yes.
    >
    >> The last rule is to allow 192.168.0.0 and
    >> 192.168.1.0 networks to talk to each other.

    >
    > Actually it allows only forwarded traffic from eth0 to eth1, but not the
    > other way.


    Ah, yes. Thanks.

    >
    >> So, I probably have to
    >> write a pair of rules for each combination of the three networks. Is
    >> that right?

    >
    > Yes. In some special cases you may also need to accept traffic forwarded
    > from an interface to itself. But do you trust your modem and ISP enough
    > to allow *any* traffic from the modem subnet? I personally would not
    > trust them more than the rest of the internet, so I would apply the same
    > rules as for the traffic on the PPP interface.


    Good point! I will do that.


    >
    >> I was also thinking that I may use the negation of match in iptables to
    >> allow all forwarding among non-ppp0 interfaces with a rule like this:
    >> $IPTABLES -A FORWARD -i !$EXTIF -o !$EXTIF -j ACCEPT
    >>
    >> Will the above work? It appears not to, looks like I am not doing
    >> something right.

    >
    > Try to insert a space between the ! and the interface name.


    Okay.

    > Also, you could use a wildcard: e.g. ppp+ will match any interface name
    > starting with "ppp". However I don't like such negations in ACCEPT
    > rules, because if any other interface comes up for any reason (tunnel,
    > VPN...), all traffic will be accepted unconditionally. Six rules are
    > not a big hassle.


    True. If I imagine the networks as nodes in a graph, then for n networks I
    would need n(n-1) rules in all?

    thanks,
    ->HS



  5. Re: iptables: forwarding traffic among all LAN networks

    H.S. wrote:
    >
    > If I imagine the networks as nodes in a graph, then for n networks I
    > would need n(n-1) rules in all?


    Not necessarily. It may be possible to factorize chains into policies.
    For instance assume you define two types of networks: trusted (e.g.
    internet) and untrusted (e.g. your LAN). Then you define four forwarding
    policies based upon the types of the source and destination networks.

    So you would have the following chains containing the fixed ruleset
    enforcing each policy:

    trusted_to_trusted
    trusted_to_untrusted
    untrusted_to_trusted
    untrusted_to_untrusted

    You also need two additional chains:

    from_trusted
    from_untrusted

    Now for each interface $IFT connected to a trusted network, you would
    add the following rules:

    iptables -A FORWARD -i $IFT -j from_trusted
    iptables -A from_trusted -o $IFT -j trusted_to_trusted
    iptables -A from_untrusted -o $IFT -j untrusted_to_trusted

    And for each interface $IFU connected to an untrusted network, you would
    add the following rules:

    iptables -A FORWARD -i $IFU -j from_untrusted
    iptables -A from_trusted -o $IFU -j trusted_to_untrusted
    iptables -A from_untrusted -o $IFU -j untrusted_to_untrusted

    For instance, a packet coming from an untrusted network and destined to
    a trusted network would be directed to the from_untrusted then to the
    untrusted_to_trusted chain which determines its fate.

    In this approach the rule count for n networks and t network types is
    roughly n*(t+1), which scales better when n increases. Another advantage
    is that when you create or delete a network interface you don't need to
    care about the other existing interfaces, which is very valuable in
    setups with multiple "dynamic" interfaces and networks such as PPP
    links, VPNs, tunnels...
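    The chain layout described above, as an added example that is not part of the thread: a POSIX shell generator that builds the from_* and *_to_* chains once and then adds only the t+1 rules each interface needs. IPTABLES defaults to "echo iptables" so the rules are printed instead of applied (run with IPTABLES=iptables as root to load them); the contents of the four policy chains, and the choice to class the three LAN interfaces as trusted and ppp0 as untrusted, are this example's assumptions.

```shell
#!/bin/sh
# Added example: policy-factored FORWARD ruleset. Dry-run by default.
IPTABLES="${IPTABLES:-echo iptables}"
TYPES="trusted untrusted"

# Create the from_* chains and the t*t policy chains, then fill each policy
# chain once. Assumed policies: trusted<->trusted open, trusted->untrusted
# open, untrusted->trusted only replies to existing connections, and no
# forwarding at all between two untrusted networks.
setup_chains() {
    for s in $TYPES; do
        $IPTABLES -N "from_$s"
        for d in $TYPES; do
            $IPTABLES -N "${s}_to_${d}"
        done
    done
    $IPTABLES -A trusted_to_trusted -j ACCEPT
    $IPTABLES -A trusted_to_untrusted -j ACCEPT
    $IPTABLES -A untrusted_to_trusted -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A untrusted_to_trusted -j DROP
    $IPTABLES -A untrusted_to_untrusted -j DROP
}

# add_interface IFACE TYPE: the only rules that mention IFACE, t+1 of them.
# Other interfaces never need to be touched when this one comes or goes.
add_interface() {
    $IPTABLES -A FORWARD -i "$1" -j "from_$2"
    for s in $TYPES; do
        $IPTABLES -A "from_$s" -o "$1" -j "${s}_to_$2"
    done
}

# The router from the thread: eth0, eth1, ath0 are the LANs (trusted, an
# assumption) and ppp0 the DSL link (untrusted).
build_ruleset() {
    setup_chains
    add_interface eth0 trusted
    add_interface eth1 trusted
    add_interface ath0 trusted
    add_interface ppp0 untrusted
}

# Per-interface rule count, which is the n*(t+1) figure from the post.
interface_rule_count() {
    build_ruleset | grep -c -e '-A FORWARD' -e '-A from_'
}

build_ruleset
```

With four interfaces and two types the generator emits 12 per-interface rules instead of the 12 pairwise rules n(n-1) would give, and adding a fifth interface costs three rules rather than eight.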

  6. Re: iptables: forwarding traffic among all LAN networks

    Pascal Hambourg wrote:
    > H.S. wrote:
    >>
    >> If I imagine the networks as nodes in a graph, then for n networks I
    >> would need n(n-1) rules in all?

    >
    > Not necessarily. It may be possible to factorize chains into policies.
    > For instance assume you define two types of networks: trusted (e.g.
    > internet) and untrusted (e.g. your LAN). Then you define four forwarding
    > policies based upon the types of the source and destination networks.
    >
    > So you would have the following chains containing the fixed ruleset
    > enforcing each policy:
    >
    > trusted_to_trusted
    > trusted_to_untrusted
    > untrusted_to_trusted
    > untrusted_to_untrusted
    >
    > You also need two additional chains:
    >
    > from_trusted
    > from_untrusted
    >
    > Now for each interface $IFT connected to a trusted network, you would
    > add the following rules:
    >
    > iptables -A FORWARD -i $IFT -j from_trusted
    > iptables -A from_trusted -o $IFT -j trusted_to_trusted
    > iptables -A from_untrusted -o $IFT -j untrusted_to_trusted
    >
    > And for each interface $IFU connected to an untrusted network, you would
    > add the following rules:
    >
    > iptables -A FORWARD -i $IFU -j from_untrusted
    > iptables -A from_trusted -o $IFU -j trusted_to_untrusted
    > iptables -A from_untrusted -o $IFU -j untrusted_to_untrusted
    >
    > For instance, a packet coming from an untrusted network and destined to
    > a trusted network would be directed to the from_untrusted then to the
    > untrusted_to_trusted chain which determines its fate.
    >
    > In this approach the rule count for n networks and t network types is
    > roughly n*(t+1), which scales better when n increases. Another advantage
    > is that when you create or delete a network interface you don't need to
    > care about the other existing interfaces, which is very valuable in
    > setups with multiple "dynamic" interfaces and networks such as PPP
    > links, VPNs, tunnels...



    Wonderful comments! Thanks for the insights. I think as soon as I get
    some free time on my hands, I am going to rewrite my iptables script
    using this approach.
    ->HS
