
Re: VLAN et iptables



On Sat, Apr 3, 2010 at 5:47 AM, Jeetu Golani <jeetu.golani@gmail.com> wrote:
> Hi,
>
> I have a Debian system that I am trying to configure as a router for a MPLS
> VPN setup. I'm having trouble setting up the iptables rules to forward
> internet traffic from remote locations. Admittedly this isn't my forte
> therefore I would sincerely appreciate any help :)
>
> Network Description:
> At the head office, the ISP facing router has two physical NICs (eth0 and
> eth1).
>
> eth0 is connected to the head office  "local"  LAN  192.168.0.0/24.
>
> eth1 has two VLAN interfaces 105 and 689 (vlan105 and vlan689)
> connecting to the Service Provider's (SP)  Network
> Termination Unit (NTU)
>
> vlan105 carries VPN traffic coming in from remote locations e.g two
> LANs subnets over MPLS VPN (a) 192.168.1.0/24 and (b) 172.16.0.0/16
>
> vlan689 carries company <> INTERNET traffic
>
> Internet access for "remote" locations, all Internet traffic comes to
> above router over vlan105 sub interface and have it SNAT'd/Masquerade
> to the Internet over vlan689 interface.
> ---------------------
>
> The following is the iptables script I have tried however it doesn't work:
>
> INTIF1="eth0"     # physical interface for local LAN
> INTIF2="vlan105"  # VLAN iface for VPN traffic to remote location
> EXTIF="vlan689"   # VLAN iface for INTERNET traffic
> EXTIP="x.x.x.x" #public IP for our CE router
>
> /sbin/depmod -a
> /sbin/modprobe ip_tables
> /sbin/modprobe ip_conntrack
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_conntrack_irc
> /sbin/modprobe iptable_nat
> /sbin/modprobe ip_nat_ftp
>  echo "1" > /proc/sys/net/ipv4/ip_forward
> #echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
> iptables -P INPUT ACCEPT
> iptables -F INPUT
> iptables -P OUTPUT ACCEPT
> iptables -F OUTPUT
>  iptables -P FORWARD DROP
> iptables -F FORWARD
>
> iptables -t nat -F
>
> # for Matunga subnet 192.168.0.0/24
>  iptables -A FORWARD -i $EXTIF -o $INTIF1 -d 192.168.0.0/24 -m state --
> state ESTABLISHED,RELATED -j ACCEPT
>  iptables -A FORWARD -i $INTIF1 -o $EXTIF -s 192.168.0.0/24 -m -j
> ACCEPT

First look through - you don't allow new connections, only established
and related!

Usually - what I do is have the established,related line - not limited
by interface or address - at the top - sort of a short-circuit catch-all.
Then do the limiting with the NEW connection statements.



>
>  # for Silvassa subnet 172.16.0.0/16
> iptables -A FORWARD -i $EXTIF -o $INTIF2 -d 172.16.0.0/16 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>  iptables -A FORWARD -i $INTIF2 -o $EXTIF -s 172.16.0.0/16 -m -j ACCEPT
>
>  # for Colaba subnet 192.168.1.0/24
> iptables -A FORWARD -i $EXTIF -o $INTIF2 -d 192.168.1.0/24 -m state --
> state ESTABLISHED,RELATED -j ACCEPT
>  iptables -A FORWARD -i $INTIF2 -o $EXTIF -s 192.168.1.0/24 -m -j
> ACCEPT
>
> iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
> --------------------------------------------
>
> Would sincerely appreciate any help. Thanks
>
> Bye for now
>
>
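The layout the reply describes, written out as an added example that is not part of the original thread: one ESTABLISHED,RELATED catch-all at the head of FORWARD, then per-subnet rules that only admit NEW connections, with everything else falling to the DROP policy. Interface names and subnets come from the question; the IPT variable, the print_rule preview function and the "apply" argument are my own additions so the rules can be listed without touching the kernel.

```shell
#!/bin/sh
# Added example, not the original poster's script. Interfaces and subnets
# are the ones from the question; IPT is an assumed wrapper variable so the
# rule set can be previewed (IPT=print_rule) or applied (default, needs root).
IPT="${IPT:-/sbin/iptables}"
INTIF1="eth0"     # head-office LAN
INTIF2="vlan105"  # MPLS VPN side, where the remote LANs arrive
EXTIF="vlan689"   # Internet side, where traffic is masqueraded

# Prints an iptables command line instead of running it (for preview/testing).
print_rule() { printf '%s\n' "$*"; }

forward_rules() {
    "$IPT" -P FORWARD DROP
    "$IPT" -F FORWARD
    # Catch-all first: return traffic for any tracked flow is accepted
    # regardless of interface or address, so it never has to be repeated.
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only NEW connections are restricted: each subnet may only open flows
    # from its own ingress interface towards the Internet interface.
    for spec in "$INTIF1 192.168.0.0/24" \
                "$INTIF2 172.16.0.0/16" \
                "$INTIF2 192.168.1.0/24"; do
        set -- $spec   # $1 = ingress interface, $2 = source subnet
        "$IPT" -A FORWARD -i "$1" -o "$EXTIF" -s "$2" \
            -m state --state NEW -j ACCEPT
    done
    # Anything not matched above (e.g. NEW from the Internet, or a subnet
    # arriving on the wrong VLAN) hits the FORWARD DROP policy.
}

nat_rules() {
    "$IPT" -t nat -F
    "$IPT" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

if [ "${1:-}" = "apply" ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    forward_rules
    nat_rules
fi
```

Run with `IPT=print_rule sh script.sh apply` to see the rule order before loading it for real.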
