IPSec, IPTables, multiple subnets

SilkBC
03-27-2007, 01:17 AM
Hello,

How do you tell IPTables to not masquerade several specific subnets,
or alternatively, masquerade *only* one specific subnet but not
everything else?

We have several remote sites with the following subnets:

site1 (main office): 10.175.0.0/24
site2 (remote): 10.175.1.0/24
site3 (remote): 10.175.2.0/24
site4 (remote): 10.175.3.0/24

We are wanting to run full two-way site-to-site VPNs between the
remote sites and the main office. We are able to get one tunnel
working properly, but the others, while the tunnels are indeed up, we
cannot ping across to them from the main office. The VPN is IPSec.

Here is the current masquerading rule (on the main office firewall/
gateway), which is allowing the one IPSec tunnel to work no problem:

iptables -t nat -A POSTROUTING -o eth0 -d ! 10.175.1.0/24 -j MASQUERADE

which is saying to masquerade all traffic going through eth0 *except*
for traffic destined for the 10.175.1.0/24 network.

IPSec does not create its own interface unfortunately, but rather
"shares" eth0.

I have tried this rule:

iptables -t nat -A POSTROUTING -o eth0 -s 10.175.0.0/24 -j MASQUERADE

which I thought would masquerade *only* traffic from the 10.175.0.0/24
subnet through eth0, but that didn't work (and looking at it closer, I
am able to see why)

Any help appreciated.

TIA. I look forward to hearing from you.

-Alan

Clifford Kite
03-27-2007, 08:46 PM
SilkBC <(E-Mail Removed)> wrote:
> Hello,


> How do you tell IPTables to not masquerade several specific subnets,
> or alternatively, masquerade *only* one specific subnet but not
> everything else?


> We have several remote sites with the following subnets:


> site1 (main office): 10.175.0.0/24
> site2 (remote): 10.175.1.0/24
> site3 (remote): 10.175.2.0/24
> site4 (remote): 10.175.3.0/24


> We are wanting to run full two-way site-to-site VPNs between the
> remote sites and the main office. We are able to get one tunnel
> working properly, but the others, while the tunnels are indeed up, we
> cannot ping across to them from the main office. The VPN is IPSec.


> Here is the current masquerading rule (on the main office firewall/
> gateway), which is allowing the one IPSec tunnel to work no problem:


> iptables -t nat -A POSTROUTING -o eth0 -d ! 10.175.1.0/24 -j MASQUERADE


> which is saying to masquerade all traffic going through eth0 *except*
> for traffic destined for the 10.175.1.0/24 network.


> IPSec does not create its own interface unfortunately, but rather
> "shares" eth0.


> I have tried this rule:


> iptables -t nat -A POSTROUTING -o eth0 -s 10.175.0.0/24 -j MASQUERADE


Given that I'm no IPSec or iptables expert, you might try this:

iptables -t nat -A POSTROUTING -o eth0 -d ! 10.175.0.0/16 -j MASQUERADE

It would seem to masquerade all traffic output through eth0 except
that to the VPNs, assuming no traffic to 10.175.0.0/24 goes out eth0.
But since my view of eth0/IPSec VPN/"shares" is cloudy at best that
assumption could easily be wrong.

> which I thought would masquerade *only* traffic from the 10.175.0.0/24
> subnet through eth0, but that didn't work (and looking at it closer, I
> am able to see why)


> Any help appreciated.


> TIA. I look forward to hearing from you.


> -Alan



--
Clifford Kite
/* I hear and I forget. I see and I remember. I do and I understand.
--Confucius, 551-479 BC */
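Why the source-based rule breaks the tunnels, and how the two destination-based alternatives compare, as an added Python model (not code from the thread or from either poster). On Linux the nat POSTROUTING chain runs before the IPsec output policy lookup, so a packet that has been masqueraded carries the eth0 address and no longer matches the tunnel selector 10.175.0.0/24 -> 10.175.x.0/24; it then leaves eth0 in the clear. That is exactly what the original "-d ! 10.175.1.0/24" rule does to traffic for sites 3 and 4. The model evaluates a rule list first-match like netfilter for the syntax the thread uses (-o, -s, -d with optional "!", ACCEPT and MASQUERADE); the WAN address 203.0.113.1, the host addresses and the Internet destination 198.51.100.7 are constructed sample values.

```python
"""Model the nat POSTROUTING decisions discussed in this thread.

Added illustration, not code from the thread. It evaluates a rule list the way
netfilter does (first match wins) for the subset of syntax used here: -o, -s,
-d with an optional '!', and the ACCEPT / MASQUERADE targets. The WAN address
203.0.113.1 and the host addresses below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

MAIN_LAN = ip_network("10.175.0.0/24")
REMOTE_LANS = [ip_network(n) for n in ("10.175.1.0/24", "10.175.2.0/24", "10.175.3.0/24")]
WAN_IP = ip_address("203.0.113.1")  # constructed: public address of eth0


@dataclass
class Rule:
    """One 'iptables -t nat -A POSTROUTING ...' rule."""
    out_if: str
    target: str                         # "ACCEPT" or "MASQUERADE"
    src: Optional[IPv4Network] = None   # -s net  /  -s ! net
    dst: Optional[IPv4Network] = None   # -d net  /  -d ! net
    src_neg: bool = False
    dst_neg: bool = False

    def matches(self, out_if: str, src: IPv4Address, dst: IPv4Address) -> bool:
        if out_if != self.out_if:
            return False
        # A match fails when membership equals the negation flag: plain '-s net'
        # fails for addresses outside net, '-s ! net' fails for those inside it.
        if self.src is not None and (src in self.src) == self.src_neg:
            return False
        if self.dst is not None and (dst in self.dst) == self.dst_neg:
            return False
        return True


def postrouting(rules: List[Rule], out_if: str, src: str, dst: str) -> IPv4Address:
    """Return the source address the packet leaves with after POSTROUTING."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(out_if, s, d):
            return WAN_IP if rule.target == "MASQUERADE" else s
    return s  # chain policy ACCEPT: no rewrite


def is_masqueraded(rules: List[Rule], src: str, dst: str) -> bool:
    return postrouting(rules, "eth0", src, dst) != ip_address(src)


# The rule the thread starts with: only 10.175.1.0/24 is exempt.
RULES_ORIGINAL = [Rule("eth0", "MASQUERADE", dst=ip_network("10.175.1.0/24"), dst_neg=True)]
# The poster's second attempt: masquerade by *source* LAN.
RULES_BY_SOURCE = [Rule("eth0", "MASQUERADE", src=MAIN_LAN)]
# Clifford's suggestion: exempt the whole 10.175.0.0/16.
RULES_BY_DEST16 = [Rule("eth0", "MASQUERADE", dst=ip_network("10.175.0.0/16"), dst_neg=True)]
# The general answer to the question as asked: one exemption per remote site,
# then masquerade everything else that leaves eth0.
RULES_EXPLICIT = [Rule("eth0", "ACCEPT", dst=n) for n in REMOTE_LANS] + [Rule("eth0", "MASQUERADE")]


def report(rules: List[Rule]) -> Dict[str, bool]:
    """For a main-office host, which destinations get their source rewritten?

    Anything rewritten on the way to a remote site no longer matches the
    IPsec policy selector and will not be sent through the tunnel.
    """
    cases = {"site2": "10.175.1.5", "site3": "10.175.2.5",
             "site4": "10.175.3.5", "internet": "198.51.100.7"}
    return {name: is_masqueraded(rules, "10.175.0.10", dst) for name, dst in cases.items()}


if __name__ == "__main__":
    for name, rules in [("original", RULES_ORIGINAL), ("by-source", RULES_BY_SOURCE),
                        ("dest /16", RULES_BY_DEST16), ("explicit", RULES_EXPLICIT)]:
        print(f"{name:10s} masqueraded: {report(rules)}")
```

Run it and the "original" and "by-source" lists show site3 and site4 (and, for by-source, even site2) being rewritten, while "dest /16" and "explicit" leave all three remote sites alone and still masquerade the Internet-bound case. The explicit form is the safer one to keep as sites are added, because a /16 exemption also covers any 10.175.x.0/24 that is not a VPN peer.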
SilkBC
03-29-2007, 02:08 PM
On Mar 27, 1:46 pm, Clifford Kite <(E-Mail Removed)> wrote:
> Given that I'm no IPSec or iptables expert, you might try this:
>
> iptables -t nat -A POSTROUTING -o eth0 -d ! 10.175.0.0/16 -j MASQUERADE


I had considered the above, but thought it would have prevented the
LAN traffic at the main site (10.175.0.0/24) from being masqueraded/
nat'd out to the Internet. I gave it a try anyway, and it doesn't
seem to affect that traffic.

Having done that, I have made some progress: from the 10.175.0.0/24
(main site) network, I am able to ping the private gateway IPs of the
routers at the different sites (10.175.x.254) whereas I was not able
to do so previously. I am unable to ping any of the PCs behind the
gateways, however (though I can do so if I SSH to the gateway itself
and start pinging the IPs of the PCs).

I was thinking this may be a routing issue until I was actually able
to ping just one of the PCs in the 10.175.3.0/24 subnet, though I
cannot ping any of the others behind it.

The firewall is not an issue, as it is running the exact same one as
the site with the 10.175.1.0/24 subnet (which is working 100% as it
should). The routing tables are also exactly the same, except for the
local subnet and of course the ISP gateway they have to go through.

Open to any other suggestions... :-)

-Alan M.

Clifford Kite
03-29-2007, 06:38 PM
SilkBC <(E-Mail Removed)> wrote:
> On Mar 27, 1:46 pm, Clifford Kite <(E-Mail Removed)> wrote:
>> Given that I'm no IPSec or iptables expert, you might try this:
>>
>> iptables -t nat -A POSTROUTING -o eth0 -d ! 10.175.0.0/16 -j MASQUERADE


> I had considered the above, but thought it would have prevented the
> LAN traffic at the main site (10.175.0.0/24) from being masqueraded/
> nat'd out to the Internet. I gave it a try anyway, and it doesn't
> seem to affect that traffic.


> Having done that, I have made some progress: from the 10.175.0.0/24
> (main site) network, I am able to ping the private gateway IPs of the
> routers at the different sites (10.175.x.254) whereas I was not able
> to do so previously. I am unable to ping any of the PCs behind the
> gateways, however (though I can do so if I SSH to the gateway itself
> and start pinging the IPs of the PCs).


> I was thinking this may be a routing issue until I was actually able
> to ping just one of the PCs in the 10.175.3.0/24 subnet, though I
> cannot ping any of the others behind it.


> The firewall is not an issue, as it is running the exact same one as
> the site with the 10.175.1.0/24 subnet (which is working 100% as it
> should). The routing tables are also exactly the same, except for the
> local subnet and of course the ISP gateway they have to go through.


> Open to any other suggestions... :-)


It smacks of the lack of IP forwarding on the VPN gateways, except
for the one for 10.175.1.0/24 of course. You also might enquire as to
whether there is anything special about the PC that responds to pinging.
That seems to contradict my suggestion: if IP forwarding is missing
on the gateway then no PC should respond and if it isn't then all PCs
should respond.

Anyway, since 10.175.1.0/24 is still 100% with the new rule it seems
like the other subnets should also work with it.

corncob:~# cat /proc/sys/net/ipv4/ip_forward
1

> -Alan M.



--
Clifford Kite
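A way to check the two things the last reply points at on each gateway, forwarding and a policy for every remote subnet, as an added Python script that is not code from the thread. It reads the text of /proc/sys/net/ipv4/ip_forward and parses the output of "ip xfrm policy" (the kernel's IPsec security policy database); the sample texts embedded below are constructed so the script runs offline, and the peer addresses 198.51.100.2/3 and the priorities are made up. A real run would feed it the real command output instead.

```python
"""Check a VPN gateway for IP forwarding and for an IPsec policy covering
every remote subnet in all three directions (out, in, fwd).

Added illustration, not code from the thread. The two SAMPLE_* strings are
constructed to resemble real output so that the script runs offline.
"""
import re
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Tuple

LOCAL_LAN = ip_network("10.175.0.0/24")
REMOTE_LANS = [ip_network(n) for n in ("10.175.1.0/24", "10.175.2.0/24", "10.175.3.0/24")]

# Constructed sample: what 'cat /proc/sys/net/ipv4/ip_forward' prints.
SAMPLE_IP_FORWARD = "1\n"

# Constructed sample of 'ip xfrm policy' on the main-office gateway: site2 and
# site3 have out/in/fwd policies, site4 has none (peer addresses are made up).
SAMPLE_XFRM_POLICY = """\
src 10.175.0.0/24 dst 10.175.1.0/24
\tdir out priority 2816
\ttmpl src 203.0.113.1 dst 198.51.100.2
\t\tproto esp reqid 1 mode tunnel
src 10.175.1.0/24 dst 10.175.0.0/24
\tdir in priority 2816
\ttmpl src 198.51.100.2 dst 203.0.113.1
\t\tproto esp reqid 1 mode tunnel
src 10.175.1.0/24 dst 10.175.0.0/24
\tdir fwd priority 2816
\ttmpl src 198.51.100.2 dst 203.0.113.1
\t\tproto esp reqid 1 mode tunnel
src 10.175.0.0/24 dst 10.175.2.0/24
\tdir out priority 2816
\ttmpl src 203.0.113.1 dst 198.51.100.3
\t\tproto esp reqid 2 mode tunnel
src 10.175.2.0/24 dst 10.175.0.0/24
\tdir in priority 2816
\ttmpl src 198.51.100.3 dst 203.0.113.1
\t\tproto esp reqid 2 mode tunnel
src 10.175.2.0/24 dst 10.175.0.0/24
\tdir fwd priority 2816
\ttmpl src 198.51.100.3 dst 203.0.113.1
\t\tproto esp reqid 2 mode tunnel
"""

Policy = Tuple[IPv4Network, IPv4Network, str]   # (src selector, dst selector, dir)
_SEL = re.compile(r"^src (\S+) dst (\S+)")       # selector line starts a policy block
_DIR = re.compile(r"^\s*dir (\w+)")              # indented 'dir out|in|fwd ...' line


def parse_xfrm_policy(text: str) -> List[Policy]:
    """Collect (src, dst, dir) from each policy block; tmpl lines are ignored."""
    policies: List[Policy] = []
    pending = None
    for line in text.splitlines():
        m = _SEL.match(line)
        if m:
            pending = (ip_network(m.group(1)), ip_network(m.group(2)))
            continue
        m = _DIR.match(line)
        if m and pending is not None:
            policies.append((pending[0], pending[1], m.group(1)))
            pending = None
    return policies


def covered(policies: List[Policy], direction: str, src: IPv4Network, dst: IPv4Network) -> bool:
    """True if some policy in that direction has selectors at least as wide as src/dst."""
    return any(d == direction and src.subnet_of(ps) and dst.subnet_of(pd)
               for ps, pd, d in policies)


def check_gateway(ip_forward_text: str, xfrm_text: str) -> Dict[str, List[str]]:
    """Return findings: forwarding disabled, and every missing (direction, selector) pair."""
    findings: Dict[str, List[str]] = {"forwarding_off": [], "missing_policy": []}
    if ip_forward_text.strip() != "1":
        findings["forwarding_off"].append("net.ipv4.ip_forward")
    policies = parse_xfrm_policy(xfrm_text)
    for remote in REMOTE_LANS:
        # out: LAN -> remote; in and fwd: remote -> LAN (fwd governs decrypted
        # packets that are forwarded on to LAN hosts rather than delivered locally).
        wanted = {"out": (LOCAL_LAN, remote), "in": (remote, LOCAL_LAN), "fwd": (remote, LOCAL_LAN)}
        for direction, (src, dst) in wanted.items():
            if not covered(policies, direction, src, dst):
                findings["missing_policy"].append(f"{direction} {src} -> {dst}")
    return findings


if __name__ == "__main__":
    print(check_gateway(SAMPLE_IP_FORWARD, SAMPLE_XFRM_POLICY))
```

With the constructed sample the report lists the three missing site4 policies and nothing under forwarding; on a real gateway, a missing "fwd" entry while "in" is present would fit the symptom in this thread of reaching the far gateway itself but not the hosts behind it.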