Networking Forums

iptables: forwarding traffic among all LAN networks

H.S.
11-16-2007, 03:18 AM

Hello,

I have three LAN network, 192.168.0.0, 192.168.5.0 and 192.168.1.0,
connected to three interfaces on my router machine running Debian Linux.
I just discovered in my other post how to make my LAN talk to my dsl
modem (thanks to Stephan).

Related to this, I would like to forward all my local traffic among all
my local networks. My external interface is ppp0. My local network
interfaces are eth0, eth1 and ath0.

Previously, I was using these two forwarding rules:
$IPTABLES -A FORWARD -i eth0 -o ath0 -j ACCEPT
$IPTABLES -A FORWARD -i ath0 -o eth0 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -o eth1 -j ACCEPT

The first two rules to allow 192.168.0.0 and 192.168.5.0 networks to
talk to each other. The last rule is to allow 192.168.0.0 and
192.168.1.0 networks to talk to each other. So, I probably I have to
write a pair of rules for each combination of the three networks. Is
that right?

I was also thinking that I may use the negation of match in iptables to
allow all forwarding among non-ppp0 interfaces with a rule like this:
$IPTABLES -A FORWARD -i !$EXTIF -o !$EXTIF -j ACCEPT

Will the above work? It appears not to, looks like I am not doing
something right.

Comments, suggestions and all help are welcome.

thanks,
->HS


 
D. Stussy
11-16-2007, 05:50 AM
"H.S." wrote:
> Hello,
> I have three LAN network, 192.168.0.0, 192.168.5.0 and 192.168.1.0,
> connected to three interfaces on my router machine running Debian Linux.
> I just discovered in my other post how to make my LAN talk to my dsl
> modem (thanks to Stephan).
>
> Related to this, I would like to forward all my local traffic among all
> my local networks. My external interface is ppp0. My local network
> interfaces are eth0, eth1 and ath0.
>
> Previously, I was using these two forwarding rules:
> $IPTABLES -A FORWARD -i eth0 -o ath0 -j ACCEPT
> $IPTABLES -A FORWARD -i ath0 -o eth0 -j ACCEPT
> $IPTABLES -A FORWARD -i eth0 -o eth1 -j ACCEPT
>
> The first two rules to allow 192.168.0.0 and 192.168.5.0 networks to
> talk to each other. The last rule is to allow 192.168.0.0 and
> 192.168.1.0 networks to talk to each other....


No. The last rule allows eth0's net to talk to eth1's but there's no provision
for a reply. You're missing a rule.
BTW, that's 3 rules, not 2, and should be 4.

> ... So, I probably I have to
> write a pair of rules for each combination of the three networks. Is
> that right?


Yes.

> I was also thinking that I may use the negation of match in iptables to
> allow all forwarding among non-ppp0 interfaces with a rule like this:
> $IPTABLES -A FORWARD -i !$EXTIF -o !$EXTIF -j ACCEPT
>
> Will the above work? It appears not to, looks like I am not doing
> something right.
>
> Comments, suggestions and all help are welcome.
>
> thanks,
> ->HS
>
>


 
Pascal Hambourg
11-16-2007, 11:34 AM
Hello,

H.S. wrote:
>
> I have three LAN network, 192.168.0.0, 192.168.5.0 and 192.168.1.0,
> connected to three interfaces on my router machine running Debian Linux.
>
> Related to this, I would like to forward all my local traffic among all
> my local networks. My external interface is ppp0. My local network
> interfaces are eth0, eth1 and ath0.
>
> Previously, I was using these two forwarding rules:
> $IPTABLES -A FORWARD -i eth0 -o ath0 -j ACCEPT
> $IPTABLES -A FORWARD -i ath0 -o eth0 -j ACCEPT
> $IPTABLES -A FORWARD -i eth0 -o eth1 -j ACCEPT


That's three rules, not two. ;-)

> The first two rules to allow 192.168.0.0 and 192.168.5.0 networks to
> talk to each other.


Yes.

> The last rule is to allow 192.168.0.0 and
> 192.168.1.0 networks to talk to each other.


Actually it allows only forwarded traffic from eth0 to eth1, but not the
other way.

> So, I probably I have to
> write a pair of rules for each combination of the three networks. Is
> that right?


Yes. In some special cases you may also need to accept traffic forwarded
from an interface to itself. But do you trust your modem and ISP enough
to allow *any* traffic from the modem subnet? I personally would not
trust them more than the rest of the internet, so I would apply the same
rules as for the traffic on the PPP interface.

> I was also thinking that I may use the negation of match in iptables to
> allow all forwarding among non-ppp0 interfaces with a rule like this:
> $IPTABLES -A FORWARD -i !$EXTIF -o !$EXTIF -j ACCEPT
>
> Will the above work? It appears not to, looks like I am not doing
> something right.


Try to insert a space between the ! and the interface name.
Also, you could use a wildcard: e.g. ppp+ will match any interface name
starting with "ppp". However I don't like such negations in ACCEPT
rules, because if any other interface comes up for any reason (tunnel,
VPN...), all traffic will be accepted unconditionally. Six rules are
not a big hassle.
 
H.S.
11-19-2007, 02:07 PM
Pascal Hambourg wrote:

>
> That's three rules, not two. ;-)


Yes. Was trying various rules while writing this message.


>
>> The first two rules to allow 192.168.0.0 and 192.168.5.0 networks to
>> talk to each other.

>
> Yes.
>
>> The last rule is to allow 192.168.0.0 and
>> 192.168.1.0 networks to talk to each other.

>
> Actually it allows only forwarded traffic from eth0 to eth1, but not the
> other way.


Ah, yes. Thanks.

>
>> So, I probably I have to
>> write a pair of rules for each combination of the three networks. Is
>> that right?

>
> Yes. In some special cases you may also need to accept traffic forwarded
> from an interface to itself. But do you trust your modem and ISP enough
> to allow *any* traffic from the modem subnet? I personally would not
> trust them more than the rest of the internet, so I would apply the same
> rules as for the traffic on the PPP interface.


Good point! I will do that.


>
>> I was also thinking that I may use the negation of match in iptables to
>> allow all forwarding among non-ppp0 interfaces with a rule like this:
>> $IPTABLES -A FORWARD -i !$EXTIF -o !$EXTIF -j ACCEPT
>>
>> Will the above work? It appears not to, looks like I am not doing
>> something right.

>
> Try to insert a space between the ! and the interface name.


Okay.

> Also, you could use a wildcard: e.g. ppp+ will match any interface name
> starting with "ppp". However I don't like such negations in ACCEPT
> rules, because if any other interface comes up for any reason (tunnel,
> VPN...), all traffic will be accepted unconditionally. Six rules are
> not a big hassle.


True. If I imagine the networks as nodes in a graph, then for n networks I
would need n(n-1) rules in all?

thanks,
->HS


 
Pascal Hambourg
11-19-2007, 03:03 PM
H.S. wrote:
>
> If I imagine the networks as nodes in a graph, then for n networks I
> would need n(n-1) rules in all?


Not necessarily. It may be possible to factorize chains into policies.
For instance assume you define two types of networks: trusted (e.g.
internet) and untrusted (e.g. your LAN). Then you define four forwarding
policies based upon the types of the source and destination networks.

So you would have the following chains containing the fixed ruleset
enforcing each policy:

trusted_to_trusted
trusted_to_untrusted
untrusted_to_trusted
untrusted_to_untrusted

You also need two additional chains:

from_trusted
from_untrusted

Now for each interface $IFT connected to a trusted network, you would
add the following rules:

iptables -A FORWARD -i $IFT -j from_trusted
iptables -A from_trusted -o $IFT -j trusted_to_trusted
iptables -A from_untrusted -o $IFT -j untrusted_to_trusted

And for each interface $IFU connected to an untrusted network, you would
add the following rules:

iptables -A FORWARD -i $IFU -j from_untrusted
iptables -A from_trusted -o $IFU -j trusted_to_untrusted
iptables -A from_untrusted -o $IFU -j untrusted_to_untrusted

For instance, a packet coming from an untrusted network and destined to
a trusted network would be directed to the from_untrusted then to the
untrusted_to_trusted chain which determines its fate.

In this approach the rule count for n networks and t network types is
roughly n*(t+1), which scales better when n increases. Another advantage
is that when you create or delete a network interface you don't need to
care about the other existing interfaces, which is very valuable in
setups with multiple "dynamic" interfaces and networks such as PPP
links, VPNs, tunnels...
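The typed-policy layout described above, written out as an added example (not code from the thread or from either poster): it assumes the three LAN interfaces form the trusted type and the ppp+ link the untrusted type, fills the four policy chains with an assumed stateful ruleset, and by default (DRY_RUN=1) only prints the iptables commands so the result can be inspected before DRY_RUN=0 applies it.

```shell
#!/bin/sh
set -eu
# DRY_RUN=1 (default) prints each command instead of running it.
IPT() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Assumed classification for the router in this thread: the three LAN
# interfaces are the trusted type, anything matching ppp+ is untrusted.
TRUSTED_IFS="eth0 eth1 ath0"
UNTRUSTED_IFS="ppp+"

create_chains() {
    for c in from_trusted from_untrusted trusted_to_trusted \
             trusted_to_untrusted untrusted_to_trusted untrusted_to_untrusted; do
        IPT -N "$c"
    done
}

# Fixed policy content, written once (assumed): LAN hosts may initiate
# anything; the untrusted side only gets replies to LAN-initiated flows.
define_policies() {
    IPT -A trusted_to_trusted -j ACCEPT
    IPT -A trusted_to_untrusted -j ACCEPT
    IPT -A untrusted_to_trusted -m state --state ESTABLISHED,RELATED -j ACCEPT
    IPT -A untrusted_to_trusted -j DROP
    IPT -A untrusted_to_untrusted -j DROP
}

# Per-interface glue: t+1 = 3 rules per interface, independent of the others,
# so a fourth LAN is one more call rather than a new row of pairwise rules.
add_trusted_if() {
    IPT -A FORWARD -i "$1" -j from_trusted
    IPT -A from_trusted -o "$1" -j trusted_to_trusted
    IPT -A from_untrusted -o "$1" -j untrusted_to_trusted
}
add_untrusted_if() {
    IPT -A FORWARD -i "$1" -j from_untrusted
    IPT -A from_trusted -o "$1" -j trusted_to_untrusted
    IPT -A from_untrusted -o "$1" -j untrusted_to_untrusted
}

build_ruleset() {
    create_chains
    define_policies
    for i in $TRUSTED_IFS; do add_trusted_if "$i"; done
    for i in $UNTRUSTED_IFS; do add_untrusted_if "$i"; done
    IPT -P FORWARD DROP   # an unclassified interface forwards nothing
}

build_ruleset
```

Because every interface is listed explicitly, a tunnel or VPN interface that appears later is forwarded nothing until it is added to one of the two lists, which avoids the problem with negated ACCEPT rules raised earlier in the thread.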
 
H.S.
11-20-2007, 02:30 PM
Pascal Hambourg wrote:
> H.S. wrote:
>>
>> If I imagine the networks as nodes in a graph, then for n networks I
>> would need n(n-1) rules in all?

>
> Not necessarily. It may be possible to factorize chains into policies.
> For instance assume you define two types of networks: trusted (e.g.
> internet) and untrusted (e.g. your LAN). Then you define four forwarding
> policies based upon the types of the source and destination networks.
>
> So you would have the following chains containing the fixed ruleset
> enforcing each policy:
>
> trusted_to_trusted
> trusted_to_untrusted
> untrusted_to_trusted
> untrusted_to_untrusted
>
> You also need two additional chains:
>
> from_trusted
> from_untrusted
>
> Now for each interface $IFT connected to a trusted network, you would
> add the following rules:
>
> iptables -A FORWARD -i $IFT -j from_trusted
> iptables -A from_trusted -o $IFT -j trusted_to_trusted
> iptables -A from_untrusted -o $IFT -j untrusted_to_trusted
>
> And for each interface $IFU connected to an untrusted network, you would
> add the following rules:
>
> iptables -A FORWARD -i $IFU -j from_untrusted
> iptables -A from_trusted -o $IFU -j trusted_to_untrusted
> iptables -A from_untrusted -o $IFU -j untrusted_to_untrusted
>
> For instance, a packet coming from an untrusted network and destined to
> a trusted network would be directed to the from_untrusted then to the
> untrusted_to_trusted chain which determines its fate.
>
> In this approach the rule count for n networks and t network types is
> roughly n*(t+1), which scales better when n increases. Another advantage
> is that when you create or delete a network interface you don't need to
> care about the other existing interfaces, which is very valuable in
> setups with multiple "dynamic" interfaces and networks such as PPP
> links, VPNs, tunnels...



Wonderful comments! Thanks for the insights. I think as soon as I get
some free time on my hands, I am going to rewrite my iptables script
using this approach.
->HS
 