On Sat, Apr 3, 2010 at 5:47 AM, Jeetu Golani <jeetu.gol...@gmail.com> wrote:
> Hi,
>
> I have a Debian system that I am trying to configure as a router for a MPLS
> VPN setup. I'm having trouble setting up the iptables rules to forward
> internet traffic from remote locations. Admittedly this isn't my forte,
> therefore I would sincerely appreciate any help :)
>
> Network Description:
> At the head office, the ISP-facing router has two physical NICs (eth0 and
> eth1).
>
> eth0 is connected to the head office "local" LAN 192.168.0.0/24.
>
> eth1 has two VLAN interfaces 105 and 689 (vlan105 and vlan689)
> connecting to the Service Provider's (SP) Network Termination Unit (NTU).
>
> vlan105 carries VPN traffic coming in from remote locations, e.g. two
> LAN subnets over MPLS VPN: (a) 192.168.1.0/24 and (b) 172.16.0.0/16
>
> vlan689 carries company <> INTERNET traffic
>
> Internet access for "remote" locations: all Internet traffic comes to the
> above router over the vlan105 sub-interface and is SNAT'd/masqueraded
> to the Internet over the vlan689 interface.
> ---------------------
>
> The following is the iptables script I have tried, however it doesn't work:
>
> INTIF1="eth0"     # physical interface for local LAN
> INTIF2="vlan105"  # VLAN iface for VPN traffic to remote location
> EXTIF="vlan689"   # VLAN iface for INTERNET traffic
> EXTIP="x.x.x.x"   # public IP for our CE router
>
> /sbin/depmod -a
> /sbin/modprobe ip_tables
> /sbin/modprobe ip_conntrack
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_conntrack_irc
> /sbin/modprobe iptable_nat
> /sbin/modprobe ip_nat_ftp
> echo "1" > /proc/sys/net/ipv4/ip_forward
> #echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
> iptables -P INPUT ACCEPT
> iptables -F INPUT
> iptables -P OUTPUT ACCEPT
> iptables -F OUTPUT
> iptables -P FORWARD DROP
> iptables -F FORWARD
>
> iptables -t nat -F
>
> # for Matunga subnet 192.168.0.0/24
> iptables -A FORWARD -i $EXTIF -o $INTIF1 -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $INTIF1 -o $EXTIF -s 192.168.0.0/24 -m -j ACCEPT

First look through - you don't allow new connections, only established and related! Usually what I do is have the established,related line - not limited by interface or address - at the top, sort of a short-circuit catch-all. Then do the limiting with the NEW connections statements.

> # for Silvassa subnet 172.16.0.0/16
> iptables -A FORWARD -i $EXTIF -o $INTIF2 -d 172.16.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $INTIF2 -o $EXTIF -s 172.16.0.0/16 -m -j ACCEPT
>
> # for Colaba subnet 192.168.1.0/24
> iptables -A FORWARD -i $EXTIF -o $INTIF2 -d 192.168.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -i $INTIF2 -o $EXTIF -s 192.168.1.0/24 -m -j ACCEPT
>
> iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
> --------------------------------------------
>
> Would sincerely appreciate any help. Thanks
>
> Bye for now
>
>
> --
> To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
> Archive: http://lists.debian.org/201004030017.21516.jeetu.gol...@gmail.com
>

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/g2v836a6dcf1004031605w91dcbb1em64c49c02daff9...@mail.gmail.com
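An added example, not from either mail in the thread, of the FORWARD chain laid out the way the reply suggests: one ESTABLISHED,RELATED catch-all at the top, then per-subnet rules that only admit NEW connections outbound to the Internet VLAN. Interface names and subnets are the ones from the question; the `IPT=echo` dry-run knob is an assumption for trying it without root.

```shell
#!/bin/sh
# Set IPT=echo to print the rules instead of applying them (dry run).
IPT="${IPT:-/sbin/iptables}"

INTIF1="eth0"      # head-office LAN 192.168.0.0/24
INTIF2="vlan105"   # MPLS VPN side: 192.168.1.0/24 and 172.16.0.0/16 arrive here
EXTIF="vlan689"    # Internet side

forward_rules() {
    # 1. Return traffic of flows already accepted, first in the chain and
    #    deliberately not limited by interface or address.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 2. Only NEW connections are constrained: ingress interface, source
    #    subnet, and the Internet VLAN as egress. Nothing here lets the
    #    Internet open connections inward, and nothing forwards between
    #    the two internal sides. (The question's "-m -j ACCEPT" lines are
    #    rejected by iptables because -m needs a module name.)
    $IPT -A FORWARD -i "$INTIF1" -o "$EXTIF" -s 192.168.0.0/24 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$INTIF2" -o "$EXTIF" -s 172.16.0.0/16 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$INTIF2" -o "$EXTIF" -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
    # 3. Anything not matched above falls through to the DROP policy.
}

nat_rules() {
    # Masquerade everything leaving on the Internet VLAN, which includes the
    # remote-site traffic that arrived over vlan105.
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

apply_firewall() {
    if [ "$IPT" != echo ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F
    forward_rules
    nat_rules
}

# Apply for real only when asked; needs root.
if [ "${1:-}" = "--apply" ]; then
    apply_firewall
fi
```

Run `IPT=echo sh firewall.sh --apply` to review the exact rule set before loading it.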