Linode Community Forums
PostPosted: Fri Apr 04, 2008 3:34 pm 
Junior Member

Joined: Wed Sep 27, 2006 7:36 pm
Posts: 34
Website: http://fourbatons.com/
Location: Maryland, USA
geekman wrote:
Thanks. I realised I rebooted the router but not the other one. I also changed the interface of the new IP to eth0:1 just in case. Now I can see the port 80 requests coming in when I try and get to the new IP, though I can't see the router forwarding that request onto the actual server.


Have you actually set up IPTables to forward the traffic yet? I can't find anything mentioning that you did.

geekman wrote:
On top of this, although I used:
Code:
route add default gw 192.168.130.1xx



You shouldn't have to do that... just setting your gateway Linode's private IP as the gateway in /etc/network/interfaces should do the trick.

geekman wrote:
Looks kind of like it's doing a reverse lookup on the LAN IP maybe? I've not seen this before. And I would assume DNS lookups would be OK since I set the primary DNS as the router - though it could all be buggered if my routing is off I guess.


Is there actually a DNS server running on the gateway Linode? (there's not unless you've configured one)


PostPosted: Fri Apr 04, 2008 8:32 pm 
Junior Member

Joined: Wed Apr 02, 2008 5:58 am
Posts: 29
Yeah I did actually realise this about DNS before I went to bed last night, haven't yet changed it. I know there's a simple app I can install on the router to allow it to cache DNS records. But really, if the routing for connection to the LAN works then I could simply use any DNS, so I'll probably just do that.

I meant to post my IPTables rules before I left but forgot. Here they are:

Routing rules:
Code:
# Morpheus
    # HTTP
    iptables -t nat -A PREROUTING -d $morpheus -p TCP --dport 80 -j DNAT --to-destination $morpheus_lan:80
    # SSH
    iptables -t nat -A PREROUTING -d $morpheus -p TCP --dport 22 -j DNAT --to-destination $morpheus_lan:22


I was going to use interface instead of destination, but it didn't like eth0:1.

Firewall rules for secondary Linode:
Code:
# Logging
# Incoming Services
    # HTTP
    iptables -A FORWARD -j ACCEPT -d $morpheus -p TCP --dport 80 -m state --state NEW
    # SSH
    iptables -A FORWARD -j ACCEPT -d $morpheus -p TCP --dport 22 -m state --state NEW
# Temporary Rules
# Outgoing Services
    # Allow all outgoing traffic from the server. Needs to be tightened.
    iptables -A FORWARD -j ACCEPT -s $morpheus_lan


And just because it's easier for me this way...here's all the rules via iptables -L

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
LOG        0    --  anywhere             anywhere            LOG level debug prefix `BANDWIDTH_IN:'
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:ssh state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:www state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:ftp state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:smtp state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:https state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:pop3 state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:imap2 state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:imaps state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:pop3s state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:svn state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:6666 state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:4001 state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:4000 state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:7777 state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:8806 state NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpts:33434:33523 state NEW
ACCEPT     0    --  dsl-203-33-160-120.NSW.netspace.net.au  anywhere            state NEW
LOG        0    --  anywhere             anywhere            LOG level debug prefix `BANDWIDTH_OUT:'
LOG        0    --  anywhere             anywhere            LOG level debug prefix `BANDWIDTH_IN:'
ACCEPT     tcp  --  anywhere             morpheus            tcp dpt:www state NEW
ACCEPT     tcp  --  anywhere             morpheus            tcp dpt:ssh state NEW
ACCEPT     0    --  192.168.130.1xx (LAN IP of 2nd Linode)     anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
LOG        0    --  anywhere             anywhere            LOG level debug prefix `BANDWIDTH_OUT:'



Thanks!
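As an added example (not part of the thread, and not the poster's script): a small audit that reads `iptables -L` output like the listing above and prints the FORWARD rules that ACCEPT traffic without a destination port or a RELATED,ESTABLISHED restriction, which is exactly the class of rule the poster marked "Needs to be tightened". The listing embedded below is constructed to match the shape of the posted output; the addresses are documentation-range placeholders and the hostnames are assumed.

```shell
#!/bin/sh
# Added example, not from the thread: audit "iptables -L" output for FORWARD
# ACCEPT rules that are not limited to a port or to established connections.
# The listing below is constructed (placeholder addresses, assumed hostnames).

SAMPLE_LISTING=$(cat <<'EOF'
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpts:33434:33523 state NEW
ACCEPT     0    --  203.0.113.7          anywhere            state NEW
LOG        0    --  anywhere             anywhere            LOG level debug
ACCEPT     tcp  --  anywhere             morpheus            tcp dpt:www state NEW
ACCEPT     tcp  --  anywhere             morpheus            tcp dpt:ssh state NEW
ACCEPT     0    --  192.168.130.20       anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
LOG        0    --  anywhere             anywhere            LOG level debug
EOF
)

# Read an "iptables -L" listing on stdin and print the FORWARD ACCEPT rules that
# are tied neither to a destination port nor to RELATED,ESTABLISHED traffic.
audit_forward_rules() {
    awk '
        /^Chain /  { chain = $2; next }      # "Chain FORWARD (policy DROP)"
        /^target / { next }                  # column header line
        chain == "FORWARD" && $1 == "ACCEPT" {
            # Fields: target prot opt source destination [match text...]
            extra = ""
            for (i = 6; i <= NF; i++) extra = extra " " $i
            if ($2 == "icmp") next                      # ICMP has no ports
            if (extra ~ /dpt/) next                     # limited to a port
            if (extra ~ /RELATED,ESTABLISHED/) next     # replies only
            print "BROAD: " $0
        }
    '
}

# Run the audit over the constructed listing; prints one line per broad rule.
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_forward_rules
}

audit_sample
```

On the constructed listing the audit flags two rules: the any-protocol ACCEPT from a single source host and the `ACCEPT -s 192.168.130.20` rule with no protocol, port or state match. A rule like the latter lets anything the private host originates through the gateway; pinning it to the LAN interface and to the protocols the host actually needs is the usual tightening.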


PostPosted: Fri Apr 04, 2008 10:52 pm 
Junior Member

Joined: Wed Apr 02, 2008 5:58 am
Posts: 29
I just had a thought. I originally figured that since both LAN IPs and both WAN IPs are on the same subnet, I don't really need to set up rules to allow them to communicate, right? As the router should just be taking the traffic and passing it onto the LAN, which can talk to the other box. Just making sure.

Some more info.

Code:

Router
------

eth0:

listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:28:35.615679 IP dsl-203-33-160-120.NSW.netspace.net.au.4336 > morpheus.www: S 2302786697:2302786697(0) win 65535 <mss 1412,nop,wscale 0,nop,nop,sackOK>
22:28:38.597072 IP dsl-203-33-160-120.NSW.netspace.net.au.4336 > morpheus.www: S 2302786697:2302786697(0) win 65535 <mss 1412,nop,wscale 0,nop,nop,sackOK>
22:28:44.619361 IP dsl-203-33-160-120.NSW.netspace.net.au.4336 > morpheus.www: S 2302786697:2302786697(0) win 65535 <mss 1412,nop,wscale 0,nop,nop,sackOK>


eth0:1:

listening on eth0:1, link-type EN10MB (Ethernet), capture size 96 bytes
22:29:19.851338 IP dsl-203-33-160-120.NSW.netspace.net.au.4337 > morpheus.www: S 1453502692:1453502692(0) win 65535 <mss 1412,nop,wscale 0,nop,nop,sackOK>
22:29:22.859050 IP dsl-203-33-160-120.NSW.netspace.net.au.4337 > morpheus.www: S 1453502692:1453502692(0) win 65535 <mss 1412,nop,wscale 0,nop,nop,sackOK>
22:29:28.993963 IP dsl-203-33-160-120.NSW.netspace.net.au.4337 > morpheus.www: S 1453502692:1453502692(0) win 65535 <mss 1412,nop,wscale 0,nop,nop,sackOK>

(I realised I hadn't checked out eth1 before, so this probably has always had this output)
eth1:

listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
22:30:06.411563 IP dsl-203-33-160-120.NSW.netspace.net.au.4346 > 192.168.130.1xx.www: S 1773345872:1773345872(0) win 65535 <mss 1412,nop,wscale 0,nop,nop,sackOK>
22:30:09.213987 IP dsl-203-33-160-120.NSW.netspace.net.au.4346 > 192.168.130.1xx.www: S 1773345872:1773345872(0) win 65535 <mss 1412,nop,wscale 0,nop,nop,sackOK>
22:30:15.150333 IP dsl-203-33-160-120.NSW.netspace.net.au.4346 > 192.168.130.1xx.www: S 1773345872:1773345872(0) win 65535 <mss 1412,nop,wscale 0,nop,nop,sackOK>

The LAN IP is that of the secondary Linode.

Secondary Linode
----------------

eth1:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes



It seems as though the arp stuff coming up before was the second Linode wanting to do a reverse lookup on the router's LAN IP. Probably 'cause before I had the router set as its DNS. So that makes me think that the traffic is getting through.

Since it looks to me that eth1 on the router is in fact being forwarded the traffic, and wants to pass it onto the secondary Linode, is this maybe not the router's fault?
Shrug. I can say that the secondary Linode does not have IPTables being used on it.
I can also verify that apache works fine locally on the second Linode.

Thanks.


PostPosted: Sat Apr 05, 2008 9:11 am 
Junior Member

Joined: Wed Sep 27, 2006 7:36 pm
Posts: 34
Website: http://fourbatons.com/
Location: Maryland, USA
You'll have to use an SNAT or MASQUERADE command somewhere in your gateway.

Have you set the necessary sysctl in sysctl.conf (net.ipv4.conf.default.forwarding)? That's necessary for your Linode to actually forward any traffic.

Beyond this, I'm pretty much out of ideas.


PostPosted: Sat Apr 05, 2008 9:59 am 
Junior Member

Joined: Wed Apr 02, 2008 5:58 am
Posts: 29
Well. I have this in from when I copied my firewall script at home; although it's not what you said, IIRC it was for the same thing. I however didn't have that line set, so I've just done it. Thanks.
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward


Also picked this up from my router at home (which I could remember exactly what half these rules did). So I'll play around with that see what happens.

Code:
iptables --table nat --append POSTROUTING --out-interface 'eth0' --jump MASQUERADE
iptables --append FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu


When you say I'll need to use it somewhere, would you happen to know if that's Router to WAN traffic or LAN to LAN traffic? RTFM on IPTables again soon anyways.

Thanks for all the help!


PostPosted: Sat Apr 05, 2008 9:48 pm 
Junior Member

Joined: Wed Apr 02, 2008 5:58 am
Posts: 29
Ok! Got it working. I realised I probably had to tell IPTables to use a different interface to communicate on. I also then remembered I had done the same thing on my home router, so here's what I added:

Code:
# For INPUT/OUTPUT chains.
iptables --insert OUTPUT 1 --source 0.0.0.0/0.0.0.0 --destination $morpheus_lan --jump ACCEPT --out-interface 'eth1'
iptables --insert INPUT 1 --source $morpheus_lan --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface 'eth1'
# For FORWARD chains.
iptables --insert FORWARD 1 --source 0.0.0.0/0.0.0.0 --destination $morpheus_lan --jump ACCEPT --out-interface 'eth1'
iptables --insert FORWARD 1 --source $morpheus_lan --destination 0.0.0.0/0.0.0.0 --jump ACCEPT
iptables --table nat --append POSTROUTING --out-interface 'eth1' --jump MASQUERADE
iptables --append FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu


The only rule I _don't_ really get is the last one, but I took a guess thinking that maybe I needed that rule before the Secondary Linode could send ack packets, maybe not. But it works.

Despite being able to access the services on the second Linode, it still can't access the internet. I'm thinking probably those rules need some tweaking though.
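The following is an added example, not a script from the thread or from Linode: it collects the pieces the thread arrives at one post at a time (enabling ip_forward, DNAT in PREROUTING, FORWARD rules that match the post-DNAT private destination, MASQUERADE, and the TCPMSS clamp) into one gateway script, and adds the two tightenings a practitioner would want: FORWARD rules pinned to the interfaces they cross, and a WAN-side MASQUERADE, which is what the secondary Linode's missing internet access in the last post needs. Interface names, the `$morpheus` / `$morpheus_lan` variables and all addresses are assumptions; the addresses are documentation-range placeholders and must be replaced before use.

```shell
#!/bin/sh
# Added example, not a script from the thread: a complete iptables gateway for a
# private host behind one Linode. Interface names and addresses are assumptions
# (documentation-range placeholders); replace them before applying.
#
# Usage: sh gateway.sh         -> print the commands (dry run, default)
#        sh gateway.sh apply   -> run them (as root)

WAN_IF="eth0"                   # public side of the gateway Linode (assumed)
LAN_IF="eth1"                   # private side, towards the secondary Linode (assumed)
morpheus="192.0.2.10"           # public IP clients connect to (assumed placeholder)
morpheus_lan="192.168.130.20"   # private IP of the secondary Linode (assumed placeholder)

case "${1:-}" in
    apply) DRY_RUN="" ;;
    *)     DRY_RUN=1 ;;
esac

# Echo the command in dry-run mode, execute it otherwise.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

enable_forwarding() {
    # Same effect as "echo 1 > /proc/sys/net/ipv4/ip_forward"; without it the
    # kernel never consults the FORWARD chain and DNAT'd packets go nowhere.
    run sysctl -w net.ipv4.ip_forward=1
}

gateway_rules() {
    # Default-deny on FORWARD; replies to accepted connections come back through here.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    for port in 80 22; do
        # 1. DNAT runs before routing and rewrites the public destination.
        run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$morpheus" -p tcp --dport "$port" \
            -j DNAT --to-destination "$morpheus_lan:$port"
        # 2. FORWARD sees the packet after DNAT, so it must match the private
        #    destination; a rule on the public address never matches here.
        run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$morpheus_lan" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done

    # 3. Outbound from the secondary Linode, pinned to the two interfaces instead
    #    of "ACCEPT -s $morpheus_lan" on any interface.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$morpheus_lan" -m state --state NEW -j ACCEPT

    # 4a. MASQUERADE on the WAN side: outbound connections from the private host
    #     leave with the gateway's public address, so their replies return here.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$morpheus_lan" -j MASQUERADE
    # 4b. MASQUERADE on the LAN side, as in the final working post: the private
    #     host sees the gateway as the client, so its replies always return via
    #     the gateway even if its default route is wrong. The cost is that the
    #     web server's logs no longer show the real client address; if the
    #     private host's default gateway is the router's LAN IP, drop this rule.
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -d "$morpheus_lan" -j MASQUERADE

    # 5. Clamp the MSS of SYNs crossing the gateway so full-size segments are not
    #    dropped on a path whose MTU is smaller than the endpoints assume.
    run iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

enable_forwarding
gateway_rules
```

Run without arguments to review the generated commands before committing them; rule 2 is the one the thread was missing until the last post, since the earlier FORWARD rules matched the public address that DNAT had already rewritten.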

