Linode Forum
https://forum.linode.com/

Using one Linode as a firewall/router for all others.
https://forum.linode.com/viewtopic.php?f=19&t=3193		 Page 2 of 2
Author:  JDM [ Fri Apr 04, 2008 3:34 pm ]
Post subject: 
geekman wrote:
Thanks. I realised I rebooted the router but not the other one. I also changed the interface of the new IP to eth0:1 just in case. Now i can see the port 80 requests coming in when I try and get to the new IP, though I can't see the router forwarding that request onto the actual server.


Have you actually set up IPTables to forward the traffic yet? I can't find anything mentioning that you did.

geekman wrote:
On top of this, although I used:
Code:
route add default gw 192.168.130.1xx



You shouldn't have to do that... just setting your gateway Linode's private IP as the gateway in /etc/network/interfaces should do the trick.

geekman wrote:
Looks kind of like it's doing a reverse lookup on the LAN IP maybe? I've not seen this before. And I would assume DNS lookups would be OK since I set the primary DNS as the router - though it could all be buggered if my routing is off I guess.


Is there actually a DNS server running on the gateway Linode? (there's not unless you've configured one)
Author:  geekman [ Fri Apr 04, 2008 8:32 pm ]
Post subject: 
Yeah I did actually realise this about DNS before I went to bed last night, haven't yet changed it. I know there's a simple app I can install on the router to allow it to cache DNS records. But really, if the routing for connection to the LAN works then I could simply use any DNS, so I'll probably just do that.

I meant to post my IPTables rules before I left but forgot. Here they are:

Routing rules:
Code:
    # Morpheus
        # HTTP
        iptables -t nat -A PREROUTING -d $morpheus -p TCP --dport 80 -j DNAT --to-destination $morpheus_lan:80
        # SSH
        iptables -t nat -A PREROUTING -d $morpheus -p TCP --dport 22 -j DNAT --to-destination $morpheus_lan:22


I was going to use interface instead of destination, but it didn't like eth0:1.

Firewall rules for secondary Linode:
Code:
        # Logging
        # Incoming Services
            # HTTP
            iptables -A FORWARD -j ACCEPT -d $morpheus -p TCP --dport 80 -m state --state NEW
            # SSH
            iptables -A FORWARD -j ACCEPT -d $morpheus -p TCP --dport 22 -m state --state NEW
       # Temporary Rules
       # Outgoing Services
           # Allow all outgoing traffic from the server. Needs to be tightened.
           iptables -A FORWARD -j ACCEPT -s $morpheus_lan


And just because it's easier for me this way...here's all the rules via iptables -L

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
LOG        0    --  anywhere             anywhere            LOG level debug prefix `BANDWIDTH_IN:'
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:ssh state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:www state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:ftp state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:smtp state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:https state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:pop3 state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:imap2 state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:imaps state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:pop3s state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:svn state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:6666 state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:4001 state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:4000 state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:7777 state NEW
ACCEPT     tcp  --  anywhere             theconstruct        tcp dpt:8806 state NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpts:33434:33523 state NEW
ACCEPT     0    --  dsl-203-33-160-120.NSW.netspace.net.au  anywhere            state NEW
LOG        0    --  anywhere             anywhere            LOG level debug prefix `BANDWIDTH_OUT:'
LOG        0    --  anywhere             anywhere            LOG level debug prefix `BANDWIDTH_IN:'
ACCEPT     tcp  --  anywhere             morpheus            tcp dpt:www state NEW
ACCEPT     tcp  --  anywhere             morpheus            tcp dpt:ssh state NEW
ACCEPT     0    --  192.168.130.1xx (LAN IP of 2nd Linode)     anywhere 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
LOG        0    --  anywhere             anywhere            LOG level debug prefix `BANDWIDTH_OUT:'



Thanks!
Author:  geekman [ Fri Apr 04, 2008 10:52 pm ]
Post subject: 
I just had a thought, I originally figured since both LAN IP's and both WAN IP's are on the same subnet, I don't really need to setup rules to allow them to communicate right? As the router should just be taking the traffic and passing it onto the LAN, which can talk to the other box. Just making sure.

Some more info.

Code:

Router
------

eth0:

listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:28:35.615679 IP dsl-203-33-160-120.NSW.netspace.net.au.4336 > morpheus.www: S 2302786697:2302786697(0) win 65535 <mss 1412,nop,wscale 0,nop,nop,sackOK>
22:28:38.597072 IP dsl-203-33-160-120.NSW.netspace.net.au.4336 > morpheus.www: S 2302786697:2302786697(0) win 65535 <mss 1412,nop,wscale 0,nop,nop,sackOK>
22:28:44.619361 IP dsl-203-33-160-120.NSW.netspace.net.au.4336 > morpheus.www: S 2302786697:2302786697(0) win 65535 <mss 1412,nop,wscale 0,nop,nop,sackOK>


eth0:1:

listening on eth0:1, link-type EN10MB (Ethernet), capture size 96 bytes
22:29:19.851338 IP dsl-203-33-160-120.NSW.netspace.net.au.4337 > morpheus.www: S 1453502692:1453502692(0) win 65535 <mss 1412,nop,wscale 0,nop,nop,sackOK>
22:29:22.859050 IP dsl-203-33-160-120.NSW.netspace.net.au.4337 > morpheus.www: S 1453502692:1453502692(0) win 65535 <mss 1412,nop,wscale 0,nop,nop,sackOK>
22:29:28.993963 IP dsl-203-33-160-120.NSW.netspace.net.au.4337 > morpheus.www: S 1453502692:1453502692(0) win 65535 <mss 1412,nop,wscale 0,nop,nop,sackOK>

(I realised I hadn't checked out eth1 before, so this probably has always had this output)
eth1:

listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
22:30:06.411563 IP dsl-203-33-160-120.NSW.netspace.net.au.4346 > 192.168.130.1xx.www: S 1773345872:1773345872(0) win 65535 <mss 1412,nop,wscale 0,nop,nop,sackOK>
22:30:09.213987 IP dsl-203-33-160-120.NSW.netspace.net.au.4346 > 192.168.130.1xx.www: S 1773345872:1773345872(0) win 65535 <mss 1412,nop,wscale 0,nop,nop,sackOK>
22:30:15.150333 IP dsl-203-33-160-120.NSW.netspace.net.au.4346 > 192.168.130.1xx.www: S 1773345872:1773345872(0) win 65535 <mss 1412,nop,wscale 0,nop,nop,sackOK>

The LAN IP is that of the secondary Linode.

Secondary Linode
----------------

eth1:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes



It seems as though the arp stuff coming up before was the second Linode wanting to do
a reverse lookup on the routers LAN IP. Probably cause before I had the router set as it's DNS. So that makes me think that the traffic is
getting through.

Since it looks to me that eth1 on the router is infact being forwarded the traffic, annd
wants to pass it onto the secondary Linode, is this maybe not the routers fault?
Shrug. I can say that the secondary Linode does not have IPTables being used on it.
I can also verify that apache works fine locally on the second Linode.

Thanks.
Author:  JDM [ Sat Apr 05, 2008 9:11 am ]
Post subject: 
You'll have to use an SNAT or MASQUERADE command somewhere in your gateway.

Have you set the necessary sysctl in sysctl.conf (net.ipv4.conf.default.forwarding)? That's necessary for your Linode to actually forward any traffic.

Beyond this, I'm pretty much out of ideas.
Author:  geekman [ Sat Apr 05, 2008 9:59 am ]
Post subject: 
Well. I have this in from when I copied my firewall script at home; although it's not what you said, IIRC it was for the same thing. I however didn't have that line set, so I've just done it. Thanks.
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward


Also picked this up from my router at home (which I could remember exactly what half these rules did). So I'll play around with that see what happens.

Code:
iptables --table nat --append POSTROUTING --out-interface 'eth0' --jump MASQUERADE
iptables --append FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu


When you say I'll need to use it somewhere, would you happen to know if that's Router to WAN traffic or LAN to LAN traffic? RTFM on IPTables again soon anyways.

Thanks for all the help!
Author:  geekman [ Sat Apr 05, 2008 9:48 pm ]
Post subject: 
Ok! Got it working. I realised I probably had to tell IPTables to use a different interface to communicate on. I also then remembered I had done the same thing on my home router, so heres what I added:

Code:
# For INPUT/OUTPUT chains.
iptables --insert OUTPUT 1 --source 0.0.0.0/0.0.0.0 --destination $morpheus_lan --jump ACCEPT --out-interface 'eth1'
iptables --insert INPUT 1 --source $morpheus_lan --destination 0.0.0.0/0.0.0.0 --jump ACCEPT --in-interface 'eth1'
# For FORWARD chains.
iptables --insert FORWARD 1 --source 0.0.0.0/0.0.0.0 --destination $morpheus_lan --jump ACCEPT --out-interface 'eth1'
iptables --insert FORWARD 1 --source $morpheus_lan --destination 0.0.0.0/0.0.0.0 --jump ACCEPT
iptables --table nat --append POSTROUTING --out-interface 'eth1' --jump MASQUERADE
iptables --append FORWARD --protocol tcp --tcp-flags SYN,RST SYN --jump TCPMSS --clamp-mss-to-pmtu


The only rule I _don't_ really get is the last one, but I took a guess thinking that maybe I needed that rule before the Secondary Linode could send ack packets, maybe not. But it works.

Despite being able to access the services on the second Linode, it still can't access the internet. I'm thinking probably those rules need some tweaking though.
Page 2 of 2 All times are UTC-04:00
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/