Home / server / Questions / 257739
Accepted
Antonius Bloch
Asked: 2011-04-10 09:31:54 +0800 CST

Splitting a subnet, and routing it on a two interface iptables firewall

  • 772

I have a two interface Linux iptables firewall. Currently I have several servers behind it on a private network 192.168.0.x. The firewall currently has each IP configured locally and uses NAT to port forward to the appropriate server, for example:

208.80.x.130:80 -> 192.168.0.130:80

My interfaces look something like this:

vlan1      Link encap:Ethernet  HWaddr 20:20:30:87:20:30
           inet addr:208.80.x.129  Bcast:208.80.x.159  Mask:255.255.255.224
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:1140818 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1108086 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:462146250 (440.7 MiB)  TX bytes:590006065 (562.6 MiB)

vlan1:0    Link encap:Ethernet  HWaddr 20:20:30:87:20:30
           inet addr:208.80.x.130  Bcast:208.80.x.255  Mask:255.255.255.224
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

br0        Link encap:Ethernet  HWaddr 20:CF:30:87:EC:2F
           inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:1120674 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1105443 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:570011808 (543.6 MiB)  TX bytes:469174153 (447.4 MiB)

I have a /27 of IP addresses; 208.80.x.129-157 gateway 208.80.x.158. I'd like to split off a small subnet at the top end of that range, like a /29. I'm currently using ip's 129-141 so I don't want to touch those. My goal is to have a small vlan of routable addresses in addition to the natted addresses I currently serve.

    internets
       |
 208.80.x.158
  isp router
       |
 208.80.x.129-147
    firewall
     --+-------------------
     |                    |
192.168.0.x      208.80.x.148-156

How do I accomplish this?

routing vlan iptables route

2 Answers

  1. This is impossible with the current IP allocation your ISP has provided.

    1. First ask your ISP for a new routing block. This can just be a /30.

    2. Put the routing IP on the vlan1 interface.

    3. Put the pool of NAT IPs (.129 to 147) on your loopback so that your existing PREROUTING NAT rules continue to work.

    4. Put the 208.80.x.149/29 on br0. If you want this to be completely isolated from your existing LAN as a DMZ, then you could create a new VLAN for that.

    I've done this many times and it works great.

    • 1
  2. Best Answer

    I accomplished this by splitting the subnet in two, and asking my provider to move his gateway ip to an address in the first subnet. I put all the first subnet ips on the external interface. At this point the first (natted) subnet is up and working. Then I asked my isp to set a static route for the second subnet to my routers external ip. I added a vlan interface with an ip in the second subnet. At this point the second (routed) network is up and running.

    • 0