I'm putting a new router on our network to help manage our private network connections and to better control routing to the outside. I've decided to simplify this question by removing references to a second private network on our router (but please be aware that there are reasons for this question so the answer is not to leave the old router the default gateway).
I have the following routing in my iptables on our router:
# Allow established connections, and those !not! coming from the public interface
# eth0 = public interface
# eth1 = private interface #1 (129.2.2.0/25)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the private interface
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# Masquerade (NAT)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Don't forward any other traffic from the public to the private
iptables -A FORWARD -i eth0 -o eth1 -j REJECT
This configuration means that users will be forwarded through a modem/router that has a public address - this is all well and good for most purposes, and in the main it doesn't matter that all computers are hidden behind the one public IP.
However, some users need to be able to access a proxy at 192.111.222.111:8080 - and the proxy needs to identify this traffic as coming through a gateway at 129.2.2.126 (the old router) - it won't respond otherwise.
I tried adding a static route on our router with:
route add -host 192.111.222.111 gw 129.2.2.126 dev eth1
I can successfully ping 192.111.222.111 from the router. When I trace the route, it lists the 129.2.2.126 gateway, but I just get *** on each of the following hops (I think this makes sense since this is just a web-proxy and requires authentication).
When I try to ping this address from a host on the 129.2.2.0/25 network it fails.
Should I do this in the iptables chain instead? How would I configure this routing?
Network diagram
Here is the interfaces configuration for the router:
auto eth0
iface eth0 inet static
address 150.1.2.2
netmask 255.255.255.248
gateway 150.2.2.1
auto eth1
iface eth1 inet static
address 129.2.2.125
netmask 255.255.255.128
And here is the routing table (without my static route added):
Destination Gateway Genmask Flags Metric Ref Use Iface
default eth1202.sa.adsl 0.0.0.0 UG 100 0 0 eth0
localnet * 255.255.255.0 U 0 0 0 eth1
129.2.2.0 * 255.255.255.128 U 0 0 0 eth1
To restate - I want traffic from 129.2.2.7 (for example) to now route through our router (129.2.2.125). But this router needs to then forward 8080 requests with the destination of 192.111.222.111 - which is somewhere the other side of the old router (129.2.2.126 - which is not manageable by us).
What you are attempting to do is entirely possible and indeed is a quite often used technique. You also have got most of the setup right already. What you might be missing is an "ACCEPT" rule at "new router" allowing traffic flows from eth1 to eth1. Just add it using
It should be sufficiently safe not to circumvent any of the rules and security measures in place and yet be generic enough to allow any of your network's clients and protocols. Once you've done setting up and troubleshooting, you could restrict the rule to the protocols and destinations you are going to use:
Note that in the typical case, you hardly would see any traffic flow through the "new router" for 192.111.222.111. Linux happily would issue ICMP redirect messages informing your subnet's hosts to use "old router" for traffic to 192.111.222.111 at the first packet occurrence. And most hosts would follow (assuming they got the message - i.e. it has not been filtered anywhere) and send all subsequent packets to 192.111.222.111 directly via "old router".
If you're routing to a specific host, I don't think that using netmask is correct. Specifying 0.0.0.0 would imply a default gateway for all traffic since that mask would match ALL IPv4 IPs.
In fact, a full 255.255.255.255 is kind of necessary for a single host matching rule.
And perhaps it is obvious, but you must specify a gateway that is on a directly-connected network covered by your existing routing table.
In working with iptables and routing, I'd suggest setting up a LOG rule to send dropped packets to a log. That will tell you if you're dropping packets that might only appear to be routing problem.
This sets up a LOGDROP chain.
And then at the end of various chains that you want to log, you jump to the LOGDROP chain at the end:
Instead of simply dropping the packets. Various LOGDROP chains with different labels will allow you to get more granularity in understanding what you're seeing.