Home / server / Questions / 809947
In Process
Dharani Dharan
Asked: 2016-10-20 02:49:10 +0800 CST

How to make communication between Production network and Isolated Network using Linux machine as a router?

  • 772

I am creating a test environment. In Which i have a production network,isolated network and linux machine. In Linux machine having 2 NICs, one NIC is connected to production network environment then assigned a IP and another one is Isolated network.

PROD-------(eth0)[LINUXMACHINE](eth1)-----ISOALTED NETWORK

In the above representation, after configuring one NIC(eth0) , i can able to ping from production network machines to Linux Machine. Then am configured the eth1 to default gateway of the isolated network. After enabling eth1, can able to ping from and to Linux machine to Isolated env. Now I cant able to ping from Prod to Linux machine.If i am disabling the eth1 means, it will works otherwise it wont.

I am newbee to networking. I don't know exactly where is the issue and what i did wrong. I have enabled the following

IP Forwarding, MASQUERADE and some iptables rules

Anyone can suggest me a good way to make this work.

Thanks in advance

edited

ifconfig

eth0      Link encap:Ethernet  HWaddr 00:50:56:8f:68:e7  
          inet addr:192.168.108.13  Bcast:192.168.108.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fe8f:68e7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:335609 errors:0 dropped:3107 overruns:0 frame:0
          TX packets:48332 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:131610506 (131.6 MB)  TX bytes:4424737 (4.4 MB)

eth1      Link encap:Ethernet  HWaddr 00:50:56:8f:0a:c6  
          inet addr:192.168.103.1  Bcast:192.168.103.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fe8f:ac6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18773 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35645 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1816084 (1.8 MB)  TX bytes:50940327 (50.9 MB)

iptables -t nat -nvL

Chain PREROUTING (policy ACCEPT 3 packets, 375 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   31  2604 DNAT       all  --  *      *       0.0.0.0/0            192.168.103.246      to:192.168.103.246

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1985  138K MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           

Chain VL (0 references)
 pkts bytes target     prot opt in     out     source               destination

iptables -nvL

Chain INPUT (policy ACCEPT 49159 packets, 38M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 32 packets, 3393 bytes)
 pkts bytes target     prot opt in     out     source               destination         
13459  582K ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
21264   38M ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
19109 1919K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0 


cat /proc/sys/net/ipv4/ip_forward 1
router linux iptables linux-networking isolated-network

3 Answers

  1. You are using the same subnet on both networks, essentially it's like it being the same network. First change this, for example using 192.168.109.0/255.255.255 as subnet for your testing lab and retry.

    Okay, now that you splited in two subnets, another thing i notice is that you have some firewalling rules and some NAT ones that to me at least do not make sense. Try flushing your iptables rules:

    iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z

iptables -F
iptables -X
iptables -Z

    Then readd only the NAT one:

    iptables -t nat -A POSTROUTING -o eth0 -J MASQUERADE

    Then try pinging from a machine in the private lan a production one, thing should work.

    • 2

  2. As both interfaces are on same subnet , just bridge them by using below commands

    brctl addbr bridge1

    brctl addif bridge1 eth0

    brctl addif bridge1 eth1

    this should work

    • 2

  3. So as far as I understand you have following situation

    subnet1 ---> eth0 -Linux PC- eth1 <----subnet 2

    You are trying to use this Linux PC in the middle as a router between 2 subnets?

    In this case do 2 things:
    1) Disable iptables (just for test. You can enable them later and define your rules)
    2) Enable ip forwarding on Linux PC. Add this to your /etc/sysctl.conf

    ipv4.ip_forward = 1

    and run

    sysctl -p

    Now in subnet 1 on hosts which need access to subnet 2 you will need to setup static routes.

    Let's assume following subnets (based on your question)

    subnet 1 192.168.108.0/24 eth0 .13

    subnet 2 192.168.103.0/24 eth1 .1

    In this case on hosts in subnet 1 you will need to run this

    route add -net 192.168.103.0/24 gw 192.168.108.13

    And on hosts in subnet 2 you will need to run this

    route add -net 192.168.108.0/24 gw 192.168.103.1

    After this ping initiated from hosts in subnet 1 to hosts in subnet 2 should work. And vice versa.

    • 0