BatchyX already gave some very good explanations about iptables and routing, so I will exercise my laziness and go directly to the script.
It should NAT all traffic to ports 80, 443, 22 and 4070 through 192.168.0.91. All the rest will NAT through 192.168.1.254.
I redid my testing and ended up following this guide. What is missing in that guide is the last 3 lines in my script, which I found out from another post, but I lost track of that link.
It is a tested, working script.
Need Default Route
One thing I did not put in the script is setting up the default route. It should be:
route add default gw 192.168.1.254
When you do route -n, it should be the only default route (Destination 0.0.0.0):
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth1
fw-router.sh
#!/bin/sh
# Reset/Flush iptables: empty the filter, nat and mangle tables, drop user chains,
# and set the built-in policies to ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Reset/Flush/Setup IP route table 4: copy every non-default route from the main
# table (so directly connected networks stay reachable from table 4), then give
# table 4 its own default gateway on the second uplink (192.168.0.1 via eth2).
# $ROUTE is deliberately unquoted so the route is split back into arguments.
ip route flush table 4
ip route show table main | grep -Ev '^default' | while read -r ROUTE ; do ip route add table 4 $ROUTE ; done
ip route add table 4 default via 192.168.0.1
# Mark packets from the LAN whose destination port is 22, 80, 443 or 4070 with fwmark 4
iptables -t mangle -A PREROUTING -p tcp --dport 22 -s 10.0.0.0/24 -j MARK --set-mark 4
iptables -t mangle -A PREROUTING -p tcp --dport 80 -s 10.0.0.0/24 -j MARK --set-mark 4
iptables -t mangle -A PREROUTING -p tcp --dport 443 -s 10.0.0.0/24 -j MARK --set-mark 4
iptables -t mangle -A PREROUTING -p tcp --dport 4070 -s 10.0.0.0/24 -j MARK --set-mark 4
# SNAT rules: rewrite the source address to that of whichever uplink the packet leaves on
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 192.168.1.74
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 192.168.0.91
# IP rule: route fwmark 4 traffic through table 4. "ip rule add" is not idempotent,
# so delete any previous copy first or re-running the script piles up duplicate rules
ip rule del fwmark 4 table 4 2>/dev/null
ip rule add fwmark 4 table 4
ip route flush cache
# IP stack
# This is the missing part from the guide
echo 1 > /proc/sys/net/ipv4/ip_forward
# Reverse-path filtering would drop the replies coming back on eth2, because the main
# table would route those sources via eth1. 0 turns the check off completely; 2 (loose
# mode) is the less drastic choice on kernels that support it
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 0 > "$f" ; done
# Flush the kernel route cache (writing any value triggers the flush)
echo 0 > /proc/sys/net/ipv4/route/flush
PS1: In short, MASQUERADE does not work (in most cases, and definitely in your case) for NAT with multiple external IPs that need some kind of load balancing or need DNAT to handle incoming traffic. You need SNAT for direction control.
PS2: Pure iptables is not sufficient.
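The same policy-routing setup, written as an added example rather than the answer's own script: the MARK and SNAT rules are emitted in iptables-restore format (loaded atomically, so a re-run cannot leave duplicate rules or a half-applied table), the ip rule is made idempotent, rp_filter is set to loose mode instead of off, and a DRY_RUN=1 switch prints every command instead of applying it so the result can be reviewed before touching a router. Addresses, interfaces, ports, mark and table number are taken from the answer above; the rule priority of 100, the sysctl-based rp_filter handling and the 8.8.8.8 probe address used for verification are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the answer's script): policy routing by fwmark with
# SNAT per uplink. Run "fw-policy.sh apply" as root, or "fw-policy.sh dry-run"
# to print what would be done.

LAN=10.0.0.0/24
PORTS="22 80 443 4070"
MARK=4
TABLE=4
WAN1_IF=eth1; WAN1_IP=192.168.1.74; WAN1_GW=192.168.1.254   # default uplink
WAN2_IF=eth2; WAN2_IP=192.168.0.91; WAN2_GW=192.168.0.1     # uplink for marked ports

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Emit the mangle and nat tables in iptables-restore format. iptables-restore
# replaces each listed table atomically, so re-running never leaves duplicate
# MARK or SNAT rules behind, and the filter table is not touched at all.
gen_ruleset() {
    echo '*mangle'
    echo ':PREROUTING ACCEPT [0:0]'
    for p in $PORTS; do
        echo "-A PREROUTING -s $LAN -p tcp --dport $p -j MARK --set-mark $MARK"
    done
    echo 'COMMIT'
    echo '*nat'
    echo ':POSTROUTING ACCEPT [0:0]'
    echo "-A POSTROUTING -o $WAN1_IF -j SNAT --to-source $WAN1_IP"
    echo "-A POSTROUTING -o $WAN2_IF -j SNAT --to-source $WAN2_IP"
    echo 'COMMIT'
}

apply_ruleset() {
    if [ "${DRY_RUN:-0}" = 1 ]; then gen_ruleset; else gen_ruleset | iptables-restore; fi
}

# Copy the non-default routes of table main into the policy table so that
# directly connected networks (LAN, and the subnet the second gateway lives in)
# remain reachable when a marked packet is looked up there.
copy_main_routes() {
    if command -v ip >/dev/null 2>&1; then
        ip route show table main | grep -Ev '^default' | while read -r r; do
            run ip route replace table "$TABLE" $r   # $r unquoted on purpose: re-split into args
        done
    fi
}

configure_routing() {
    run ip route flush table "$TABLE"
    copy_main_routes
    run ip route replace table "$TABLE" default via "$WAN2_GW" dev "$WAN2_IF"
    # "ip rule add" is not idempotent: remove any earlier copy before adding.
    run ip rule del fwmark "$MARK" table "$TABLE" 2>/dev/null || true
    run ip rule add fwmark "$MARK" table "$TABLE" priority 100
    # Main-table default route (the answer's "route add default gw 192.168.1.254").
    run ip route replace default via "$WAN1_GW" dev "$WAN1_IF"
}

configure_sysctl() {
    run sysctl -q -w net.ipv4.ip_forward=1
    # Loose reverse-path filtering (2) instead of off (0): replies arriving on
    # eth2 for sources the main table routes via eth1 are accepted, but packets
    # from sources unreachable on any interface are still dropped.
    run sysctl -q -w net.ipv4.conf.all.rp_filter=2
    run sysctl -q -w net.ipv4.conf.default.rp_filter=2
}

# Ask the kernel which path a marked and an unmarked packet would take.
verify_routing() {
    run ip route get 8.8.8.8 mark "$MARK"   # expected: via 192.168.0.1 dev eth2
    run ip route get 8.8.8.8                # expected: via 192.168.1.254 dev eth1
}

main() {
    configure_sysctl
    apply_ruleset
    configure_routing
    verify_routing
}

case "${1:-}" in
    apply)   main ;;
    dry-run) DRY_RUN=1; main ;;
esac
```

Sourcing the file only defines the functions; the `ip route get ... mark 4` probe at the end is the quickest way to confirm that the rule and table are actually consulted, since a marked lookup that still reports eth1 means the fwmark rule is missing or shadowed by one with a lower priority number.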
Best Answer
Setting ip_forward allows packet forwarding in general. Some Linux distributions may disallow forwarded packets in iptables for security reasons, e.g. if ip_forward is set by error.
The first rule allows packets from eth0 to eth1 that are responses or similarly related packets to an already established connection.
The second is an explicit rule to allow packets from eth1 to eth0. This allows clients from eth1 to access servers behind eth0 regardless of the default iptables configuration.
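A FORWARD chain implementing the two rules described in this answer, as an added example and not the answer's own commands: a default-deny FORWARD policy, the stateful rule for eth0 to eth1 replies, the explicit eth1 to eth0 rule, and a rate-limited LOG line for whatever falls through. The interface roles (clients on eth1, servers behind eth0) come from the answer; the conntrack match syntax, the log prefix and the small first-match evaluator used to show which constructed packets each rule accepts are this example's own.

```shell
#!/bin/sh
# Added example (not the answer's own rules): stateful FORWARD policy for a
# router with clients on eth1 and servers behind eth0.

CLIENT_IF=eth1
SERVER_IF=eth0

# Emit the filter table in iptables-restore format. Only FORWARD is declared,
# so the INPUT and OUTPUT policies already on the box are left as they are.
# Loading it with plain iptables-restore replaces the filter table; use
# "iptables-restore --noflush" if existing rules must survive.
gen_forward_ruleset() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $SERVER_IF -o $CLIENT_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $CLIENT_IF -o $SERVER_IF -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

apply_forward_ruleset() {
    gen_forward_ruleset | iptables-restore
}

# First-match walk of the same chain for a constructed packet:
#   forward_verdict IN_IF OUT_IF CTSTATE   -> prints ACCEPT or DROP
# Mirrors the ruleset above so the effect of each rule can be checked offline.
forward_verdict() {
    in_if=$1; out_if=$2; ctstate=$3
    # Rule 1: replies (and related packets) from the server side back to clients.
    if [ "$in_if" = "$SERVER_IF" ] && [ "$out_if" = "$CLIENT_IF" ]; then
        case "$ctstate" in
            RELATED|ESTABLISHED) echo ACCEPT; return 0 ;;
        esac
    fi
    # Rule 2: anything from the client side toward the servers, new flows included.
    if [ "$in_if" = "$CLIENT_IF" ] && [ "$out_if" = "$SERVER_IF" ]; then
        echo ACCEPT; return 0
    fi
    # Rule 3 only logs; the chain policy then drops the packet.
    echo DROP
}

# Constructed packets (in_if out_if ctstate) illustrating the asymmetry:
# new connections are only ever accepted from the client side.
demo() {
    for pkt in "eth1 eth0 NEW" "eth0 eth1 ESTABLISHED" "eth0 eth1 NEW" "eth1 eth1 NEW"; do
        set -- $pkt
        printf '%-4s -> %-4s %-11s %s\n' "$1" "$2" "$3" "$(forward_verdict "$1" "$2" "$3")"
    done
}

case "${1:-}" in
    apply) apply_forward_ruleset ;;
    demo)  demo ;;
    show)  gen_forward_ruleset ;;
esac
```

The point the evaluator makes is the one the answer states in prose: a host behind eth0 cannot open a new connection toward eth1 (third constructed packet, DROP), while its replies to a connection a client started are accepted (second packet), and nothing else the router is asked to forward gets through the DROP policy.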