linux
vetash, 2014-07-18 20:32:09

How to force packets to pass from vlan 1 to vlan X?

We have:
VLAN 1 with network 192.168.20.0/24
VLAN 50 with network 10.10.20.0/24

Machine on Debian 7 with configuration:
eth0: 192.168.20.7/24
vlan50 (eth0.50): 10.10.20.7/24
eth2 (internal network): 192.168.3.0/24

Iptables:

#!/bin/sh
# flush all rules and user-defined chains in the filter, nat and mangle tables
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

# enable IPv4 routing between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -A INPUT -i lo -j ACCEPT

# allow the internal network out towards both VLANs
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth2 -o vlan50 -j ACCEPT

# hide the internal network behind the router's address on each VLAN
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.3.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o vlan50 -s 192.168.3.0/24 -j MASQUERADE

# let replies to established connections back in
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i vlan50 -m state --state ESTABLISHED,RELATED -j ACCEPT

# reject anything new coming from the VLANs into the internal network
iptables -A FORWARD -i eth0 -o eth2 -j REJECT
iptables -A FORWARD -i vlan50 -o eth2 -j REJECT

# clamp TCP MSS on new connections to the path MTU (inserted at the top of FORWARD)
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Traffic flows from the machine itself both to 192.168.20.0/24 (eth0, vlan 1) and to 10.10.20.0/24 (eth0, vlan 50); packets also go from the internal subnet 192.168.3.0/24 to 192.168.20.0/24, but they refuse to go to 10.10.20.0/24 (vlan 50). Maybe some specific setting is needed for this configuration?

vetash, 2014-08-07
@vetash

Understood the problem in general: I was not attentive when creating the interfaces in the VLANs. Iptables worked out the rules perfectly; I just got confused in the naming of the interfaces. When creating an interface via vconfig, the interface will be called vlanXXX; when creating it via /etc/init.d/networking, interfaces can be called either eth0.XXX or vlanXXX. As you understand, the problem was that in the rules I wrote:
iptables -t nat -A POSTROUTING -o vlan50 -s 192.168.3.0/24 -j MASQUERADE
but it had to be:
iptables -t nat -A POSTROUTING -o eth0.50 -s 192.168.3.0/24 -j MASQUERADE
In the end, having brought up a virtual machine and worked out everything I needed on it, I managed to achieve the desired result. Thanks to all!)
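
As an added illustration of the mistake described in this answer (example code written for this page, not from the thread or from any project), a small POSIX sh check that lists every interface a rule script names with -i/-o and reports those the kernel does not have; iptables accepts a rule for a non-existent interface such as vlan50 without complaint, and the rule then simply never matches. The rule text and interface list below are constructed from the question.

```shell
#!/bin/sh
# Added example: find iptables rules that reference interfaces the kernel lacks.

# Constructed sample: rules from the thread, the first one naming the wrong device.
SAMPLE_RULES='iptables -t nat -A POSTROUTING -o vlan50 -s 192.168.3.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0.50 -s 192.168.3.0/24 -j MASQUERADE
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT'

# Constructed interface list standing in for the Debian box from the question,
# where the VLAN device was created as eth0.50, not vlan50.
SAMPLE_IFACES='lo eth0 eth0.50 eth2'

# rule_ifaces RULES: print each interface named via -i/-o (or the long forms), once.
rule_ifaces() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++)
            if ($i == "-i" || $i == "-o" || $i == "--in-interface" || $i == "--out-interface")
                print $(i + 1) }' | sort -u
}

# live_ifaces: the interface names the running kernel actually has, space separated.
live_ifaces() { ls /sys/class/net | tr '\n' ' '; }

# missing_ifaces RULES "name name ...": print each referenced name absent from the list.
# A trailing '+' in an iptables interface name is a prefix wildcard and is honoured.
missing_ifaces() {
    rules=$1; have=" $2 "
    for name in $(rule_ifaces "$rules"); do
        pat=${name%+}
        [ "$pat" != "$name" ] && pat="$pat*"
        case $have in
            *" "$pat" "*) ;;        # present (or the wildcard matched something)
            *) echo "$name" ;;      # a loaded rule with this name would match nothing
        esac
    done
}

# On a real host, before loading a firewall script (path is a placeholder):
#   missing_ifaces "$(cat /path/to/firewall.sh)" "$(live_ifaces)"
# For the constructed sample this prints: vlan50
```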

Sergey Petrikov, 2014-07-19
@RicoX

So, judging by tcpdump, the packets reach 10.10.20.200 but there is no answer; there are 2 options:
1) The problem is in the firewall on the target machine (10.10.20.200): disable it and try without it.
2) The problem is in routing from 10.10.20.200: post a dump of a ping back from 10.10.20.200 to 192.168.3.2.
