Linux Gateway: One network card how to masquerade from one subnet to another
Good morning one and all. In our network we have a single Linux machine that has aliased IP addresses. Each of these IP addresses sits on a network controlled by a remote router to an ISP.
We want to use our Linux box as the gateway for our internal network (10.0.0.x) and for the Linux box to then forward the outgoing traffic to one of our routers on another network.
Everything I have read is about masquerading between two physical interface cards; however, we have only one network card, listening on multiple IP addresses.
On the Linux box itself, it can ping and access the internet fine using one of the routers as the upstream gateway.
So our configuration is as follows:
Linux Box:
eth0:0 = 10.0.0.5
eth0:1 = 192.168.137.5
GW: 192.168.137.1
Router#1:
IP: 192.168.137.1
Connection to internet via ISP
Network Machines:
IP: 10.0.0.x
GW: 10.0.0.5
So the question is, what is my setup for iptables/nat on the Linux box to allow it to accept packets on the 10.0.0.x subnet and route them out to the specific IP address configured for the gateway? When I try to use eth0:1 as my -d, iptables complains of invalid characters, and from what I read on the internet this was disabled in iptables (http://lkml.indiana.edu/hypermail/linux/net/9705.1/0016.html).
Can someone assist please? I am sure I am missing something real obvious here; all my historical knowledge has been two separate ethX network interfaces.
Thank you.
Update: here is the "hackity" iptables script
WIFIBACKUP=192.168.137.1
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -s 10.0.0.0/32 -j REDIRECT --to $WIFIBACKUP
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
-d is for --destination, and expects an address (or net). If destination is "any", then simply don't specify it.
The redirect does not do NAT.
As you are using aliases, using -i and -o does not work. The workaround is to use -d and -s.
You can negate with "!". So, for all traffic from 10.0.0.0/24, that has a destination that is NOT 10.0.0.0/24, do masquerade:
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j MASQUERADE
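Putting the answer's -s/-d approach together as a complete, ordered script (an added example, not code from the question or the answer). It assumes the addresses from the question (10.0.0.0/24 behind 10.0.0.5, Router#1 at 192.168.137.1 already set as the box's default route) and, unlike the "hackity" script, keeps FORWARD at DROP and matches the /24 rather than a /32. DRY_RUN defaults to printing the commands; run with DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Single-NIC masquerade gateway (added example; addresses taken from the question).
# eth0:0 and eth0:1 are aliases on one card, so -i/-o cannot tell the two
# networks apart; every rule therefore matches on -s/-d instead.
LAN_NET=${LAN_NET:-10.0.0.0/24}            # internal clients (from the question)
UPSTREAM_GW=${UPSTREAM_GW:-192.168.137.1}  # Router#1; assumed to be the default route already
DRY_RUN=${DRY_RUN:-1}                      # 1 = print the commands only, 0 = execute them

# Emit the rule set, one command per line, in the order it must be applied.
build_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -F
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $LAN_NET ! -d $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_NET ! -d $LAN_NET -j MASQUERADE
EOF
}

# Self-check: the MASQUERADE rule must exclude LAN-to-LAN traffic (! -d),
# otherwise hosts on $LAN_NET would see each other as the gateway address.
check_rules() {
    build_rules | grep -q -- "-s $LAN_NET ! -d $LAN_NET -j MASQUERADE"
}

# Print (DRY_RUN=1) or execute (DRY_RUN=0, needs root) the generated commands.
apply_rules() {
    check_rules || { echo "rule set failed self-check" >&2; return 1; }
    if [ "$DRY_RUN" = 1 ]; then
        build_rules
    else
        build_rules | while IFS= read -r cmd; do eval "$cmd"; done
    fi
}

apply_rules
```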