Making a LAN Gateway out of bracton is important for appropriately isolating research machines from the internet. On the downside, it's a pain in the butt.
First, I installed dnsmasq on bracton. This provides a DNS server for the local LAN. Next comes configuring the bracton machine to forward packets, and then enabling the firewall to forward packets too.
Setting forwarding to be enabled
sprinkjm@bracton:/etc/sysconfig$ cat /etc/sysctl.conf | grep net.ipv4
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
I've edited the file to enable ip_forward (since it is now equal to 1). However, I'm still not sure why the default for accept_source_route is not true. Anyway, continuing.
Enabling iptables to forward all packets from one card to another
The bracton machine has 4 ethernet cards: eth3 carries the actual internet address, and eth2 is connected to the internal lab machines.
Below is the iptables rules file.
# Manual customization of this file is not recommended.
# ...but it was hand-edited by J. Sprinkle anyway
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth3 -j MARK --set-mark 0x9
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth3 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A FORWARD -i eth2 -j ACCEPT
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth2 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
#-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-P INPUT DROP
COMMIT
Note that some lines are commented out, since they were preventing packets from being routed. The default policy on INPUT is DROP, so packets addressed to bracton itself that don't match any of the above are dropped. Also note that port 53 (DNS) is opened so that dnsmasq can provide lab IPs to my machines.
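As an added check that is not part of the original post, the script below parses the *filter table in iptables-save format, follows the jump from INPUT into RH-Firewall-1-INPUT, and lists the ACCEPT rules that carry no -i match and therefore also apply to packets arriving on eth3, the internet side. The embedded ruleset is a constructed excerpt of the rules above.

```python
import shlex
# Constructed excerpt of the *filter table shown above (other tables omitted).
RULES = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i eth2 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
-P INPUT DROP
COMMIT
"""

def parse_filter_table(text):
    """Map each chain of the *filter table to the argv lists of its -A rules."""
    chains, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith("-A "):
            argv = shlex.split(line)
            chains.setdefault(argv[1], []).append(argv[2:])
    return chains

def opt(argv, name):
    """Value following option `name` in argv, or None when the option is absent."""
    return argv[argv.index(name) + 1] if name in argv else None

def wan_exposed(chains, chain="INPUT", seen=frozenset()):
    """ACCEPT rules reachable from `chain` that do not pin an input interface.
    Without -i a rule matches on every interface, eth3 included; replies to
    connections the gateway itself opened (ESTABLISHED,RELATED) are skipped."""
    seen = seen | {chain}
    exposed = []
    for argv in chains.get(chain, []):
        target = opt(argv, "-j")
        if target in chains and target not in seen:  # jump into a user chain
            exposed += wan_exposed(chains, target, seen)
        elif (target == "ACCEPT" and opt(argv, "-i") is None
              and opt(argv, "--state") != "ESTABLISHED,RELATED"):
            exposed.append(" ".join(argv))
    return exposed

if __name__ == "__main__":
    for rule in wan_exposed(parse_filter_table(RULES)):
        print("also reachable from eth3:", rule)
```

Run it against the full file with `wan_exposed(parse_filter_table(open("/etc/sysconfig/iptables").read()))` to see every service the gateway offers to the internet side; the fix for the ones that should be LAN-only is adding `-i eth2` to the rule.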
All that's left to do is restart iptables, and test.
sprinkjm@bracton:~$ sudo /etc/init.d/iptables stop
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter nat mangl[ OK ]
iptables: Unloading modules: FATAL: Module nf_conntrack_ipv4 is in use.
FATAL: Module xt_state is in use.
FATAL: Module xt_tcpudp is in use.
FATAL: Module ip6t_ipv6header is in use.
FATAL: Module ip6t_REJECT is in use.
FATAL: Module ip6t_ipv6header is in use.
FATAL: Module ip6table_filter is in use.
FATAL: Module ip6_tables is in use.
FATAL: Module x_tables is in use.
FATAL: Module nf_conntrack_ipv6 is in use.
FATAL: Module xt_state is in use.
FATAL: Module nf_conntrack is in use.
[FAILED]
This failure is not surprising. I have turned on verbose failure information in the iptables configuration so that I can see why it fails.
# The extra test is for 2.6: The module might have autocleaned,
# after all referring modules are unloaded.
if grep -q "^${mod}" /proc/modules ; then
    modprobe -r $mod # > /dev/null 2>&1
    let ret+=$?;
fi
Wait a few seconds, and stop again, until everything says it is successful.
sudo /etc/init.d/iptables stop
sudo /etc/init.d/iptables start