CentOS - IPTables - Allow nodes on subnet full access


Thanks to suggestions from comments and some info from linode tech support, I was able to resolve the connection issue.

To solve the problem, I needed to ensure that both server1 and server2 had the proper, private subnet entries for iptables:

iptables -A INPUT -s 192.168.132.0/17 -j ACCEPT

After making this entry on both servers, I could then telnet to server2:1337 (from server1) and monitor the bytes/packets via iptables and see that indeed, packets are being accepted:

$ -> telnet 192.168.132.97 1337
Trying 192.168.132.97...
Connected to 192.168.132.97.
Escape character is '^]'.

$ -> iptables -L -vn
Chain INPUT (policy DROP 337 packets, 18695 bytes)
pkts bytes target     prot opt in     out     source               destination
56 30019 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
53 40539 ACCEPT     all  --  *      *       192.168.128.0/17     0.0.0.0/0

The problem now is that I am using nginx as a load balancer, and it was using the server2 DNS entry, which I assume defaults to the public IP, which is not part of the iptables ruleset, nor should it be; otherwise I would have to enter every single IP on the private network to allow access to port 1337. However, this issue is for another question, as the OP has been resolved.

-- Update --

Updating this answer in case anyone else stumbles across it in the future. I opted to go with this solution: DNS Stealth. By adding the DNS capability to one of my VPSs, I can add all the internal IPs and the external IPs, so all my internal iptables configs should work as expected, while still allowing remote access to any of the VPSs via their public IP.
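As an added illustration (not the poster's code), a small Python check for the subnet rule discussed above: it normalises the -s CIDR the way iptables does (192.168.132.0/17 is stored and shown as 192.168.128.0/17, as the counter listing shows), reports which private addresses the rule admits, computes the tightest prefix that covers only the nodes that need access, and reads the packet counter for that rule out of iptables -L -vn output. The sample counter text is constructed from the listing above; the function names are this example's own.

```python
import ipaddress
from typing import Dict, List

# Constructed sample in the shape of the 'iptables -L -vn' listing above.
SAMPLE_COUNTERS = """\
Chain INPUT (policy DROP 337 packets, 18695 bytes)
 pkts bytes target     prot opt in     out     source               destination
   56 30019 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   53 40539 ACCEPT     all  --  *      *       192.168.128.0/17     0.0.0.0/0
"""


def describe_source(cidr: str, hosts: List[str]) -> Dict[str, object]:
    """Canonical form of a -s CIDR (host bits masked off, as iptables does),
    its size, and whether each listed node actually falls inside it."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "canonical": str(net),
        "num_addresses": net.num_addresses,
        "hosts_inside": {h: ipaddress.ip_address(h) in net for h in hosts},
    }


def tightest_prefix(hosts: List[str]) -> str:
    """Smallest single CIDR covering every listed node: a least-privilege
    alternative to a broad /17 when only a few private addresses need in."""
    addrs = sorted(ipaddress.ip_address(h) for h in hosts)
    lo, hi = addrs[0], addrs[-1]
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        if hi in net:
            return str(net)
    return "0.0.0.0/0"  # unreachable: /0 always contains hi


def accepted_packets(counters: str, cidr: str) -> int:
    """Packet count of the ACCEPT rule whose source equals cidr.

    Matches on the canonical form, so asking for 192.168.132.0/17 finds
    the 192.168.128.0/17 line that iptables really displays.
    """
    wanted = str(ipaddress.ip_network(cidr, strict=False))
    for line in counters.splitlines():
        cols = line.split()
        # pkts bytes target prot opt in out source destination
        if len(cols) >= 9 and cols[2] == "ACCEPT" and cols[7] == wanted:
            return int(cols[0])
    return 0
```

A zero from accepted_packets after a test connection means the traffic never hit that rule (wrong source address or an earlier rule), which is the check the answer above performs by hand.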

Mike Purcell

Updated on September 18, 2022

Comments

  • Mike Purcell
    Mike Purcell almost 2 years

    I am using linode.com and they provide the ability to assign a private IP to each VPS. What I am trying to do is set up each node's firewall to allow access from other nodes on the network, but I don't seem to have much success.

    For example, I am trying to allow access to server1:1337 from server2; both are set up as follows:

    server1:
       ifcfg-eth0:
         DEVICE="eth0"
         IPADDR="1.1.1.1"
         NETMASK="255.255.255.0"
    
       ifcfg-eth0:0:
         DEVICE="eth0:0"
         IPADDR="192.168.132.96"
         NETMASK="255.255.128.0"
    
    server2:
       ifcfg-eth0:
         DEVICE="eth0"
         IPADDR="1.1.1.2"
         NETMASK="255.255.255.0"
    
       ifcfg-eth0:0:
         DEVICE="eth0:0"
         IPADDR="192.168.132.97"
         NETMASK="255.255.128.0"
    

    And the IPTables ruleset on server1:

    #-----
    # Flush all current rules from iptables#
    #-----
    iptables -F
    iptables -F -t nat
    #-----
    
    #-----
    # Set access for localhost
    #-----
    iptables -A INPUT -i lo -j ACCEPT
    
    # !! Tried to allow all nodes on the subnet access to everything, but still didn't work !!
    iptables -A INPUT -s 192.168.132.0/17 -j ACCEPT
    #-----
    
    #-----
    # Accept packets belonging to established and related connections
    #-----
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #-----
    
    # !! Tried to allow access to the port directly !!
    iptables -A INPUT -i eth0:0 -p tcp -s 192.168.132.0/17 --dport 1337 -j ACCEPT 
    
    #-----
    # Lock everything down
    #-----
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    #-----
    

    I did stumble across a couple of old forums stating that iptables cannot use the -i eth0:0 call, as the virtual settings share parent settings, but I wasn't able to confirm this fully.

    --Edit--

    I've also added the private subnet (192.168.132.0/17) to server2, but still can't get it to connect.

    • Mekong
      Mekong almost 11 years
      I hope all commands ran without errors. Look at the working firewall and the rule counters after it with iptables -vL
    • Christopher Perrin
      Christopher Perrin almost 11 years
      do you have a route from 192.168.132.96 to 192.168.132.97?
    • ALex_hha
      ALex_hha almost 11 years
      Why do you use such a strange network mask on eth0:0? I would suggest running tcpdump on server1 on port 1337 and trying to connect from server2 (e.g. via telnet)
    • user9517
      user9517 almost 11 years
      If you disable iptables, can you connect?
    • Mike Purcell
      Mike Purcell almost 11 years
      @Iain: Ya can connect np with iptables off. I added the private subnet to both servers iptables rules, and can connect via telnet, but can't connect via the native service (httpd etc).
    • user9517
      user9517 almost 11 years
      Are you sure you're connecting via the private ip address then ? Try using wget --bind-address=privateaddress ... and wget --bind-address=publicaddress ... to check.
    • Mike Purcell
      Mike Purcell almost 11 years
      @Iain: Good suggestion. I issued the following: wget --bind-address 192.168.132.96 http://192.168.132.97:1337, and was able to connect via the private subnet, but when I go through the browser I am still getting a bad gateway, which leads me to believe it is a config issue with nginx, as I have it set up as a load balancer using the upstream directive.
    • Mike Purcell
      Mike Purcell almost 11 years
      The problem is indeed in the nginx config, in my upstream directive I have: upstream example.com { server server2:1337; }, when I changed to internal ip it worked. I need to look into how to handle this so I don't have to add entries by ip address, but rather hostname, and still use internal network.