Route all traffic of a machine through another within a subnet?
You have three interfaces on computer B, that have addresses from the same subnet (192.168.1.0/24, am I right?).
Look at some of your iptables rules:
sudo iptables -A FORWARD -i $IF -o $IF --source $ADDR -j ACCEPT
- this rule says that you allow to route frometh2
toeth2
when packet comes from192.168.1.3
(without the information about netmask). This rule is completelly meaningless.sudo iptables -A FORWARD -i $IF -o $IF --destination $ADDR -m state --state ESTABLISHED,RELATED -j ACCEPT
- almost the same as above.You are setting the default rule for the chain
iptables -F INPUT ACCEPT
and then removeiptables -F INPUT
.
So, what I recommend:
On computer B all three interfaces should have addresses from different networks. If you need them in the same network it is better to bridge them (create a "multi-interface" that aggregates three all of them with one IP address).
Read more about iptables and try to understand it. It's quite simple. For example, when you have 192.168.1.0/24 network that connects computers A and B the easiest way is to make NAT like that (computer B):
iptables -t nat -A POSTROUTING -d 0/0 -s 192.168.1.0/24 -j MASQUERADE iptables -A FORWARD -s 192.168.1.0/24 -d 0/0 -j ACCEPT iptables -A FORWARD -s 0/0 -d 192.168.1.0/24 -j ACCEPT
- Or the easiest way - bridge all interfaces on computer B. Then you don't have to use NAT.
Update after question extending
The network architecture you have is not really made to work as you want to. The computer A should be connected to computer C via separated network than network connecting computer C with gateway (internet). But you have two solutions.
"The elegant way"
It is required that switch will be transparrent for vlan tagged ethernet frames (beacause I suppose you don't have managed switch with possibility to tag ports). If your switch supports 802.1q it should work like that.
You have to create vlan interfaces on computers A and C. For example
sudo vconfig add eth0 100
. This command wil create tagged interface eth0.100. On computer C execute a commandsudo vconfig add en1 100
. You will have interface en1.100. On virtual machine settings you need to bridge virtual interface ethX with en1.100. Do not assign any IP address to en1.100 (computer C) - it's not needed.Set addresses from the same network on eth0.100 (computer A) and ethX (virtual machine B). Let's say it will be 192.168.2.1/24 (computer A) and 192.168.2.2/24 (virtual machine B).
Virtual machine B must have one more interface that will be bridged to en1 on computer C (the untagged interface). Let's say it has address 192.168.1.3/24.
Now you need to configure NAT on virtual machine C:
iptables -t nat -A POSTROUTING -d 0/0 -s 192.168.2.0/24 -j MASQUERADE iptables -A FORWARD -s 192.168.2.0/24 -d 0/0 -j ACCEPT iptables -A FORWARD -s 0/0 -d 192.168.2.0/24 -j ACCEPT
- And add default gateway on computer A:
route add default gw 192.168.2.2
It should work.
The dirty way You can try the dirty way. It doesn't require vlans but it makes a little mess on the 3rd layer.
Computer A has interface eth0 with address 192.168.2.1/24.
Virtual machine B has two interfaces ethX and ethY. Both bridged to en1 (on computer C) in virtual machine settings.
Interface ethX has address 192.168.2.2/24. Interface ethY has address 192.168.1.3/24.
Apply the same commands that are on points 4 and 5 of elegant way.
It should also work.
The problem of your solution was that you were trying to route traffic from the same network to the same network. You can only route traffic between two logical IP networks (not from the same addressing range). If you need routing then you need to have two different networks - in this case 192.168.1.0/24 (the existing network) and 192.168.2.0/24 (the network connecting computer A and virtual machine B).
Related videos on Youtube
N. S.
Updated on September 18, 2022Comments
-
N. S. almost 2 years
I have two computers, both running ubuntu 12.04 64 bit. I need to route traffic of one computer through the other.
computer A: 192.168.1.3 (eth0) computer B: 192.168.1.7 (eth0), 192.168.1.5 (eth1), 192.168.1.6 (eth2)
I need these three interfaces in computer B to run my final experiments...
BTW computer B is running on a virtual machine on a separate host.
I change the default gw of computer A like this:
sudo sudo ip route del sudo ip route add default via 192.168.1.6
here is the output of
route -n
in computer A:Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.1.6 0.0.0.0 UG 0 0 0 eth0 169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0 192.168.1.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
Also I run this script in computer B:
#!/bin/bash IF="eth2" ADDR="192.168.1.3" sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward' sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_dynaddr' sudo iptables -P FORWARD DROP sudo iptables -F FORWARD sudo iptables -t nat -F sudo iptables -A FORWARD -i $IF -o $IF --source $ADDR -j ACCEPT sudo iptables -A FORWARD -i $IF -o $IF --destination $ADDR -m state --state ESTABLISHED,RELATED -j ACCEPT sudo iptables -t nat -A POSTROUTING -s $ADDR -j MASQUERADE
After these instructions computer A has no access to the internet!!
Do you have any idea about the problem and solution?
Edit 1
the default topology of the subnet is like this:
|--------------| | Comp C | |----------| eth0 |----------| en0| |----------| | | CompA |--------| switch |---------| | VM B | | |----------| |-----|----| | |----------| | | |--------------| | ( Internet ) ( )
update
computer A:
$ route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.2.2 0.0.0.0 UG 0 0 0 eth0.100 169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0 192.168.1.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0 192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0.100
virtual machine B:
eth0
is connected via nat.$ route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 172.16.233.2 0.0.0.0 UG 0 0 0 eth0 169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0 172.16.233.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0 192.168.1.0 0.0.0.0 255.255.255.0 U 1 0 0 eth1 192.168.2.0 0.0.0.0 255.255.255.0 U 1 0 0 eth2
-
Thomas Ward about 7 yearsComments are not for extended discussion; this conversation has been moved to chat.