A question about the Internet/ConnectionSharing (NAT) via iptables

Question

I'm following this tutorial to setup a NAT gateway: https://help.ubuntu.com/community/Internet/ConnectionSharing#Ubuntu_Internet_Gateway_Method_.28iptables.29

With simple eth0 as WAN and eth1 as LAN it works. Then I tried to bridge eth1 and eth2 into br0 as LAN, and modified the script a little bit:

sudo iptables -A FORWARD -o eth0 -i **br0** -s 192.168.0.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -F POSTROUTING
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This is not working as expected. The result is only clients connected to eth1 is able to go through the NAT.

Basically I want all clients connected to eth1 and eth2 are in same LAN and they both can go through the NAT to internet.

Did I make any mistake in the script? Thanks!

Update #1:

Here is my configuration:

wexia@ubuntu12:/etc$ ifconfig -a
br0       Link encap:Ethernet  HWaddr 00:15:5d:83:5f:0c  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::215:5dff:fe83:5f0c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:560 (560.0 B)  TX bytes:7454 (7.4 KB)

eth0      Link encap:Ethernet  HWaddr 00:15:5d:83:5f:07  
          inet addr:10.122.122.97  Bcast:10.122.123.255  Mask:255.255.254.0
          inet6 addr: 2001:4898:20:1:215:5dff:fe83:5f07/64 Scope:Global
          inet6 addr: 2001:4898:20:1:2d00:ef97:5f57:33d9/64 Scope:Global
          inet6 addr: fe80::215:5dff:fe83:5f07/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:78422 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2591 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:11743173 (11.7 MB)  TX bytes:479989 (479.9 KB)

eth1      Link encap:Ethernet  HWaddr 00:15:5d:83:5f:0c  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:390 errors:0 dropped:0 overruns:0 frame:0
          TX packets:316 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:26740 (26.7 KB)  TX bytes:41439 (41.4 KB)

eth2      Link encap:Ethernet  HWaddr 00:15:5d:83:5f:0e  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:64 errors:0 dropped:0 overruns:0 frame:0
          TX packets:483 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3702 (3.7 KB)  TX bytes:57163 (57.1 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1278 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1278 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:139832 (139.8 KB)  TX bytes:139832 (139.8 KB)

wexia@ubuntu12:/etc$ brctl show
bridge name bridge id       STP enabled interfaces
br0     8000.00155d835f0c   no      eth1
                            eth2
wexia@ubuntu12:/etc$ cat network/interfaces 
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp

auto br0
iface br0 inet static
bridge_ports eth1 eth2
  address 192.168.1.1
  netmask 255.255.255.0

score 0 · Accepted Answer · answered May 08 '14 at 03:15

0

Make sure that all the interfaces involved with the bridge are set to up. (It's possible to have an interface as part of a bridge, but not have it set to being up, so no traffic will go through that "port").

sudo ifconfig eth1 up
sudo ifconfig eth2 up
sudo ifconfig br0 up

Also, check your work on the bridge to make sure it has the interfaces you are expecting:

sudo brctl show

Make sure that you have the LAN IP address assigned on the bridge interface instead of either of the ethernet interfaces that are part of the bridge/switch:

ifconfig eth1
ifconfig eth2

(Neither of them should list an IP address). If one of them does, try something like:

sudo ip addr del 192.168.0.1/24 dev eth1

Make sure your bridge interface does have it:

ifconfig br0

(It should list the address). If it does not have the address, do this:

 sudo ip addr add 192.168.0.1/24 dev br0

Another thing I would try checking: See if any clients attached to eth2 can ping anything on eth1. If so, then the bridge and interfaces (and their up/down state) is probably set up right, and I would look at the IPtables rules. If they can't talk to each other, than it's probably not with IPtables, and probably something with the bridge or interfaces that are part of it.

answered May 08 '14 at 03:15

Azendale

12,031

Unfortunately I still have the problem on br0. The iptables part should be OK.
When br0 is on, clients on eth2 cannot even ping the gateway (192.168.0.1). They cannot ping clients on eth1 too.

If I del br0 and assign a static ip to eth2, then clients on eth2 can ping the gateway.

I was following this guide to configure br0: https://help.ubuntu.com/community/NetworkConnectionBridge except my br0 has a static ip:

iface eth1 inet manual iface eth2 inet manual

auto br0 iface br0 inet static bridge_ports eth0 eth1 address 192.168.0.1 netmast 255.255.255.0
– Wei Xia May 08 '14 at 18:44
I'm fairly certain you don't even need to mention eth1 and eth2 in /etc/network/interfaces. (Just a note, for details like the contents of that file or other configuration details, I would edit your question to include them, and then just comment that you updated the question). Could you please edit your question with the output of brctl show and ifconfig -a? – Azendale May 09 '14 at 18:24
Hi, I removed eth1 and eth2 from /etc/network/interfaces and restarted networking but it doesn't help... Configurations edited in the question (thanks for the hint). I changed all 192.168.0.x to 192.168.1.x btw – Wei Xia May 09 '14 at 22:46
just to make sure, you also changed the -i **br0** -s 192.168.0.0/24 part of the iptables command to -i br0 -s 192.168.1.0/24? – Azendale May 09 '14 at 22:59
I'm assuming the stars in the original were you just trying to bold br0? I also assume you changed the setting for forwarding in /etc/sysctl.conf? Another thing you might add for debugging purposes is the output of iptables-save. I don't see anything wrong yet, but I've done this stuff a lot myself, so I'm expecting myself to have an "aha! that's got to be it" moment anytime now. What do you have connected to each port of the two your are trying to bridge? Individual clients? Switches? – Azendale May 09 '14 at 23:11
Now it turns out that the configuration on that server is flawless... It is the switch attached to eth1 and eth2 causing problems. I was testing this configuration on virtual machines (hyper-v). After switching to physical machines and physical switches, everything is working fine now. :) – Wei Xia May 10 '14 at 07:37
@sunmast Glad you got it working! I guess that explains why it seemed like it had to be something easy but I wasn't seeing anything wrong with the setup yet. If you click the green check next to this answer and click the up arrow next to it, it will mark the question as solved and give me credit for the answer (yes, I know I'm slightly selfish ;-) – Azendale May 10 '14 at 17:49
I clicked the check but cannot click the up arrow because it needs 15 reputation which I don't have... But I really appreciate your help! Thank you! – Wei Xia May 10 '14 at 20:18

A question about the Internet/ConnectionSharing (NAT) via iptables

1 Answers1