[CentOS] CentOS as a router

Fri Aug 7 16:40:32 UTC 2009
Filipe Brandenburger <filbranden at gmail.com>

Hi,

On Fri, Aug 7, 2009 at 12:07, James B. Byrne<byrnejb at harte-lyne.ca> wrote:
> The host configuration has the WAN attached to eth0 (IP_ADDR = A)
> and the LAN attached to eth1 (IP_ADDR = B).  The default gateway for
> B is A.  The default gateway for B is B-1.

This statement does not make any sense to me... Could you please use
real IPs where possible and fake IPs (be consistent) where you don't
want to disclose your private information?

> My understanding is that INCOMING packets, for the purposes of
> iptables, originate outside the host interfaces and that OUTGOING
> packets originate from, or are forwarded across, the host itself.
> So, as I understand things, traffic from network C/24 destined to
> B/24 comes IN eth0, is forwarded to eth1, and then goes OUT eth1.
> Similarly, traffic from B/24 to C/24 comes IN eth1 and goes OUT
> eth0.  Is my understanding correct?

If packets are traversing the router, you should add rules in the
FORWARD chain and not INPUT and OUTPUT (those apply only to packets
destined for the router).

You must also enable forwarding by adding this to /etc/sysctl.conf:
net.ipv4.ip_forward = 1

And then running as root: sysctl -p

> I have set up four custom chains, one each for IN and OUT on each of
> the two eth i/f.  Incoming packets for eth0 are sent to the
> WAN-IN-CHAIN, outgoing are sent to the WAN-OUT-CHAIN.  In a similar
> fashion I have LAN-IN-CHAIN and LAN-OUT-CHAIN.

Also, very confusing. How do those relate to INPUT, OUTPUT and
FORWARD? Could you please post the rules you are using, maybe
anonymizing the external IPs for privacy?

> Further, I wish to prevent any incoming connection from the WAN for
> any source address purporting to belong to the B/24 netblock (IP
> spoofing). Again, whatever arrangements that I try, whenever I
> enable such a rule I lose network connectivity from the console
> session to the LAN.

Please post the rules you are trying. If you don't, there is no way we
can tell you what is wrong there...

HTH,
Filipe
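Added example, not code posted by anyone in this thread: a minimal two-interface ruleset for the setup discussed above, written in the iptables-restore format that CentOS keeps in /etc/sysconfig/iptables, together with the ip_forward sysctl step. The interface names eth0 (WAN) and eth1 (LAN) follow the question; the LAN block 192.168.1.0/24 is an assumption standing in for the poster's "B/24". The anti-spoofing DROP rules are scoped with -i on the WAN interface, and check_spoof_rules refuses a ruleset where such a rule lacks that scope, which is the usual reason a "drop my own netblock" rule also kills LAN access.

```shell
#!/bin/sh
# Added example for this thread, not code posted by anyone in it.
# Assumptions (substitute your own): WAN on eth0, LAN on eth1, and the
# poster's "B/24" LAN block stands in as 192.168.1.0/24.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the filter table in iptables-restore format (the same format CentOS
# keeps in /etc/sysconfig/iptables). Lines starting with '#' are ignored by
# iptables-restore, so the comments can stay in the file.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic addressed to the router itself goes through INPUT, not FORWARD.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# Admin access (ssh) only from the LAN side.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# Anti-spoofing: a LAN source address arriving on the WAN interface is bogus.
# Both rules are scoped with -i $WAN_IF; without that, the same -s match would
# also drop every genuine LAN packet coming in on $LAN_IF.
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
# Transit traffic: LAN -> WAN is allowed, WAN -> LAN only as part of
# connections the LAN initiated.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Returns 0 when every DROP that matches the LAN source block is restricted to
# the WAN interface, 1 if one is unscoped (the mistake that cuts off the LAN).
check_spoof_rules() {
    ! gen_rules | grep -- "-s $LAN_NET .*-j DROP" | grep -v -q -- "-i $WAN_IF"
}

# Persist forwarding, enable it now, and load the ruleset atomically. Needs root.
apply_rules() {
    check_spoof_rules || { echo "refusing to load: unscoped anti-spoof DROP" >&2; return 1; }
    grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf 2>/dev/null \
        || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    sysctl -p
    gen_rules | iptables-restore
}

# "apply" loads the rules; anything else just prints them for review.
case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it without arguments to review the generated ruleset, then `sh router-rules.sh apply` as root to load it; iptables-restore replaces the whole table in one step, so a typo does not leave you with a half-loaded ruleset. Address- and port-based rules for the services the LAN should expose belong in FORWARD; only rules for services on the router itself belong in INPUT.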