From e3a09d2b4a96d345cac6d3e7fbc028a64715aeb9 Mon Sep 17 00:00:00 2001
From: Preetham Ananthkumar
Date: Mon, 17 Jul 2023 21:48:05 +0100
Subject: [PATCH 1/5] Added NAT rules so that client devices on private IPs can communicate with the Internet

---
 Central-router.startup | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Central-router.startup b/Central-router.startup
index 094ee5f..8167d4d 100755
--- a/Central-router.startup
+++ b/Central-router.startup
@@ -28,3 +28,9 @@ ip link set up dev eth5
 # Gateway IP for Management-switch
 ip addr add 10.0.6.1/24 dev eth6
 ip link set up dev eth6
+
+# Enable IP forwarding
+sysctl -w net.ipv4.ip_forward=1
+
+# Enable NAT forwarding
+iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

From f94910b33ea0fcdf653b3dcf99456171f2c98320 Mon Sep 17 00:00:00 2001
From: Preetham Ananthkumar
Date: Mon, 17 Jul 2023 22:14:01 +0100
Subject: [PATCH 2/5] Rejected NAT for the Management subnet

---
 Central-router.startup | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/Central-router.startup b/Central-router.startup
index 8167d4d..9731437 100755
--- a/Central-router.startup
+++ b/Central-router.startup
@@ -32,5 +32,10 @@ ip link set up dev eth6
 # Enable IP forwarding
 sysctl -w net.ipv4.ip_forward=1
 
+# NAT rules
+
+# Reject NAT for Management subnet
+iptables -t nat -A POSTROUTING -s 10.0.6.0/24 -o eth0 -j ACCEPT
+
 # Enable NAT forwarding
 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

From 2fc2a6a2c6397490d0c13c2bd2dfe22cbb99c62f Mon Sep 17 00:00:00 2001
From: Preetham Ananthkumar
Date: Wed, 19 Jul 2023 10:09:08 +0100
Subject: [PATCH 3/5] Added DNAT rules for incoming packets

---
 Central-router.startup | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/Central-router.startup b/Central-router.startup
index 9731437..45ca497 100755
--- a/Central-router.startup
+++ b/Central-router.startup
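Review bot: The MASQUERADE rule at the end of the hunk has no `-s` restriction, so every packet leaving eth0 is source-translated, and nothing added alongside `net.ipv4.ip_forward=1` constrains what the router now forwards; unless a FORWARD policy is set elsewhere in the script (not visible in this hunk), the kernel default of ACCEPT means every attached subnet can reach the Internet and each other through this box. Scoping the rule to the private ranges that are meant to egress, e.g. `iptables -t nat -A POSTROUTING -s 10.0.0.0/16 -o eth0 -j MASQUERADE` (constructed example covering the 10.0.x.0/24 subnets this file configures), and pairing it with an explicit FORWARD policy would make the intended reachability explicit. The startup script begins before this hunk.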
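Review bot: The `-j ACCEPT` rule added for 10.0.6.0/24 in the nat POSTROUTING chain does not reject anything: ACCEPT in the nat table only ends NAT processing for the packet, so Management hosts are still forwarded out eth0, just with an untranslated 10.0.6.x source address. If the commit title's intent is to keep the Management subnet off the Internet, that belongs in the filter table, e.g. `iptables -A FORWARD -s 10.0.6.0/24 -o eth0 -j DROP`; if a NAT exemption is what is wanted, the comment should say so, e.g. `# Exempt Management subnet from source NAT`. Either way a comment noting that this rule only works because it is appended before the MASQUERADE rule would help the next editor keep the order.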
@@ -32,10 +32,30 @@ ip link set up dev eth6
 # Enable IP forwarding
 sysctl -w net.ipv4.ip_forward=1
 
-# NAT rules
+# NAT
 
 # Reject NAT for Management subnet
 iptables -t nat -A POSTROUTING -s 10.0.6.0/24 -o eth0 -j ACCEPT
 
-# Enable NAT forwarding
+# Reject NAT for LDAP
+iptables -t nat -A POSTROUTING -s 10.0.5.3/24 -o eth0 -j ACCEPT
+
+# Source NAT rules
 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+
+# Destination NAT rules
+
+# Ext-Office
+iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.2.3:80
+
+# Ext-DNS
+iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 10.0.2.4:53
+
+# Ext-WWW
+iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.2.5:80
+
+# Int-WWW
+iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.4.3:80
+
+# Int-DNS
+iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 10.0.4.4:53

From 07a5e77c7145a4937ba6f0d7880dda399ab8322b Mon Sep 17 00:00:00 2001
From: Preetham Ananthkumar
Date: Wed, 19 Jul 2023 11:25:13 +0100
Subject: [PATCH 4/5] Rejected NAT for the Services subnet

---
 Central-router.startup | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Central-router.startup b/Central-router.startup
index 45ca497..d16b4db 100755
--- a/Central-router.startup
+++ b/Central-router.startup
@@ -37,8 +37,8 @@ sysctl -w net.ipv4.ip_forward=1
 # Reject NAT for Management subnet
 iptables -t nat -A POSTROUTING -s 10.0.6.0/24 -o eth0 -j ACCEPT
 
-# Reject NAT for LDAP
-iptables -t nat -A POSTROUTING -s 10.0.5.3/24 -o eth0 -j ACCEPT
+# Reject NAT for Services subnet
+iptables -t nat -A POSTROUTING -s 10.0.5.0/24 -0 eth0 -j ACCEPT
 
 # Source NAT rules
 iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

From a9506ef62869940663f7068e45517523047d51a6 Mon Sep 17 00:00:00 2001
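Review bot: Three of the new PREROUTING rules match the same traffic, `-i eth0 -p tcp --dport 80` (Ext-Office, Ext-WWW, Int-WWW), and two match `-i eth0 -p udp --dport 53` (Ext-DNS, Int-DNS); iptables takes the first match, so only 10.0.2.3 and 10.0.2.4 ever receive forwarded traffic and the Ext-WWW, Int-WWW and Int-DNS rules are dead. Each forwarded service needs its own external port or its own `-d` address on eth0 to be reachable. Separately, the Int-WWW and Int-DNS rules publish hosts named as internal (10.0.4.x) to anything arriving on eth0; if those are meant to serve only the private subnets, they should not be in the DNAT set at all, and a comment stating which services are intentionally Internet-facing would make that decision auditable.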
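Review bot: The new Services-subnet rule reads `-0 eth0` where `-o eth0` is meant; iptables rejects `-0` as an unknown option, so the rule is never installed and, unless the script stops on error (nothing in this hunk shows a `set -e`), 10.0.5.0/24 is silently masqueraded by the MASQUERADE rule that follows rather than exempted. The line should be `iptables -t nat -A POSTROUTING -s 10.0.5.0/24 -o eth0 -j ACCEPT`. As in the Management rule above it, `# Reject NAT` is misleading for a nat-table ACCEPT, which exempts from translation and does not block forwarding.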
From: Preetham Ananthkumar
Date: Wed, 19 Jul 2023 11:36:18 +0100
Subject: [PATCH 5/5] Added DNAT rules for OpenVPN

---
 Central-router.startup | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/Central-router.startup b/Central-router.startup
index d16b4db..8a1d68f 100755
--- a/Central-router.startup
+++ b/Central-router.startup
@@ -59,3 +59,6 @@ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination
 
 # Int-DNS
 iptables -t nat -A PREROUTING -i eth0 -p udp --dport 53 -j DNAT --to-destination 10.0.4.4:53
+
+# OpenVPN
+iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1194 -j DNAT --to-destination 10.0.5.4:1194
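Review bot: The OpenVPN DNAT rule matches only `-p tcp`; OpenVPN's default transport is UDP on port 1194, so if the server at 10.0.5.4 runs with the default `proto udp` this rule never matches and the VPN stays unreachable from eth0. Confirm the server's configured protocol and add the matching `iptables -t nat -A PREROUTING -i eth0 -p udp --dport 1194 -j DNAT --to-destination 10.0.5.4:1194` (or replace the TCP rule with it). Like the other DNAT rules in this file, the port-forward also depends on the FORWARD chain permitting the translated flow, which this script does not show.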