# routing w/o firewall/iptables? [Solved!]

## erik258

Hi all! You'll have to forgive me for this dumb question. I just have never actually set up a big network.

Can I divide up my network into 3 subnets?

```
                       /->192.168.1.0/24 <-->192.168.1.87<-->192.168.10.0/24
web <-> 192.168.1.1 <-<
                       \-> 192.168.2.0/24 (wireless)
```

right now 192.168.1.1 is running iptables and is my internet router/firewall.  (WHICH HAS 3 network cards of course, 1 wifi 2 wired)

192.168.1.0/24 is a flat ethernet

192.168.2.0/24 is a wireless net provided by a wireless nic in AP mode in 192.168.1.1

192.168.10.0/24 is a flat ethernet on the other side of 192.168.1.87 (WHICH HAS 2 network cards of course)

I am confused about whether I can route packets between my subnets without iptables.

I don't really need to filter these packets, but as you can see my 2 routers do need to forward them. Right now internet access with NAT from all 3 is working, but the three are effectively isolated from each other.

Isn't there some way that I can send packets between subnets without iptables, just by routing them properly? I remember a nice illustration from The Linux Network Administrator's Guide but I can't remember if any of those routers spanned subnets.

Or do all my different subnets have to be changed to be different IP ranges on the same subnet?

Please give me some assistance; I'm not too dumb and not a newbie, but this question is so stupid (?) that I can't find any info online.

Links, etc. are certainly welcome!

Thanks.

----------

## NeddySeagoon

erik258,

You can set up static routes on all the systems.

My net file has:

```
config_eth_lan=(
       "192.168.100.18/24 broadcast 192.168.100.255"
)

routes_eth_lan=(
       "default via 192.168.100.1"
       "-net 192.168.0.0/24 via 192.168.100.6"
)
```

You can see it has a static IP address in 192.168.100.0/24 and a default gateway at the usual .1.

The -net line says that to reach the 192.168.0.0/24 net, send the packets to 192.168.100.6.

192.168.100.6 has two network cards and packet forwarding enabled in its kernel, which I think is the default now.

----------

## erik258

Thanks for the tip.

I tried configuring my routing tables as such but probably missed something or messed up.

Do you know whether I could do this and iptables on the same computer? Can firewalls and subnet routing coexist, as long as the firewall doesn't drop the routed packets? Or must they be on different computers?

----------

## think4urs11

Shot in the dark: did you forget to

```
echo 1 > /proc/sys/net/ipv4/ip_forward
```

on any of the machines which should do routing?

----------

## NeddySeagoon

erik258,

You can run static routing and firewalling on the same network and try to route through the firewall.

That way lies madness.

If you need firewalling and forwarding on the same system choose only one or you will never know what works and why.

----------

## erik258

 *NeddySeagoon wrote:*   

> erik258,
> 
> You can run static routing and firewalling on the same network and try to route through the firewall.
> 
> That way lies madness.
> ...

I did have IP forwarding enabled in /proc/sys/net/ipv4, thanks. I believe my problem hinges on the "you will never know what works and why" issue. Is there some way to disable iptables which I compiled in to this particular kernel?

Thanks guys, I appreciate this help ; ) Now as soon as my real life stops making me do stuff, I can actually try to get this to work ;)

----------

## NeddySeagoon

erik258,

You can set the policy to accept for the input, output and forward tables, that tells iptables to allow anything everywhere, making it transparent.

It's as good as turning it off.

----------

## erik258

I have a nat table too; this won't affect anything by default (that is, when it's totally empty and also set to accept), right? Or should I set it all to deny?

Thanks again Mr Seagoon... you sure are helpful!

----------

## NeddySeagoon

erik258,

Your NAT table will be called from one of the others; if it's never called, it won't do anything.

iptables has the input, forward and output tables as its own. Any other tables you create are like functions or subroutines in a program, or unused Sections in xorg.conf. They do nothing until called on.

----------

## erik258

Dear Mr Seagoon or any other Interested Parties, 

Your messages are well appreciated and this all makes sense to me. What doesn't make sense: I can watch traffic going through my NAT table but I don't have any hooks into it. For clarity, zeus is the router between .10.0/24 and .1.0/24 and vaio is a (the only) host on .10.0/24 (besides the router itself of course). Observe this (from the router between .10.0/24 and .1.0/24):

```
zeus ~ # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
```

You'll note the lack of any rules. But nat:

```
zeus ~ # iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 253 packets, 30719 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 3692 packets, 174K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  195 14707 MASQUERADE  all  --  any    eth0    192.168.10.0/24      anywhere            

Chain OUTPUT (policy ACCEPT 3674 packets, 173K bytes)
 pkts bytes target     prot opt in     out     source               destination         
```

I would think this packet count to be a residual effect of a previous setup, but using watch I can see the packets go through. How are they getting to the nat table?

```
zeus ~ # route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.10.0    *               255.255.255.0   U     0      0        0 eth1
loopback        *               255.0.0.0       U     0      0        0 lo
default         davey.spore.ath 0.0.0.0         UG    0      0        0 eth0
zeus ~ # cat /proc/sys/net/ipv4/ip_forward 
1
zeus ~ # cat /proc/sys/net/ipv4/ip_dynaddr 
1
```

If I flush the nat table, I can no longer communicate with the network and outside world from vaio. vaio's routing table is as follows...

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.10.0    *               255.255.255.0   U     0      0        0 eth0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         192.168.10.1    0.0.0.0         UG    0      0        0 eth0
```

With totally flushed tables on zeus, vaio can communicate with zeus' ip but can't get outside the .10.0/24 subnet.

Argh!!!  Any thoughts?

----------

## erik258

I noticed that I can get to the 192.168.1.0/24 IP of the router, 192.168.1.87, from the 192.168.10.0/24 subnet. Unfortunately, I seem to have missed some crucial step in getting from there to the outside world ; )

edit:

I also noticed these packets also pass through when I flush all the tables. So I guess the step I missed isn't that.

...perhaps another computer...

----------

## erik258

Ah ha! That was the problem.

Sorry, Mr. Seagoon. I have confused myself again ; ) . Turns out my other computer was to blame all along. I added a route to it:

```
davey ~ # route add -net 192.168.10.0 netmask 255.255.255.0 gw 192.168.1.87 dev eth1
```

and all worked.
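As an added illustration of why that one route on davey mattered (this is not code from the thread): a small Python model of the four hosts' routing tables, following a request from vaio to davey and the reply back with longest-prefix-match lookups, ip_forward checks, and no NAT on zeus. Host names and the 192.168.x addresses come from the posts; vaio's 192.168.10.2, the 203.0.113.x upstream link, and the helpers host/lookup/trace/build are assumptions made for the example.

```python
import ipaddress

# Constructed model of the thread's topology: vaio on 192.168.10.0/24 behind zeus
# (192.168.1.87 / 192.168.10.1), davey (192.168.1.1) as the upstream router.
# vaio's address 192.168.10.2 and the 203.0.113.x upstream link are assumptions.
def host(addrs, routes, forward):   # routes: (prefix, gateway or None if on-link)
    return {"addrs": set(addrs), "routes": routes, "fwd": forward}

def lookup(routes, dst):
    """Longest-prefix match, as the kernel FIB does; returns (network, gateway)."""
    best = None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best

def trace(net, src, dst_ip, max_hops=8):
    """Follow one packet from host src toward dst_ip: (status, hosts visited)."""
    dst = ipaddress.ip_address(dst_ip)
    by_addr = {a: n for n, h in net.items() for a in h["addrs"]}
    cur, path = src, [src]
    for _ in range(max_hops):
        h = net[cur]
        if str(dst) in h["addrs"]:
            return "delivered", path
        if cur != src and not h["fwd"]:      # transit host with ip_forward=0
            return "dropped at " + cur + " (ip_forward=0)", path
        match = lookup(h["routes"], dst)
        if match is None:
            return "no route on " + cur, path
        nxt = match[1] or str(dst)           # on-link: next hop is the destination
        if nxt not in by_addr:
            return "next hop " + nxt + " unknown at " + cur, path
        cur = by_addr[nxt]
        path.append(cur)
    return "routing loop", path

def build(davey_has_route, zeus_forwards=True):
    """Tables from the posts; davey_has_route adds the fix from the last one."""
    davey = [("192.168.1.0/24", None), ("0.0.0.0/0", "203.0.113.1")]
    if davey_has_route:
        davey.insert(1, ("192.168.10.0/24", "192.168.1.87"))
    return {
        "vaio": host(["192.168.10.2"], [("192.168.10.0/24", None),
                                        ("0.0.0.0/0", "192.168.10.1")], False),
        "zeus": host(["192.168.1.87", "192.168.10.1"], [("192.168.1.0/24", None),
                     ("192.168.10.0/24", None), ("0.0.0.0/0", "192.168.1.1")], zeus_forwards),
        "davey": host(["192.168.1.1", "203.0.113.2"], davey, True),
        "upstream": host(["203.0.113.1"], [("203.0.113.0/24", None)], True)}
```

Without the route, the request still reaches davey via zeus (which is why vaio could talk to 192.168.1.87), but davey sends the reply to its default gateway and it is lost; with the route, the reply comes back through zeus. The zeus MASQUERADE rule in the earlier post hid this by rewriting the source to 192.168.1.87, which davey already knew how to reach.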

----------

