Set up IP forwarding without masquerade

Hi everyone,
I’m trying to set up IP forwarding without masquerade. In other words, a plain gateway.
I have one RED interface and one Green.
Red interface has public ip /30 mask and the Green interface has the same network segment /26 mask

The problem is to make NethServer disable masquerade on POSTROUTING and enable forwarding.
In iptables I have this :
Chain PREROUTING (policy ACCEPT 266K packets, 32M bytes)
Chain INPUT (policy ACCEPT 78 packets, 4964 bytes)
Chain OUTPUT (policy ACCEPT 156 packets, 11809 bytes)
Chain POSTROUTING (policy ACCEPT 38 packets, 1747 bytes)
pkts bytes target prot opt in out source destination
186K 26M MASQUERADE all -- * ens19 0.0.0.0/0 0.0.0.0/0

And this for FORWARD chain:
-P FORWARD DROP

I tried to make the 2nd interface ORANGE, but it did not work. Still masquerading.

If I set the 2nd interface RED and manually set iptables -P FORWARD ACCEPT, it works as I want it to.
Though, when I make any change in the firewall via the UI, it pushes it back to -P FORWARD DROP.

Is there a way to achieve IP forwarding without masquerading via the UI?

NethServer Version: 7.9.2009 (final)
Module: Firewall

I found a limited and partially working workaround.
I set the two interfaces as RED so NethServer does not masquerade traffic. Then I edited the script “firewall-adjust” to add “iptables -P FORWARD ACCEPT”.
Everything works as I want to.
Drawbacks. If I make a change to the firewall via the UI, shorewall stops working.
It fails with an error regarding “command ip -4 route replace src xx.xx.xx.129 dev ens18 failed”

If I revert ens18 to be GREEN, shorewall loads correctly. Looks like I cannot have just two RED interfaces.
Edit : actually, if I set ANY interface to be Green and the other Red, it works.
It only happens when I have two Red interfaces and no other interface.

A little more information:
ens18 : xx.xx.xx.126 /30
ens19 : xx.xx.xx.129 /26
The idea is to use the server as GW only. I have a range of public IPs from my ISP and I have just one to communicate with them.
126 IP connects to 125 IP (ISP side) and I just need to route the traffic to ens18 (129 IP)
So the whole IP range will be routed to ens18 (129 IP)

I did it.
I set the ISP interface to RED and the second one to Green.
Then, I edited /etc/e-smith/templates/etc/shorewall/snat/30red
Edited the line OUT .= “ISP ip xxxxxx”; to OUT .= “”;
This stops the masquerading and voilà, it works as a simple GW.

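One thing worth having after the 30red template change is a repeatable check that the box really behaves as a plain router: no MASQUERADE rule left in nat/POSTROUTING on either interface, and a FORWARD policy that lets routed traffic through. The script below is an added example and is not code from this thread, from NethServer or from Shorewall. It parses the output of `iptables -t nat -nvL POSTROUTING` and `iptables -S FORWARD` (the same formats quoted in the first post); interface names ens18/ens19 follow the thread, and the sample outputs embedded in it are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not code from the thread or from NethServer/Shorewall.
# Verify that the gateway runs without masquerading: no MASQUERADE rule in
# nat/POSTROUTING on the given interfaces and a FORWARD policy of ACCEPT.
# Interface names ens18/ens19 follow the thread; the samples below are
# constructed to mimic `iptables -t nat -nvL POSTROUTING` and `iptables -S FORWARD`.

# Count MASQUERADE rules whose out-interface is $1, or "*" (any interface).
# Reads `iptables -t nat -nvL POSTROUTING` output on stdin, prints the count.
count_masquerade_on() {
    awk -v want="$1" '
        $3 == "MASQUERADE" && ($7 == want || $7 == "*") { n++ }
        END { print n + 0 }'
}

# Print the FORWARD chain policy from `iptables -S FORWARD` output on stdin.
forward_policy() {
    awk '$1 == "-P" && $2 == "FORWARD" { print $3; exit }'
}

# Succeed (exit 0) only when none of the listed interfaces masquerades and
# the FORWARD policy is ACCEPT.  $1 = nat text, $2 = FORWARD text, $3.. = interfaces.
gateway_is_plain() {
    nat=$1; fwd=$2; shift 2
    [ "$(printf '%s\n' "$fwd" | forward_policy)" = "ACCEPT" ] || return 1
    for ifc in "$@"; do
        [ "$(printf '%s\n' "$nat" | count_masquerade_on "$ifc")" -eq 0 ] || return 1
    done
    return 0
}

# Constructed samples (not captured from a real server).
NAT_MASQ='Chain POSTROUTING (policy ACCEPT 38 packets, 1747 bytes)
 pkts bytes target     prot opt in     out     source               destination
 186K   26M MASQUERADE all  --  *      ens19   0.0.0.0/0            0.0.0.0/0'

NAT_PLAIN='Chain POSTROUTING (policy ACCEPT 38 packets, 1747 bytes)
 pkts bytes target     prot opt in     out     source               destination'

FWD_DROP='-P FORWARD DROP
-A FORWARD -i ens18 -o ens19 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

FWD_ACCEPT='-P FORWARD ACCEPT'

# Report on the samples; pass --live to read the running firewall instead
# (needs root on the gateway).
if [ "${1:-}" = "--live" ]; then
    NAT_NOW=$(iptables -t nat -nvL POSTROUTING)
    FWD_NOW=$(iptables -S FORWARD)
else
    NAT_NOW=$NAT_PLAIN
    FWD_NOW=$FWD_ACCEPT
fi
for ifc in ens18 ens19; do
    printf '%s: %s MASQUERADE rule(s)\n' "$ifc" \
        "$(printf '%s\n' "$NAT_NOW" | count_masquerade_on "$ifc")"
done
printf 'FORWARD policy: %s\n' "$(printf '%s\n' "$FWD_NOW" | forward_policy)"
if gateway_is_plain "$NAT_NOW" "$FWD_NOW" ens18 ens19; then
    echo "plain gateway: OK"
else
    echo "plain gateway: NOT yet (masquerade still active or FORWARD not ACCEPT)"
fi
```

Run it as `sh check-plain-gw.sh --live` on the gateway after a `signal-event firewall-adjust` or any change made in the UI, since that is exactly when the regenerated rules may reintroduce a MASQUERADE entry or flip the FORWARD policy back to DROP. Keep in mind what the check is confirming: once masquerading is off and FORWARD is ACCEPT, the hosts in the /26 are reachable on their public addresses through the box, so the FORWARD chain is the only place where any filtering of that traffic happens.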

Great job!
Name it /etc/e-smith/templates-custom/etc/shorewall/snat/30red and you’re done.


Great idea!
That way, I presume that when an update is applied, it won’t change the script.
Thanks filippo. I will definitely do that!