
Hope someone more clever than me could help, because I am out of ideas... We want to create (in OpenStack) a router that will... route (haha) traffic from one network to the other. Simple. This is what I have done so far. I have read a lot of posts and it seems that it should not be that complex, but I can't make it work.

LAN1 (172.150.88.xx) --> ROUTER ETH1 (172.150.88.2) || ETH0 (100.50.30.2) --> LAN2 (LOTS OF OTHER NETWORKS)

From a host in LAN1 (172.150.88.3), I want to reach a host in a 10.110.87.xx network which is reachable from the 100.50.30.xx network (so from ETH0 on the router). Note that a route to 10.110.87.xx that points to 172.150.88.2 has been created on the 172.150.88.3 host.

This is what I have in terms of rules/settings on the router:

root@router ~ $ iptables --list -v --line-numbers -t nat
Chain PREROUTING (policy ACCEPT 10899 packets, 1408K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 2773 packets, 530K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3968 packets, 296K bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 233 packets, 16695 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     3750  280K MASQUERADE all  --  any    eth0    anywhere             anywhere

and

root@router ~ $ iptables --list -v --line-numbers
Chain INPUT (policy ACCEPT 200K packets, 24M bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    84758  140M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 41 packets, 3444 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    24271 2038K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
2      132 10992 ACCEPT     all  --  eth1   eth0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 28417 packets, 3123K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     132K   88M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED

and some system settings:

echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
sysctl net.ipv4.ip_forward=1

Right now, this is the best we have: if I try to telnet to a known open port on 10.110.87.yy from 172.150.88.68, I can see this:

root@router ~ $ tcpdump -nn -i eth1 host 10.110.87.152
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
09:02:11.399882 IP 172.150.88.68.40540 > 10.110.87.152.636: Flags [S], seq 3607855840, win 29200, options [mss 1460,sackOK,TS val 2274155265 ecr 0,nop,wscale 7], length 0
09:02:11.412705 IP 10.110.87.152.636 > 172.150.88.68.40540: Flags [S.], seq 299308172, ack 3607855841, win 8192, options [mss 1460,nop,wscale 8,sackOK,TS val 48782380 ecr 2274155265], length 0
09:02:12.402613 IP 172.150.88.68.40540 > 10.110.87.152.636: Flags [S], seq 3607855840, win 29200, options [mss 1460,sackOK,TS val 2274156268 ecr 0,nop,wscale 7], length 0

and

root@router ~ $ tcpdump -nn -i eth0 host 10.110.87.152
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
09:02:20.415516 IP 10.110.87.152.636 > 100.50.30.2.40540: Flags [S.], seq 299308172, ack 3607855841, win 65535, options [mss 1460,nop,nop,sackOK], length 0

I am not so sure about what tcpdump is telling me here... From what I understand, the traffic goes from ETH1 to the destination and the 10.110.87.152 host replies back. But the host on the 172.150.88.xx network never receives the answer...

So if someone could point out what I am doing wrong, it would be very much appreciated. Thanks!

  • If you're trying to reach LAN2 from LAN1, shouldn't you be masquerading traffic going out of `eth1` rather than `eth0`? – tater Sep 16 '20 at 14:01
  • what's with that 100.50.30.0/24 IP address, is it a public network/WAN instead of LAN? is LAN2 a WAN instead of LAN? If so, there should be a different approach here. – mforsetti Sep 17 '20 at 03:01
  • What are the *routes* on your router (`ip route`)? Also, you should not enable proxy ARP. Proxy ARP is to work around wrong routing settings (or settings you don't control). It can only hinder debugging. The same remark goes for disabling rp_filter, actually. – A.B Sep 18 '20 at 17:34

1 Answer

Masquerading on my router works with `iptables -t nat -A POSTROUTING -j MASQUERADE`

Kistler
  • You also need to specify the egress interface with e.g. `-o enp4s0` otherwise it will try to NAT everything, which will break lots of stuff. – Michael Hampton Sep 16 '20 at 22:57
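The rule set the answer and its comment describe (MASQUERADE bound to the egress interface) together with the sysctl advice from the question's comments (proxy_arp off, rp_filter on), written out as an added example. This is not code from the question, the answer, or any commenter. The interface names and the LAN1 subnet are taken from the question; the default-deny FORWARD policy, the conntrack matches, the `apply` argument and the `masquerade_rules_scoped` audit helper are assumptions. Set `IPT=echo SYSCTL=echo` to print the commands instead of applying them:

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Topology from the question: eth1 faces LAN1 (172.150.88.0/24), eth0 faces
# the 100.50.30.0/24 side that reaches 10.110.87.0/24. The DROP policy,
# the conntrack matches and the "apply" argument are assumptions.
# Dry run:  IPT=echo SYSCTL=echo sh router.sh apply

LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-172.150.88.0/24}
IPT=${IPT:-iptables}
SYSCTL=${SYSCTL:-sysctl}

# Kernel settings: forwarding on; proxy_arp off and rp_filter strict, so a
# wrong route shows up as a drop instead of being papered over.
router_sysctl() {
    "$SYSCTL" -w net.ipv4.ip_forward=1
    "$SYSCTL" -w net.ipv4.conf.all.proxy_arp=0
    "$SYSCTL" -w net.ipv4.conf.all.rp_filter=1
}

# NAT: masquerade only LAN1 sources leaving through the WAN-side interface.
# A bare "-j MASQUERADE" with no -o/-s rewrites every forwarded packet.
router_nat_rules() {
    "$IPT" -t nat -F POSTROUTING
    "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
}

# Filter: default-deny forwarding; allow replies and LAN1 -> WAN-side only.
router_forward_rules() {
    "$IPT" -P FORWARD DROP
    "$IPT" -F FORWARD
    "$IPT" -A FORWARD -m conntrack --ctstate INVALID -j DROP
    "$IPT" -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
}

# Audit an existing box: pipe in the output of `iptables -t nat -S POSTROUTING`.
# Returns 0 when every MASQUERADE rule is bound to an output interface (-o),
# 1 when at least one MASQUERADE rule is unscoped.
masquerade_rules_scoped() {
    ! grep -- '-j MASQUERADE' | grep -v -q -- '-o '
}

if [ "${1:-}" = apply ]; then
    router_sysctl
    router_nat_rules
    router_forward_rules
fi
```

The FORWARD policy is set to DROP before the chain is flushed so there is no window in which everything is forwarded; with the ACCEPT policy shown in the question, the explicit `eth1 -> eth0` rule adds nothing, since unmatched packets are forwarded anyway. To check a running router, run `iptables -t nat -S POSTROUTING | masquerade_rules_scoped` after sourcing the script.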