

I have this situation:

LAN1 (10.0.0.x)
Subnet 255.255.255.0
Gateway 10.0.0.1
Gateway "WAN" 192.168.1.210

LAN2 (10.0.1.x)
Subnet 255.255.255.0
Gateway 10.0.1.1
Gateway "WAN" 192.168.1.211

By "Gateway WAN" I mean the interface facing the 192.168.1.x subnet (which is the network of the modem/router I received from the ISP, and the one that lets the computers go on the internet).

To give context to what I will say in the next lines, I will be calling the gateway on LAN1 "RV110W", because it is the Cisco model, and the gateway on LAN2 "LinuxBox".

I have made all my tests with the firewall of the RV110W disabled so I can focus on getting the LinuxBox iptables right.

Right now my configurations on the LinuxBox look like this:

/etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.1.211
    netmask 255.255.255.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
    hostname alpine-router

auto eth1
iface eth1 inet manual

auto eth2
iface eth2 inet manual

auto eth3
iface eth3 inet manual

auto br0
iface br0 inet static
    bridge_ports eth1 eth2 eth3
    address 10.0.1.1
    netmask 255.255.255.0
    broadcast 10.0.1.255
    up ip route add 10.0.0.0/24 via 192.168.1.210


iptables

#########################################################################
# Basic iptables IPv4 routing rule set
#
# 10.0.1.0/24 routed directly to ETH0 via NAT
# 
#########################################################################

#
#Mangle Table
#We leave this empty for the moment.
#
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

#
#Filter Table
#This is where we decide to ACCEPT, DROP or REJECT things
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

#Create rule chain per input interface for forwarding packets
:FWD_ETH0 - [0:0]
:FWD_BR0 - [0:0]

#Create rule chain per input interface for input packets (for host itself)
:IN_ETH0 - [0:0]
:IN_BR0 - [0:0]

#Create a log drop chain
:LOG_DROP - [0:0]

#Pass input packet to corresponding rule chain
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j IN_ETH0
-A INPUT -i br0 -j IN_BR0

#Pass forwarded packet to corresponding rule chain
-A FORWARD -i eth0 -j FWD_ETH0
-A FORWARD -i br0 -j FWD_BR0

#Forward LAN traffic out
-A FWD_BR0 -s 10.0.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

#Forward traffic to ISP
-A FWD_ETH0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

#SSH to router
-A IN_BR0 -s 10.0.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

#DNS to router
-A IN_BR0 -s 10.0.1.0/24 -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

#NTP to router
-A IN_BR0 -s 10.0.1.0/24 -p udp -m udp --dport 123 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

#WEBMIN to router
-A IN_BR0 -s 10.0.1.0/24 -p tcp -m tcp --dport 21000 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

#Accept traffic
-A IN_BR0 -s 10.0.1.0/24 -p udp -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

#Accept incoming tracked ETH0 connection
-A IN_ETH0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT

#
#NAT Table
#This is where translation of packets happens and "forwarding" of ports
# to specific hosts.
#
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

#Allow hosts of the network to use the ETH0 "WAN"
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
COMMIT


Static routes

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         internetbox.hom 0.0.0.0         UG    0      0        0 eth0
10.0.0.0        bedroom-router. 255.255.255.0   UG    0      0        0 eth0
10.0.1.0        *               255.255.255.0   U     0      0        0 br0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0


internetbox.hom refers to the ISP router and bedroom-router. refers to the RV110W.

To clarify, the iptables rules are reported here without any of the attempts I have made, just to give you the starting point.

Of course the RV110W also has a static route where all the traffic with destination 10.0.1.0 goes to 192.168.1.211 (LinuxBox).

Now, before I start telling what I have tried so far, I want to clarify what I have in mind and what my goals are. I basically need to access all of LAN2 from LAN1.
What should I access? Everything (LAN2 is supposed to be a laboratory where I can do any sort of IT stuff), and by everything I mean any TCP/UDP port on any device.

So far the most interesting and useful things I found are these:

from serverfault (allow-traffic-to-from-specific-ip-with-iptables)

I came up with some rules I need to put in iptables, but those aren't new to me as I had already tried to implement them:

-I INPUT -p tcp -s 10.0.0.0 -d 10.0.1.0 -m tcp -j ACCEPT
-I INPUT -p udp -s 10.0.0.0 -d 10.0.1.0 -m udp -j ACCEPT

and also the corresponding OUTPUT rules, even though outgoing traffic is allowed by default. I also tried to remove the destination part on the INPUT ones and the source part on the OUTPUT ones, but still no luck.

I also considered the possibility that the source is the "WAN" IP of the RV110W, but so far I have found only people using the remote LAN network as the source.

I'm thinking there's something I should do in the NAT section, because it may need to process the incoming requests, but I didn't find anything about it.

I've tried many times to search on the internet, to look at the iptables manual and any other means at my disposal, but I can't find any answer, and narrowing the search field would be great.

I may be missing a banality here, and it may be caused by the lack of technical English words at my disposal; that's also a reason why I am asking here.

I'm also aware that ping might not work with my iptables, so I also tried to open an RDP session and an SSH one, of course without luck. The problem is that, even though ping into LAN2 is blocked, pinging LAN1 from LAN2 also times out, and this suggested to me that the ping might arrive at its destination but not return.

I tried to be as exhaustive as I can to let you understand my situation, but if I missed something I apologize in advance.

In the end I am really out of ideas, and any help, small or big, is much appreciated.

PS: I also thought of implementing a site-to-site IPsec VPN, natively supported by the RV110W and with strongSwan on the LinuxBox, but in the end the problem still revolves around routing and potentially iptables.
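An added example, written for this page and not part of the question or of either router's configuration, to show which table actually gates the LAN1-to-LAN2 traffic described above. It models the filter-table FORWARD path from the posted rule set in Python and walks a constructed packet from 10.0.0.5 to 10.0.1.20 through it. Two things the posted configuration already determines: rules in the INPUT chain only affect packets addressed to the LinuxBox itself, so traffic forwarded between the two LANs never sees them (and `-s 10.0.0.0` without a mask matches the single host 10.0.0.0), and the nat table is not what blocks inbound traffic, since it is consulted only for the first packet of a connection. The one extra rule the example adds to FWD_ETH0 is an assumption made here, not a rule from the page.

```python
"""Added example (not the asker's configuration): a small model of the
filter-table FORWARD path from the rule set posted above.  It shows why a
packet from LAN1 (10.0.0.0/24, arriving on eth0) bound for LAN2 (10.0.1.0/24,
leaving via br0) ends at FORWARD's DROP policy, and that one rule in FWD_ETH0
lets it through.  Only -i, -o, -s, -d and --ctstate are modelled; the
conntrack state is supplied with the packet.  Packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass
class Packet:
    in_if: str       # -i: interface the packet arrived on
    out_if: str      # -o: interface chosen by the routing decision
    src: str
    dst: str
    ctstate: str     # NEW, ESTABLISHED or RELATED, as conntrack would label it


@dataclass
class Rule:
    target: str                              # ACCEPT, DROP, or a user chain to jump to
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[str] = None                # CIDR, e.g. "10.0.0.0/24"
    dst: Optional[str] = None
    ctstates: FrozenSet[str] = frozenset()   # empty = any state

    def matches(self, p: Packet) -> bool:
        return ((self.in_if is None or p.in_if == self.in_if)
                and (self.out_if is None or p.out_if == self.out_if)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (not self.ctstates or p.ctstate in self.ctstates))


TERMINAL = {"ACCEPT", "DROP", "REJECT"}


class FilterTable:
    def __init__(self, policies: Dict[str, str]):
        self.policy = policies                       # built-in chains only
        self.chains: Dict[str, List[Rule]] = {c: [] for c in policies}

    def add(self, chain: str, rule: Rule) -> None:   # like -A
        self.chains.setdefault(chain, []).append(rule)

    def verdict(self, chain: str, p: Packet, trace: Optional[List[str]] = None) -> str:
        """Walk a chain the way netfilter does: the first matching terminal
        target decides; a jump descends into the user chain and continues after
        it if that chain returns; a built-in chain that runs out of rules applies
        its policy, a user chain returns to its caller."""
        for num, rule in enumerate(self.chains.get(chain, []), 1):
            if not rule.matches(p):
                continue
            if trace is not None:
                trace.append(f"{chain}:rule:{num}")
            if rule.target in TERMINAL:
                return rule.target
            inner = self.verdict(rule.target, p, trace)
            if inner != "RETURN":
                return inner
        if chain in self.policy:
            if trace is not None:
                trace.append(f"{chain}:policy")
            return self.policy[chain]
        if trace is not None:
            trace.append(f"{chain}:return")
        return "RETURN"


def posted_forward_rules() -> FilterTable:
    """The FORWARD-related rules exactly as posted in the question."""
    t = FilterTable({"FORWARD": "DROP"})
    t.add("FORWARD", Rule("FWD_ETH0", in_if="eth0"))
    t.add("FORWARD", Rule("FWD_BR0", in_if="br0"))
    t.add("FWD_BR0", Rule("ACCEPT", src="10.0.1.0/24", ctstates=frozenset({"NEW", "ESTABLISHED"})))
    t.add("FWD_ETH0", Rule("ACCEPT", ctstates=frozenset({"RELATED", "ESTABLISHED"})))
    return t


def with_lan1_to_lan2_rule() -> FilterTable:
    """Posted rules plus one assumed fix (not from the page), equivalent to:
    -A FWD_ETH0 -s 10.0.0.0/24 -d 10.0.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"""
    t = posted_forward_rules()
    t.add("FWD_ETH0", Rule("ACCEPT", src="10.0.0.0/24", dst="10.0.1.0/24",
                           ctstates=frozenset({"NEW", "ESTABLISHED"})))
    return t


# Constructed packets: a new connection from a LAN1 host to a LAN2 host, the
# LAN2 host's reply, and a new connection started from LAN2.
LAN1_TO_LAN2_NEW = Packet("eth0", "br0", "10.0.0.5", "10.0.1.20", "NEW")
LAN2_REPLY = Packet("br0", "eth0", "10.0.1.20", "10.0.0.5", "ESTABLISHED")
LAN2_TO_LAN1_NEW = Packet("br0", "eth0", "10.0.1.20", "10.0.0.5", "NEW")


def explain(table: FilterTable, p: Packet) -> Tuple[str, List[str]]:
    """Return the verdict and the chain/rule path that produced it."""
    trace: List[str] = []
    return table.verdict("FORWARD", p, trace), trace


if __name__ == "__main__":
    for label, table in (("posted", posted_forward_rules()), ("with fix", with_lan1_to_lan2_rule())):
        for p in (LAN1_TO_LAN2_NEW, LAN2_REPLY, LAN2_TO_LAN1_NEW):
            v, path = explain(table, p)
            print(f"{label:9} {p.src:>9} -> {p.dst:<9} {p.ctstate:<11} {v:6} via {' -> '.join(path)}")
```

Run it with `python3` to print each packet's path. With the posted rules, the new connection from LAN1 enters FWD_ETH0, matches nothing there (that chain only accepts RELATED,ESTABLISHED), returns to FORWARD and falls through to the DROP policy; the added rule turns that into ACCEPT, and the reply from LAN2 is then accepted by the existing FWD_BR0 rule. One caveat on the nat side: a connection that LAN2 starts towards LAN1 leaves via eth0 and therefore matches the posted MASQUERADE rule, so the RV110W sees it coming from 192.168.1.211 rather than from the 10.0.1.x host. A rule such as `-A POSTROUTING -s 10.0.1.0/24 -d 10.0.0.0/24 -o eth0 -j ACCEPT` placed ahead of the MASQUERADE rule in the nat table (a suggestion, not from the page) keeps the original source address, which is what static routes between the two gateways are meant to carry.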

1 Answer

I am assuming that LinuxBox and Cisco are connected to the same L2 network here.

You need to have symmetric routes on your Cisco and LinuxBox:

On LinuxBox, have the route to 10.0.0.0/24 via 192.168.1.210 (Cisco WAN IF).

On Cisco, have the route to 10.0.1.0/24 via 192.168.1.211 (LinuxBox WAN IF).

Then you also need to make sure that the firewall configuration passes traffic from 10.0.0.0/24 to 10.0.1.0/24 and vice versa on the routers.

Tero Kilkanen
  • Thanks, this is what I actually did, symmetric routing as you described, and I also tried to set the firewall, but it is here that I got stuck. I left the Cisco firewall disabled on purpose (since it has a web portal that is fairly easy to use) to focus on the LinuxBox first, but I can't seem to get the iptables rules right; no matter what I do the traffic still doesn't pass through. – Gioele Frapolli Sep 21 '18 at 06:19
  • You should use `iptables -t RAW -I PREROUTING -j TRACE` rule in your firewall, and then check kernel logs what happens to the packets when they arrive to the system. This rule will show all IPTables rules matches in the kernel log. You can add specific host / protocol match options to the rule so that you will see only the packets that you are interested in. – Tero Kilkanen Sep 21 '18 at 06:40
  • I see, well this is actually good, I caught two birds with one stone, as I was missing how to log incoming packets. I will play with this rule this weekend to see what's wrong and hope I see something. – Gioele Frapolli Sep 21 '18 at 07:23
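An added example, not from the answer or the comments above, for reading the output of the TRACE rule suggested in the comments: once a `-t raw -I PREROUTING -j TRACE` rule is in place, the kernel logs one line per table and chain that a packet passes through, and this Python script groups those lines per packet and reports where each packet's path ended. The dmesg lines embedded in it are constructed to match the chain names of the rule set in the question; timestamps, IP IDs and the packet paths are made up for the example.

```python
"""Added example (not from the page): a parser for the kernel log lines that
the raw-table TRACE target emits, so a traced packet's path through the tables
and chains can be read off and the place where it stopped identified.
The log lines below are constructed; only the chain names follow the question."""
import re
from collections import OrderedDict
from typing import Dict, List, Optional

# Kernel TRACE lines look like
#   TRACE: <table>:<chain>:<rule|return|policy>:<n> IN=... OUT=... SRC=... DST=...
# "rule" is a rule match, "return" the implicit return at the end of a user
# chain, "policy" the policy of a built-in chain; n counts positions in the
# chain, so return/policy carry one past the chain's last rule.
TRACE_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>\w+):(?P<kind>rule|return|policy):(?P<num>\d+)\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample: an ICMP echo from LAN1 into LAN2 (dropped by the FORWARD
# policy) and one from LAN2 towards LAN1 (accepted, then masqueraded).
SAMPLE_DMESG = """\
[ 101.001] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.20 LEN=84 TTL=63 ID=4711 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ 101.001] TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.20 LEN=84 TTL=63 ID=4711 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ 101.001] TRACE: nat:PREROUTING:policy:1 IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.20 LEN=84 TTL=63 ID=4711 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ 101.001] TRACE: mangle:FORWARD:policy:1 IN=eth0 OUT=br0 SRC=10.0.0.5 DST=10.0.1.20 LEN=84 TTL=62 ID=4711 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ 101.001] TRACE: filter:FORWARD:rule:1 IN=eth0 OUT=br0 SRC=10.0.0.5 DST=10.0.1.20 LEN=84 TTL=62 ID=4711 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ 101.001] TRACE: filter:FWD_ETH0:return:2 IN=eth0 OUT=br0 SRC=10.0.0.5 DST=10.0.1.20 LEN=84 TTL=62 ID=4711 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ 101.001] TRACE: filter:FORWARD:policy:3 IN=eth0 OUT=br0 SRC=10.0.0.5 DST=10.0.1.20 LEN=84 TTL=62 ID=4711 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
[ 102.002] TRACE: raw:PREROUTING:policy:2 IN=br0 OUT= SRC=10.0.1.20 DST=10.0.0.5 LEN=84 TTL=64 ID=9001 DF PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
[ 102.002] TRACE: mangle:PREROUTING:policy:1 IN=br0 OUT= SRC=10.0.1.20 DST=10.0.0.5 LEN=84 TTL=64 ID=9001 DF PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
[ 102.002] TRACE: nat:PREROUTING:policy:1 IN=br0 OUT= SRC=10.0.1.20 DST=10.0.0.5 LEN=84 TTL=64 ID=9001 DF PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
[ 102.002] TRACE: mangle:FORWARD:policy:1 IN=br0 OUT=eth0 SRC=10.0.1.20 DST=10.0.0.5 LEN=84 TTL=63 ID=9001 DF PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
[ 102.002] TRACE: filter:FORWARD:rule:2 IN=br0 OUT=eth0 SRC=10.0.1.20 DST=10.0.0.5 LEN=84 TTL=63 ID=9001 DF PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
[ 102.002] TRACE: filter:FWD_BR0:rule:1 IN=br0 OUT=eth0 SRC=10.0.1.20 DST=10.0.0.5 LEN=84 TTL=63 ID=9001 DF PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
[ 102.002] TRACE: mangle:POSTROUTING:policy:1 IN=br0 OUT=eth0 SRC=10.0.1.20 DST=10.0.0.5 LEN=84 TTL=63 ID=9001 DF PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
[ 102.002] TRACE: nat:POSTROUTING:rule:1 IN=br0 OUT=eth0 SRC=10.0.1.20 DST=10.0.0.5 LEN=84 TTL=63 ID=9001 DF PROTO=ICMP TYPE=8 CODE=0 ID=2 SEQ=1
"""


def parse_trace_line(line: str) -> Optional[dict]:
    """Parse one kernel log line; return None for lines that are not TRACE output."""
    m = TRACE_RE.search(line)
    if m is None:
        return None
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(m.group("fields")):
        fields.setdefault(key, value)   # keep the first ID= (IP header), not ICMP's
    return {
        "table": m.group("table"), "chain": m.group("chain"),
        "kind": m.group("kind"), "num": int(m.group("num")),
        "in": fields.get("IN", ""), "out": fields.get("OUT", ""),
        # (src, dst, proto, ip-id) identifies one packet across all its trace lines
        "key": (fields.get("SRC"), fields.get("DST"), fields.get("PROTO"), fields.get("ID")),
    }


def follow_packets(lines) -> "OrderedDict[tuple, List[dict]]":
    """Group trace records per packet, preserving the order the kernel logged them."""
    paths: "OrderedDict[tuple, List[dict]]" = OrderedDict()
    for line in lines:
        rec = parse_trace_line(line)
        if rec is not None:
            paths.setdefault(rec["key"], []).append(rec)
    return paths


def summarise(path: List[dict]) -> dict:
    """Report the hops and say what the last logged entry means."""
    last = path[-1]
    hops = [f"{r['table']}:{r['chain']}:{r['kind']}:{r['num']}" for r in path]
    if last["kind"] == "policy":
        note = (f"no rule in {last['table']}:{last['chain']} matched; its policy decided "
                f"(check: iptables -t {last['table']} -L {last['chain']} -n)")
    elif last["kind"] == "return":
        note = "trace ends on a user-chain return; the log is probably incomplete"
    else:
        note = (f"last match was rule {last['num']} of {last['table']}:{last['chain']} "
                f"(check: iptables -t {last['table']} -L {last['chain']} -n --line-numbers)")
    return {"hops": hops, "last": (last["table"], last["chain"], last["kind"], last["num"]),
            "in": last["in"], "out": last["out"], "note": note}


def analyse(dmesg_text: str) -> "OrderedDict[tuple, dict]":
    return OrderedDict((key, summarise(path))
                       for key, path in follow_packets(dmesg_text.splitlines()).items())


if __name__ == "__main__":
    for (src, dst, proto, ip_id), s in analyse(SAMPLE_DMESG).items():
        print(f"{proto} {src} -> {dst} (id {ip_id}) in={s['in']} out={s['out']}")
        print("  " + " -> ".join(s["hops"]))
        print("  " + s["note"])
```

Feed it the real kernel log instead of the sample (for example `analyse(open("/var/log/kern.log").read())`, or pipe `dmesg` into it) and narrow the TRACE rule with `-s`/`-p` matches as the comment suggests, otherwise every packet crossing the box is logged. For the first sample packet the path ends at `filter:FORWARD:policy:3`, which with the posted `:FORWARD DROP` policy is exactly where a new LAN1-to-LAN2 connection dies; the second ends at `nat:POSTROUTING:rule:1`, the MASQUERADE rule, showing that LAN2-initiated traffic leaves with the LinuxBox's own address.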