Bonding, aliasing and natting

Scenario: you want to connect a LAN to another one. Connection should be easily enabled and disabled.

At work we have a training and examination classroom with its own IP addressing scheme. This LAN should be disconnected from the rest of the infrastructure while exams are in progress (people should not be able to reach the Internet to look up answers to questions), but we still need to be able to run operating system updates on the clients when needed.

To do so, we have a classroom server that acts as the NAT, DHCP and DNS server for the computers in the classroom. As availability is critical, we have grouped its two NICs into a bonding interface. We have defined a bond0 interface, with an address on the external LAN, and a bond0:0 alias, with an address on the classroom LAN.

Then we have these rules for iptables:

iptables -t nat -A POSTROUTING -o bond0 -j SNAT --to-source EXTERNAL_IP

EXTERNAL_IP is the address under which every client of the classroom appears outside of it. When the external address is not fixed, MASQUERADE can be used instead: it rewrites the source to whatever address the outgoing interface currently has, so only one of the two rules is needed:

iptables -t nat -A POSTROUTING -o bond0 -j MASQUERADE

To allow for IP Forwarding, we need to do this:

echo 1 > /proc/sys/net/ipv4/ip_forward

(this can be made persistent across reboots by adding net.ipv4.ip_forward = 1 to /etc/sysctl.conf). The connection is disabled with

service iptables stop

and enabled with

service iptables start

Note that iptables rules know nothing about interface aliases: the -o match needs the bare interface (bond0), not the alias (bond0:0). So here we are combining bonding and aliasing with NAT, and it appears to work :)
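As an added example (not the post's own setup script), here is a small sh script that wraps the rules above into on/off/status commands and checks the state the way a practitioner would before an exam. It goes a bit beyond the post: the SNAT rule is limited to the classroom subnet, and FORWARD rules let classroom clients out while dropping new connections coming in from the outside. The interface name bond0, EXTERNAL_IP and CLASSROOM_NET are assumptions (placeholders from the RFC 5737 documentation ranges), overridable from the environment.

```shell
#!/bin/sh
# Added example (not the post's own script): toggle the classroom NAT.
# Assumptions: the external interface is bond0 (the bare bonded interface, not
# the bond0:0 alias); EXTERNAL_IP and CLASSROOM_NET are constructed placeholders
# from the RFC 5737 documentation ranges, overridable from the environment.
EXT_IF="${EXT_IF:-bond0}"
EXTERNAL_IP="${EXTERNAL_IP:-192.0.2.10}"
CLASSROOM_NET="${CLASSROOM_NET:-198.51.100.0/24}"

# Print one iptables argument line per rule. Beyond the post: SNAT only the
# classroom subnet, and FORWARD rules that let classroom clients out while
# dropping new connections initiated from outside towards the classroom.
nat_rules() {
  ext_if="$1"; ext_ip="$2"; net="$3"
  printf '%s\n' \
    "-t nat -A POSTROUTING -s $net -o $ext_if -j SNAT --to-source $ext_ip" \
    "-A FORWARD -s $net -o $ext_if -j ACCEPT" \
    "-A FORWARD -d $net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
    "-A FORWARD -d $net -j DROP"
}

# Classify the NAT state from an iptables-save dump on stdin: "on" when a
# SNAT/MASQUERADE rule leaves via the bare interface, "off" otherwise. A rule
# written against the alias (bond0:0) never matches packets, so it counts as off.
nat_state() {
  if grep -Eq -- "-o $1 .*-j (SNAT|MASQUERADE)"; then echo on; else echo off; fi
}

# True when the forwarding flag file (default: the live sysctl) contains 1.
forwarding_enabled() {
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

case "${1:-}" in
  on)  nat_rules "$EXT_IF" "$EXTERNAL_IP" "$CLASSROOM_NET" |
         while read -r args; do iptables $args; done   # unquoted on purpose: split into arguments
       echo 1 > /proc/sys/net/ipv4/ip_forward ;;
  off) iptables -t nat -F POSTROUTING; iptables -F FORWARD
       echo 0 > /proc/sys/net/ipv4/ip_forward ;;
  status) printf 'nat: %s, forwarding: %s\n' \
         "$(iptables-save | nat_state "$EXT_IF")" \
         "$(forwarding_enabled && echo yes || echo no)" ;;
esac
```

Run it as root with on, off or status; with no argument it only defines the functions.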

Of course, this configuration is in no way complex, but it has the property that I always forget about it, so I am writing it down on the blog to find it easily when needed.
