Bits and Chaos

Icon

Between bits and chaos, a sysadmin stands.

Bonding, aliasing and natting

Scenario: you want to connect a LAN to another one. Connection should be easily enabled and disabled.

At work we have a training and examination classroom with its own IP addressing schema. This LAN should be disconnected from the rest of the infrastructure when exams are in place (people should not be allowed to access Internet to find answer to questions) but we need to be allowed to do client’s operating system update when needed.

To do so, we have a classroom server that act as a NAT, DHCP and DNS server for the computers in the classroom. As availability is critical, we have grouped the two NICs on it to give a bonding interface. We have defined a bond0 interface, with an address of the external LAN, and a bond0:0 alias, with an address of the classroom LAN.

Then we have these rules for iptables:

iptables -t nat -A POSTROUTING -o bond -j SNAT --to-source EXTERNAL_IP

EXTERNAL_IP is the IP by which every client of the classroom should appear out of it.

iptables -t nat -A POSTROUTING -o bond -j MASQUERADE

To allow for IP Forwarding, we need to do this:

echo 1 > /proc/sys/net/ipv4/ip_forward

(this could be make persistent across reboot by adding net.ipv4.ip_forward = 1 in /etc/sysctl.conf). Connection will be disabled with

service iptables stop

and enabled with

service iptables start

Note that iptables rules don’t deal with interface aliasing, they need just the bare interface, and that here we are doing bonding and aliasing, and it appears working 🙂

Of course, this configuration is no way complex, but it has the property that I always forget about it, so I write this on the blog to allow to find it easily when needed.

Advertisements

Filed under: rhel, , , , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: