Route all traffic of a machine through another within a subnet?

Question

I have two computers, both running ubuntu 12.04 64 bit. I need to route traffic of one computer through the other.

computer A: 192.168.1.3 (eth0)

computer B: 192.168.1.7 (eth0), 192.168.1.5 (eth1), 192.168.1.6 (eth2)

I need these three interfaces in computer B to run my final experiments...

BTW computer B is running on a virtual machine on a separate host.

I change the default gw of computer A like this:

sudo sudo ip route del
sudo ip route add default via 192.168.1.6

here is the output of route -n in computer A:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.6     0.0.0.0         UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0

Also I run this script in computer B:

#!/bin/bash

IF="eth2"
ADDR="192.168.1.3"

sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_dynaddr'

sudo iptables -P FORWARD DROP
sudo iptables -F FORWARD
sudo iptables -t nat -F
sudo iptables -A FORWARD -i $IF -o $IF --source $ADDR -j ACCEPT
sudo iptables -A FORWARD -i $IF -o $IF --destination $ADDR -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s $ADDR -j MASQUERADE

After these instructions computer A has no access to the internet!!

Do you have any idea about the problem and solution?

Edit 1

the default topology of the subnet is like this:

                                             |--------------|  
                                             |    Comp C    |
    |----------| eth0   |----------|      en0| |----------| |
    |  CompA   |--------|   switch |---------| |   VM  B  | |
    |----------|        |-----|----|         | |----------| |
                              |              |--------------| 
                              |
                         ( Internet )
                          (        )

update

computer A:

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.2.2     0.0.0.0         UG    0      0        0 eth0.100
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0.100

virtual machine B:

eth0 is connected via nat.

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         172.16.233.2    0.0.0.0         UG    0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 eth0
172.16.233.0    0.0.0.0         255.255.255.0   U     1      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     1      0        0 eth1
192.168.2.0     0.0.0.0         255.255.255.0   U     1      0        0 eth2

Answer 1

You have three interfaces on computer B, that have addresses from the same subnet (192.168.1.0/24, am I right?).

Look at some of your iptables rules:

1. sudo iptables -A FORWARD -i $IF -o $IF --source $ADDR -j ACCEPT - this rule says that you allow to route from eth2 to eth2 when packet comes from 192.168.1.3 (without the information about netmask). This rule is completelly meaningless.

2. sudo iptables -A FORWARD -i $IF -o $IF --destination $ADDR -m state --state ESTABLISHED,RELATED -j ACCEPT - almost the same as above.

3. You are setting the default rule for the chain iptables -F INPUT ACCEPT and then remove iptables -F INPUT.

So, what I recommend:

1. On computer B all three interfaces should have addresses from different networks. If you need them in the same network it is better to bridge them (create a "multi-interface" that aggregates three all of them with one IP address).

2. Read more about iptables and try to understand it. It's quite simple. For example, when you have 192.168.1.0/24 network that connects computers A and B the easiest way is to make NAT like that (computer B):

iptables -t nat -A POSTROUTING -d 0/0 -s 192.168.1.0/24 -j MASQUERADE
iptables -A FORWARD -s 192.168.1.0/24 -d 0/0 -j ACCEPT
iptables -A FORWARD -s 0/0 -d 192.168.1.0/24 -j ACCEPT

3. Or the easiest way - bridge all interfaces on computer B. Then you don't have to use NAT.

Update after question extending

The network architecture you have is not really made to work as you want to. The computer A should be connected to computer C via separated network than network connecting computer C with gateway (internet). But you have two solutions.

"The elegant way"

It is required that switch will be transparrent for vlan tagged ethernet frames (beacause I suppose you don't have managed switch with possibility to tag ports). If your switch supports 802.1q it should work like that.

1. You have to create vlan interfaces on computers A and C. For example sudo vconfig add eth0 100. This command wil create tagged interface eth0.100. On computer C execute a command sudo vconfig add en1 100. You will have interface en1.100. On virtual machine settings you need to bridge virtual interface ethX with en1.100. Do not assign any IP address to en1.100 (computer C) - it's not needed.

2. Set addresses from the same network on eth0.100 (computer A) and ethX (virtual machine B). Let's say it will be 192.168.2.1/24 (computer A) and 192.168.2.2/24 (virtual machine B).

3. Virtual machine B must have one more interface that will be bridged to en1 on computer C (the untagged interface). Let's say it has address 192.168.1.3/24.

4. Now you need to configure NAT on virtual machine C:

iptables -t nat -A POSTROUTING -d 0/0 -s 192.168.2.0/24 -j MASQUERADE
iptables -A FORWARD -s 192.168.2.0/24 -d 0/0 -j ACCEPT
iptables -A FORWARD -s 0/0 -d 192.168.2.0/24 -j ACCEPT

5. And add default gateway on computer A:

route add default gw 192.168.2.2

It should work.

The dirty way You can try the dirty way. It doesn't require vlans but it makes a little mess on the 3rd layer.

1. Computer A has interface eth0 with address 192.168.2.1/24.

2. Virtual machine B has two interfaces ethX and ethY. Both bridged to en1 (on computer C) in virtual machine settings.

3. Interface ethX has address 192.168.2.2/24. Interface ethY has address 192.168.1.3/24.

4. Apply the same commands that are on points 4 and 5 of elegant way.

It should also work.

The problem of your solution was that you were trying to route traffic from the same network to the same network. You can only route traffic between two logical IP networks (not from the same addressing range). If you need routing then you need to have two different networks - in this case 192.168.1.0/24 (the existing network) and 192.168.2.0/24 (the network connecting computer A and virtual machine B).

Answer 2

The problem is solved when machine B is put into a single real machine instead of a virtual machine. After that eth0.1 with ip address 192.168.2.2 is created in machine A, and eth0.1 with ip address 192.168.2.1 is created in machine B.

Set the default gateway in machine A:

sudo route del default gw 192.168.1.1
sudo route add default gw 192.168.2.1

and run this instruction in machine B:

sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
iptables -t nat -A POSTROUTING -d 0/0 -s 192.168.2.0/24 -j MASQUERADE
iptables -A FORWARD -s 192.168.2.0/24 -d 0/0 -j ACCEPT
iptables -A FORWARD -s 0/0 -d 192.168.2.0/24 -j ACCEPT

now machine A's traffic is routed correctly from machine B. Many thanks for your guides @Krzysztof Sawicki :)