My problem is forwarding packets from eth2, which is my LAN, to eth1, which has access to the internet, so that eth2 can reach the internet. Here is my configuration:
    auto eth1
    iface eth1 inet static
        address 192.168.3.1
        netmask 255.255.255.0
        network 192.168.3.0
        broadcast 192.168.3.255
        gateway 192.168.3.254

    auto eth2
    iface eth2 inet static
        address 10.101.26.1
        netmask 255.255.0.0
        network 10.101.0.0
        broadcast 10.101.255.255

iptables configuration:
    iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth2 -j ACCEPT

I have already uncommented net.ipv4.ip_forward=1 in /etc/sysctl.conf and written 1 to /proc/sys/net/ipv4/ip_forward.
If I test with a PC connected to the LAN that has 10.101.26.1 as its gateway, I can't reach the internet, so how can I solve this?
Thank you for any help! Regards
12 Answers
You'll need some sort of masquerading statement. The reason behind this is that, currently, packets arriving from eth2 to eth1 are identified by 10.101.0.0/16 addresses. Those 10.101.0.0/16 packets then attempt to traverse the network via eth1 (192.168.3.0/24). This fails because those packets haven't yet been masqueraded as packets from 192.168.3.1.
A little script like this below should help. Modify as necessary:
    #! /bin/bash
    IPTABLES=/sbin/iptables
    WANIF='eth1'
    LANIF='eth2'

    # enable ip forwarding in the kernel
    echo 'Enabling Kernel IP forwarding...'
    /bin/echo 1 > /proc/sys/net/ipv4/ip_forward

    # flush rules and delete chains (the nat table too: a bare -F leaves it
    # alone, so each rerun would append another MASQUERADE rule)
    echo 'Flushing rules and deleting existing chains...'
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -X

    # enable masquerading to allow LAN internet access
    echo 'Enabling IP Masquerading and other rules...'
    $IPTABLES -t nat -A POSTROUTING -o $LANIF -j MASQUERADE
    $IPTABLES -A FORWARD -i $LANIF -o $WANIF -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i $WANIF -o $LANIF -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o $WANIF -j MASQUERADE
    $IPTABLES -A FORWARD -i $WANIF -o $LANIF -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i $LANIF -o $WANIF -j ACCEPT
    echo 'Done.'
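As an added example that is not from the question or either answer: a tighter variant of the same NAT setup, which masquerades only on the WAN interface, forwards LAN traffic only when it carries a LAN source address, and lets WAN traffic into the LAN only as replies to LAN-initiated connections. It assumes the question's layout (eth1 = WAN, eth2 = LAN, 10.101.0.0/16); the `DRY_RUN` variable and the `--apply` flag are this example's own conventions.

```shell
#!/bin/bash
# Added example, not code from the question or the answers above.
# Assumes the question's layout: eth1 = WAN, eth2 = LAN (10.101.0.0/16).
set -eu

IPTABLES="${IPTABLES:-/sbin/iptables}"
WANIF="${WANIF:-eth1}"
LANIF="${LANIF:-eth2}"
LANNET="${LANNET:-10.101.0.0/16}"

# run: execute a command, or only print it when DRY_RUN=1 (this script's own knob)
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

nat_rules() {
    # clear old rules in the filter AND nat tables; a bare -F leaves nat
    # alone, so rerunning the script would stack duplicate MASQUERADE rules
    run "$IPTABLES" -F FORWARD
    run "$IPTABLES" -t nat -F POSTROUTING
    # nothing is forwarded unless a rule below allows it
    run "$IPTABLES" -P FORWARD DROP
    # LAN -> WAN, only for packets that really carry a LAN source address
    run "$IPTABLES" -A FORWARD -i "$LANIF" -o "$WANIF" -s "$LANNET" -j ACCEPT
    # WAN -> LAN, replies only; unsolicited inbound traffic hits the DROP policy
    run "$IPTABLES" -A FORWARD -i "$WANIF" -o "$LANIF" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # source NAT: LAN addresses leave the WAN interface as its own address
    run "$IPTABLES" -t nat -A POSTROUTING -s "$LANNET" -o "$WANIF" -j MASQUERADE
}

apply_rules() {
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    nat_rules
}

# Print the rules by default; install them only when asked to.
if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    DRY_RUN=1 nat_rules
fi
```

Run it without arguments first to review the rules it would install, then with `--apply` as root.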
Based on your description, I am assuming your PC is behind a router and eth1 is connected to the Internet via the router. You would have to create a static route on your router to 10.101.0.0/16 via 192.168.3.1 so that reply packets destined to said network can be forwarded to your PC.