On Thu, 12 Sep 2002, Martin A. Brown wrote:

Hi Martin,

Thanks for responding.

> I presume the iptables firewall will SNAT any connection from any of these
> internal networks to the world. Correct?

I think so, but please see below.

> In answer to your question, I assume that your 192.168.101.0/24 network
> and your 10.140.x.x networks are connected to the firewall on the same
> ethernet medium. If this is so, and there is no missing detail, then
> your first impression was correct:
>
> You simply need to
>
> # ip addr add 10.140.227.245/$CIDR_MASK dev eth1 label eth1:0

FYI $CIDR_MASK=27

> (or use the traditional redhat ifcfg-eth1:0 technique)
>
> and tell the internal machines that the default gateway is 10.140.227.245.
>
> What you are doing here is using the same ethernet for two separate IP
> networks.

Ok, but as I said in the diagram below my connection to the internet is on
wan0 via iptables and NAT. Will not 2 default routes confuse things? In
addition I only want traffic for the following specific subnets routed down
the 10.140.x.x pipe. They are 10.140.0.0/16, 10.141.0.0/16, 10.142.0.0/16,
151.193.141.0/24, 162.92.160.0/24. All other traffic should go out to the
internet via wan0. Does this make sense?

> If I were in your position I would absolutely add another interface for
> security and network segregation purposes, but, strictly speaking, you do
> not need to do so.

Network security issues are minimal because the 10.140.x.x is another
private network not connected to the internet. I tend to agree with you
though that it is most likely worth doing just to keep the traffic
segregated. IMO it is a cleaner solution and since I already have a 3rd
unused nic in the machine I will most likely configure it as you suggest.

I am sorry for not describing this better to start with. I wish I was better
at this kind of thing.

> : Hi all,
> : I have a strange setup I am trying to get working. Initially I thought
> : I could set it up by just setting up the correct routes. However after
> : thinking about it I have convinced myself (maybe incorrectly) that I
> : most likely need some sort of advanced NAT/routing setup.
> :
> : Below is a description of the networks involved:
> :
> : Local net (192.168.101.0/24)
> :                |
> :                |
> : Linux machine eth1 (192.168.101.5)---- eth1:0 (10.140.227.245)
> :                |
> :          Iptables NAT/firewall
> :                |
> : Linux machine wan0 (This is a sangoma wanpipe with a routable ip address)
> :                |
> :               ISP
> :
> : The 10.140.227.224/27 network is a private network that knows nothing
> : about the 192.168.101.0/24 network and is not controlled by us.
> : Previously they were run as 2 separate networks. What we are trying to
> : do is to be able to install some custom software on the local net
> : machines (the 192.168.101.0 net) and have 5 specific subnets send the
> : traffic down the 10.140... net and the rest of the non 192.168....
> : traffic out the wan0 interface. Currently the 192.168... net and the
> : 10.140..... net are on the same wire. I could split them and put
> : another interface in the linux box if necessary.
> :
> : Is this possible? If so can someone point me in the right direction on how?
> : Does this even make sense? If not please let me know and I will try to
> : explain further. FWIW the linux box is a Red Hat 7.3 box with all of the latest
> : updates.
> :
> : Regards,
> :
> :
> >

--
.............Tom          "Nothing would please me more than being able to
tdiehl@rogueind.com       hire ten programmers and deluge the hobby market
                          with good software." -- Bill Gates 1976
                          We are still waiting ....

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
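The following script is an added example, not something posted by Tom or Martin, showing how the setup Tom asks about can be done with static routes for the five subnets and a single default route out wan0, so no second default route is involved. It keeps the interface names and addresses from the thread (eth1, eth1:0 with 10.140.227.245/27, wan0, 192.168.101.0/24) and assumes one value the thread does not give: the next-hop router on the 10.140.227.224/27 segment, written here as the placeholder 10.140.227.225. Because the 10.140 side knows nothing about 192.168.101.0/24, traffic for those five subnets is source-NATed to the eth1:0 address so replies can find their way back.

```shell
#!/bin/sh
# Added example for the LARTC thread above (not the poster's own config).
# Assumptions not stated on the list: the router on the 10.140.227.224/27
# segment is 10.140.227.225 (PLACEHOLDER), the shared wire is eth1, and
# the Internet link is wan0.
set -e

LAN_IF=eth1
WAN_IF=wan0
LAN_NET=192.168.101.0/24
PIPE_ADDR=10.140.227.245/27      # eth1:0, $CIDR_MASK=27 as in the thread
PIPE_SNAT=10.140.227.245         # address the 10.140 side can route back to
PIPE_GW=10.140.227.225           # PLACEHOLDER: router on the 10.140 segment

# Destinations that must use the 10.140 pipe; everything else keeps the
# existing default route out wan0.
PIPE_NETS="10.140.0.0/16 10.141.0.0/16 10.142.0.0/16 151.193.141.0/24 162.92.160.0/24"

# With DRY_RUN=1 the commands are printed instead of executed, so the plan
# can be reviewed before it touches a live firewall.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One static route per pipe subnet: more specific than the default, so the
# kernel prefers it without any second default route.
route_cmd() {
    printf 'ip route add %s via %s dev %s' "$1" "$PIPE_GW" "$LAN_IF"
}

# SNAT LAN traffic bound for a pipe subnet to the eth1:0 address, because
# the 10.140 network has no route for 192.168.101.0/24.
snat_cmd() {
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -o %s -j SNAT --to-source %s' \
        "$LAN_NET" "$1" "$LAN_IF" "$PIPE_SNAT"
}

apply() {
    run ip addr add "$PIPE_ADDR" dev "$LAN_IF" label "${LAN_IF}:0"
    for net in $PIPE_NETS; do
        run $(route_cmd "$net")
        run $(snat_cmd "$net")
    done
    # Remaining non-LAN traffic: masquerade out the WAN link as before.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # Check: the kernel should pick the pipe for an address in one of the five subnets.
    run ip route get 10.141.0.1
}

# Print the plan when invoked as DRY_RUN=1 sh thisscript.sh
if [ "${DRY_RUN:-0}" = 1 ]; then
    apply
fi
```

Run it first with DRY_RUN=1 to read the generated commands; the final `ip route get` is the check that a destination inside the pipe subnets resolves via the 10.140 gateway while anything else still goes out wan0. Moving the 10.140 segment onto the spare NIC, as Martin suggests, needs only LAN_IF split into two variables and keeps the 192.168.101.0/24 hosts from seeing the other network's traffic at all.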