RE: Re: Routing/NAT question

Linux Advanced Routing and Traffic Control

Hi Tom -

I just set up a similar situation - for traffic coming from one or more subnets, route thru one path.  For everyone else, route through a different path.  You need to choose a different default route, based on where packets come from, right?

You will want to grab a copy of Alexy K's writeup on the new ip command set.  In the Red Hat distro, there's a postscript file in one of the subdirectories someplace.  I don't remember the exact path, but do a find for all *.ps files and you'll see it.  Print that .ps file on a postscript printer and you'll see tons of details on syntax.  Also take a close look at the advanced routing howto.

Here's how it works:

There are a bunch of routing tables, including the main and default tables.  Unless a packet is somehow flagged, it will route according to what these tables say.  So your question - wouldn't things get really confusing if you have more than one default route? - is absolutely valid.  

But - this is the cool part - you also have more than one table (I think up to 255 of them), and each table can have its own default route and other routing info.

So now the challenge is - how do you decide which table to use?  That's where fwmark comes in.  You can set up iptables rules to match pretty much anything relevant in a packet and apply a fwmark to it.  This is just some number that you make up.  Later on, you put in a rule (the ip rule command) that tells the kernel which table to use for each packet, based on the contents of the fwmark.  So if the fwmark is, say, 13, then you would route according to the rules of, say, table number 13.  Otherwise, just use the default tables.  (You can also edit a file to give a name to table number 13 if you want.)  And you can set up much more complex scenarios using source address, TCP/UDP port, IP protocol number, you name it.  

It's always 3 steps - first an iptables rule in the mangle table that associates some number with packets you care about, then an "ip rule" command that associates packets with the fwmark numbers you assigned earlier to the routing table you want.  And, of course, make sure each routing table is populated with the correct routes.  (ip route add . . .)

Note that there is nothing special about the number 13, and the table number doesn't have anything to do with the value of the fwmark.  I picked 13 and used that number in both places only because today is Friday, Sept. 13.  

- Greg Scott
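Greg's three steps (mangle MARK, "ip rule" on the fwmark, routes in the chosen table) written out as a script, using the five subnets Tom lists further down. This is an added example, not code from either poster; the interface eth2 and the gateway 10.140.227.225 are assumptions for the third NIC Tom says he has, not values from the thread. By default it only prints the commands (DRY_RUN=1); as root with DRY_RUN=0 it applies them.

```shell
#!/bin/sh
# Added example, not from the thread. Greg's three-step fwmark routing
# applied to Tom's subnet list. Assumptions (not from the thread):
#   PRIVATE_IF eth2            third NIC toward the 10.140.227.224/27 net
#   PRIVATE_GW 10.140.227.225  next hop on that /27
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (root).

MARK=13            # the fwmark; any number works
TABLE=13           # the routing table; independent of MARK, as Greg notes
LOCAL_NET="192.168.101.0/24"
INSIDE_IF="eth1"                  # local-net side, from Tom's diagram
PRIVATE_IF="eth2"                 # assumption
PRIVATE_GW="10.140.227.225"       # assumption
SUBNETS="10.140.0.0/16 10.141.0.0/16 10.142.0.0/16 151.193.141.0/24 162.92.160.0/24"

# Print a command, and execute it only when DRY_RUN=0.
run() {
    printf '%s\n' "$*"
    if [ "${DRY_RUN:-1}" = 0 ]; then
        "$@"
    fi
}

# Step 1: in the mangle table, mark forwarded packets from the local net
# that are headed for one of the listed subnets. PREROUTING sees forwarded
# traffic; locally generated traffic would need the same rule in OUTPUT.
step1_mark() {
    for net in $SUBNETS; do
        run iptables -t mangle -A PREROUTING -i "$INSIDE_IF" -s "$LOCAL_NET" \
            -d "$net" -j MARK --set-mark "$MARK"
    done
}

# Step 2: packets carrying the mark are routed with table $TABLE.
# (Optionally give the table a name by adding "13 privpipe" to
# /etc/iproute2/rt_tables, which is the file Greg refers to.)
step2_rule() {
    run ip rule add fwmark "$MARK" table "$TABLE"
}

# Step 3: populate the table. Only marked packets consult it, so a single
# default route toward the private pipe is enough; unmarked packets keep
# using the main table and its default route out wan0.
step3_routes() {
    run ip route add default via "$PRIVATE_GW" dev "$PRIVATE_IF" table "$TABLE"
    run ip route flush cache
}

# Verification: what the kernel actually holds (meaningful with DRY_RUN=0).
show() {
    run ip rule show
    run ip route show table "$TABLE"
}

step1_mark
step2_rule
step3_routes
```

Two things worth checking after applying it. First, since Tom's criterion is purely the destination prefix, five ordinary routes in the main table (`ip route add 10.140.0.0/16 via ... dev eth2` and so on) would select the pipe without any mark at all; fwmark earns its keep when the decision depends on source address, port or protocol, as Greg describes. Second, the SNAT/MASQUERADE rule for the internet should be restricted with `-o wan0`, otherwise packets leaving toward the private /27 get their source rewritten too.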



-----Original Message-----
From: Tom Diehl [mailto:tdiehl@rogueind.com]
Sent: Friday, September 13, 2002 11:58 AM
To: Martin A. Brown
Cc: lartc@mailman.ds9a.nl
Subject:  Re: Routing/NAT question


On Thu, 12 Sep 2002, Martin A. Brown wrote:

Hi Martin,

Thanks for responding.

> I presume the iptables firewall will SNAT any connection from any of these
> internal networks to the world.  Correct?

I think so, but please see below.

> In answer to your question, I assume that your 192.168.101.0/24 network
> and your 10.140.x.x networks are connected to the firewall on the same
> ethernet medium.  If this is so, then you and there is no missing detail,
> your first impression was correct:
> 
> You simply need to
> 
> # ip addr add 10.140.227.245/$CIDR_MASK dev eth1 label eth1:0

FYI $CIDR_MASK=27

> 
> (or use the traditional redhat ifcfg-eth1:0 technique)
> 
> and tell the internal machines that the default gateway is 10.140.227.245.
> 
> What you are doing here is using the same ethernet for two separate IP 
> networks.

Ok, but as I said in the diagram below my connection to the internet is on
wan0 via iptables and NAT. Will not 2 default routes confuse things? In addition
I only want traffic for 8 the following specific subnets routed down the 
10.140.x.x pipe. They are 10.140.0.0/16, 10.141.0.0/16, 10.142.0.0/16, 
151.193.141.0/24, 162.92.160.0/24. All other traffic should go out to the 
internet via wan0. 

Does this make sense?

> 
> If I were in your position I would absolutely add another interface for 
> security and network segregation purposes, but, strictly speaking, you do 
> not need to do so.

Network security issues are minimal because the 10.140.x.x is another private
network not connected to the internet. I tend to agree with you though that 
it is most likely worth doing just to keep the traffic segregated. IMO it is 
a cleaner solution and since I already have a 3rd unused nic in the machine
I will most likely configure it as you suggest.

I am sorry for not describing this better to start with. I wish I was better
at this kind of thing.

>  : Hi all,
>  : I have a strange setup I am trying to get working. Initially I thought 
>  : I could set it up by just setting up the correct routes. However after 
>  : thinking about it I have convinced myself (maybe incorrectly) that I 
>  : most likely need some sort of advanced NAT/routing setup. 
>  : 
>  : Below is a description of the networks involved:
>  : 
>  : Local net (192.168.101.0/24)
>  : 		|
>  : 		|
>  : Linux machine eth1 (192.168.101.5)---- eth1:0 (10.140.227.245)
>  : 		|
>  : 	Iptables NAT/firewall
>  : 		|
>  : Linux machine wan0 (This is a sangoma wanpipe with a routable ip address)
>  : 		|
>  : 		ISP
>  : 
>  : The 10.140.227.224/27 network is a private network that knows nothing
>  : about the 192.168.101.0/24 network and is not controlled by us.
>  : Previously they were run as 2 separate networks. What we are trying to
>  : do is to be able to install some custom software on the local net
>  : machines (the 192.168.101.0 net) and have 5 specific subnets send the
>  : traffic down the 10.140... net and the rest of the non 192.168....
>  : traffic out the wan0 interface. Currently the 192.168... net and the
>  : 10.140..... net are on the same wire. I could split them and put
>  : another interface in the linux box if necessary.
>  : 
>  : Is this possible? If so can someone point me in the right direction on how?
>  : Does this even make sense? If not please let me know and I will try to
>  : explain further. FWIW the linux box is a Red Hat 7.3 box with all of the latest
>  : updates.
>  : 
>  : Regards,
>  : 
>  : 
> 
> 

-- 
.............Tom	"Nothing would please me more than being able to 
tdiehl@rogueind.com	hire ten programmers and deluge the hobby market 
			with good software." -- Bill Gates 1976

   			We are still waiting ....

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

