Hello, see comments below

> > ##############################################################################
> > # Define routing rules
> > ##############################################################################
> >
> > #rules for packets coming in eth0 (LAN)
> > ip rule add iif eth0 to 204.x.x.0/24 lookup to-lan priority 100
> > ip rule add iif eth0 to 172.x.x.1/32 lookup main priority 110
>
> 172.x.x.1/32 -- I'd say just offhand that needs to be 172.x.x.1/24. Why
> 32?

The point of the .../32 is to specify a single unique ip address. /24 would specify the whole subnet of 254 addresses, and I don't want that. I could just as easily have said "ip rule add iif eth0 to 172.x.x.1 lookup main priority 110". The ip command will take it either way. If you want proof, look below at the second listing with "ip rule ls", or try it yourself. You will see that rule 110 is listed as a unique ip address.

> >
> > #catch all rule
> > ip rule add from 0.0.0.0/0 type blackhole lookup bit-bucket priority 500
> >
> > ##############################################################################
> > # Create routing tables referenced by rules above
> > # Note: the table names used below must exist in the
> > # /etc/iproute2/rt_tables file
> > ##############################################################################
> >
> > #to-lan table routes
> > ip route add default dev eth0 table to-lan
> >
> > #bit-bucket table routes
> > ip route add blackhole default table bit-bucket
> >
> > # Make rules/routes active
> > ip route flush cache
> >
> > # Enable IP forwarding since it is disabled by default
> > echo "1" > /proc/sys/net/ipv4/ip_forward
> >
> > # Enable automatic IP defragmenting since it is disabled by default
> > echo "1" > /proc/sys/net/ipv4/ip_always_defrag
> > #---------end script
> >
> > When I'm all done, an ip rule ls shows the following
> >
> > 0: from all lookup local
> > 100: from all to 204.x.x.0/24 iif eth0 lookup to-lan
> > 110: from all to 172.x.x.1 iif eth0 lookup main
> > 500: from all lookup bit-bucket blackhole
> > 32766: from all lookup main
> > 32767: from all lookup default
> >
> > So far so good. I can now hop over to orion and begin to test. I set
> > the default gw on orion to point to 172.x.x.1 and try to ping
> > 204.x.x.2 (our dns server), which answers back fine. So rule 100
> > is working and redirecting things to the cisco router on our 172
> > network which has that particular 204 network attached to it.
> >
> > But when I ping 172.x.x.1, cygnus' address, I get nothing. Hopping
> > over to cygnus' terminal and running tcpdump shows me that the packets
> > are indeed arriving but they aren't making it. As it ends up, they are
> > getting blackholed by rule 500 above. I know this because if I delete
> > rule 500 from the command line the ping starts getting responded to;
> > furthermore, if I delete rule 32766 after that, it quits again.
>
> I'd say this more or less confirms it.
>
> What does ip route ls show?

All ip route ls shows is my default routing table (main), the same thing you would see if you ran, say, the "route -n" command after executing "/etc/rc.d/init.d/network start". There are also two other tables, to-lan and bit-bucket, which each have a single default route in them, as you can see from the script above.

-Andrew
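A small simulator of the rule walk in the "ip rule ls" listing above, added here as an example and not taken from the thread. It assumes constructed stand-in addresses (203.0.113.0/24 for the masked 204 network, 172.16.0.1 for cygnus, 172.16.0.50 for orion) and a simplified view of what each table resolves; besides the two pings described, it also walks the reverse path, a packet cygnus generates itself, which carries no incoming interface and so reaches rule 500 before rule 32766.

```python
import ipaddress
import re
# Constructed stand-ins for the thread's masked addresses: 203.0.113.0/24
# (TEST-NET-3) plays the 204.x.x.0/24 network and 172.16.0.1 plays cygnus.
RULE_LS = """\
0: from all lookup local
100: from all to 203.0.113.0/24 iif eth0 lookup to-lan
110: from all to 172.16.0.1 iif eth0 lookup main
500: from all lookup bit-bucket blackhole
32766: from all lookup main
32767: from all lookup default
"""
LOCAL_ADDRS = {"172.16.0.1"}  # addresses the box itself owns (table 'local')
# Assumed outcome of a lookup in each other table: 'main' holds the usual
# default route, 'default' is empty, the two custom tables are as in the script.
TABLES = {"to-lan": "route", "bit-bucket": "blackhole", "main": "route", "default": None}
RULE_RE = re.compile(r"(\d+):\s+from (\S+)(?: to (\S+))?(?: iif (\S+))?"
                     r" lookup (\S+)(?: (blackhole))?$")

def parse_rules(text):
    """Turn `ip rule ls` output into selector dicts, in priority order."""
    rules = []
    for m in filter(None, map(RULE_RE.match, text.splitlines())):
        prio, src, dst, iif, table, action = m.groups()
        rules.append({"prio": int(prio),
                      "src": None if src == "all" else ipaddress.ip_network(src, strict=False),
                      "dst": ipaddress.ip_network(dst, strict=False) if dst else None,
                      "iif": iif, "table": table, "blackhole": action is not None})
    return rules

def first_match(rules, src, dst, iif=None):
    """Walk the rules as the kernel does: the first rule whose selector matches
    AND whose table resolves dst decides. iif=None means the box generated
    the packet itself. Returns (priority, verdict)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["src"] is not None and src not in r["src"]: continue
        if r["dst"] is not None and dst not in r["dst"]: continue
        if r["iif"] is not None and r["iif"] != iif: continue
        if r["blackhole"]:
            return r["prio"], "blackhole"
        if r["table"] == "local":
            if str(dst) in LOCAL_ADDRS:
                return r["prio"], "local"
            continue  # local table has no entry for dst: keep walking
        if TABLES.get(r["table"]):
            return r["prio"], TABLES[r["table"]]
    return None, "unreachable"
RULES = parse_rules(RULE_LS)
```

Dropping rule 500 from the list (as the thread does with "ip rule del") and re-running the reverse-path case shows the reply falling through to rule 32766 instead.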