Firewall.routing configuration problems

Linux Advanced Routing and Traffic Control

Hi,

I am trying to set up a linux box to act as a router for my college. There
are two different types of users; students and conference guests, and they
have IPs statically assigned by DHCP, from separate ranges (but they are on
the same subnet). The students go out onto an academic connection (via
eth0), and conference guests go out on an ADSL line (via eth3). eth1 and
eth2 are configured for internal use.

My question is this (and I'm not 100% sure if it's a firewall or routing
issue, hence the post to both mailing lists). I have some firewall rules in
place which direct packets out to a specific ethernet device, depending on
the IP that the packet is coming from. It will probably help if I define the
IPs, subnets and netmasks etc for the ethernet devices:

eth0      Link encap:Ethernet  HWaddr 00:14:22:09:FB:1A
          inet addr:192.168.100.253  Bcast:192.168.100.255  Mask:255.255.255.0

eth1      Link encap:Ethernet  HWaddr 00:04:23:BB:89:9C
          inet addr:192.168.7.253  Bcast:192.168.7.255  Mask:255.255.248.0

eth3      Link encap:Ethernet  HWaddr 00:14:22:09:FB:1B
          inet addr:192.168.20.253  Bcast:192.168.20.255  Mask:255.255.255.0

Students have an IP in the range 192.168.4.1-192.168.6.253, and conference
guests have an IP in the range 192.168.0.1-192.168.3.253. The firewall rules
for routing packets to the correct ethernet device (conference guests to
eth3 and students to eth0) are as follows:

	iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE -o eth3
	iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE -o eth3
	iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE -o eth3
	iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -j MASQUERADE -o eth3
	iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -j MASQUERADE -o eth0
	iptables -t nat -A POSTROUTING -s 192.168.5.0/24 -j MASQUERADE -o eth0
	iptables -t nat -A POSTROUTING -s 192.168.6.0/24 -j MASQUERADE -o eth0
	iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -j MASQUERADE -o eth0

(The 192.168.7.0 subnet is reserved for system devices).

The default gateway for the linux box itself is 192.168.100.254, which is
the same route as the students, and so, the student rules work fine, and
they get internet perfectly well. The problem arises with conference guests;
they do not seem to get internet access (they cannot access web pages, email,
etc), although if you try to go to a website like www.google.com, the
browser is able to determine the IP address of the website (I'm not 100%
sure if this is correct or not, and am currently not in a position to
check).

I have tried manually adding a route for each of the subnets, e.g.
	route add -net 192.168.0.0 netmask 255.255.255.0 dev eth3

But this does not seem to make any difference, even if I consequently remove
the default gateway too (the only difference that makes is that students
then lose internet access too!)

I have been advised by a friend that it could be a firewall configuration
issue, and that I need some rules to redirect incoming packets from eth3
back out on the correct interface, as at the moment they might be going from
eth3 to the default gateway. I'm not sure if this is the case, and even if
it were, I'm not sure how to construct rules to do this.

I'm sorry this is such a long post. Is anyone able to shed any light on this
situation? Any help would be *greatly* appreciated :)  If any other
information about the setup is needed, I will gladly provide it...

Many thanks,

Paul

---
Paul Lewis (paul.lewis@xxxxxxxxxxxxxxxxx)
JCR Computing Rep
St Anne's College
http://www.stannesjcr.org 
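The setup described in the post, worked through as an added example (this is not code from the post or from the LARTC project). The point it demonstrates: the `-o eth3` match in a POSTROUTING MASQUERADE rule only tests the interface the kernel's routing decision has already picked, so iptables cannot move guest traffic onto eth3; with a single default route via 192.168.100.254 everything leaves eth0, and the guest rules never fire. Source-based policy routing with `ip rule` and a second routing table is what selects the uplink; the NAT rules then match as intended. Assumed values that the post does not give: the ADSL gateway address on eth3 (`ADSL_GW`, shown as the placeholder 192.168.20.254) and the routing table number (100, chosen arbitrarily here).

```shell
#!/bin/sh
# Added example (not from the original post): source-based policy routing for
# the two-uplink router described above. netfilter's POSTROUTING "-o" match
# only tests the interface the routing decision has already chosen, so the
# MASQUERADE rules cannot steer guest traffic onto eth3; an "ip rule" that
# sends guest source ranges to a second routing table does that job.
#
# Assumptions (not stated in the post):
#   ADSL_GW    - the ADSL gateway on eth3; 192.168.20.254 is a PLACEHOLDER
#   ADSL_TABLE - routing table number 100, chosen arbitrarily here
# Usage:  sh policy-routing.sh show    (print the commands, changes nothing)
#         sh policy-routing.sh apply   (run them; requires root)

GUEST_NETS="192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24"
STUDENT_NETS="192.168.4.0/24 192.168.5.0/24 192.168.6.0/24 192.168.7.0/24"
ACADEMIC_IF=eth0
ADSL_IF=eth3
ADSL_GW=${ADSL_GW:-192.168.20.254}   # PLACEHOLDER: replace with the real ADSL gateway
ADSL_TABLE=100

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Routing: packets from the guest source ranges consult table $ADSL_TABLE,
# whose only default route points at the ADSL gateway. Everything else keeps
# using the main table and its 192.168.100.254 default, so students are
# unaffected.
setup_policy_routing() {
    run ip route flush table "$ADSL_TABLE"
    run ip route add default via "$ADSL_GW" dev "$ADSL_IF" table "$ADSL_TABLE"
    for net in $GUEST_NETS; do
        run ip rule add from "$net" lookup "$ADSL_TABLE" priority 1000
    done
    run ip route flush cache
}

# NAT: now that routing sends guest traffic out eth3, the "-o eth3" match
# fires and guests are masqueraded behind eth3's address instead of leaving
# eth0 with an untranslated private source (no "-o eth0" rule covers them).
setup_nat() {
    for net in $GUEST_NETS; do
        run iptables -t nat -A POSTROUTING -s "$net" -o "$ADSL_IF" -j MASQUERADE
    done
    for net in $STUDENT_NETS; do
        run iptables -t nat -A POSTROUTING -s "$net" -o "$ACADEMIC_IF" -j MASQUERADE
    done
}

# Kernel knobs: forwarding must be on. Loose reverse-path filtering on the
# uplinks is the usual precaution on a multi-homed router: strict mode drops
# any packet whose reverse lookup does not point back at the arriving
# interface, which is easy to trip once a second uplink exists.
setup_sysctl() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf."$ADSL_IF".rp_filter=2
    run sysctl -w net.ipv4.conf."$ACADEMIC_IF".rp_filter=2
}

case "${1:-}" in
    show)  DRY_RUN=1; setup_sysctl; setup_policy_routing; setup_nat ;;
    apply) setup_sysctl; setup_policy_routing; setup_nat ;;
esac
```

Run it with `show` first and check the generated `ip rule` and `ip route ... table 100` lines against the real ADSL gateway before using `apply`. After applying, `ip rule show` should list one `from 192.168.N.0/24 lookup 100` entry per guest subnet, and `ip route show table 100` should show only the ADSL default; if guests still get no further than DNS, `tcpdump -ni eth3` on the router shows whether their packets are now leaving the right interface with the masqueraded source.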




_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
