Re: 2 NICs Bridge + Router

Linux Advanced Routing and Traffic Control

On 06/04/07 11:28, William Bohannan wrote:
Works well except I cannot for the life of me get NAT working.  I have
the following setup:

Good.

### Network Interface script
# /etc/init.d/network/interfaces
auto lo
iface lo inet loopback

auto br0
iface br0 inet static
address 193.xxx.xxx.77
netmask 255.255.255.128
network 193.xxx.xxx.0
broadcast 193.xxx.xxx.127
gateway 193.xxx.xxx.126

pre-up /sbin/ip link set eth0 up
pre-up /sbin/ip link set eth1 up
pre-up /usr/sbin/brctl addbr br0
pre-up /usr/sbin/brctl addif br0 eth0
pre-up /usr/sbin/brctl addif br0 eth1

What would happen if you added additional address, netmask, network, broadcast, and gateway lines? Would that allow you to have aliases defined in this manner, or would it simply override the existing settings?

### Simple script to start at boot
# /etc/init.d/brouter.init
echo "Bringing up NAT"
ip addr add 10.10.1.254/24 dev br0
iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
route add -net -n 0.0.0.0 dev br0
#enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Hum, this looks like you will be MASQUERADEing any and all traffic that leaves br0. I'm betting that you are MASQUERADEing some traffic that you do not want to MASQUERADE.

Please advise.

You need to selectively MASQUERADE traffic that is leaving your br0 interface. I.e. MASQUERADE any traffic that is leaving your network headed to the world.

You can accomplish this a couple of different ways (possibly more).

1) MASQUERADE any traffic that is not destined to your internal network. In other words MASQUERADE any traffic that is leaving your network. I.e.

iptables -t nat -A POSTROUTING -o br0 -d ! 10.10.1.0/24 -j MASQUERADE

(If I have that IPTables syntax correct.  You get the idea.)

2) MASQUERADE any traffic that is leaving the physical interface that is facing the internet via the physdev IPTables match extension. (Sorry, I have no experience with this option.)

Personally, I would try to do it based on destination IP address rather than physical interface for various reasons that are not really pertinent here.



Grant. . . .
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
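The match behaviour discussed above, as an added example that is not part of this thread: a small Python model of the nat POSTROUTING decision for three rule variants (William's original catch-all, Grant's option 1, and option 1 tightened with a -s match on the internal network), run over constructed flows. 192.0.2.0/25 and 192.0.2.77 are constructed stand-ins for the masked public /25 and the router's br0 address, 198.51.100.9 for an Internet host; the model only decides match versus no match and says nothing about which source address MASQUERADE would pick.

```python
# Model of the nat POSTROUTING decision for the brouter in this thread.
# Constructed example, not netfilter itself: 192.0.2.0/25 stands in for the
# masked public 193.xxx.xxx.0/25, 192.0.2.77 for the router's br0 address.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
INTERNAL = "10.10.1.0/24"

@dataclass(frozen=True)
class Rule:
    out_if: str                 # -o
    src: str = ""               # -s CIDR, "" = any source
    dst: str = ""               # -d CIDR, "" = any destination
    dst_negated: bool = False   # "-d !" in the 2007 syntax, "! -d" today

    def matches(self, out_if, src, dst):
        if out_if != self.out_if:
            return False
        if self.src and ip_address(src) not in ip_network(self.src):
            return False
        if self.dst:
            in_dst = ip_address(dst) in ip_network(self.dst)
            if in_dst == self.dst_negated:   # negation flips the sense
                return False
        return True

# The POSTROUTING variants discussed; each chain holds one MASQUERADE rule.
RULESETS = {
    "catch-all (original)": [Rule("br0")],
    "option 1 (-d ! internal)": [Rule("br0", dst=INTERNAL, dst_negated=True)],
    "tightened (-s internal -d ! internal)":
        [Rule("br0", src=INTERNAL, dst=INTERNAL, dst_negated=True)],
}

# Constructed flows (src, dst), all leaving the brouter via br0.
FLOWS = {
    "internal host -> Internet": ("10.10.1.5", "198.51.100.9"),
    "internal host -> public host on the bridge": ("10.10.1.5", "192.0.2.80"),
    "public host -> internal host (forwarded)": ("192.0.2.80", "10.10.1.6"),
    "router itself -> internal host": ("10.10.1.254", "10.10.1.6"),
    "router itself -> Internet": ("192.0.2.77", "198.51.100.9"),
}

def masqueraded(ruleset, src, dst, out_if="br0"):
    """First matching rule wins; no match means the packet leaves untranslated."""
    return any(r.matches(out_if, src, dst) for r in ruleset)
if __name__ == "__main__":
    for name, rules in RULESETS.items():
        print(name)
        for flow, (s, d) in FLOWS.items():
            print(f"  {'MASQUERADE' if masqueraded(rules, s, d) else 'untouched':<10} {flow}")
```

The catch-all translates every flow, including the router's own packets to internal hosts and forwarded public-to-internal traffic, while option 1 leaves anything destined for 10.10.1.0/24 alone.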
