RE: Question about masquerade more than one internal network

That's because you're referring to the wrong interface. Ipchains wants
to know the interface through which the traffic will be leaving. That is
the traffic it must masquerade. In this case:

(assuming interface eth1 has IP 200.40.10.35)
/sbin/ipchains -A forward -i eth1 -s 192.168.0.0/16 -j MASQ

Which says: all traffic coming from (192.168.0.0 to 192.168.255.255)
that according to the routing tables will be leaving the box at
interface eth1, will be masqued. 

The sentence below: "Users should also understand that IP Masquerading
will only work out a physical interface such as eth0, eth1, etc." says
*out* a physical interface; your traffic is coming in at an aliased
interface, so there's no problem there.

Serge.
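An added illustration of Serge's point, not code from the thread or from any of its authors: a small POSIX shell helper that builds the ipchains MASQ rule against the physical egress interface and rejects an aliased name such as eth0:1, which the HOWTO quoted below says will not work. The interface names and networks are constructed for the example, and the script only prints the commands rather than applying them (ipchains itself needs root and a 2.2-series kernel).

```shell
#!/bin/sh
# Added example, not from the original thread. Interface names and
# networks are constructed for illustration.

# egress_iface NAME: strip an alias suffix (eth0:1 -> eth0). Masquerading
# happens on the physical device the packet leaves through, so a rule
# written against an alias name never matches anything.
egress_iface() {
    printf '%s\n' "${1%%:*}"
}

# is_alias NAME: succeed if NAME carries an alias suffix such as eth0:1
is_alias() {
    case "$1" in
        *:*) return 0 ;;
        *)   return 1 ;;
    esac
}

# masq_rule IFACE SRC_NET: print the ipchains command that masquerades
# SRC_NET leaving via IFACE. Fails (exit 1) if IFACE is an alias.
masq_rule() {
    iface=$1
    src=$2
    if is_alias "$iface"; then
        echo "error: $iface is an alias; masquerade out $(egress_iface "$iface") instead" >&2
        return 1
    fi
    printf '/sbin/ipchains -A forward -i %s -s %s -j MASQ\n' "$iface" "$src"
}

# masq_rules IFACE NET...: one rule per internal segment, for when the
# private networks do not aggregate cleanly into a single prefix.
masq_rules() {
    iface=$1
    shift
    for net in "$@"; do
        masq_rule "$iface" "$net" || return 1
    done
}

# Dry run: the aggregate rule from Serge's reply, the per-segment form,
# and the alias mistake the HOWTO warns about.
masq_rule eth1 192.168.0.0/16
masq_rules eth1 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 192.168.4.0/24
masq_rule eth0:1 192.168.2.0/24 || true
```

The important detail is the interface argument: it names where masqueraded traffic leaves the box (the external interface, eth1 here), not the aliased interface the private segments arrive on.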

-----Original Message-----
From: Charrua [mailto:charrua@kernel.net.uy]
Sent: Friday 15 June 2001 22:03
To: 'Tuan Hoang'
Cc: 'linux-net@vger.kernel.org'
Subject: RE: Question about masquerade more than one internal network 


Ok thanks, but I think that this is not possible, read the next lines
from "the linux masquerade howto":

7.26 ( IP Aliasing ) - Can IP Masquerade work with only ONE Ethernet
network card?
Yes and no. With the "IP Alias" kernel feature, users can setup multiple
aliased interfaces such as eth0:1, eth0:2, etc but it is NOT recommended
to use aliased interfaces for IP Masquerading. Why? Providing a secure
firewall becomes very difficult with a single NIC card. In addition to
this, you will experience an abnormal amount of errors on this link since
incoming packets will almost simultaneously be sent out at the same time.
Because of all this and NIC cards now cost less than $10, I highly
recommend to just get a NIC card for each MASQed network segment.
Users should also understand that IP Masquerading will only work out a
physical interface such as eth0, eth1, etc. MASQing out an aliased
interface such as "eth0:1, eth1:1, etc" will NOT work. In other words,
the following WILL NOT WORK:
* /sbin/ipfwadm -F -a m -W eth0:1 -S 192.168.0.0/24 -D 0.0.0.0/0
* /sbin/ipchains -A forward -i eth0:1 -s 192.168.0.0/24 -j MASQ"

What do you think about this?

Thanks,

Andrés


> -----Original Message-----
> From:	Tuan Hoang [SMTP:tuan@optimus.mitre.org]
> Sent:	Friday, June 15, 2001 03:28 PM
> To:	Charrua
> CC:	'linux-net@vger.kernel.org'
> Subject:	Re: Question about masquerade more than one internal network
> 
> 
> Using IP aliasing should work.
> Only gotcha is all networks must run into the same hub.
> Also you'll need to add the appropriate ipchains rules yourself.
> 
> Just run the following on your box (provided your netmask is /24):
>   ifconfig eth0:0 192.168.2.x netmask 255.255.255.0 broadcast 192.168.2.255
>   ifconfig eth0:1 192.168.3.x netmask 255.255.255.0 broadcast 192.168.3.255
>   ifconfig eth0:2 192.168.4.x netmask 255.255.255.0 broadcast 192.168.4.255
> 
> Tuan
> 
> 
> On Fri, 15 Jun 2001, Charrua wrote:
> 
> > > Hi, I'm presently using one PC with Linux to masquerade an Internet
> > > connection. My current situation is:
> > >
> > > Real IP ----------- Linux -------------- Private Network
> > > 200.40.10.35			192.168.1.0
> > >
> > > I now need to do it in the following way:
> > >
> > > Real IP ----------- Linux -------------- Private network
> > > 200.40.10.35			192.168.1.0
> > > 				192.168.2.0
> > > 				192.168.3.0
> > > 				192.168.4.0
> > >
> > > As far as I know, from what I have read, to do this I have to add to
> > > the Linux box a network card for each sub-network (which means I would
> > > have to place 4 additional network cards).
> > > Is there any form of doing this with only one network card?
> > > If ipchains is the only way, could I do it with iptables?
> > >
> > > Thanks for your help,
> > >
> > > Andrés
> > >
> > >
> > -
> > : send the line "unsubscribe linux-net" in
> > the body of a message to majordomo@vger.kernel.org
> >
> 
> -- 
> Tuan Hoang
> The MITRE Corporation
> tuan@optimus.mitre.org
> 