On Sun, 2004-01-25 at 13:53, William Knop wrote:
> Okay, the problem is that we don't want to do nat (as I said in my
> original plea for help). We need external ips on all of the machines.
> Additionally, the ISP's DHCP server specifies its own gateway, so I
> can't do normal routing, without spoofing the gateway's address and
> doing all sorts of ugly stuff (please correct me if I'm wrong).
>
> I was under the impression one could have iptables drop a packet from
> the prerouting or brouting table and it would go through the machine's
> routing table, without being specified on all the lan machines as the
> gateway.
>
> The physical layout we have are a bunch of boxes connected to a
> switch, and the dsl modem connected to the switch's uplink port. I
> could have the modem jack into a firewall box, or something, however
> the linux ethernet bridge seems to do very odd things to arps, and
> also iptables. Would bridging be necessary?
>
> <snip>

This may not be as bad as it sounds and it may be a netfilter issue.
Looking at the topology, I would assume that there are several devices
on the same public subnet connected through the switch to the DSL modem,
in which case they should talk to each other directly on that subnet
without sending the data across the DSL modem. But am I correct to
understand that even though these devices share the same switch and the
same DSL modem that they are allocated public addresses out of different
IP subnets?

If that is the case, the best solution is to install a second NIC into
each device and create a separate private network as already suggested.
Barring that, you can create a second, logical network on the same
media. Use iproute2 to bind a second address to each of the public
interfaces. These will all come from the same subnet and should be able
to communicate with each other. Just be sure to use the secondary
address when sending data between those devices.

    # one command per box; eth0 stands for that box's public interface
    ip address add 192.168.1.4/24 dev eth0    # first box
    ip address add 192.168.1.5/24 dev eth0    # second box
    ip address add 192.168.1.6/24 dev eth0    # third box
    . . . etc.

This is a bit dangerous as these devices are still publicly exposed and
the ISP may allow traffic on RFC1918 addresses on their internal
networks, so you may want to tightly secure the devices even for traffic
from these "private" addresses using iptables. This is the sort of setup
that we use on our internal routers to participate in the worldwide VPN
project (http://www.worldwidevpn.com).

Good luck - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@xxxxxxxxxxxxx
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
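The secondary-address setup and the iptables lock-down that John recommends, put together as an added example (not code from the post or from any project it mentions). The interface name, the 192.168.1.0/24 addresses and the peer list are assumed; by default it only prints the commands it would run.

```shell
#!/bin/sh
# Bind an RFC1918 secondary address to the public interface and only trust
# the named peers on that logical private network. Any other packet with an
# RFC1918 source arriving on the public wire (e.g. passed through by the ISP)
# is dropped. DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them
# and needs root. Interface and addresses below are assumed placeholders.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# secondary_net IFACE OWN_ADDR/PREFIX PEER...
secondary_net() {
    iface="$1"; own="$2"; shift 2
    # The connected route that iproute2 creates for this prefix carries
    # src=$own, so traffic to the other boxes uses the secondary address.
    run ip address add "$own" dev "$iface" label "${iface}:priv"
    # Dedicated chain: accept the known peers, drop every other private source.
    run iptables -N PRIVNET
    for peer in "$@"; do
        run iptables -A PRIVNET -s "$peer" -j ACCEPT
    done
    run iptables -A PRIVNET -j DROP
    # Send all RFC1918-sourced packets on the public interface through it.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        run iptables -A INPUT -i "$iface" -s "$net" -j PRIVNET
    done
}

# Example for the first box: its own secondary address plus two peers.
secondary_net eth0 192.168.1.4/24 192.168.1.5 192.168.1.6
```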