Three NICs, three LANs, only one must be MASQued

Hi, everyone. I decided to write to the list because, frankly, I've been overwhelmed by this problem, and I couldn't find any previously solved similar issue.
Here's the scenario:
I manage a network with a proxy server (running SQUID and IPTABLES, kernel 2.4.18-14) which used to have two NICs, with both networks attached to those NICs using public IP addresses. Recently, we had to put a third NIC in the proxy, with private reserved (10.0.0.x) addresses. So, we had to masquerade all the traffic from the two "internal" networks. Here's the diagram:


     INTERNET
            |                              (public IPs network(A))
            |                             /
(corporative LAN)-----(proxy)<
                                          \
                                           (private IPs network(B))

So far, so good, but the point is that I need the servers in the (A) network to maintain their IPs, since they're well known on the net. And we also need the hosts in the (B) network to be masqued, since their IPs cannot be routed over the internet.
My questions are:
a) Is there any way to masquerade only the (B) network? Currently, I have a line like this in the *nat section of the /etc/sysconfig/iptables file:
-A POSTROUTING -o eth0 -j MASQUERADE
b) Is there any better way to do this?


OK, I think you'll get it better if I post the iptables script, so here it goes:

Remarks: 163.10.5.75 is the outer interface (eth0), 163.10.7.126 is the NIC of the "public" inner network, and 10.0.0.1 is the address of the "private" inner network.

# Generated by iptables-save v1.2.6a on Tue Feb 3 11:44:12 2004
*nat
:PREROUTING ACCEPT [28330:2376442]
:POSTROUTING ACCEPT [2964:192723]
:OUTPUT ACCEPT [22208:1482370]
-A PREROUTING -d ! 163.10.5.75 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
#-A PREROUTING -s 163.10.7.114 -i eth1 -p tcp -m tcp -j ACCEPT
-A PREROUTING -d ! 163.10.5.75 -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Feb 3 11:44:12 2004
# Generated by iptables-save v1.2.6a on Tue Feb 3 11:44:12 2004
*filter
:INPUT ACCEPT [475802:357605367]
:FORWARD ACCEPT [14845:1895096]
:OUTPUT ACCEPT [1360638:579882577]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i eth2 -j ACCEPT
COMMIT


I forgot to mention that I forward all traffic from the inner interfaces to port 80 to port 3128 (SQUID).

Any suggestions will be very welcome.

Oh, and finally, sorry about my English, I learned it by post, and I managed to choose the worst time to do so, since the postmen were on strike... ;-)

                   Luis Hernán Otegui
                 Network Administrator
            Facultad de Ciencias Exactas
                             UNLP
----------------------------------------------------
GNU-GPL: "May The Source Be With You..."
----------------------------------------------------
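One way to check question (a) mechanically, as an added example that is not part of the original post: a small Python checker that reads an iptables-save *nat table, flags POSTROUTING MASQUERADE rules that carry no source match (and therefore NAT network (A) as well), and rewrites them so only network (B) is masqueraded. The embedded dump is the one posted above; treating network (B) as 10.0.0.0/24 is an assumption.

```python
import shlex

# Constructed sample input: the *nat table from the post above.
NAT_DUMP = """\
*nat
:PREROUTING ACCEPT [28330:2376442]
:POSTROUTING ACCEPT [2964:192723]
:OUTPUT ACCEPT [22208:1482370]
-A PREROUTING -d ! 163.10.5.75 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -d ! 163.10.5.75 -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

PRIVATE_NET = "10.0.0.0/24"  # assumption: network (B) behind 10.0.0.1 is a /24


def parse_rules(dump):
    """Return (chain, tokens) for every '-A' line of an iptables-save table."""
    rules = []
    for line in dump.splitlines():
        if line.startswith("-A "):
            toks = shlex.split(line)
            rules.append((toks[1], toks))
    return rules


def unscoped_masquerade(dump):
    """POSTROUTING MASQUERADE rules with no -s/--source match: these rewrite
    every packet leaving the interface, so network (A) is NATed as well."""
    return [" ".join(toks) for chain, toks in parse_rules(dump)
            if chain == "POSTROUTING" and "MASQUERADE" in toks
            and not {"-s", "--source"} & set(toks)]


def scope_rule(rule, src_net):
    """Add a source match right after the chain name so only src_net is NATed."""
    toks = shlex.split(rule)
    return " ".join(toks[:2] + ["-s", src_net] + toks[2:])


def fix_dump(dump, src_net=PRIVATE_NET):
    """Return the dump with each unscoped MASQUERADE rule limited to src_net."""
    bad = set(unscoped_masquerade(dump))
    out = []
    for line in dump.splitlines():
        if line.startswith("-A ") and " ".join(shlex.split(line)) in bad:
            line = scope_rule(line, src_net)
        out.append(line)
    return "\n".join(out) + "\n"
```

Loading the rewritten dump with iptables-restore gives the behaviour asked for in (a): only 10.0.0.x sources are masqueraded on eth0, and network (A) keeps its public addresses.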




