Grant,
Below is my existing config:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i ! eth1 -j ACCEPT
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 69 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 953 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-net-prohibited
-A INPUT -j DROP
-A FORWARD -s 192.168.10.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.10.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 192.168.11.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.11.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 192.169.10.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.169.10.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 212.119.xxx.104/255.255.255.248 -j ACCEPT
-A FORWARD -d 212.119.xxx.104/255.255.255.248 -j ACCEPT
-A FORWARD -s 212.119.xxx.112/255.255.255.248 -j ACCEPT
-A FORWARD -d 212.119.xxx.112/255.255.255.248 -j ACCEPT
# <<<< new entry
-A FORWARD -s 192.168.3.0/255.255.255.192 -d 212.119.xxx.104/255.255.255.248 -j ACCEPT
# <<<< new entry
-A FORWARD -d 192.168.3.0/255.255.255.192 -s 212.119.xxx.104/255.255.255.248 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -p icmp -m limit --limit 1/s -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A OUTPUT -p udp -m state --state NEW -m udp --dport 69 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
-A OUTPUT -p udp -j REJECT --reject-with icmp-net-prohibited
-A OUTPUT -j DROP
#
COMMIT
# Completed on Thu Dec 23 08:44:33 2004
# Generated by iptables-save v1.2.8 on Thu Dec 23 08:44:33 2004
*nat
:PREROUTING ACCEPT [77:4447]
:POSTROUTING ACCEPT [85:7701]
:OUTPUT ACCEPT [85:7701]
#
-A PREROUTING -s 192.168.10.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -s 192.168.11.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -s 192.169.10.0/255.255.255.0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -s 192.168.10.0/255.255.255.0 -j SAME --nodst --to 212.119.xxx.113-212.119.xxx.114
-A POSTROUTING -s 192.168.11.0/255.255.255.0 -j SAME --nodst --to 212.119.xxx.115-212.119.xxx.116
-A POSTROUTING -s 192.169.10.0/255.255.255.0 -j SAME --nodst --to 212.119.xxx.117-212.119.xxx.118
COMMIT
thanks,
wennie
----- Original Message -----
From: "Taylor, Grant" <gtaylor@xxxxxxxxxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Tuesday, May 31, 2005 9:31 AM
Subject: Re: routing within same nic card
Presently I have 2 NIC cards;
eth1 = 212.119.xxx.98/30 directly connected to internet
eth0 = 212.119.xxx.105/29 connected to LAN, with this setup everything is
working fine
Now I need to add another network; since I cannot add another NIC card,
my solution is like this:
eth1 = 212.119.xxx.98/30 directly connected to internet
eth0 = 212.119.xxx.105/29 connected to LAN1
eth0:1 = 192.168.3.0/26 connected to LAN2
This seems reasonable enough.
I have already done the 3 lines below:
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -s 192.168.3.0/26 -d 212.119.xxx.104/29 -j ACCEPT
iptables -A FORWARD -s 212.119.xxx.104/29 -d 192.168.3.0/26 -j ACCEPT
This should also work as it allows traffic between the 192.168.3.0/26 and
212.119.xxx.104/29 networks. I would need to see the contents of your nat
table POSTROUTING chain to make sure that you would not be NATing traffic
that you would not want. Other than that I don't think you would have any
problems. Seeing as how you are not filtering based on interface I don't
think you will have any issues with it.
Grant. . . .
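An added example (my own, not code from the thread) that walks the FORWARD and nat POSTROUTING chains from the config above for a given source/destination pair, which is the POSTROUTING check Grant asks for; it reports the first rule that decides each chain, so you can see which rule actually forwards LAN2 traffic and whether that traffic is NATed. The redacted 212.119.xxx octets are replaced by the TEST-NET prefix 198.51.100, an assumption.

```python
import ipaddress

# Stand-in for the redacted "212.119.xxx" octets in the thread (constructed).
PUB = "198.51.100"

# FORWARD chain in the order posted; only -s / -d / -j are modelled.
FORWARD = [
    ("192.168.10.0/24", None, "ACCEPT"), (None, "192.168.10.0/24", "ACCEPT"),
    ("192.168.11.0/24", None, "ACCEPT"), (None, "192.168.11.0/24", "ACCEPT"),
    ("192.169.10.0/24", None, "ACCEPT"), (None, "192.169.10.0/24", "ACCEPT"),
    (f"{PUB}.104/29", None, "ACCEPT"),   (None, f"{PUB}.104/29", "ACCEPT"),
    (f"{PUB}.112/29", None, "ACCEPT"),   (None, f"{PUB}.112/29", "ACCEPT"),
    ("192.168.3.0/26", f"{PUB}.104/29", "ACCEPT"),   # new entry
    (f"{PUB}.104/29", "192.168.3.0/26", "ACCEPT"),   # new entry
]
FORWARD_POLICY = "DROP"

# nat POSTROUTING chain: three source-only matches with the SAME target.
POSTROUTING = [
    ("192.168.10.0/24", None, "SAME"),
    ("192.168.11.0/24", None, "SAME"),
    ("192.169.10.0/24", None, "SAME"),
]
POSTROUTING_POLICY = "ACCEPT"

def _matches(rule, src, dst):
    s, d, _ = rule
    return ((s is None or src in ipaddress.ip_network(s)) and
            (d is None or dst in ipaddress.ip_network(d)))

def walk(chain, policy, src, dst):
    """First-match evaluation: (rule index, target), or (None, policy)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, rule in enumerate(chain):
        if _matches(rule, src, dst):
            return i, rule[2]
    return None, policy

def verdict(src, dst):
    """(index of the deciding FORWARD rule, verdict, source gets NATed?)."""
    idx, fwd = walk(FORWARD, FORWARD_POLICY, src, dst)
    _, nat = walk(POSTROUTING, POSTROUTING_POLICY, src, dst)
    return idx, fwd, nat == "SAME"

if __name__ == "__main__":
    for src, dst in [("192.168.3.10", f"{PUB}.106"), ("192.168.3.10", "8.8.8.8"),
                     ("192.168.10.5", "8.8.8.8")]:
        print(src, "->", dst, verdict(src, dst))
```

The index returned for LAN2 traffic shows that an earlier destination-only rule already decides it before the two new entries are reached, and that no POSTROUTING rule touches it.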