Derick:

Thanks very much for your response. However, as I mentioned in my previous email, box A and C have 2 interfaces. Issue here is that any packet coming in on Eth2/Eth3 for 192.168.0.x needs to be routed to Eth2/Eth3 only, not to Eth1 (which is the local interface). For example, if Box C pings Box A on 192.168.0.1, Box B intercepts that because it has 192.168.0.1 as its local interface and starts to respond back to Box C.

Thanks
Dave

--- Derick Anderson <danderson@xxxxxxxxx> wrote:

> If the drawing is messed up I apologize - Outlook doesn't seem to like
> plain-text stuff.
>
> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Derick
> Anderson
> Sent: Thursday, August 04, 2005 1:01 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: RE: Help needed for a box with 4 Ethernet Interfaces
>
> Wow. First, let's give some names to each box so we both know which one
> I'm referring to. The box (box "B" in your diagram) with 4 interfaces is
> your router. Boxes A, C, and D will be called "internal boxes" as a
> group.
>
> You must realize that you can't set up interfaces on your router with
> the same IP address. If you want Box A to connect to Box B, /through/
> the router (rather than say, through a hub), then you must either
> separate the subnets or bridge the two interfaces.
>
> Secondly, each of your internal boxes must use the same subnet as the
> interface they connect to. For example, according to your diagram, Box C
> has an address of 192.168.0.2, and is attempting to connect to
> 21.21.21.9. Unless your netmask (usually 255.255.255.0) is 0.0.0.0, Box
> C will not be connecting to your router by design.
>
> Third, a loopback interface is not a physical interface, it is a virtual
> one and is set to 127.0.0.1 (as I recall the entire 127.0.0.0/8 network
> is reserved for it). Your box cannot function as a "loopback interface."
>
> Now as to your goals - can I ask what exactly you are trying to do? In
> order to separate each of these boxes, I'll redo your diagram for you:
>
>                              ----------------
>                          ----|    Box D     |
>      172.16.6.10         |   |192.168.0.1/24|
>                          |   |              |
>      Mgmt Port<----------|   |              |
>                          |    ----------------
>                          |          | 192.168.0.1      192.168.0.2
>                     Eth0 |          | Eth1 (for internal network)
> ------------             ------------               ------------
> |  Box A   |_____________|  Box B   |_______________|  Box C   |
> |          | Eth2        |          | Eth3          |          |
> ------------ 10.1.1.0/24 ------------ 21.21.21.0/24 ------------
>     10.1.1.1             10.1.1.1   21.21.21.1      21.21.21.2
>
> This will allow your boxes (given the correct routing tables on your
> router) to actually communicate with the router. You can then use
> iptables to decide which packets can go where. For (a partial) example:
>
> $IPT -P FORWARD DROP
> $IPT -A FORWARD -i eth2 -o eth3 -j ACCEPT
> $IPT -A FORWARD -i eth3 -o eth2 -j ACCEPT
> $IPT -A FORWARD -i eth0 -j ACCEPT
> $IPT -A FORWARD -o eth0 -j ACCEPT
>
> So what you are doing here is accepting packets that are coming [i]nto
> eth2 and going [o]ut eth3, into eth3 and out eth2, and anything destined
> to go in or out eth0 (determined by your routing tables) will be
> allowed.
>
> You could (and should) use iptables to ensure that the appropriate IPs
> are going out the appropriate interfaces, in addition to the proper
> ports, but there's a bunch of neat guides on www.netfilter.org you
> should look at before doing too much on your own. You should also
> consider learning a lot more about networking.
>
> Hope that helps, and if I missed anything here someone will point it out
> (that's my money-back guarantee).
>
> Derick Anderson
>
>
> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx
> [mailto:netfilter-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Dave Johnson
> Sent: Thursday, August 04, 2005 12:12 PM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Help needed for a box with 4 Ethernet Interfaces
>
> Hi All:
> I need help to setup my box with some complicated configuration.
>
> I have a box with 4 Ethernet Interfaces:
>
> Eth0: 172.16.6.10
> Eth1: 192.168.0.1/24
> Eth2: 10.1.1.0/24 ------> Connected to a box A with an IP address
> of 192.168.0.2
> Eth2: 21.21.21.9/24 ------> Connected to a box C with an IP address
> of 192.168.0.1 (which is
> same as IP address of Eth1)
>
> Loopback Interface: 192.168.0.3
>
>                              ----------------
>                          ----|    Box D     |
>      172.16.6.10         |   |              |
>                          |   |              |
>      Mgmt Port<----------|   |              |
>                          |    ----------------
>                          |          | 192.168.0.1      192.168.0.2
>                     Eth0 |          | Eth1 (for internal network)
> ------------             ------------               ------------
> |  Box A   |_____________|  Box B   |_______________|  Box C   |
> |          | Eth2        |          | Eth3          |          |
> ------------ 10.1.1.0/24 ------------ 21.21.21.9/24 ------------
>  192.168.0.1               192.168.0.3              192.168.0.2
>
> Here is what I want to do:
> Packets from Eth2 should only go to Eth3 except the ones destined to
> Eth0's IP.
> Packets from Eth3 should only go to Eth2 except the ones destined to
> Eth0's IP.
> Local packets destined for Eth1's ip and its subnet should be forwarded
> via Eth1 only.
> Packets from Eth1 can only be directed to Eth0.
>
> This will allow me to ping Box A (192.168.0.1) from Box C (192.168.0.2)
> without getting a response from Box B who has local interface with
> address 192.168.0.1.
>
> Basically I want to isolate interfaces in 2 groups:
> One with Eth0, Eth2 and Eth3
> Second with Eth0 and Eth1.
>
> I tried IPtables and multiple routing tables but it did not work. I
> think I need some directions as to how would this even be possible.
>
> Thanks
>
> Dave.
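One way to turn the FORWARD policy the thread arrives at into a complete script, added here as an example and not code from the thread. It assumes the hosts have been moved onto the separate subnets of Derick's redrawn diagram, that the interface names are eth0 to eth3, and that the iptables state match is available; the conntrack rule for replies and the per-pair rendering of Derick's eth0 rules are additions.

```shell
#!/bin/sh
# Added example, not from the thread: a default-deny FORWARD policy for
# Derick's re-subnetted diagram (eth2 <-> eth3, everything <-> eth0, eth1
# only to eth0). Packets addressed to the router's own interface IPs are
# handled by the INPUT chain, not FORWARD, so they are out of scope here.
IPT="${IPT:-iptables}"   # set IPT="echo iptables" for a dry run

# Permitted in:out interface pairs. The eth1-only-to-eth0 restriction is
# taken from Dave's stated goals; the rest mirrors Derick's partial rules.
ALLOWED_PAIRS="eth2:eth3 eth3:eth2 eth0:eth1 eth0:eth2 eth0:eth3 eth1:eth0 eth2:eth0 eth3:eth0"

# allowed_pair IN OUT: succeeds when the policy permits forwarding IN -> OUT.
allowed_pair() {
    for pair in $ALLOWED_PAIRS; do
        [ "$pair" = "$1:$2" ] && return 0
    done
    return 1
}

# apply_forward_rules: flush FORWARD, drop by default, then accept one
# rule per permitted pair. Replies ride on conntrack state (an assumed
# addition, not in the thread), so only the initiating direction needs a
# pair rule and nothing can open a flow in a direction the policy forbids.
apply_forward_rules() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for pair in $ALLOWED_PAIRS; do
        in_if="${pair%%:*}"
        out_if="${pair##*:}"
        $IPT -A FORWARD -i "$in_if" -o "$out_if" -m state --state NEW -j ACCEPT
    done
}

# count_pair_rules: number of per-pair ACCEPT rules a dry run emits.
count_pair_rules() {
    (IPT="echo iptables"; apply_forward_rules) | grep -c -e '-i eth'
}

# Print the commands instead of applying them (no root or iptables needed).
if [ "${1:-}" = "--dry-run" ]; then
    (IPT="echo iptables"; apply_forward_rules)
fi
```

Run it with `--dry-run` first and compare the printed rules against the two interface groups Dave listed before applying them as root.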