> > > On Sun, Jul 16, 2006 at 05:16:32PM +0100, Linux wrote:
> > > > Basically traffic coming in on eth3 needs to go out through a
> > > > default gateway of 192.168.20.1 through eth0.
> > > >
> > > > For traffic on eth3.40 I need this to route to 192.168.40.1 via
> > > > eth0.40.
> > > >
> > > > If that makes sense, both are wanting to go to the same IP
> > > > 135.166.X.Y.
> > > >
> > > > To make things more complex the router 192.168.20.1\40.1 is running
> > > > the DHCP server which I need to continue to use.
> > > >
> > > > I need to control traffic so that they can only access certain port
> > > > ranges and IPs.
> > > >
> > > > If anyone has any suggestions on how this would be possible, I would
> > > > be grateful.
> > >
> > > Now we're getting somewhere. But still missing some details.
> > >
> > > eth0: 192.168.20.0/24
> > > eth0.40: 192.168.40.0/24
> > >
> > > eth3: what IP net?
> > > eth3.40: what IP net?
> >
> > At the moment they are the same as eth0 as they are bridged.
> >
> > > If you want to use the same IP net on more than one interface you have
> > > to make a bridge.
> > >
> > > If you want to control bridged traffic you can use either ebtables or
> > > iptables. Bridged traffic passes through the iptables FORWARD chain
> > > with input-interface and output-interface both set to the bridge.
> >
> > I do see the outward going packets; the reason I don't see the
> > return, I think, is due to it being the return of a packet that has
> > already been allowed through.
> >
> > I am going to try doing some filtering on what is and is not allowed
> > tomorrow morning to see what happens.
> >
> > > If you want to make traffic that comes in on a bridge not be bridged
> > > by Linux but instead be routed by Linux you have to use at least one
> > > ebtables rule to DROP that traffic in the BROUTE ebtable as said
> > > earlier. I can't say yet if you need this.
> >
> > At the moment I require one DROP rule to make packets go through the
> > VLAN bridge.
> >
> > If traffic goes from the switch to the bridge then to the router it
> > works fine; if traffic goes from the router to the bridge then to the
> > switch I need the DROP rule. I do not know if this is due to a setting
> > in the switch or the router, which is why I only need a rule one way.
> >
> > > Both 192.168.20.1 and 192.168.40.1 are routers of some sort. Will both
> > > work as default gateway and you just want to decide between them only
> > > based on incoming source interface, or is the routing more complex?
> >
> > They are both the same router, just in different VLANs; in the current
> > set-up the DHCP server hands them out as the default gateway due to the
> > bridge configuration.
> >
> > The routing is not that complex: everything from the 192.168.40.x range
> > should go to the 40.1 gateway and 182.168.20.x should go to the 20.1
> > gateway.
> >
> > It does get a bit more complex in that there will also be eth2 and
> > eth2:40 which need to route the traffic as well, just be isolated from
> > eth3 and eth3:40.
> >
> > I am now thinking if I can control the traffic using iptables for the
> > bridges, is what 2 three-way bridges linking the three NICs eth0, eth2
> > and eth3, then use iptables to control what can access what.
> >
> > I then need to tell the bridge that any traffic for the
> > 172.22/255.255.240.0 range is not to be bridged but to go to the
> > routing table, so it flows out of eth1, with iptables again controlling
> > the traffic. I think I can do this with correctly placed ebtables rules.
>
> I have managed to get everything working except for getting the 172.22
> address to escape from the bridge and hit the routing table to be routed
> over the general network, eth1.
>
> I think this rule should do it, but the packets seem to disappear into
> nowhere.
>
> ebtables -t broute -A BROUTING -p IPv4 --ip-destination 172.22.240.0/20 -i eth3 -j DROP

I spoke too soon!! For some reason br0, which consists of eth0 and eth3, now fails.

If I create a bridge with just eth0 in, I can ping 192.168.20.1. If I add eth3 to the bridge, this then fails: I see the request going out on the bridge and both interfaces to locate where 192.168.20.1 is, but I never see any replies.

Has anyone got any suggestions?

Thanks,
Adam
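The bridge-plus-BROUTE setup discussed in the thread, written out as an added example (it is not part of Adam's or the list's posts): bridge eth0 and eth3 as br0, divert the 172.22.240.0/20 range to the routing table with the BROUTING DROP rule, and restrict both the bridged and the routed path in the iptables FORWARD chain. The eth1 next hop, the allowed TCP port range and the APPLY/DRY_RUN switches are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: bridge eth0 and eth3 as br0, divert
# frames for 172.22.240.0/20 out of the bridge so the routing table sends
# them via eth1, and filter bridged traffic in the iptables FORWARD chain.
# Interface names and networks come from the thread; the rest is assumed.
set -e

BR=br0
PORTS="eth0 eth3"            # bridge ports; eth0 faces the 192.168.20.1 gateway
ROUTED_NET=172.22.240.0/20   # must be routed out of eth1, never bridged
ROUTED_GW=10.0.0.1           # assumed next hop for ROUTED_NET on eth1
ALLOWED_TCP=80:443           # assumed: the only port range clients may reach

# run: execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

apply_config() {
    run brctl addbr "$BR"
    for p in $PORTS; do run brctl addif "$BR" "$p"; done
    run ip link set "$BR" up
    # Bridged frames only reach iptables FORWARD when br_netfilter is on.
    run sysctl -w net.bridge.bridge-nf-call-iptables=1

    # BROUTE table: DROP means "do not bridge, hand the frame to the IP
    # stack", so eth3 frames for the routed range hit the routing table.
    run ebtables -t broute -A BROUTING -p IPv4 --ip-destination "$ROUTED_NET" \
        -i eth3 -j DROP
    run ip route add "$ROUTED_NET" via "$ROUTED_GW" dev eth1

    # Bridged traffic traverses FORWARD with -i br0 -o br0; the physdev
    # match recovers the real ingress port for per-port policy.
    run iptables -A FORWARD -i "$BR" -o "$BR" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$BR" -o "$BR" -m physdev --physdev-in eth3 \
        -p tcp --dport "$ALLOWED_TCP" -j ACCEPT
    run iptables -A FORWARD -i "$BR" -o "$BR" -m physdev --physdev-in eth3 -j DROP

    # Brouted frames enter the IP stack with eth3 (the port) as input
    # device, not br0, so the routed path is filtered separately.
    run iptables -A FORWARD -i eth3 -o eth1 -d "$ROUTED_NET" \
        -p tcp --dport "$ALLOWED_TCP" -j ACCEPT
    run iptables -A FORWARD -i eth3 -o eth1 -j DROP
}

# Only touch the system when explicitly asked: APPLY=1 sh this_script.sh
if [ "${APPLY:-0}" = 1 ]; then apply_config; fi
```

Run with `DRY_RUN=1 APPLY=1` to print the commands it would issue, or as root with `APPLY=1` to apply them.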