On Sat, 2003-03-01 at 10:16, Bart De Schuymer wrote:
> > OK, but I tried it with an IP address on the bridge interface and I get the
> > same error message in the kernel as I wrote above.
>
> I have tried the following scheme on my little test network, for both 2.5 and
> 2.4.20 + patches:
>
> eth0 = connection to Internet
> br0 = eth1+eth2
> br0 has no IP address
> iptables -t nat -A PREROUTING -s 172.16.1.2 -d 172.16.1.4 -j DNAT --to-dest 216.239.51.101
> route add -net 172.16.1.0 netmask 255.255.255.0 dev br0
Thank you. I didn't have this route in my routing table. When I add this
route, the message in the kernel disappears. Tx.
>
> 172.16.1.2 is on the eth1 side, .4 on the eth2 side, the dest (216.239.51.101)
> is google.
> I then ping 172.16.1.4 from 172.16.1.2 and everything works as expected:
> google responds to my bridge box, which SNATs it to 172.16.1.4 and sends it
> to 172.16.1.2.
>
> Is there anything essentially different between this setup and yours?
> Because, with me, this works.
>
My topology is a little bit different.
                          firewall                 access router
                     +-----------------+            +----------+
LAN -- c1router --   |eth1.1-br1-eth0.1| --         |subint1   |
LAN -- c2router --   |eth1.2-br2-eth0.2| --         |subint2   | -- internet
LAN -- c3router --   |eth1.3-br3-eth0.3| --         |subint3   |
          |          |      eth2       |            |          |
         /           +--------+--------+            +----------+
       _/                     |
routers are connected    +----------+
by Catalyst to FW        |   eth0   |
                         |  proxy   |
                         +----------+
firewall eth2 - 192.168.0.1
proxy eth0 - 192.168.0.2
c1-3router are the customer routers for three customers. Behind the routers
there are the customers' LANs.
Each customer is connected via the firewall, which is in bridging mode (it
means that the default router for c1-3router is the IP address on subint1-3
on the access router). The firewall is totally transparent. Each customer is
in a different bridge (br1-3), as you can see in the picture.
The firewall is connected via one physical port to the customers (eth1)
and one physical port to the Internet access router (eth0). eth2 is
connected to the proxy server and it has an IP address. On eth0 and eth1,
VLANs are used to separate each customer's traffic, and eth0, eth1 and
all bridges (br1-3) don't have an IP address assigned.
I forgot to add a route, as I wrote above (it was the problem with the
message in the kernel). But I am using more than one bridge on the firewall
machine, so I must add multiple routes, one for each bridge. And when I would
like to use the redirection to the proxy for traffic originating from the
Internet, I need to have added a DEFAULT route for each bridge. And that is a
problem, I think, because I will need more default routes on one machine.
I think it is not possible; it is about virtual routing, which is not
supported yet in Linux, isn't it?
I need something like this for connections originating FROM the Internet
to be redirected to the proxy (for traffic which will go via br1 and br3, for
example, with dest port 3333 redirected to proxy port 25):
/sbin/iptables -t nat -A PREROUTING -i br1 -p tcp --dport 3333 -j DNAT --to-destination 192.168.0.2:25
/sbin/iptables -t nat -A PREROUTING -i br3 -p tcp --dport 3333 -j DNAT --to-destination 192.168.0.2:25
/sbin/iptables -t nat -A POSTROUTING -o eth2 -d 192.168.0.2 -j SNAT --to-source 192.168.0.1
route add -net 0.0.0.0 netmask 0.0.0.0 dev br1
route add -net 0.0.0.0 netmask 0.0.0.0 dev br3
I guess it is about virtual routing, isn't it? Is it possible to do in Linux?
Thank You Bart!
Thank You all.
kolisko
> --
> cheers,
> Bart
>
--
---
Michal Kolesár
[EMAIL PROTECTED]
http://kolisko.penguin.cz
+420.777.225.297
Don't send me any attachment in Micro$oft (.DOC, .PPT) format please
Read http://www.fsf.org/philosophy/no-word-attachments.html
Preferable attachments: .PDF, .HTML, .TXT
Thanx for adding this text to Your signature
_______________________________________________
Bridge mailing list
[EMAIL PROTECTED]
http://www.math.leidenuniv.nl/mailman/listinfo/bridge
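The "one default route per bridge" that the message above asks for is what Linux policy routing (iproute2: `ip rule` plus additional routing tables) provides, and it was already in 2.4: each bridge gets its own table with its own default route, selected by a firewall mark, so the main table never needs a second default route. The script below is an added example written for this page, not code from the thread or from the bridge project. It keeps the addresses, interfaces and ports from the message above and assumes iproute2, a kernel with multiple routing tables and bridge-netfilter, and iptables with the MARK and CONNMARK targets (CONNMARK was a patch-o-matic addition on 2.4). That a device route without a gateway on an IP-less bridge is enough for the return path is taken over from the single-bridge recipe quoted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): one default route per bridge on a
# Linux box with several IP-less bridges, using policy routing instead of
# several default routes in the main table.
#
# Assumptions beyond what the thread states: iproute2 is installed, the
# kernel has multiple routing tables (CONFIG_IP_MULTIPLE_TABLES) and
# bridge-netfilter, and iptables has the MARK and CONNMARK targets
# (CONNMARK is in 2.6; on 2.4 it came from patch-o-matic).
# Addresses, interface names and ports are the ones from the thread.

PROXY_IP=192.168.0.2        # proxy eth0
FW_PROXY_IP=192.168.0.1     # firewall eth2
PROXY_IFACE=eth2
REDIRECT_PORT=3333          # destination port caught from the Internet
PROXY_PORT=25               # port the proxy listens on

# Without --apply the script only prints what it would run, so it can be
# reviewed on a box without root or without these interfaces.
DRY_RUN=1
if [ "${1:-}" = "--apply" ]; then DRY_RUN=0; fi

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Must come first: give every packet the mark its connection was tagged
# with, so replies from the proxy (arriving on eth2) are routed with the
# table of the bridge the connection originally came in on.
common_pre() {
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
}

# bridge_setup <bridge> <n>: per-bridge marking, DNAT and routing table.
# n serves both as fwmark and as table number (1..252 are free; 253-255
# are the default/main/local tables).
bridge_setup() {
    br=$1
    n=$2
    # Only packets without a mark, i.e. new connections arriving on this
    # bridge, are marked; later packets of the connection keep the restored mark.
    run iptables -t mangle -A PREROUTING -i "$br" -m mark --mark 0 -j MARK --set-mark "$n"
    # The DNAT rule from the thread, one per bridge.
    run iptables -t nat -A PREROUTING -i "$br" -p tcp --dport "$REDIRECT_PORT" \
        -j DNAT --to-destination "$PROXY_IP:$PROXY_PORT"
    # Packets marked n are looked up in table n, whose only route is a
    # default route out of this bridge; the main table stays untouched.
    run ip rule add fwmark "$n" table "$n"
    run ip route add default dev "$br" table "$n"
}

# Must come last: store the mark in conntrack, SNAT towards the proxy
# (as in the thread) and drop cached routes so the new tables take effect.
common_post() {
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
    run iptables -t nat -A POSTROUTING -o "$PROXY_IFACE" -d "$PROXY_IP" \
        -j SNAT --to-source "$FW_PROXY_IP"
    run ip route flush cache
}

# Whole setup for the three customer bridges of the thread.
firewall_setup() {
    common_pre
    bridge_setup br1 1
    bridge_setup br2 2
    bridge_setup br3 3
    common_post
}

firewall_setup
```

Run it as root with `--apply` on the firewall; without the flag it only lists the commands. Running it twice appends duplicate rules, so flush the mangle and nat tables and the `ip rule` entries before re-applying.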