On Tue, 12 Mar 2002 09:55:13 -0500 "Baines, Dominic" <[EMAIL PROTECTED]> wrote:
> Thanks Richard,
>
> ...I'd seen the example but that is not applicable for use
> with the external interface.
>
> The 192.168.100. subnet is behind one firewall connected
> to the internet... the 192.168.200. subnet is behind
> another firewall somewhere else on the internet...

You're fighting a couple of basic problems before you can get to the point of routing traffic...

1. 192.168.*.* is _not_ directly routable over the Internet -- see http://www.ietf.org/rfc/rfc1918.txt

2. Since these [sub]nets are not routable over the 'net, you have to establish a virtual link between them to allow connectivity. Alternatively, you can use NAT at both gateways; but that will not allow transparent any-to-any connectivity between the 2 subnets -- just client to remote service.

3. Any virtual link should be part of a "routed" network; a "switched" (bridged) network will waste bandwidth with broadcasts/multicasts... while a "virtual link" is not a real link, it *does* use real bandwidth over a real link... but you already knew that... :^)

More below...

> -----Original Message-----
> From: Richard Bown [mailto:[EMAIL PROTECTED]]
> Sent: 12 March 2002 12:14
> To: linux-expert
> Subject: Re: [expert] Bastille firewall setup - missing options ?
>
> look in /sbin/bastille-netfilter
> there is an example of routing between different subnets on the internal
> interface.
>
> <snip>
>
> On Tue, 2002-03-12 at 11:32, Baines, Dominic wrote:
> > Is there a way to do these with Bastille:
> >
> > 1. Port forward say ssh (22) to more than one host internally ?
> > say something like:
> > port 99922 to host 1:22
> > port 99822 to host 2:22
> > port 99722 to host 3:22

I must've missed the announcement that port numbers higher than 65535 were now allowed... :^)

A suggestion: use 22xxx where xxx is the last octet of the IP address at the far-end. Works either way; hosts local to each other can just use 22 (at each location).

A LinkSys router is *supposed* to be able to do that; but seems to have problems which I'm still fighting with LinkSys over (see http://pfortin.com/Linux/LinkSys/)

You should be able to connect the two subnets with iptables NAT in the gateways at both ends (http://www.netfilter.org), then ssh

> > I can only seem to enable just single host port forwarding and it is a
> > bit limiting.

Combining ssh with NAT should work -- haven't done it myself; but the architecture allows it AFAIK... just takes some planning and meticulous table creation.

> > 2. Connect a whole remote network (actually 3 systems behind another
> > Bastille firewall also NAT'd...) to the local network .
> >
> > Local network 192.168.100. network
> > Remote network 192.168.200. network
> >
> > What I'd like to do is setup both systems so that they KNOW that the
> > gateway to the other is through the firewall...
> >
> > I used to be able to do this 'simply' enough by adding rules to both
> > firewalls to tell them the other network gateway was the PUBLIC IP
> > address of the other firewall...
> >
> > Can't seem to do this, with Bastille ....

Suspect that each gateway should know about each other at the global Internet level in order to provide a virtual link which the 2 192.168 segments should treat as a point-to-point inter-router/gateway link.

> > 3. Use the Bastille firewall system as a VPN server. Ideally 2 uses
> > these or a remote user would..
> >
> > Has anyone else been able to accomplish any of these tasks whilst not
> > completely mitigating the use of Bastille (which is what I'm faced
> > with otherwise) ?

Not sure of the details; but I get the impression you are not viewing this problem as:

1. virtual link between sites
2. 192.168.100.* and 192.168.200.* uses the virtual link between gateways
3. The virtual link may also need to be an IP subnet; if so, suggest using 192.168.255.{1,2}.

BUT... since I haven't actually done this, I'm probably blowing in the wind... :^)

HTH,
Pierre
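The two things Pierre sketches above, one external port per internal ssh host (the 22xxx convention) and a routed point-to-point link between the two 192.168 subnets, as an added example that is not part of the thread and not Bastille's own code. It is a small POSIX sh generator that prints netfilter and iproute2 commands rather than executing them, so the output can be reviewed before it touches a gateway. The interface names (eth0, tun0), the 203.0.113.0/24 source range and all 192.168.x addresses are constructed for illustration; the tunnel device itself (whatever VPN or tunnel provides the "virtual link") is assumed to already exist.

```sh
#!/bin/sh
# Added example, not code from the thread or from Bastille: generates rules
# for (1) forwarding ssh to several internal hosts on distinct external ports
# and (2) routing two RFC1918 subnets over a point-to-point virtual link
# instead of NATing them. Interface names and addresses are constructed.

# Exit 0 when an address or CIDR lies in an RFC 1918 block; used to refuse a
# configuration that would try to route private space over the Internet.
is_rfc1918() {
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# External port for an internal ssh host: 22 followed by the zero-padded last
# octet, e.g. 192.168.100.5 -> 22005. The result never exceeds 22255, so it
# stays inside the 16-bit range that 99922-style ports fall outside.
port_for_host() {
    printf '22%03d\n' "${1##*.}"
}

# DNAT one external port to one internal host's port 22 and accept only that
# flow in FORWARD. $1 WAN interface, $2 internal host, $3 optional source
# CIDR (default anywhere; narrowing it is the main exposure control).
ssh_forward_rules() {
    wan_if=$1; host=$2; src=${3:-0.0.0.0/0}
    port=$(port_for_host "$host")
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p tcp --dport %s -j DNAT --to-destination %s:22\n' \
        "$wan_if" "$src" "$port" "$host"
    printf 'iptables -A FORWARD -i %s -s %s -d %s -p tcp --dport 22 -m state --state NEW -j ACCEPT\n' \
        "$wan_if" "$src" "$host"
}

# Routed virtual link between sites. $1 tunnel interface, $2 local link
# address, $3 remote link address, $4 remote subnet (CIDR). The remote subnet
# is routed via the link and exempted from MASQUERADE so hosts see each
# other's real 192.168 addresses (any-to-any, not just client-to-service).
site_link_rules() {
    tun_if=$1; local_ip=$2; remote_ip=$3; remote_net=$4
    is_rfc1918 "$remote_net" || { echo "refusing: $remote_net is not RFC1918" >&2; return 1; }
    printf 'ip addr add %s peer %s dev %s\n' "$local_ip" "$remote_ip" "$tun_if"
    printf 'ip route add %s via %s dev %s\n' "$remote_net" "$remote_ip" "$tun_if"
    printf 'iptables -t nat -I POSTROUTING -d %s -j ACCEPT\n' "$remote_net"
    printf 'iptables -A FORWARD -i %s -s %s -j ACCEPT\n' "$tun_if" "$remote_net"
    printf 'iptables -A FORWARD -o %s -d %s -j ACCEPT\n' "$tun_if" "$remote_net"
}

# Usage: three internal ssh hosts reachable from one constructed admin range,
# plus the inter-site link numbered 192.168.255.{1,2} as suggested above.
for h in 192.168.100.1 192.168.100.2 192.168.100.3; do
    ssh_forward_rules eth0 "$h" 203.0.113.0/24
done
site_link_rules tun0 192.168.255.1 192.168.255.2 192.168.200.0/24
```

Each forwarded port is a separate exposure, which is why `ssh_forward_rules` takes a source range and pairs every DNAT with a matching FORWARD accept instead of a blanket rule; the `POSTROUTING ... -j ACCEPT` insert is what keeps site-to-site traffic out of the gateway's MASQUERADE so the far side sees the real 192.168.100 addresses.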
