Benjamen R. Meyer wrote:
> Ramon van Alteren wrote:
>> BRM wrote:
>> <Snip lots of lines>
>>> I've tried the following:
>>> route_eth1("default via ${COMMAND_STRING_TO_EXTRACT_IP_OF_ETH1}")
>> I fail to see how this could ever work, adding a default route for an
>> interface with the ip-address of the same interface.
> 
> Oops...that should have been:
> 
> route_eth1("default via ${COMMAND_STRING_TO_EXTRACT_IP_OF_ETH0}")
> 
> typo in the original.

Anyhow, as others point out, why would you do such a thing? One thing to
keep in mind: there can be only one default gateway route; the others are
static.

>> Please describe the situation and your end-goal more clearly.
> 
> Basic Diagram:
> 
>              +-------server--------+
>              |                     |
> Internet <-> - eth0                |
>              |   ^                 |
>              |   |                 |
>              |   +->Firewall       |
>              |        ^            |
>              |        |            |
>              |        +------>eth1 - <-> Home Network #1
>              |        |            |
>              |        +------>eth2 - <-> Home Network #2
>              |                     |
>              +---------------------+
> 
> End Goal:
> 
> 1. The "server" shall provide router & firewall functionality in order
> to provide Internet access to itself and clients on the Home Networks.
> 2. The "firewall" shall only allow desired traffic through.
> 2.1 Desired traffic shall be defined as traffic that originates from the
> Home Network and the "server" itself; as well as allowed daemon services
> provided by the "server" itself.

Some iptables rules shall do for you. Just don't forget the connection
tracking option in the netfilter module for the kernel. emerge the iptables
tools.

> 3. The router shall direct traffic to the appropriate networks.

Don't forget to set up the routing variable within /proc to enable routing.

> I could go into some more details - as I am eventually planning on doing
> some more things, like separating traffic between my "wireless" &
> "wired" systems. However, that is a future project at this point. My
> primary goal is the above so that I can replace my older server with my
> new one.
> 
> Ben

Just don't route between the two networks...

Example :
For a normal house there will not be 254 machines connected to the
network. So let's mask it down a little bit. I use a mask of 29 bits at
home as I planned to never have more than 5 computers connected. But let's
say you may have a LAN party with 10 computers, all wired: a mask of 28
bits would give you plenty of room for that, but we will use a 26 bit
mask. And you still have your girlfriend (or wife) who wants to play
some songs from the internet, and she uses her beloved MacBook Pro (hey,
this is an example).

1) eth0 : DHCP client will set up the default route.
2) eth1
        network IP : 192.168.1.64
        netmask : 255.255.255.192
        router IP : 192.168.1.65 (would also be the default gateway for all the
machines connected to that LAN)
        broadcast IP : 192.168.1.127
        available IP range : 192.168.1.66 to 192.168.1.126
3) eth2 (wlan) :
        network IP : 192.168.1.128
        netmask : 255.255.255.192
        router IP : 192.168.1.129 (same as above)
        broadcast IP : 192.168.1.191
        available IP range : 192.168.1.130 to 192.168.1.190

4) iptables -A FORWARD -i eth1 -o eth2 -j DROP; iptables -A FORWARD -i
eth2 -o eth1 -j DROP; echo "Home networks are isolated from each other
now!"; echo "DONE : Girlfriend's laptop will not see anything on the
network... else of the noise, she shall not notice any change.";

This is what I schemed for a router project using a GX1 with 4 network
devices (3 were actually used):

Basic Diagram:

               +-------server--------+
               |                     |
  Internet <-> - eth0                |
               |   ^                 |
               |   |                 |
               |   +->Firewall       |
               |        ^  ^         |
               |        |  |         |
               |        |  +--->eth1 - <-> LAN1
               |        |  |         |
               |        +--=--->eth2 - <-> DMZ
               |           |         |
               |           +--->eth3 - <-> LAN2 (was plug to a DLink)
               |                     |
               +---------------------+

So I had to do a few routing rules with iptables so that I would have
no access to LAN1 or LAN2 from my DMZ unless the request came from my LAN.
I can't recall the rules as my box died not so long ago (I should have
documented it). For LAN1 & LAN2 I had : iptables -A FORWARD -i eth1 -o
eth2 -j ACCEPT; iptables -A FORWARD -i eth1 -o eth2 -j ACCEPT and of
course iptables -P FORWARD DROP so that by default I deny any forward
without telling anyone. Useful to hide your network a little more.

Hope it gives you a hint on how to start on the right foot.

Anyhow, it gives you keywords to put into Google or any other crawler you
like.

MA Landry
-- 
[EMAIL PROTECTED] mailing list
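The subnet plan and the forwarding policy from the mail above, worked through as an added example (this script is not part of the thread; it is mine). It assumes the interface roles from the mail (eth0 = Internet, eth1 = wired home network, eth2 = wireless home network) and the 192.168.1.x addressing; the function names and the DRY_RUN switch are my own. By default it only prints the commands, so it runs anywhere; run it as root with DRY_RUN=0 to apply the rules. The connection tracking rule needs the netfilter state tracking module the mail mentions.

```shell
#!/bin/sh
# Added example, not from the original mail: compute the two /26 home
# subnets and emit the forwarding rules that isolate them from each other.
# Assumed interface roles: eth0 Internet, eth1 wired LAN, eth2 WLAN.

# Dotted quad -> integer, e.g. 192.168.1.65 -> 3232235841.
# Subshell body so the IFS change does not leak into the caller.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Addresses a prefix leaves for hosts after network and broadcast:
# /29 -> 6 (router + 5 computers, as in the mail), /28 -> 14, /26 -> 62.
usable_hosts() {
    echo $(( (1 << (32 - $1)) - 2 ))
}

# subnet_plan ADDRESS PREFIX: network, netmask, router (first usable
# address, as the mail does it), broadcast, and the range left for clients.
subnet_plan() (
    ip=$(ip_to_int "$1")
    all_ones=4294967295                                # 0xFFFFFFFF
    mask=$(( (all_ones << (32 - $2)) & all_ones ))
    net=$(( ip & mask ))
    bcast=$(( net | (~mask & all_ones) ))
    printf 'network=%s netmask=%s router=%s broadcast=%s clients=%s-%s\n' \
        "$(int_to_ip "$net")" "$(int_to_ip "$mask")" \
        "$(int_to_ip $((net + 1)))" "$(int_to_ip "$bcast")" \
        "$(int_to_ip $((net + 2)))" "$(int_to_ip $((bcast - 1)))"
)

# Print commands instead of executing them unless DRY_RUN=0 (root needed).
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Forwarding policy from the mail: enable routing (same as writing 1 to
# /proc/sys/net/ipv4/ip_forward), deny all forwarding by default, never
# forward between the two home networks, let replies back in via connection
# tracking, and let both home networks out through eth0 with masquerading.
firewall_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i eth1 -o eth2 -j DROP
    run iptables -A FORWARD -i eth2 -o eth1 -j DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
    run iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
    run iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
}

# Show the plan for both home networks, then the rule set (dry run by default).
subnet_plan 192.168.1.64 26
subnet_plan 192.168.1.128 26
firewall_rules
```

The explicit eth1/eth2 DROP rules are redundant with the DROP policy, but placing them ahead of the ESTABLISHED,RELATED rule makes the isolation hold even if someone later adds a broad ACCEPT below them; the policy alone is what keeps everything else closed by default.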
