Landry, Marc-Andre wrote:
Benjamen R. Meyer wrote:
Ramon van Alteren wrote:
BRM wrote:
<Snip lots of lines>
I've tried the following:
route_eth1("default via ${COMMAND_STRING_TO_EXTRACT_IP_OF_ETH1}")
I fail to see how this could ever work, adding a default route for an
interface with the ip-address of the same interface.
Oops...that should have been:

route_eth1("default via ${COMMAND_STRING_TO_EXTRACT_IP_OF_ETH0}")

typo in the original.

Anyhow, as others point out, why would you do such a thing? One thing to keep in
mind: there can be only one default gateway route; the others are static.
Nope, not so.
I run a firewall with multiple default gateways because it has multiple internet uplinks which load-balance and fail over traffic from one to the other. With iproute2 you can specify multiple routing tables and rules to divide traffic over them, very useful.

See: http://lartc.org/howto/lartc.rpdb.multiple-links.html
<snip>
Don't forget to set up a routing variable within /proc to enable the routing.
Huh ?
Just don't route between the two networks...

Example :
For a normal house there will not be 254 machines connected to the
network. So let's mask it down a little bit. I use a mask of 29 bits at
home as I planned never to have more than 5 computers connected. But let's
say you may have a LAN party with 10 computers, all wired: a mask of 28
bits would give you plenty of room for that, but we will use a 26-bit
mask. And you still have your girlfriend (or wife) who wants to play
some songs from the internet, and she uses her beloved MacBook Pro (hey,
this is an example).

1) eth0 : DHCP client will setup the default route.
2) eth1
        network IP : 192.168.1.64
        netmask : 255.255.255.192
        router IP : 192.168.1.65 (would also be the default gateway for all the machines connected to that LAN)
        broadcast IP : 192.168.1.127
        available IP range : 192.168.1.66 to 192.168.1.126
3) eth2 (wlan) :
        network IP : 192.168.1.128
        netmask : 255.255.255.192
        router IP : 192.168.1.129 (same as above)
        broadcast IP : 192.168.1.191
        available IP range : 192.168.1.130 to 192.168.1.190
You can of course limit the broadcast domain on your internal network and I am certainly not stopping you; it's an interesting exercise in subnetting. However, I would caution against it. CIDR and non-byte-boundary subnetting are not exactly the simplest things in networking to do correctly, and if you have no requirement for setting that up, then why add the complexity?

Seeing wireless clients and wired clients in the same IP space looks confusing at first glance. Setting them up in separate /24 IP spaces makes it easier to grok the networking setup in case of problems.

4) iptables -A FORWARD -i eth1 -o eth2 -j DROP; iptables -A FORWARD -i
eth2 -o eth1 -j DROP; echo "Home networks are isolated from each other
now!"; echo "DONE : Girlfriend's laptop will not see anything on the
network... other than the noise, she shall not notice any change.";

This is what I schemed for a router project using a GX1 with 4 network
devices (3 were used actually)

Basic Diagram:

               +-------server--------+
               |                     |
  Internet <-> - eth0                |
               |   ^                 |
               |   |                 |
               |   +->Firewall       |
               |        ^  ^         |
               |        |  |         |
               |        |  +--->eth1 - <-> LAN1
               |        |  |         |
               |        +--=--->eth2 - <-> DMZ
               |           |         |
               |           +--->eth3 - <-> LAN2 (was plug to a DLink)
               |                     |
               +---------------------+

So I had to do a few routing rules with iptables so that I would have
no access to LAN1 or LAN2 from my DMZ unless the request came from my LAN.
Can't recall the rules as my box died not so long ago (I should have
documented it). For LAN1 & LAN2 I had: iptables -A FORWARD -i eth1 -o
eth2 -j ACCEPT; iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT and of
course iptables -P FORWARD DROP so that by default I deny any forward
without telling anyone. Useful to hide your network a little more.

Hope it gives you a hint on how to start on the right foot.

Anyhow, it gives you keywords to put into Google or any other crawler you
like.
Writing iptables rules by hand is cool, and good exercise in understanding iptables and networking. Using a wrapper package like shorewall gives you instant access to a lot of the advanced features of iptables without the associated learning curve. Apart from that, shorewall has an "admin_is_absent_minded" setting which saved my butt on a couple of occasions now :-)

Regards,

Ramon
--
[EMAIL PROTECTED] mailing list
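An added example, not code from the thread or from any of its participants: a POSIX shell script that recomputes the /26 figures the thread lists for eth1 and eth2 (and the 29-bit mask mentioned for a small home LAN) and emits a default-deny FORWARD rule set that keeps the internal segments apart in both directions, with a one-way exception for the LAN-to-DMZ case from the router diagram. It uses DROP rather than DENY (DENY is an ipchains target; iptables has no such target) and an ESTABLISHED,RELATED conntrack rule so replies to connections a LAN opened can come back. Interface names and addresses are the ones from the thread; the conntrack and LOG rules, the IPTABLES dry-run variable and the helper names are assumptions of this example. With IPTABLES unset the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example (not from the thread): subnet arithmetic for the /26 layout
# discussed above, plus a default-deny FORWARD policy between the segments.
# Rules go through $IPTABLES, which defaults to "echo iptables" so the script
# can be dry-run as an ordinary user; run with IPTABLES=iptables as root to apply.

IPTABLES="${IPTABLES:-echo iptables}"
ALL_ONES=4294967295   # 2^32 - 1, keeps the arithmetic within 32 bits

# ip2int A.B.C.D -> unsigned 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int2ip INTEGER -> A.B.C.D
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# subnet_info ADDRESS PREFIXLEN
# Prints: network netmask router broadcast first_usable last_usable
# Follows the thread's convention that the router takes the first usable
# address, so the range handed out to clients starts one above it.
subnet_info() {
    addr=$(ip2int "$1")
    mask=$(( (ALL_ONES << (32 - $2)) & ALL_ONES ))
    network=$(( addr & mask ))
    bcast=$(( network | (~mask & ALL_ONES) ))
    usable="$(int2ip $((network + 2))) $(int2ip $((bcast - 1)))"
    echo "$(int2ip "$network") $(int2ip "$mask") $(int2ip $((network + 1))) $(int2ip "$bcast") $usable"
}

# forward_policy WAN LAN...
# Default-deny FORWARD: each internal interface may open connections towards
# the WAN side, replies return through conntrack, and nothing crosses between
# internal interfaces unless allow_initiate adds it explicitly.
forward_policy() {
    wan=$1; shift
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for lan in "$@"; do
        $IPTABLES -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
    done
}

# allow_initiate FROM TO
# One-way permission: hosts on FROM may open connections to TO (e.g. LAN to
# DMZ). TO can answer those connections but cannot start its own towards FROM.
allow_initiate() {
    $IPTABLES -A FORWARD -i "$1" -o "$2" -m conntrack --ctstate NEW -j ACCEPT
}

# log_remaining
# Appended last so that anything about to fall through to the DROP policy is
# visible in the kernel log (assumption of this example, not from the thread).
log_remaining() {
    $IPTABLES -A FORWARD -j LOG --log-prefix "FORWARD drop: "
}

# Dry-run 1: the wired/wireless layout from the thread (eth1 and eth2 /26).
for spec in "eth1 192.168.1.64 26" "eth2 192.168.1.128 26"; do
    set -- $spec
    echo "$1: $(subnet_info "$2" "$3")"
done

# Dry-run 2: the router diagram (eth0 uplink, eth1 LAN1, eth2 DMZ, eth3 LAN2).
# LAN1 and LAN2 never see each other; both may reach the DMZ, the DMZ may not
# initiate towards either LAN.
forward_policy eth0 eth1 eth2 eth3
allow_initiate eth1 eth2
allow_initiate eth3 eth2
log_remaining
```

The subnet output for eth1 reads `192.168.1.64 255.255.255.192 192.168.1.65 192.168.1.127 192.168.1.66 192.168.1.126`, matching the figures in the thread; the printed rules can be pasted into a script and applied once they look right.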