Ray,

Thanks for the response. Answers/comments inline:

> Offhand, I cannot think of a way to do what you want to do. Control of
> gateway addresses is a function of the routing table, not of ipchains or
> iptables. But perhaps I'm missing something. It might help if you clarified
> a couple of things in your most recent posting.
>
> First, when you say the old router "could reach them all externally or
> internally via the public IP" what is the "the" IP you mean? Do you mean
> all 6 addresses were reachable via (probably) proxy arp? Or do you only
> mean the servers had reachable services via port forwarding? Or something else?

The machines I'm referring to had IPs in the same subnet (mask/gateway) as the
external interface on the router. One thing I do know is that the old router had
both interfaces plugged into the same switch, which is one of the things I'm
trying to correct.

> Second, while I understand (though do not really sympathize with) your
> desire to keep the IP addresses themselves secret, we really do need to
> know the relationship between the "xx.xx.xx" in "xx.xx.xx.25" and the
> "xxx.xxx.xxx" in "xxx.xxx.xxx.141". Are they on the same /24, to be specific?

Once I'm up and firewalled properly I'll be happy to publish them :)

Not the same /24. Where I have "xx" above, it indicates two actual digits, and
for the other, three. Anyway, here are the specifics:

  xx.xx.xx.26-30     subnet mask 248      gw xx.xx.xx.25
  xxx.xxx.xxx.142    subnet masklen 252   gw xxx.xxx.xxx.141

Traceroutes to both address types take the same path to their destination.

> If so, it *might* work to cheat ... let the router and *all* the servers use
> "xx.xx.xx.25", or perhaps "xxx.xxx.xxx.141", as their gateway. Incoming
> traffic will still (probably) flow through the separate gateways ... but
> IP-based routing is, by design, quite tolerant of using different routes in
> the different directions. (Actually, it might work to do this cheat even if
> the 2 networks are not part of the same /24; it depends on configuration
> decisions at the ISP's end.)

Understood. I will try it.

Am I correct in saying that both of these addresses have to be reachable in
1 hop from the firewall?

> If you try this, you will need a route on the router to "xxx.xxx.xxx.141",
> so it can receive traffic from that gateway and acknowledge it. But it need
> not be a gateway entry, just an ordinary route.

Ok.

> Finally, am I correct in inferring that these two external networks ---
> xx.xx.xx.24/29 and xxx.xxx.xxx.140/30 -- are on the same physical interface
> (eth0, I imagine) ... the same DSL or T1 or whatever? If they are on different
> interfaces, most of what I've said does not make sense for you ... and you'll
> have to give us those details to get good advice.

They are on the same interface, same T1, which is what made it confusing to me.

- Bob Coffman

-------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
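The "reachable in 1 hop" question and Ray's "ordinary route, not a gateway entry" remark come down to one rule: a next hop is only usable if the kernel can ARP for it, i.e. it sits inside a prefix the router holds on that interface or is covered by an explicit on-link route. The script below is an added example written for this thread, not code from either poster or from the LEAF project. It assumes iproute2 `ip` syntax, eth0 as the external interface, and stands in RFC 5737 documentation addresses for the masked ones in the mail: 203.0.113.24/29 for the "xx.xx.xx" block (gateway .25, servers .26-.30) and 198.51.100.140/30 for the "xxx.xxx.xxx" block (gateway .141, router .142). Which of the two gateways becomes the default is Ray's open question; the plan below picks .141, which is an assumption.

```shell
#!/bin/sh
# Added example for the leaf-user thread above; not from the original posters.
# Addresses are RFC 5737 placeholders for the masked ones in the mail (assumption).
# Both blocks share one wire on eth0, as Bob confirms in his reply.

EXT_IF=eth0
ROUTER_IP=198.51.100.142;  ROUTER_LEN=30;  ROUTER_GW=198.51.100.141
SERVER_NET=203.0.113.24;   SERVER_LEN=29;  SERVER_GW=203.0.113.25

ip4_to_int() {
  # Dotted quad -> 32-bit integer, e.g. 203.0.113.25 -> 3405803801
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

same_subnet() {
  # same_subnet ADDR1 ADDR2 PREFIXLEN: true when both fall in the same /PREFIXLEN
  mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
  [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$2") & mask )) ]
}

classify_gateway() {
  # How the router can reach next hop $1:
  #   direct - inside the router's own interface prefix; no extra route needed
  #   onlink - same wire, different prefix; needs "ip route add NET/LEN dev eth0"
  #            (Ray's "ordinary route") before it can be used as a next hop
  #   remote - not one hop away; cannot be a gateway at all
  if same_subnet "$ROUTER_IP" "$1" "$ROUTER_LEN"; then
    echo direct
  elif same_subnet "$SERVER_NET" "$1" "$SERVER_LEN"; then
    echo onlink
  else
    echo remote
  fi
}

print_plan() {
  # One address on eth0, an on-link route for the other block so the router
  # can ARP for .25 (and answer traffic arriving from it), then a single
  # default gateway. Order matters: the on-link route must exist before any
  # route that points "via" an address inside it.
  echo "ip addr add $ROUTER_IP/$ROUTER_LEN dev $EXT_IF"
  echo "ip route add $SERVER_NET/$SERVER_LEN dev $EXT_IF"
  echo "ip route add default via $ROUTER_GW dev $EXT_IF"
}

# Stand-alone run: classify both ISP gateways, then print the commands.
echo "$ROUTER_GW: $(classify_gateway "$ROUTER_GW")"
echo "$SERVER_GW: $(classify_gateway "$SERVER_GW")"
print_plan
```

Run it with plain `sh`; it only prints the `ip` commands, so nothing changes on the box until you paste them. If `classify_gateway` ever reports `remote` for the address you intended as the default, the router cannot ARP for it and the "cheat" will fail before it starts, regardless of what the ISP does on its side.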
