/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! 
/* ALSO: Don't quote this header. It makes you look lame :-) */


Trent Cook wrote:

> Hi, I will be required to set this up in about a week and am not sure if what
> I'm planning on will actually function correctly.  I need to have an internal
> LAN, then have 2 gateways, one to the internet, the other to a frame relay
> which connects direct to another company.
> 
> Now if I setup ipchains to masq the internal subnet... is it hard to do in
> this case?  I have set up ipchains before, but never with 2 different ways for
> the packets to go.  It was a DG (2 NICs) and that was that.
>
> If I try and setup ipchains, will I have to include routing info as well, or
> will the ipchains setup (rules) do all of that for me?
> 
> For example:
> 
>     |
>    ((Router-FRAME RELAY to other co.))ip: 167.125.174.1, sm: 255.255.255.192
>     |
>     |
>  eth1 (ip 167.125.174.2, DG 167.125.174.1)
>     |
> ((LINUX BOX))--eth2(ip 64.3.65.2, DG 64.3.65.1)-----INTERNET (via our ISP)
>     |
>  eth0 (ip 172.16.0.4 does this need a DG or should it have 2?)
>     |
>     |
>     |
> INTERNAL LAN (172.16.0.*, DG 172.16.0.4)
> 
> Ok, now that is the setup that will work, right? Although I'm not sure about 2
> DGs... should I only have the one to the internet and not have anything as a
> default gateway for the ETH1?  Maybe I'll have to add some static route?

you can't have two default gateways. it's a contradiction in terms :)
you need to know the networks that you will need to be able to
talk to at the other company and set up routes to those networks
via eth1. the default gateway will be for everything else (over eth2).
static routes are the way to go unless your packets are supposed to
be able to reach the internet via the other company (in case your
internet connection goes down). in that case, you'd need to investigate
a proper routing daemon (i.e. gated) and you'd need to talk with the
other company's network administrators to organise it.

> Is setting up ipchains going to be hard for this?  The rules etc?  Will I need
> any route adds at all, or will ipchains take care of all routing for me?

ipchains will not do any routing at all. it only filters packets.
you have to set up your routing first, independently of ipchains.

> Here is what I am thinking for ipchains rules, but I could be wayyyyyy off:
> 
> ipchains -A forward -j MASQ -i eth1 -s 172.16.0.0/16 -d 0.0.0.0/0
> ipchains -A forward -j MASQ -i eth2 -s 172.16.0.0/16 -d 0.0.0.0/0

do you really need to masquerade connections to the other company?
if so, you might also need to do some port forwarding in the other
direction so they can make connections to your hosts, if that's
required. otherwise, you could be doing ordinary routing across
that interface.

> Would this be all I would have to do to accomplish this, or will the
> destination of say the first (eth1) entry have to be set to something.  What I
> mean is can you have two 0.0.0.0/0's?  Wouldn't anywhere be outside eth2.  This
> is the other co's network on the other side of their router... 167.125.179.128
> 255.255.255.192 so maybe for the first rule I should say this:

you don't need the destination and you can have 0/0 twice.
each rule is unrelated to the other. if you left off the
-i option, you could just do it in 1 rule.

> ipchains -A forward -j MASQ -i eth1 -s 172.16.0.0/16 -d 167.125.179.128/18
> ipchains -A forward -j MASQ -i eth2 -s 172.16.0.0/16 -d 0.0.0.0/0
> 
> With this, would I need any routing tables manually specified for this setup,
> or would the ipchains route packets to the correct nic for me as I have
> specified a destination?

set up your routing first, then set up ipchains rules.

> Sorry to ramble on, but I'm new to the routing world and have been thrown into
> the middle of the fire here :)
> 
> Thanks for all your time and help guys.  You wouldn't believe how much it is
> appreciated!
> 
> Trent Cook

assuming that you want to masquerade outgoing connections across eth1 and eth2
but have no actual security policy (you really should think about this too),
then the following rules should do the trick:

  ipchains -P input ACCEPT
  ipchains -P output ACCEPT
  ipchains -P forward REJECT
  ipchains -A forward -s 172.16.0.0/16 -i eth1 -j MASQ
  ipchains -A forward -s 172.16.0.0/16 -i eth2 -j MASQ

but note: you really should think about providing some security
otherwise your company is at risk as is the other company.

also: you probably shouldn't be masquerading connections to the
other company. i could be wrong but it doesn't sound normal to me.
of course, it depends on what the link is for.

raf
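Added example, not code from the original post or from either correspondent: a small Python model of what raf describes, the kernel's routing decision (one default route, static routes for the partner company's networks via eth1) followed by the ipchains `forward` chain. It uses the addresses from the thread; the other company's prefix 167.125.179.128/26 is derived from the stated mask 255.255.255.192, while the ISP link mask (/24), the choice to ACCEPT rather than MASQ on the partner link, and the sample packets are assumptions.

```python
"""Added example (not from the original mailing-list post): a model of the
Linux routing decision followed by the ipchains `forward` chain, using the
addresses Trent and raf discuss.  It shows why the kernel picks the outgoing
interface before ipchains ever sees the packet, why a routing table carries
exactly one default route, and what a REJECT forward policy with explicit
MASQ/ACCEPT rules looks like.  The other company's prefix 167.125.179.128/26
is derived from the stated mask 255.255.255.192; the ISP link mask (/24) and
the sample packets are assumptions."""
import ipaddress

# (destination network, gateway or None if directly attached, interface).
# Longest prefix wins, so 0.0.0.0/0 only catches what no other entry matches.
ROUTES = [
    ("172.16.0.0/16",      None,            "eth0"),  # internal LAN
    ("167.125.174.0/26",   None,            "eth1"),  # frame-relay link network
    ("64.3.65.0/24",       None,            "eth2"),  # ISP link network (assumed /24)
    ("167.125.179.128/26", "167.125.174.1", "eth1"),  # static route to the other company
    ("0.0.0.0/0",          "64.3.65.1",     "eth2"),  # the single default gateway
]

def check_default_routes(routes):
    """Return how many default routes the table holds; a sane table has exactly one."""
    return sum(1 for net, _gw, _iface in routes
               if ipaddress.ip_network(net).prefixlen == 0)

def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match: return (interface, gateway) for a destination address."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, iface)
    if best is None:
        raise LookupError(f"no route to {addr}")
    return best[2], best[1]

# ipchains forward chain.  In the forward chain `-i` names the interface the
# packet will leave on, which is why routing must be settled first.
FORWARD_POLICY = "REJECT"
FORWARD_RULES = [
    # ipchains -A forward -s 172.16.0.0/16 -i eth2 -j MASQ    (internet: hide the LAN)
    {"src": "172.16.0.0/16", "iface": "eth2", "target": "MASQ"},
    # ipchains -A forward -s 172.16.0.0/16 -i eth1 -j ACCEPT  (partner link: plain routing)
    {"src": "172.16.0.0/16", "iface": "eth1", "target": "ACCEPT"},
]

def forward_verdict(src, dst, rules=FORWARD_RULES, policy=FORWARD_POLICY):
    """Route the packet, then walk the chain; first matching rule wins, else the policy."""
    out_iface, _gw = route_lookup(dst)
    saddr = ipaddress.ip_address(src)
    for rule in rules:
        if saddr in ipaddress.ip_network(rule["src"]) and rule["iface"] == out_iface:
            return out_iface, rule["target"]
    return out_iface, policy

if __name__ == "__main__":
    assert check_default_routes(ROUTES) == 1
    # Constructed sample packets: LAN host to the internet, LAN host to the
    # partner network, and a packet with a non-LAN source (falls to the policy).
    for src, dst in [("172.16.0.9", "198.51.100.7"),
                     ("172.16.0.9", "167.125.179.130"),
                     ("10.9.9.9", "198.51.100.7")]:
        iface, verdict = forward_verdict(src, dst)
        print(f"{src:>12} -> {dst:<16} out {iface}: {verdict}")
```

The order of the two steps is the point: `forward_verdict` calls `route_lookup` first because the rule's `-i` can only be matched once the outgoing interface is known, which is what raf means by setting up routing independently of ipchains. The forward policy of REJECT means a packet whose source is outside 172.16.0.0/16 is dropped rather than forwarded, and `check_default_routes` makes the "one default gateway" rule a testable property of the table.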

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]