Hello to all the networking-gurus out there!

Sorry if this is a double posting, but my first try was before I subscribed, so I think it didn't get to anybody. Also sorry for the length, but I can't cut it much shorter.

I had a problem with a slightly "non-standard" configuration of the Linux Routing, Masquerading and Portforwarding capabilities. It took me 3 days to get it working (and several postings in this mailing list helped me). BUT: I still don't fully understand WHY it works!

I have the following:

- An SDSL Router which gives me 6 "official" IP-addresses.
- A Linux-PC as Firewall with several NICs, 3 of them used.

One of the NICs is directly connected to the SDSL-device. This is eth1 in the Linux-box, and it has one IP-Alias eth1:0 using another of the 6 addresses:

    IP_INET=X.Y.Z.242 (eth1)
    IP_INET2=X.Y.Z.244 (eth1:0)
    IP_ROUTER=X.Y.Z.241 (DSL-Device)
    defaultroute : IP_ROUTER (via eth1)

Two Company-LANs are connected (via the other 2 NICs) and IP-Masqueraded:

    LAN1=192.168.1.0/24
    LAN2=192.168.0.0/24

    ipchains -A forward -s $LAN1 -p tcp -j MASQ
    ipchains -A forward -s $LAN2 -p tcp -j MASQ

(The Gate runs a caching only nameserver, so no UDP outside is allowed.)

In each company there is one server to be connected via port-forwarding. (One www, one mailserver)

First, the Input is allowed in:

    ipchains -A input -d $IP_INET 80 -p tcp -i $eth1 -j ACCEPT
    ipchains -A input -d $IP_INET2 25 -p tcp -i $eth1 -j ACCEPT

Here is the first thing I didn't know before: ipchains seems to know only the physical device eth1! If I substitute it with $eth1:0 in the second rule, no packets get through.

The Forwarding itself:

    ipmasqadm portfw -a -P tcp -L $IP_INET 80 -R www.1stcompany.de 80
    ipmasqadm portfw -a -P tcp -L $IP_INET2 25 -R mail.othercompany.de 25

Now the Problem is how to get the packets from LAN2 out through the right alias.

On this I found a posting which suggested marking the packets with an ipchains-rule on input and to use an "ip rule add fwmark xx nat ..." to get the address changed. This did not work for me. I tried the simpler rule:

    ip rule add from $LAN2 nat $IP_INET2

and it works! I did not have to add any additional routing tables with source-based routing or such things.

BUT: I can access machines on LAN1 from machines on LAN2 and vice versa. Why does this rule not modify these packets' source addresses? Only packets to the internet get modified (and accidentally, this is what I want.) It seems that this ip-nat-thing only works in conjunction with Masquerading.

Could anyone clear things up a little?

Thanks a lot and a happy new (millennium-bugless) year!

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
