firewall/router - subnet/router - subnet

Post by S Jam » Fri, 05 Sep 2003 22:17:21

Dear networking group,

This is a posting about my network which has a Netgear ADSL Router,
behind which is a firewall/router, behind which is another router to
which a network is attached.

Initially I had the following simple network, which is working

|Netgear ADSL}  External IP: a fixed IP number
|Modem       }  Internal IP:
|                          |
|                          |
|circle:     }  External IP obtained by dhcp to Netgear, and is
|Firewall/   } Internal IP:
|NAT Router  }             |
|                          |
|                          |
|Subnet of clients on, these access the internet using
|ip masq through the machine circle.

circle also has a group of filtering rules which I've set up with
iptables. It's a RH9 box. This all works fine, and machines on the
subnet all access the internet, getting MASQed through
the firewall and then through the Netgear router.

Now I wish to add subnet behind one of the machines on the subnet. This machine is called xerxes. It is also a
RH9 box. It will not do any ip packet filtering. It will actually act
as a thin client server, and the clients on the
network will be the thin clients. However, this is by the by and not
immediately relevant.

|xerxes:     }  External IP:, (by dhcp to circle)
|Router      }  Internal IP:
|                          |
|                          |
|         Subnet of clients on

Here is what I would like the .20.x clients to do: [And if it does it]

1. Access addresses on net.  [Yes]
2. Access addresses on net.  [No]
3. Access the internet, using xerxes router. [No]

And I'd like this from the members of the .10.x subnet:

4. Access addresses on net. [No]
5. Access addresses on net. [Yes]
6. Access the internet, through circle. [Yes]

And I'm currently failing to find how to do this. Can anyone help with
the ip commands that I need to execute on xerxes to do this? Also,
Red Hat has a little GUI for setting up the network devices, which also
has facility for setting up static routes. Does this give enough
flexibility to set up my network?

I imagine I also have to add static routes to the .20.x network on
circle, so it knows where replies to the .20.x subnet need to go. Is
this right?

Here is circle's routing table: dev eth0  proto kernel  scope link  src dev eth1  scope link dev eth1  scope link dev lo  scope link
default via dev eth0

(I don't know what the entry is, but may be related to
xerxes which happens to be running Shaolin Aptus, so I'll ignore that
for now.)

Here is xerxes' routing table: dev eth1  scope link dev eth0  proto kernel  scope link  src dev eth1  scope link dev lo  scope link
default via dev eth0

Can anyone see why it is that I am unable to access circle from one of
xerxes' clients, nor am I able to access any of the other members of
the .10.x subnet from a client on the .20.x subnet?

With best regards,

Seb James.
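
A way to see the missing piece in the routing tables above, as an added example that is not part of the original post: the script below does a longest-prefix lookup over `ip route`-style tables and shows that, until circle has a route for the .20.x subnet via xerxes, its replies to those clients follow the default route toward the Netgear instead of back to xerxes. All 192.168.x.x addresses, interface names and host placements are constructed assumptions standing in for the post's elided values.

```python
"""Longest-prefix lookup over `ip route`-style tables, showing why the .20.x
clients get no replies from circle until circle learns a route back to them."""
import ipaddress

def parse_routes(text):
    """Parse `ip route show` lines into (network, via-or-None, dev) tuples."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]  # bare hosts become /32
        via = f[f.index("via") + 1] if "via" in f else None
        routes.append((ipaddress.ip_network(dest, strict=False), via, f[f.index("dev") + 1]))
    return routes

def lookup(table_text, dst):
    """Most specific matching route for dst, as the kernel picks it: (via, dev)."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in parse_routes(table_text) if addr in r[0]]
    best = max(hits, key=lambda r: r[0].prefixlen)
    return best[1], best[2]
# Constructed addresses (the post's are elided): xerxes is .10.5 on eth0 facing
# circle and .20.1 on eth1 facing the thin clients; circle is .10.1 on eth1.
XERXES = """\
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.5
192.168.20.0/24 dev eth1 scope link
default via 192.168.10.1 dev eth0
"""
# circle as posted: it knows the Netgear link (eth0) and the .10.x subnet (eth1)
# but has no entry for .20.0/24, so replies to those clients fall to the default.
CIRCLE_BEFORE = """\
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2
192.168.10.0/24 dev eth1 scope link
default via 192.168.1.1 dev eth0
"""
# The static route the post suspects is missing, as `ip route add 192.168.20.0/24
# via 192.168.10.5` would install it on circle.
CIRCLE_AFTER = CIRCLE_BEFORE + "192.168.20.0/24 via 192.168.10.5 dev eth1\n"

def round_trip(circle_table, client="192.168.20.7", circle="192.168.10.1"):
    """Forward hop xerxes->circle, circle's reply hop, and whether the reply returns."""
    forward = lookup(XERXES, circle)   # on-link for xerxes (assumes ip_forward=1 there)
    reply = lookup(circle_table, client)
    # The reply comes back only if circle hands it to xerxes on eth1, not to the
    # Netgear over the default route on eth0.
    return forward, reply, reply == ("192.168.10.5", "eth1")

if __name__ == "__main__":
    print("before:", round_trip(CIRCLE_BEFORE))  # reply via 192.168.1.1/eth0: lost
    print("after: ", round_trip(CIRCLE_AFTER))   # reply via 192.168.10.5/eth1: works
```

Reaching the Internet from the .20.x clients additionally needs circle's masquerading rule to match their source range; the script models only the route lookups.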


1. router + linux firewall = subnet ?

Hello everyone,

I'm trying to set up the system below:

        | Router | --------- (out) {Linux FireWall} (in)  ------- {Internal
I have a valid class C address for the setup, with the router being  C.1; I
don't need masquerading since all I need the Linux box to do is packet

What I would like to do is assign C.2 and C.3 to the (out) and (in),
respectively, of the linux box - and the rest of the addresses C.4 - C.254
to the Internal Machines. I've read all the faqs, how-tos, etc but it's not
clear to me that it's possible since:

1. If I configure eth0\(out)\C.2\\C mask\  and then
eth1\(in)\C.3\\C mask\ the routing will be completely messed
up. Both interfaces will point to the same Class C net!

It seems as though the only ways to do it would be to:

1. Subnet the Class C into 2 subclasses with 0-128 in front of linux and
128-255 behind linux. The problem is that you either lose 128 classes or
you use them but don't protect them with the linux box.

2. Use a non-routable net behind the linux box and then use masquerading
with ipautofw to forward any ports from the outside in. But this
overcomplicates the setup needlessly.

3. The last option (and I don't know if it even works) is to change the IPs
and net of the router and (out) interface of Linux to a nonroutable one
(ie,, router,  and, linux). Then play with the
routing tables on the linux box to add a default route, for outbound
traffic, for eth1 (inside if) to (that of eth1)  and then a
default route of for eth0. For its part the router .... and
here it gets complicated really quick.

I have a feeling that I'm overcomplicating things and that the solution is
right in front of me. Does anyone have any thoughts ? Has anyone
implemented fixed, routable class C packet filtering going through a router

Any help or thoughts are greatly appreciated.

