routing (repost)

Post by Andrey Shcherbin » Wed, 04 Apr 2001 23:31:37



Hi,

I have posted these questions before but I never get a solution that works. So, I'm trying it again.

First, I need to know where to establish static routes in Debian. The only information I can find relates to RedHat, and of course it doesn't work for Debian.

Second question is as follows:

I have a router which I have no access to. I can't even change IP address on it. My concern is security, that's why I decided to insert a Linux box between LAN and that router (kinda cheap, but considering the time I already spent setting up Linux, I could probably buy another CISCO for that time/money). I can't change LAN IP addressing, neither can I change the router IP address, so they remain with addressing on the same subnet. How can I implement a router (or is there something else could be done) where I could use firewalling and get control over that connection?

I've already received a suggestion to setup 192.168.1.1 on the interface connected to the router. It didn't work as I can ping both the router and LAN from the Linux box, but it doesn't forward any packets between them.

Then I get another suggestion to make router side interface IP address local, but remove network route from that interface and add host route. Here's what I have now and it doesn't work. Maybe I missed something?

Router IP = 57.230.65.129 255.255.255.128 (although I'm using a laptop as a router emulator with address 57.230.65.254 255.255.255.128 for testing purposes)
LAN = 57.230.65.128 255.255.255.128

Linux eth0 (LAN) = 57.230.65.251 255.255.255.128
Linux eth1 (router side) = 57.230.65.253 255.255.255.255

Then I use:
route add -host 57.230.65.254 gw 57.230.65.253 eth1

and my route table looks like this:

Destination      Gateway          Genmask            Flags  Metric   Ref     Use     Iface
57.230.65.254    57.230.65.253    255.255.255.255    UGH    0        0       0       eth1
localhost        *                255.255.255.128    U      0        0       0       eth0

I can ping eth1 from the LAN and eth0 from the router "emulator". Although I can't ping LAN from the emulator and vice versa.

Could someone please help me or point me to the right direction. All info I have is about different subnets. As I mentioned I can't change IP addressing on either the router or LAN.

Thank you,
Andrey

 
 
 

Post by Glitc » Thu, 05 Apr 2001 11:49:19



TAKE out the HTML and someone might actually respond with help



 
 
 

Post by Andrey Shcherbin » Thu, 05 Apr 2001 20:54:55


Sorry guyz who can't read HTML in their newsreaders. I didn't realize that
it's posted that way.
Here's plain text version:

Hi,

I have posted these questions before but I never get a solution that works.
So, I'm trying it again.

First, I need to know where to establish static routes in Debian. The only
information I can find relates to RedHat, and of course it doesn't work for
Debian.

Second question is as follows:

I have a router which I have no access to. I can't even change IP address
on it. My concern is security, that's why I decided to insert a Linux box
between LAN and that router (kinda cheap, but considering the time I already
spent setting up Linux, I could probably buy another CISCO for that
time/money). I can't change LAN IP addressing, neither can I change the
router IP address, so they remain with addressing on the same subnet. How
can I implement a router (or is there something else could be done) where I
could use firewalling and get control over that connection?

I've already received a suggestion to setup 192.168.1.1 on the interface
connected to the router. It didn't work as I can ping both the router and
LAN from the Linux box, but it doesn't forward any packets between them.

Then I get another suggestion to make router side interface IP address
local, but remove network route from that interface and add host route.
Here's what I have now and it doesn't work. Maybe I missed something?

Router IP = 57.230.65.129 255.255.255.128 (although I'm using a laptop as a
router emulator with address 57.230.65.254 255.255.255.128 for testing
purposes)
LAN = 57.230.65.128 255.255.255.128

Linux eth0 (LAN) = 57.230.65.251 255.255.255.128
Linux eth1 (router side) = 57.230.65.253 255.255.255.255

Then I use:
route add -host 57.230.65.254 gw 57.230.65.253 eth1

and my route table looks like this:

Destination      Gateway          Genmask            Flags  Metric   Ref     Use     Iface
57.230.65.254    57.230.65.253    255.255.255.255    UGH    0        0       0       eth1
localhost        *                255.255.255.128    U      0        0       0       eth0

I can ping eth1 from the LAN and eth0 from the router "emulator". Although I
can't ping LAN from the emulator and vice versa.

Could someone please help me or point me to the right direction. All info I
have is about different subnets. As I mentioned I can't change IP addressing
on either the router or LAN.

Thank you,
Andrey




> TAKE out the HTML and someone might actually respond with help

 
 
 

Post by Dean Thompso » Thu, 05 Apr 2001 22:08:19


Hi Andrey,

Quote:> First, I need to know where to establish static routes in Debian. The only
> information I can find relates to RedHat, and of course it doesn't work for
> Debian.

It would appear that Debian uses a file called route.conf to do its routing
for you.  You may also have to run a script as well to make it happen. You
might like to check the following URL out.  

http://www.rslomkow.org/Pretender/scripts/static_route.html

Quote:> Second question is as follows:
> I have a router which I have no access to. I can't even change IP address
> on it. My concern is security, that's why I decided to insert a Linux box
> between LAN and that router (kinda cheap, but considering the time I
> already spent setting up Linux, I could probably buy another CISCO for that
> time/money). I can't change LAN IP addressing, neither can I change the
> router IP address, so they remain with addressing on the same subnet. How
> can I implement a router (or is there something else could be done) where I
> could use firewalling and get control over that connection?

Well it looks like you might be backed into a corner with regards to what you
can do if you can't change the IP addressing nor changing the subnet masks
(subnetting of the network).

I would do something like this:

+------+
+ROUTER+
+------+
   +
   +
+------+
+LINUX +
+------+
   +
   +
   <----- The rest of the network goes in here

The machines in your network use your Linux machine as the gateway and then
your linux machine routes all of its data to the router.  The router can then
send all the data back to your linux (you really want to have a static route
put in there otherwise you might have to proxyarp things).  This then gives
you a firewall which you can control.

From what I have read, the Debian linux should see that it has two network
cards and automatically start IP forwarding provided the kernel has it
compiled in.  Failing that you might have to use the ipmasqadm functions to
achieve the result.

Without any freedom to redesign your network, you will be limited in what
options are available to you.

See ya

Dean Thompson

--
+____________________________+____________________________________________+

| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+

 
 
 

Post by Andrey Shcherbin » Thu, 05 Apr 2001 23:50:10


Hi,


Quote:

> Hi Andrey,

> > First, I need to know where to establish static routes in Debian. The only
> > information I can find relates to RedHat, and of course it doesn't work for
> > Debian.

> It would appear that Debian uses a file called route.conf to do its routing
> for you.  You may also have to run a script as well to make it happen. You
> might like to check the following URL out.

> http://www.rslomkow.org/Pretender/scripts/static_route.html

> > Second question is as follows:

> > I have a router which I have no access to. I can't even change IP address
> > on it. My concern is security, that's why I decided to insert a Linux box
> > between LAN and that router (kinda cheap, but considering the time I
> > already spent setting up Linux, I could probably buy another CISCO for that
> > time/money). I can't change LAN IP addressing, neither can I change the
> > router IP address, so they remain with addressing on the same subnet. How
> > can I implement a router (or is there something else could be done) where I
> > could use firewalling and get control over that connection?

> Well it looks like you might be backed into a corner with regards to what you
> can do if you can't change the IP addressing nor changing the subnet masks
> (subnetting of the network).

> I would do something like this:

> +------+
> +ROUTER+
> +------+
>    +
>    +
> +------+
> +LINUX +
> +------+
>    +
>    +
>    <----- The rest of the network goes in here

> The machines in your network use your Linux machine as the gateway and then
> your linux machine routes all of its data to the router.  The router can then
> send all the data back to your linux (you really want to have a static route
> put in there otherwise you might have to proxyarp things).  This then gives
> you a firewall which you can control.

That's exactly what I have. I just realized that the router (now it's
emulator) thinks that it resides on a LAN and tries to reach all local hosts
directly, not using any gateways (this includes returning ping requests,
doesn't it?). If that's true, is there any way to cheat it? Is there a way
to make the Linux box "invisible" to the router so it thinks that it's
connected to the LAN directly.

Sorry if the questions are lame.

Thank you,
Andrey

Quote:> From what I have read, the Debian linux should see that it has two network
> cards and automatically start IP forwarding provided the kernel has it
> compiled in.  Failing that you might have to use the ipmasqadm functions to
> achieve the result.

> Without any freedom to redesign your network, you will be limited in what
> options are available to you.

> See ya

> Dean Thompson

 
 
 

Post by Dean Thompso » Thu, 05 Apr 2001 23:55:50


Hi!,

[...]

Quote:> That's exactly what I have. I just realized that the router (now it's
> emulator) thinks that it resides on a LAN and tries to reach all local
> hosts directly, not using any gateways (this includes returning ping
> requests, doesn't it?). If that's true, is there any way to cheat it? Is
> there a way to make the Linux box "invisible" to the router so it thinks
> that it's connected to the LAN directly.

That is the problem.  With no real access to the router and with the router
basically running around with a 255.255.255.0 netmask (which I presume it is
using) you will be stuck.  Personally, I would divide the subnet up and have a
group of hosts (about 6) just doing the routing stuff.  The trouble is that
your router doesn't know to send all the data to your linux box for further
processing.  As a result, everyone can use you as a gateway to get out but no
one will use you as a gateway to get in, when the router can get there itself.

See ya

Dean Thompson


 
 
 

Post by Andrey Shcherbin » Sat, 07 Apr 2001 04:17:40


:(((

Is there anything that would at least monitor all the traffic on LAN and
discover/log all foreign packets?


Quote:

> Hi!,

> [...]

> > That's exactly what I have. I just realized that the router (now it's
> > emulator) thinks that it resides on a LAN and tries to reach all local
> > hosts directly, not using any gateways (this includes returning ping
> > requests, doesn't it?). If that's true, is there any way to cheat it? Is
> > there a way to make the Linux box "invisible" to the router so it thinks
> > that it's connected to the LAN directly.

> That is the problem.  With no real access to the router and with the router
> basically running around with a 255.255.255.0 netmask (which I presume it is
> using) you will be stuck.  Personally, I would divide the subnet up and have a
> group of hosts (about 6) just doing the routing stuff.  The trouble is that
> your router doesn't know to send all the data to your linux box for further
> processing.  As a result, everyone can use you as a gateway to get out but no
> one will use you as a gateway to get in, when the router can get there itself.

> See ya

> Dean Thompson

 
 
 

Post by Dean Thompso » Sat, 07 Apr 2001 09:58:47


Hi Andrey,

Quote:> Is there anything that would at least monitor all the traffic on LAN and
> discover/log all foreign packets?

You can use packages like SNORT and TCPDUMP to inspect the inside of packets
and you can use ipchains to log the destination and source address of the
packets.  It sounds to me however, that you are getting pretty close to the
issues of privacy on the network...

See ya

Dean Thompson

--
+____________________________+____________________________________________+

| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+
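
Added example, not written by anyone in this thread: one way to turn the "discover/log all foreign packets" idea into a check over the text output of `tcpdump -n`. The capture lines are constructed, and both definitions used here are assumptions of the example: a packet is foreign when its source is outside 57.230.65.128/25, and solicited when the LAN earlier sent the mirrored address/port pair.

```python
import ipaddress
import re
from collections import Counter

LAN = ipaddress.ip_network("57.230.65.128/25")   # LAN subnet from the thread

# Constructed capture in `tcpdump -n` text format. All hosts and ports are
# made up for illustration, apart from the router address 57.230.65.129.
SAMPLE = """\
10:15:01.100001 IP 57.230.65.130.1025 > 57.230.65.140.139: Flags [S], seq 1, win 8192, length 0
10:15:01.200002 IP 198.51.100.7.40001 > 57.230.65.130.23: Flags [S], seq 7, win 512, length 0
10:15:02.300003 ARP, Request who-has 57.230.65.130 tell 57.230.65.129, length 46
10:15:02.400004 IP 57.230.65.130.1026 > 203.0.113.9.80: Flags [S], seq 9, win 8192, length 0
10:15:03.500005 IP 198.51.100.7.40002 > 57.230.65.131.23: Flags [S], seq 8, win 512, length 0
10:15:03.600006 IP 203.0.113.9.80 > 57.230.65.130.1026: Flags [S.], seq 3, ack 10, win 8192, length 0
10:15:04.700007 IP 192.0.2.55 > 57.230.65.255: ICMP echo request, id 1, seq 1, length 64
"""

# Timestamp, "IP", source[.port] > destination[.port]:  (ports absent for ICMP)
LINE = re.compile(
    r"^(?P<ts>\S+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: "
)


def foreign_packets(text, lan=LAN):
    """Return one record per IPv4 packet whose source lies outside `lan`.

    A record is marked solicited when an earlier packet from the LAN went to
    the same peer with the mirrored address/port pair, which is the test a
    stateful firewall in the path would have applied.
    """
    outbound, records = set(), []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:                          # ARP and other non-IPv4 lines
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src in lan:
            if dst not in lan:             # remember flows the LAN opened
                outbound.add((src, m["sport"], dst, m["dport"]))
            continue
        mirrored = (dst, m["dport"], src, m["sport"])
        records.append({
            "ts": m["ts"], "src": str(src), "dst": str(dst),
            "dport": m["dport"], "solicited": mirrored in outbound,
        })
    return records


def unsolicited_by_source(records):
    """Count unsolicited foreign packets per source address."""
    return Counter(r["src"] for r in records if not r["solicited"])


if __name__ == "__main__":
    recs = foreign_packets(SAMPLE)
    for r in recs:
        print(r)
    print(unsolicited_by_source(recs))
```

The result only covers what the capture point can see, so the sensor has to sit where the router's traffic passes.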

 
 
 

Post by Andrey Shcherbin » Sun, 08 Apr 2001 01:41:07


SNORT looks good. The only question is:

My servers, routers and hubs connected to a routing switch, and workstations
connected to hubs. Is it still possible to monitor network in this case? If
yes, where do I connect the monitoring station?

Thanks,
Andrey


Quote:

> Hi Andrey,

> > Is there anything that would at least monitor all the traffic on LAN and
> > discover/log all foreign packets?

> You can use packages like SNORT and TCPDUMP to inspect the inside of packets
> and you can use ipchains to log the destination and source address of the
> packets.  It sounds to me however, that you are getting pretty close to the
> issues of privacy on the network...

> See ya

> Dean Thompson

 
 
 

Post by Andrey Shcherbin » Sun, 08 Apr 2001 05:36:00


OK, got it. I'm going to connect the router I need to monitor on the same
hub with the sensor station.


> SNORT looks good. The only question is:

> My servers, routers and hubs connected to a routing switch, and workstations
> connected to hubs. Is it still possible to monitor network in this case? If
> yes, where do I connect the monitoring station?

> Thanks,
> Andrey



> > Hi Andrey,

> > > Is there anything that would at least monitor all the traffic on LAN and
> > > discover/log all foreign packets?

> > You can use packages like SNORT and TCPDUMP to inspect the inside of packets
> > and you can use ipchains to log the destination and source address of the
> > packets.  It sounds to me however, that you are getting pretty close to the
> > issues of privacy on the network...

> > See ya

> > Dean Thompson


 
 
 

Post by Dean Thompso » Sun, 08 Apr 2001 12:54:48


Hi Andrey,

Quote:> SNORT looks good. The only question is:

> My servers, routers and hubs connected to a routing switch, and
> workstations connected to hubs. Is it still possible to monitor network in
> this case? If yes, where do I connect the monitoring station?

That could be difficult, you either want to target the "gateway" machine where
it all comes together or take a look at your routing switch and see whether it
provides support for a monitoring network point.  I know that on some CISCO
and Catalyst switches that I have had in the past, there was always an option
inside the system to specify that a certain port was the monitoring port.
This allows protocol analysers to sit on the port and listen to all the
traffic.  You will have to dig out the old manual and see what you can find.

See ya

Dean Thompson


 
 
 

Post by Vincent Zweij » Wed, 11 Apr 2001 20:59:28





||  > I would do something like this:
||  >
||  > +------+
||  > +ROUTER+
||  > +------+
||  >    +
||  >    +
||  > +------+
||  > +LINUX +
||  > +------+
||  >    +
||  >    +
||  >    <----- The rest of the network goes in here
||  >
||  > The machines in your network use your Linux machine as the gateway and
||  > then your linux machine routes all of its data to the router.  The router
||  > can then send all the data back to your linux (you really want to have a
||  > static route put in there otherwise you might have to proxyarp things).
||  > This then gives you a firewall which you can control.

||  That's exactly what I have. I just realized that the router (now it's
||  emulator) thinks that it resides on a LAN and tries to reach all local
||  hosts directly, not using any gateways (this includes returning ping
||  requests, doesn't it?). If that's true, is there any way to cheat it? Is
||  there a way to make the Linux box "invisible" to the router so it thinks
||  that it's connected to the LAN directly.

The previous poster already mentioned the cheat.  It's proxy arp.

Basically, it lets your linux machine claim to the router that it owns
all IP addresses for the whole internal network.

Good luck.                                                    Vincent.
--

<http://www.xs4all.nl/~zweije/>      | don't read, does anybody get burnt?"
[Xhost should be taken out and shot] |            -- Paul Tomblin on a.s.r.
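
Added example, not part of any post in this thread: a small Python model of the thread's topology that shows why ARP requests between the router and the LAN go unanswered, and how proxy ARP on the Linux box changes that. The workstation address 57.230.65.130, the segment names and the Linux routes (a host route to the router via eth1, the /25 via eth0) are assumptions; the proxy-ARP rule modelled is the Linux one, which answers only when the target is routed out of a different interface.

```python
import ipaddress
from dataclasses import dataclass, field

ip, net = ipaddress.ip_address, ipaddress.ip_network
LAN = net("57.230.65.128/25")        # subnet shared by router and LAN (from the thread)
ROUTER = ip("57.230.65.129")         # router address from the thread
WS = ip("57.230.65.130")             # constructed workstation address (assumption)


@dataclass
class Node:
    name: str
    ifaces: dict                     # iface name -> (segment name, own IP)
    routes: list                     # (network, iface name, gateway or None)
    forwarding: bool = False
    proxy_arp: set = field(default_factory=set)   # ifaces with proxy ARP enabled

    def lookup(self, dst):
        """Longest-prefix match: (outgoing iface, IP to ARP for) or None."""
        hits = [r for r in self.routes if dst in r[0]]
        if not hits:
            return None
        _, iface, gw = max(hits, key=lambda r: r[0].prefixlen)
        return iface, (gw or dst)

    def answers_arp(self, iface, target):
        """Would this node reply to an ARP request for target heard on iface?"""
        if self.ifaces[iface][1] == target:
            return True
        if not (self.forwarding and iface in self.proxy_arp):
            return False
        hit = self.lookup(target)
        # Proxy ARP: answer only when the target is routed out of another NIC.
        return hit is not None and hit[0] != iface


def trace(nodes, src, dst, max_hops=4):
    """Follow one packet hop by hop; return (delivered, path)."""
    cur, path = nodes[src], [src]
    for _ in range(max_hops):
        if any(addr == dst for _, addr in cur.ifaces.values()):
            return True, path
        if cur.name != src and not cur.forwarding:
            return False, path
        hit = cur.lookup(dst)
        if hit is None:
            return False, path + ["no route"]
        iface, arp_for = hit
        segment = cur.ifaces[iface][0]
        responders = [n for n in nodes.values() if n is not cur
                      for i, (seg, _) in n.ifaces.items()
                      if seg == segment and n.answers_arp(i, arp_for)]
        if not responders:
            return False, path + [f"ARP for {arp_for} unanswered on {segment}"]
        cur = responders[0]
        path.append(cur.name)
    return False, path


def build(proxy_arp):
    """router -(uplink)- eth1 [linux] eth0 -(lan)- workstation."""
    router = Node("router", {"e0": ("uplink", ROUTER)}, [(LAN, "e0", None)])
    ws = Node("ws", {"e0": ("lan", WS)}, [(LAN, "e0", None)])
    linux = Node(
        "linux",
        {"eth0": ("lan", ip("57.230.65.251")),
         "eth1": ("uplink", ip("57.230.65.253"))},
        [(LAN, "eth0", None), (net("57.230.65.129/32"), "eth1", None)],
        forwarding=True,
        proxy_arp={"eth0", "eth1"} if proxy_arp else set(),
    )
    return {n.name: n for n in (router, ws, linux)}


if __name__ == "__main__":
    for enabled in (False, True):
        nodes = build(enabled)
        print("proxy_arp =", enabled)
        print("  router -> ws:", trace(nodes, "router", WS))
        print("  ws -> router:", trace(nodes, "ws", ROUTER))
```

On Linux the two switches modelled here correspond to the sysctls `net.ipv4.ip_forward` and `net.ipv4.conf.<iface>.proxy_arp`.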

 
 
 

Post by Dean Thompso » Thu, 12 Apr 2001 13:16:09


Hi!,



>|| > I would do something like this:
>|| >
>|| > +------+
>|| > +ROUTER+
>|| > +------+
>|| >    +
>|| >    +
>|| > +------+
>|| > +LINUX +
>|| > +------+
>|| >    +
>|| >    +
>|| >    <----- The rest of the network goes in here
>|| >
>|| > The machines in your network use your Linux machine as the gateway and
>|| > then your linux machine routes all of its data to the router.  The
>|| > router can then send all the data back to your linux (you really want
>|| > to have a static route put in there otherwise you might have to
>|| > proxyarp things).  This then gives you a firewall which you can
>|| > control.
>|| That's exactly what I have. I just realized that the router (now it's
>|| emulator) thinks that it resides on a LAN and tries to reach all local
>|| hosts directly, not using any gateways (this includes returning ping
>|| requests, doesn't it?). If that's true, is there any way to cheat it? Is
>|| there a way to make the Linux box "invisible" to the router so it thinks
>|| that it's connected to the LAN directly.

> The previous poster already mentioned the cheat.  It's proxy arp.

> Basically, it lets your linux machine claim to the router that it owns
> all IP addresses for the whole internal network.

Yes, but as you mentioned it is a cheat.  Surely a better designed network
would be better :)

See ya

Dean Thompson


 
 
 
