routing firewall (no masq), please help

routing firewall (no masq), please help

Post by Alex » Fri, 19 Oct 2001 03:16:01



I am not a complete newbie. I read all related howtos on Linuxdoc, but I
can't figure this out.
I am trying to set up a router+firewall on a RedHat 7.1 box. I am not using
masquerading, since computers on the LAN have assigned IPs. I can't set up
routing on the Linux box, since I don't have a whole class C network. And I
just can't figure out mask arithmetic.
Any help on routing will be greatly appreciated.

Here is my setup:

        ISP Gateway
        xxx.xxx.xxx.1
                 |
                 |
                V
 _______eth0________
|   xxx.xxx.xxx.129 |
|                   |
|       LINUX       |
|                   |
|    198.168.1.1    |
|_______eth1________|
                 |
                 |
                V
Lan workstations w/ static ips:
    xxx.xxx.xxx.117
    xxx.xxx.xxx.118
    xxx.xxx.xxx.119
    xxx.xxx.xxx.120
    xxx.xxx.xxx.121
    xxx.xxx.xxx.122
    xxx.xxx.xxx.124
    xxx.xxx.xxx.128
    xxx.xxx.xxx.130
    xxx.xxx.xxx.132
    xxx.xxx.xxx.135
    xxx.xxx.xxx.145
    xxx.xxx.xxx.150
    xxx.xxx.xxx.151
    xxx.xxx.xxx.152
    xxx.xxx.xxx.153
    xxx.xxx.xxx.154
    xxx.xxx.xxx.155
    xxx.xxx.xxx.159
    xxx.xxx.xxx.160
    xxx.xxx.xxx.161

Thanks.
-Alex

 
 
 

routing firewall (no masq), please help

Post by h.follm.. » Fri, 19 Oct 2001 04:10:32


You are using the private address 192.168.1.1.
You cannot do that!

If you have two interfaces you need two IPs!

--
Henning Follmann      |     8 Jane Road
Tel.: +1 908 656 7061 |     New Providence, NJ 07974


 
 
 

routing firewall (no masq), please help

Post by Karl Heye » Fri, 19 Oct 2001 04:41:59




Quote:> routing on the Linux box, since I don't have a whole C class network. And I
> just can't figure out mask arithmetic.

I'm not surprised; there really isn't a mask you can use. You have gaps in the
numbers, which makes masking not viable.

....

Quote:> |                                    |
> |       198.168.1.1          |
> |_______eth1________|
>                  |

Don't use the 198.168.1.1 or as I suspect the 192.168. numbers, unless you
have a LAN with those numbers on.

Quote:>                  |
>                 V
> Lan workstations w/ static ips:
>     xxx.xxx.xxx.117
>     xxx.xxx.xxx.118
>     xxx.xxx.xxx.119
>     xxx.xxx.xxx.120
>     xxx.xxx.xxx.121
>     xxx.xxx.xxx.122
>     xxx.xxx.xxx.124
>     xxx.xxx.xxx.128
>     xxx.xxx.xxx.130
>     xxx.xxx.xxx.132
>     xxx.xxx.xxx.135
>     xxx.xxx.xxx.145
>     xxx.xxx.xxx.150
>     xxx.xxx.xxx.151
>     xxx.xxx.xxx.152
>     xxx.xxx.xxx.153
>     xxx.xxx.xxx.154
>     xxx.xxx.xxx.155
>     xxx.xxx.xxx.159
>     xxx.xxx.xxx.160
>     xxx.xxx.xxx.161

The provider should give you a netmask for talking to their gateway. What you
need is to route traffic which matches that netmask down eth0, with the
default to their gateway, but add in host routes for each static IP down
eth1.

eg

net          gw           mask            FLAGS  Iface
xx.xx.xx.0   0.0.0.0      255.255.255.0   U      eth0
xx.xx.xx.117 0.0.0.0      255.255.255.255 UH     eth1
xx.xx.xx.118 0.0.0.0      255.255.255.255 UH     eth1
....
....
default      xx.xx.xx.1   0.0.0.0         UG     eth0

The question you need to address is what IP eth1 should be. The 192.168
series is fine, but the clients will not know how to get there, as they only
know the xx.xx.xx.0 range.

karl.
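Two things from Alex's question and Karl's answer are worth seeing in working code: Karl's claim that no netmask fits a host list with gaps, and the route table he sketches (one network route down eth0, a /32 host route per workstation down eth1, the default to the ISP gateway). The block below is an added example, not code from the thread. 203.0.113.0/24 (RFC 5737 documentation space) stands in for the xxx.xxx.xxx prefix Alex masked; the last octets are the ones he listed. The proxy-ARP sysctls, the choice to give eth1 the same address as eth0, and the three iptables lines are this editor's assumptions about how to finish the job, not something the thread settled.

```python
"""Covering-prefix check for Alex's host list, and the route plan Karl's table implies."""
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List, Optional

NET = IPv4Network("203.0.113.0/24")        # the ISP's /24 (xx.xx.xx.0/24 in Karl's table); stand-in prefix
ISP_GATEWAY = IPv4Address("203.0.113.1")   # xxx.xxx.xxx.1
ETH0_ADDR = IPv4Address("203.0.113.129")   # xxx.xxx.xxx.129
# Last octets exactly as Alex listed them (constructed sample, real prefix unknown)
LAN_LAST_OCTETS = [117, 118, 119, 120, 121, 122, 124, 128, 130, 132, 135,
                   145, 150, 151, 152, 153, 154, 155, 159, 160, 161]
LAN_HOSTS = [IPv4Address(f"203.0.113.{o}") for o in LAN_LAST_OCTETS]


def covering_prefix(hosts: Iterable[IPv4Address]) -> IPv4Network:
    """Smallest CIDR block containing every address: the 'mask arithmetic' Alex asked about."""
    hosts = list(hosts)
    lo, hi = min(hosts), max(hosts)
    block = IPv4Network(f"{lo}/32")
    while hi not in block:            # widen by one bit until the highest host fits
        block = block.supernet()
    return block


def intruders(block: IPv4Network, hosts: Iterable[IPv4Address],
              outsiders: Iterable[IPv4Address]) -> List[IPv4Address]:
    """Addresses the covering block would wrongly claim for the eth1 side."""
    wanted = set(hosts)
    return [a for a in outsiders if a in block and a not in wanted]


def proxy_arp_plan(hosts: Iterable[IPv4Address], eth0_addr: IPv4Address, net: IPv4Network,
                   gateway: IPv4Address, eth1_addr: Optional[IPv4Address] = None) -> List[str]:
    """Commands for a split-/24 router with no NAT (iproute2, sysctl, 2.4-era iptables).

    Assumption of this example: eth1 reuses eth0's address (Linux accepts one
    address on two interfaces), so no private range is needed. With proxy_arp on
    both interfaces the workstations keep netmask /24 and default gateway .1:
    they ARP for .1 on eth1 and the router answers; the ISP gateway ARPs for
    .117 on eth0 and the router answers. In both cases the router's route to
    the target leaves via the other interface, which is what proxy_arp checks.
    """
    eth1_addr = eth1_addr or eth0_addr
    cmds = [
        "sysctl -w net.ipv4.ip_forward=1",
        "sysctl -w net.ipv4.conf.eth0.proxy_arp=1",
        "sysctl -w net.ipv4.conf.eth1.proxy_arp=1",
        f"ip addr add {eth0_addr}/{net.prefixlen} dev eth0",   # yields the xx.xx.xx.0/24 'U' row
        f"ip addr add {eth1_addr}/32 dev eth1",
    ]
    cmds += [f"ip route add {h}/32 dev eth1" for h in hosts]   # the 'UH' rows, one per workstation
    cmds.append(f"ip route add default via {gateway} dev eth0")
    cmds += [   # minimal stateful FORWARD policy, so the box is a firewall and not only a router
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT",
    ]
    return cmds


if __name__ == "__main__":
    block = covering_prefix(LAN_HOSTS)
    print(f"covering block: {block} ({block.num_addresses} addresses for {len(LAN_HOSTS)} hosts)")
    print("it would also swallow:", intruders(block, LAN_HOSTS, [ISP_GATEWAY, ETH0_ADDR]))
    print("\n".join(proxy_arp_plan(LAN_HOSTS, ETH0_ADDR, NET, ISP_GATEWAY)))
```

Run stand-alone it shows why Karl is right: the lowest host (.117) and the highest (.161) differ in the top bit of the last octet, so the only block that covers them all is the whole /24, which also contains the ISP gateway (.1) and the router's own eth0 address (.129). The plan it prints is a dry run; review it before pasting into an rc.local on a box you can only reach over the network it reconfigures.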

 
 
 

routing firewall (no masq), please help

Post by James Knot » Sat, 20 Oct 2001 21:48:41


You can't use the 198.162.x.x address range without masquerading, as
those are considered "local addresses", which are supposed to be
blocked by the internet.


> I am not a complete newbie. I read all related howtos on Linuxdoc, but
> I can't figure this out.
> I am trying to set up a router+firewall on RedHat7.1 box. I am not
> using masquerading. Since computers on the lan have assigned ips. I
> can't setup routing on the Linux box, since I don't have a whole C
> class network. And I just can't figure out mask arithmetic.
> Any help on routing will be greatly appreciated.

> Here is my setup:

>         ISP Gateway
>         xxx.xxx.xxx.1
>                  |
>                  |
>                 V
>  _______eth0________
> |    xxx.xxx.xxx.129       |
> |                                    |
> |           LINUX             |
> |                                    |
> |       198.168.1.1          |
> |_______eth1________|
>                  |
>                  |
>                 V
> Lan workstations w/ static ips:
>     xxx.xxx.xxx.117
>     xxx.xxx.xxx.118
>     xxx.xxx.xxx.119
>     xxx.xxx.xxx.120
>     xxx.xxx.xxx.121
>     xxx.xxx.xxx.122
>     xxx.xxx.xxx.124
>     xxx.xxx.xxx.128
>     xxx.xxx.xxx.130
>     xxx.xxx.xxx.132
>     xxx.xxx.xxx.135
>     xxx.xxx.xxx.145
>     xxx.xxx.xxx.150
>     xxx.xxx.xxx.151
>     xxx.xxx.xxx.152
>     xxx.xxx.xxx.153
>     xxx.xxx.xxx.154
>     xxx.xxx.xxx.155
>     xxx.xxx.xxx.159
>     xxx.xxx.xxx.160
>     xxx.xxx.xxx.161

> Thanks.
> -Alex

--


james.knott.

 
 
 

1. IP HELP PLEASE: Source Routing, Multiple Internet Connections, NAT, Firewalls, and NO DMZ

Dear Linux Network Gurus,

Consider the following network:
http://mywebpages.comcast.net/mgeorge3/network_layout.jpg

Summary
=======

The linux box has (3) interfaces,

eth0 can get to the Internet via a pure IP connection and to Internal
Network A via a router.
eth1 is a private network and is not routed.
eth2 can get to the Internet via a NAT/Firewall and is directly connected to
Internal Network B.

The linux box does NOT have to route for the network, but has to do source
routing because the Firewall runs NAT and translates addresses, thus
anything that comes in from the Internet, needs to go out via the same
interface/path it came in on.  The main purpose of this server is to accept
incoming SSH connections from all interfaces and host a SQUID proxy server.

Source routing works fine using the following "ip" commands:

# Setup Source Routing for ISP#1
ip rule add from 159.138.101.44 lookup 1
ip route add 0/0 via 159.138.101.3 table 1
# Setup Source IP Routing for ISP#2
ip rule add from 148.9.200.210 lookup 2
ip route add 0/0 via 148.9.200.4 table 2

However, I cannot seem to construct rules/routes that get traffic initiated
from the server to the respective networks.

For example, if I add this: "ip route add 158.138.52.0 via 159.138.101.3
table 1"

I would expect any traffic destined for 159.138.52.0 to be forwarded to the
router interface 159.138.101.3, however both traceroute and ping fail.  Even
if I put in a static route using "route add -net 159.138.52.0 netmask
255.255.255.0 gw 159.138.101.3", I still can't get packets to leave the
server.

To make it even more complex, the 148.9.200.210 is tricky since the
Inbound/Outbound interface are the same.  This interface doesn't have a DMZ
and there are hosts sitting on the subnet.

I have been racking my brain on this for 2 days and reading everything I can
find on IP, but there isn't an example for my situation.   I am sick of
driving out to the console of this server every time I hose up the routing
tables.  I have found many fine examples, but they do not address my
particular situation.  This may just be something that the "ip route/rule"
command can't handle, but I doubt it.

Fine Examples:
http://www.linuxgrill.com
http://www.samag.com

As always, I appreciate the insight and help from this newsgroup.
I don't think I'll figure this solution out on my own anytime soon.

-Michael George
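The mechanism behind Michael's "ip rule add from ... lookup N" lines is easy to get wrong, so here is a small model of the Linux routing policy database (RPDB) loaded with the rules and routes from his post. It is an added example, not code from the post or from iproute2; the /24 masks on eth0 and eth2 and the table/priority numbers are assumptions, and the model leaves out the local table, scopes and metrics. It keeps the parts that matter: rules are tried in priority order, each with optional "from" and "to" selectors naming a table; inside a table the longest prefix wins; a table with no matching route falls through to the next rule. The two behaviours it exposes are (a) a packet the server itself originates is looked up before it has a source address, so a "from 159.138.101.44" rule cannot match it and a route added only to table 1 is never consulted for it, whereas a "to" selector catches it, and (b) a per-ISP table that holds only a default route sends traffic for hosts on the directly connected 148.9.200.0 subnet (the "no DMZ, hosts on the subnet" case) to the NAT box instead of out the interface, unless the connected route is copied into that table.

```python
"""Model of the Linux RPDB (ip rule / ip route ... table N) applied to Michael's box."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# A locally originated packet is routed before it has a source address; the
# kernel looks it up with saddr 0.0.0.0, which no 'from X' selector matches.
UNSPEC = IPv4Address("0.0.0.0")


@dataclass
class Route:
    dst: IPv4Network
    via: Optional[IPv4Address]   # None: directly connected
    dev: str


@dataclass
class Rule:
    prio: int
    table: str
    src: Optional[IPv4Network] = None   # 'from' selector
    dst: Optional[IPv4Network] = None   # 'to' selector

    def matches(self, saddr: IPv4Address, daddr: IPv4Address) -> bool:
        return (self.src is None or saddr in self.src) and (self.dst is None or daddr in self.dst)


@dataclass
class Rpdb:
    rules: List[Rule] = field(default_factory=list)
    tables: Dict[str, List[Route]] = field(default_factory=dict)

    def rule(self, prio: int, table: str, src: Optional[str] = None, dst: Optional[str] = None) -> None:
        """ip rule add [from SRC] [to DST] lookup TABLE pref PRIO"""
        self.rules.append(Rule(prio, table,
                               IPv4Network(src) if src else None,
                               IPv4Network(dst) if dst else None))
        self.rules.sort(key=lambda r: r.prio)

    def route(self, table: str, dst: str, dev: str, via: Optional[str] = None) -> None:
        """ip route add DST [via VIA] dev DEV table TABLE"""
        self.tables.setdefault(table, []).append(
            Route(IPv4Network(dst), IPv4Address(via) if via else None, dev))

    def lookup(self, daddr: str, saddr: str = str(UNSPEC)) -> Tuple[Optional[str], Optional[Route]]:
        """(table, route) the kernel would choose, or (None, None) for 'no route to host'."""
        d, s = IPv4Address(daddr), IPv4Address(saddr)
        for rule in self.rules:
            if not rule.matches(s, d):
                continue
            candidates = [r for r in self.tables.get(rule.table, []) if d in r.dst]
            if candidates:                                   # longest prefix wins inside a table
                return rule.table, max(candidates, key=lambda r: r.dst.prefixlen)
            # nothing in this table for d: fall through to the next rule
        return None, None


def michael_box() -> Rpdb:
    """The ip rule / ip route lines from the post, plus main's connected routes (/24 assumed)."""
    db = Rpdb()
    db.route("main", "159.138.101.0/24", "eth0")
    db.route("main", "148.9.200.0/24", "eth2")
    db.rule(1000, "1", src="159.138.101.44/32")          # ip rule add from 159.138.101.44 lookup 1
    db.route("1", "0.0.0.0/0", "eth0", via="159.138.101.3")
    db.rule(1001, "2", src="148.9.200.210/32")           # ip rule add from 148.9.200.210 lookup 2
    db.route("2", "0.0.0.0/0", "eth2", via="148.9.200.4")
    db.rule(32766, "main")                               # the kernel's built-in main rule
    return db


if __name__ == "__main__":
    db = michael_box()
    db.route("1", "159.138.52.0/24", "eth0", via="159.138.101.3")   # the route that seemed to do nothing
    print("server -> 159.138.52.7, no 'to' rule :", db.lookup("159.138.52.7"))
    db.rule(999, "1", dst="159.138.52.0/24")                         # a 'to' selector sees the unbound source
    print("server -> 159.138.52.7, with 'to' rule:", db.lookup("159.138.52.7"))
    print("reply .210 -> on-link .99, table 2   :", db.lookup("148.9.200.99", "148.9.200.210"))
    db.route("2", "148.9.200.0/24", "eth2")              # copy the connected route into table 2
    print("same, after copying connected route  :", db.lookup("148.9.200.99", "148.9.200.210"))
```

The model says nothing about why the route added to main also failed for Michael; that needs the real table and an "ip route get" on the box. It does show which lookups his rules cover and which they cannot, which is the first thing to check before adding more tables.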
