IP HELP PLEASE: Source Routing, Multiple Internet Connections, NAT, Firewalls, and NO DMZ

Post by Michael Georg » Thu, 21 Feb 2002 13:15:59

Dear Linux Network Gurus,

Consider the following network:


The Linux box has three interfaces:

eth0 can get to the Internet via a pure IP connection and to Internal
Network A via a router.
eth1 is a private network and is not routed.
eth2 can get to the Internet via a NAT/Firewall and is directly connected to
Internal Network B.

The Linux box does NOT have to route for the network, but has to do source
routing because the Firewall runs NAT and translates addresses; thus
anything that comes in from the Internet needs to go out via the same
interface/path it came in on.  The main purpose of this server is to accept
incoming SSH connections from all interfaces and host a Squid proxy server.

Source routing works fine using the following "ip" commands:

# Setup Source Routing for ISP#1
ip rule add from lookup 1
ip route add 0/0 via table 1
# Setup Source IP Routing for ISP#2
ip rule add from lookup 2
ip route add 0/0 via table 2

However, I cannot seem to construct rules/routes that get traffic initiated
from the server to the respective networks.

For example, if I add this: "ip route add via table 1"

I would expect any traffic destined for to be forwarded to the
router interface; however, both traceroute and ping fail.  Even
if I put in a static route using "route add -net netmask gw", I still can't get packets to leave the

To make it even more complex, the is tricky since the
inbound/outbound interfaces are the same.  This interface doesn't have a DMZ
and there are hosts sitting on the subnet.

I have been racking my brain on this for 2 days and reading everything I can
find on IP, but there isn't an example for my situation.  I am sick of
driving out to the console of this server every time I hose up the routing
tables.  I have found many fine examples, but they do not address my
particular situation.  This may just be something that the "ip route/rule"
command can't handle, but I doubt it.

Fine Examples:

As always, I appreciate the insight and help from this newsgroup.
I don't think I'll figure this solution out on my own anytime soon.

-Michael George
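An added example, not the poster's own commands, of the complete rule and table set for the layout described in the post; every address, interface gateway and the "apply" argument are constructed placeholders, since the post's own values were lost. The point it adds: once a per-ISP table matches (and a table with a default route always does) the main table is not consulted, so each table needs its connected and internal routes as well, and traffic the server itself initiates is steered by a "to" rule, because a "from" rule cannot match a packet whose source address has not been chosen yet.

```shell
#!/bin/sh
# Added example (not from the original post). All addresses are constructed
# placeholders. Default is a dry run that prints the commands; pass "apply"
# as the first argument to execute them (needs root).
RUN=""

# eth0: public segment to ISP#1; a router on it reaches Internal Network A
ETH0_ADDR=192.0.2.10
ETH0_NET=192.0.2.0/24
ISP1_GW=192.0.2.1
NET_A=10.1.0.0/16
NET_A_GW=192.0.2.2
# eth2: the segment shared with Internal Network B hosts and the NAT firewall
ETH2_ADDR=192.168.2.10
ETH2_NET=192.168.2.0/24
FW_GW=192.168.2.1

setup_policy_routing() {
    # Once table 1 or 2 answers, main is not consulted, so each table needs
    # its connected and internal routes, not only a default route.
    $RUN ip route add "$ETH0_NET" dev eth0 src "$ETH0_ADDR" table 1
    $RUN ip route add "$NET_A" via "$NET_A_GW" table 1
    $RUN ip route add default via "$ISP1_GW" table 1
    $RUN ip route add "$ETH2_NET" dev eth2 src "$ETH2_ADDR" table 2
    $RUN ip route add default via "$FW_GW" table 2

    # Replies to connections that arrived on an interface (SSH, Squid) carry
    # that interface's address as source, so they return by the same path.
    $RUN ip rule add from "$ETH0_ADDR" lookup 1
    $RUN ip rule add from "$ETH2_ADDR" lookup 2

    # Traffic the server starts itself has no source address when the rules
    # are evaluated, so the 'from' rules miss it; pick the table by target.
    $RUN ip rule add to "$NET_A" lookup 1

    $RUN ip route flush cache
}

if [ "${1:-}" = apply ]; then
    setup_policy_routing
else
    RUN=echo
    setup_policy_routing
fi
```

Review the dry-run output first; `ip route get 10.1.0.5 from 192.0.2.10` then shows which table and gateway a given source/destination pair will use before you commit the change on a box you would otherwise have to visit at the console.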



1. ip routing for a dmz (firewall)

I've been trying for the past week to set up a Linux/ipchains firewall at my
office which has a T1 connection and a Cisco router.  My routing server
(dedicated) has 3 NICs, all using module eepro100.  eth0 is connected to the
Internet (i.e. my gateway, x.y.z.1 is there), and almost every other
routable system is off eth2.  I've got ip_masq working for non-routable
systems through eth1.
My problem is that I can't get any packets to be routed across the firewall.
My current setup has x.y.z.2 on eth0 and x.y.z.4 on eth2 and on
eth1.  My masquerading works perfectly, so my guess is that I'm having a
routing problem.  Either that or I need to bridge the two public NICs.
I need to have addresses x.y.z.0-x.y.z.9 available on eth0 and
x.y.z.10-x.y.z+1.255 on eth2.  What netmasks and network and broadcast
addresses should I use?  How can I figure this out for future knowledge?  If
routing isn't going to fix my problem, will a bridge between do what I want?
Where can I get one?

Any help that can be offered is more than appreciated; I have been trying to
set up this firewall for the past month, but haven't been able to get the
routing table correct.

Martin Meyer
