Hi all,

I have a strange setup I am trying to get working. Initially I thought I could set it up by just setting up the correct routes. However, after thinking about it I have convinced myself (maybe incorrectly) that I most likely need some sort of advanced NAT/routing setup.

Below is a description of the networks involved:

    Local net (192.168.101.0/24)
         |
         |
    Linux machine eth1 (192.168.101.5) ---- eth1:0 (10.140.227.245)
         |
    Iptables NAT/firewall
         |
    Linux machine wan0 (this is a Sangoma wanpipe with a routable IP address)
         |
    ISP

The 10.140.227.224/27 network is a private network that knows nothing about the 192.168.101.0/24 network and is not controlled by us. Previously they were run as 2 separate networks. What we are trying to do is to be able to install some custom software on the local net machines (the 192.168.101.0 net) and have 5 specific subnets send the traffic down the 10.140... net and the rest of the non-192.168.... traffic out the wan0 interface. Currently the 192.168... net and the 10.140..... net are on the same wire. I could split them and put another interface in the Linux box if necessary.

Is this possible? If so, can someone point me in the right direction on how? Does this even make sense? If not, please let me know and I will try to explain further. FWIW the Linux box is a Red Hat 7.3 box with all of the latest updates.

Regards,

-- 
.............Tom          "Nothing would please me more than being able to
tdiehl@rogueind.com       hire ten programmers and deluge the hobby market
                          with good software." -- Bill Gates 1976
                          We are still waiting ....

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Tom,

I presume the iptables firewall will SNAT any connection from any of these internal networks to the world. Correct?

In answer to your question, I assume that your 192.168.101.0/24 network and your 10.140.x.x networks are connected to the firewall on the same ethernet medium. If this is so, and there is no missing detail, your first impression was correct: You simply need to

  # ip addr add 10.140.227.245/$CIDR_MASK dev eth1 label eth1:0

(or use the traditional Red Hat ifcfg-eth1:0 technique) and tell the internal machines that the default gateway is 10.140.227.245.

What you are doing here is using the same ethernet for two separate IP networks. If I were in your position I would absolutely add another interface for security and network segregation purposes, but, strictly speaking, you do not need to do so.

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
On Thu, 12 Sep 2002, Martin A. Brown wrote:

Hi Martin,

Thanks for responding.

> I presume the iptables firewall will SNAT any connection from any of these
> internal networks to the world. Correct?

I think so, but please see below.

> In answer to your question, I assume that your 192.168.101.0/24 network
> and your 10.140.x.x networks are connected to the firewall on the same
> ethernet medium. If this is so, then you and there is no missing detail,
> your first impression was correct:
>
> You simply need to
>
> # ip addr add 10.140.227.245/$CIDR_MASK dev eth1 label eth1:0

FYI $CIDR_MASK=27

> (or use the traditional redhat ifcfg-eth1:0 technique)
>
> and tell the internal machines that the default gateway is 10.140.227.245.
>
> What you are doing here is using the same ethernet for two separate IP
> networks.

OK, but as I said in the diagram below, my connection to the internet is on wan0 via iptables and NAT. Will not 2 default routes confuse things? In addition I only want traffic for 8 the following specific subnets routed down the 10.140.x.x pipe. They are 10.140.0.0/16, 10.141.0.0/16, 10.142.0.0/16, 151.193.141.0/24, 162.92.160.0/24. All other traffic should go out to the internet via wan0. Does this make sense?

> If I were in your position I would absolutely add another interface for
> security and network segregation purposes, but, strictly speaking, you do
> not need to do so.

Network security issues are minimal because the 10.140.x.x is another private network not connected to the internet. I tend to agree with you though that it is most likely worth doing just to keep the traffic segregated. IMO it is a cleaner solution, and since I already have a 3rd unused NIC in the machine I will most likely configure it as you suggest.

I am sorry for not describing this better to start with. I wish I was better at this kind of thing.

-- 
.............Tom          "Nothing would please me more than being able to
tdiehl@rogueind.com       hire ten programmers and deluge the hobby market
                          with good software." -- Bill Gates 1976
                          We are still waiting ....
Hi Tom -

I just set up a similar situation - for traffic coming from one or more subnets, route through one path. For everyone else, route through a different path. You need to choose a different default route, based on where packets come from, right?

You will want to grab a copy of Alexey K's writeup on the new ip command set. In the Red Hat distro, there's a postscript file in one of the subdirectories someplace. I don't remember the exact path, but do a find for all *.ps files and you'll see it. Print that .ps file on a postscript printer and you'll see tons of details on syntax. Also take a close look at the advanced routing howto.

Here's how it works: There are a bunch of routing tables, including the main and default tables. Unless a packet is somehow flagged, it will route according to what these tables say. So your question - wouldn't things get really confusing if you have more than one default route? - is absolutely valid. But - this is the cool part - you also have more than one table (I think up to 255 of them), and each table can have its own default route and other routing info.

So now the challenge is - how do you decide which table to use? That's where fwmark comes in. You can set up iptables rules to match pretty much anything relevant in a packet and apply a fwmark to it. This is just some number that you make up. Later on, you put in a rule (the ip rule command) that tells the kernel which table to use for each packet, based on the contents of the fwmark. So if the fwmark is, say, 13, then you would route according to the rules of, say, table number 13. Otherwise, just use the default tables. (You can also edit a file to give a name to table number 13 if you want.) And you can set up much more complex scenarios using source address, TCP/UDP port, IP protocol number, you name it.

It's always 3 steps - first an iptables rule in the mangle table that associates some number with packets you care about, then an "ip rule" command that associates packets with the fwmark numbers you assigned earlier to the routing table you want. And, of course, make sure each routing table is populated with the correct routes. (ip route add . . .)

Note that there is nothing special about the number 13, and the table number doesn't have anything to do with the value of the fwmark. I picked 13 and used that number in both places only because today is Friday, Sept. 13.

- Greg Scott
On Friday, 13 September 2002, at 13:33:46 -0500, Greg Scott wrote:

> Note that there is nothing special about the number 13, and the table
> number doesn't have anything to do with value of the fwmark. I picked 13
> and used that number in both places only because today is Friday, Sept. 13.

You must be _very_ careful when dealing with "iptables" and "ip" for marking packets and routing them based on those marks. The numeric argument to:

  iptables -t mangle -A PREROUTING --jump MARK --set-mark 13

is a decimal number, BUT the argument to "ip" is a hexadecimal number, so to insert a matching "ip rule" you should do:

  ip rule add fwmark D pref 10000 table whatever

NOT

  ip rule add fwmark 13 pref 10000 table whatever

Hope it helps.

-- 
Jose Luis Domingo Lopez
Linux Registered User #189436
Debian Linux Woody (Linux 2.4.19-pre6aa1)
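The three steps Greg describes (mark in the mangle table, "ip rule" on the fwmark, populate the table) written out as a script, with Jose's decimal-versus-hex trap handled by rendering the mark as a 0x-prefixed literal for both tools. This is an added example, not code from either post: it uses Greg's own scenario (packets from one subnet take a different default route), takes the 192.168.101.0/24 subnet from the thread, and assumes 10.140.227.254 as the alternate next hop and eth1 as the interface facing it. With DRY_RUN=1 (the default) it only prints the commands, so it can be read and checked without root; DRY_RUN=0 applies them.

```shell
#!/bin/sh
# Added example (not from the list posts): Greg's three-step fwmark policy
# routing, with Jose's decimal-vs-hex point handled by emitting the mark as
# a 0x-prefixed literal on both sides. 192.168.101.0/24 is from the thread;
# ALT_GW and ALT_DEV are assumptions for illustration.
#
# DRY_RUN=1 (default) prints the commands instead of running them.

DRY_RUN=${DRY_RUN:-1}
SRC_NET=192.168.101.0/24       # packets from here take the alternate path
ALT_GW=10.140.227.254          # assumed next hop for the alternate path
ALT_DEV=eth1                   # assumed interface facing that next hop
MARK=13                        # Greg's mark, as a human writes it (decimal)
TABLE=13                       # table number; unrelated to the mark value
PREF=10000                     # rule priority, as in Jose's example

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Render a decimal mark as 0x-prefixed hex. iptables parses --set-mark with
# an optional 0x prefix, iproute2 of the day read "fwmark" as hex (Jose's
# warning) and current iproute2 honours a 0x prefix, so "0xd" is read as
# thirteen by every combination.
mark_hex() {
    printf '0x%x' "$1"
}

# Step 1: mark forwarded packets from SRC_NET in mangle/PREROUTING.
# (Traffic generated on the router itself would need the same MARK rule
# in mangle/OUTPUT, which PREROUTING never sees.)
step_mark() {
    run iptables -t mangle -A PREROUTING -s "$SRC_NET" \
        -j MARK --set-mark "$(mark_hex "$MARK")"
}

# Step 2: send marked packets to TABLE instead of the main/default tables.
step_rule() {
    run ip rule add fwmark "$(mark_hex "$MARK")" pref "$PREF" table "$TABLE"
}

# Step 3: populate TABLE. It needs its own default route: once a rule
# selects TABLE, the lookup does not fall back to main's default.
step_table() {
    run ip route add default via "$ALT_GW" dev "$ALT_DEV" table "$TABLE"
    run ip route flush cache
}

apply_all() {
    run sysctl -w net.ipv4.ip_forward=1
    step_mark
    step_rule
    step_table
}

# What the kernel ended up with (meaningful only with DRY_RUN=0).
show_state() {
    run ip rule show
    run ip route show table "$TABLE"
    run iptables -t mangle -L PREROUTING -n -v
}

apply_all
```

For a selector that is purely the source subnet, as in Greg's case, the mark is not even needed: "ip rule add from 192.168.101.0/24 pref 10000 table 13" selects the table directly. The fwmark step earns its keep when the decision depends on something the routing lookup cannot see, such as the port or protocol Greg mentions.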
Tom,

: FYI $CIDR_MASK=27

Right--got it.

: > (or use the traditional redhat ifcfg-eth1:0 technique)
: >
: > and tell the internal machines that the default gateway is 10.140.227.245.
:
: Ok, but as I said in the diagram below my connection to the internet is
: on wan0 via iptables and NAT. Will not 2 default routes confuse things?

default gateway on the linux box
- - - - - - - - - - - - - - - - - -
I think you missed my drift--your linux box will have one default route to the T1 (wan0) peer endpoint or ISP access router. (Yes, Greg Scott is right when he mentions that linux supports multiple routing tables, but you do not need them for this scenario.)

default gateway on internal machines
- - - - - - - - - - - - - - - - - -
Each of your internal machines which is locally connected to the same ethernet/IP network as the linux box will use the linux box as its default gateway. Machines in the 10.140.227.224/27 network will use 10.140.227.245 as a default gateway. Machines in 192.168.101.0/24 will use 192.168.101.5 as a default gateway.

: In addition I only want traffic for 8 the following specific subnets
: routed down the 10.140.x.x pipe. They are 10.140.0.0/16, 10.141.0.0/16,
: 10.142.0.0/16, 151.193.141.0/24, 162.92.160.0/24. All other traffic
: should go out to the internet via wan0.
: Does this make sense?

Sure....seems clear to me. You have a couple of internal networks behind a router on the locally connected 10.140.227.245/27 network. So, assuming that 10.140.227.254 is the gateway to your remote networks*:

  # route add -net 10.140.0.0 netmask 255.255.0.0 gw 10.140.227.254
  # route add -net 10.141.0.0 netmask 255.255.0.0 gw 10.140.227.254
  # route add -net 10.142.0.0 netmask 255.255.0.0 gw 10.140.227.254
  # route add -net 151.193.141.0 netmask 255.255.255.0 gw 10.140.227.254
  # route add -net 162.92.160.0 netmask 255.255.255.0 gw 10.140.227.254

And repeat as necessary up to your eight subnets.

Really though, there's nothing LARTC about this setup--sure you are using Sangoma's (wonderful) T1 card, but you don't need any of the fancy routing tricks and tips usually discussed in this forum.

-Martin

* If I recall correctly, you are using RedHat...you can append the following lines to your /etc/sysconfig/static-routes file to have these routes added at network restart (boot):

  eth0 net 10.140.0.0 netmask 255.255.0.0 gw 10.140.227.254
  eth0 net 10.141.0.0 netmask 255.255.0.0 gw 10.140.227.254
  eth0 net 10.142.0.0 netmask 255.255.0.0 gw 10.140.227.254
  eth0 net 151.193.141.0 netmask 255.255.255.0 gw 10.140.227.254
  eth0 net 162.92.160.0 netmask 255.255.255.0 gw 10.140.227.254

Of course, you should use the correct ethernet interface.....

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
woops (twice!)

First, Jose, thank you for correcting my error with the fwmark stuff!

> You must be _very_ careful when dealing with "iptables" and "ip" for
> marking packets and routing them based on those marks. The numeric
> argument to:
> iptables -t mangle -A PREROUTING --jump MARK --set-mark 13
>
> is a decimal number, BUT the argument to "ip" is an hexadecimal number,
> so to insert a matching "ip rule" you should do:
> ip rule add fwmark D pref 10000 table whatever
>
> NOT
>
> ip rule add fwmark 13 pref 10000 table whatever

Second, I went back and more carefully read Tom's question and Martin is right, I messed up again. In Tom's case, the Linux FW does not need to make any special routing decisions - just assign the IP addresses to the Ethernet interface on the FW and have the systems in the various LANs behind the FW point to the appropriate gateway, as Martin explained.

- Greg
On Fri, 13 Sep 2002, Martin A. Brown wrote:

Hi Martin,

First I want to apologize for my inability to explain this correctly. I feel pretty stupid right now. I will try again.

> : > (or use the traditional redhat ifcfg-eth1:0 technique)
> : >
> : > and tell the internal machines that the default gateway is 10.140.227.245.
> :
> : OK, but as I said in the diagram below my connection to the internet is
> : on wan0 via iptables and NAT. Will not 2 default routes confuse things?
>
> default gateway on the linux box
> - - - - - - - - - - - - - - - - - -
> I think you missed my drift--your linux box will have one default route to
> the T1 (wan0) peer endpoint or ISP access router. (Yes, Greg Scott is
> right when he mentions that linux supports multiple routing tables, but
> you do not need them for this scenario.)
>
> default gateway on internal machines
> - - - - - - - - - - - - - - - - - -
> Each of your internal machines which is locally connected to the same
> ethernet/IP network as the linux box will use the linux box as its default
> gateway. Machines in the 10.140.227.224/27 network will use
> 10.140.227.245 as a default gateway. Machines in 192.168.101.0/24 will
> use 192.168.101.5 as a default gateway.

OK, I understand this, but I want the 192.168.101.0/24 machines to be able to talk to the 10.140.227.224/27 network also, but only for the subnets listed below. All other traffic goes out the default route to the internet (wan0). I am trying to eliminate the 2nd PC on some desks, and to do that the machines on the 192.168.* net must be able to talk to the 10.* net.

> : In addition I only want traffic for 8 the following specific subnets
> : routed down the 10.140.x.x pipe. They are 10.140.0.0/16, 10.141.0.0/16,
> : 10.142.0.0/16, 151.193.141.0/24, 162.92.160.0/24. All other traffic
> : should go out to the internet via wan0.
> : Does this make sense?
>
> Sure....seems clear to me. You have a couple of internal networks
> behind a router on the locally connected 10.140.227.245/27 network.
> So, assuming that 10.140.227.254 is the gateway to your remote
> networks*:
>
> # route add -net 10.140.0.0 netmask 255.255.0.0 gw 10.140.227.254
> # route add -net 10.141.0.0 netmask 255.255.0.0 gw 10.140.227.254
> # route add -net 10.142.0.0 netmask 255.255.0.0 gw 10.140.227.254
> # route add -net 151.193.141.0 netmask 255.255.255.0 gw 10.140.227.254
> # route add -net 162.92.160.0 netmask 255.255.255.0 gw 10.140.227.254
>
> And repeat as necessary up to your eight subnets.
>
> Really though, there's nothing LARTC about this setup--sure you are using
> Sangoma's (wonderful) T1 card, but you don't need any of the fancy routing
> tricks and tips usually discussed in this forum.

I really love the wanpipe cards. We bought and deployed almost a dozen of them. As far as the fancy tricks discussed here, I think I really do need them, but I am just not good at explaining what I am trying to do. Sorry. :-(

> * If I recall correctly, you are using RedHat...you can append the
> following lines to your /etc/sysconfig/static-routes file to have these
> routes added at network restart (boot):
>
> eth0 net 10.141.0.0 netmask 255.255.0.0 gw 10.140.227.254
> eth0 net 10.142.0.0 netmask 255.255.0.0 gw 10.140.227.254
> eth0 net 151.193.141.0 netmask 255.255.255.0 gw 10.140.227.254
> eth0 net 162.92.160.0 netmask 255.255.255.0 gw 10.140.227.254
>
> Of course, you should use the correct ethernet interface.....

Understood.

Thanks for the help everyone. I am not ready to give up yet. Your patience is appreciated.

-- 
.............Tom          "Nothing would please me more than being able to
tdiehl@rogueind.com       hire ten programmers and deluge the hobby market
                          with good software." -- Bill Gates 1976
                          We are still waiting ....
> but I want the 192.168.101.0/24 machines to be able to
> talk to the 10.140.227.224/27 network also but only for the subnets listed
> below.

OK...here I go again, I'll give this another shot.

So you want your 10.xxx networks to communicate with your 192.168.xxx networks, right? Both are behind a Linux FW. The 10.xx network uses a gateway IP also of 10.xx. The 192.168.xxx network uses a gateway IP in the 192.168.xxx range. Both of these gateway IP addresses could be NICs inside the same firewall - they might even be aliases of the same NIC, but they really should be different NICs.

If this is true, then . . . You still don't have a problem. Remember that a firewall is really a router with a bunch of rules to decide whether or not to forward packets. The classic firewall installation routes between a single internal network and the Internet, so the routing part is pretty simple. But this is really no different than routing among two or several internal networks and the Internet. Simply assign the appropriate gateway IP address to each system in the various networks, put in a bunch of packet filtering rules in your firewall, and turn on IP forwarding. It will "know" to send traffic between the 10.xx guys and the 192.168.xxx guys because it will be a member of both networks.

fwiw, I have a customer right now with 4 NICs and 4 separate internal networks. We can argue about whether or not this is a good idea, but all 4 internal networks can see all the other internal networks just fine. No special routes, no LARTC stuff, nothing fancy.

Now, let's say you want to restrict one of those networks from getting out to the Internet - no problem, you can do that with just a couple of rules. Put in rules in your FORWARD table that ACCEPT packets from the networks you want, then put in a DROP rule after that. (Or just make DROP your policy and then you don't need a DROP rule.)

Did I get it right this time?

- Greg Scott
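The configuration Martin and Greg converge on (ordinary destination routes in the main table, a FORWARD chain that defaults to DROP and accepts only what Tom wants, and IP forwarding turned on), as one script. This is an added example, not code from any of the posts. It takes the addresses and the five subnets from the thread, and assumes eth2 is the third NIC Tom said he would put on the 10.140.227.224/27 wire and 10.140.227.254 is that wire's router (Martin's assumption). It also adds the one thing the thread implies but nobody spells out: since the private network "knows nothing about 192.168.101.0/24", replies to unmasked LAN addresses would never come back, so LAN traffic is SNATed to the box's own 10.140.227.245 on that egress, just as it is masqueraded towards the ISP on wan0. DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 applies them as root.

```shell
#!/bin/sh
# Added example (not from the list posts): Tom's setup without policy
# routing. Addresses and the five subnets come from the thread; eth2 as
# the third NIC on 10.140.227.224/27 and 10.140.227.254 as that wire's
# router are assumptions.
#
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them as root.

DRY_RUN=${DRY_RUN:-1}
LAN_NET=192.168.101.0/24
LAN_DEV=eth1
PRIV_DEV=eth2                 # assumed: the third NIC, on 10.140.227.224/27
PRIV_ADDR=10.140.227.245/27
PRIV_GW=10.140.227.254        # assumed: router towards the five subnets
WAN_DEV=wan0
# Tom's five destinations that must go down the private network.
PRIV_DESTS="10.140.0.0/16 10.141.0.0/16 10.142.0.0/16 151.193.141.0/24 162.92.160.0/24"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Routing: plain main-table routes. Longest prefix wins, so the five
# specific routes beat the default via wan0 with no ip rule or fwmark.
# 10.140.227.224/27 itself is directly connected via PRIV_ADDR.
routes() {
    run ip addr add "$PRIV_ADDR" dev "$PRIV_DEV"
    for d in $PRIV_DESTS; do
        run ip route add "$d" via "$PRIV_GW" dev "$PRIV_DEV"
    done
}

# Filtering: FORWARD defaults to DROP. The LAN may reach the five subnets
# via eth2 and anything else via wan0; replies ride on conntrack state.
# Nothing arriving on the private wire or wan0 may initiate a connection.
filtering() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for d in $PRIV_DESTS; do
        run iptables -A FORWARD -i "$LAN_DEV" -o "$PRIV_DEV" -s "$LAN_NET" -d "$d" -j ACCEPT
    done
    run iptables -A FORWARD -i "$LAN_DEV" -o "$WAN_DEV" -s "$LAN_NET" -j ACCEPT
}

# NAT: the private network has no route back to 192.168.101.0/24, so the
# LAN must appear there as the box's own address. wan0 has a fixed
# routable address in the thread, but MASQUERADE is the usual choice for
# the ISP side and needs no address in the rule.
nat() {
    run iptables -t nat -A POSTROUTING -o "$PRIV_DEV" -s "$LAN_NET" -j SNAT --to-source "${PRIV_ADDR%/*}"
    run iptables -t nat -A POSTROUTING -o "$WAN_DEV" -s "$LAN_NET" -j MASQUERADE
}

apply_all() {
    run sysctl -w net.ipv4.ip_forward=1
    routes
    filtering
    nat
}

# Number of per-destination route commands apply_all emits; a cheap
# self-check that PRIV_DESTS and the loops agree.
route_count() {
    ( DRY_RUN=1; apply_all ) | grep -c '^ip route add '
}

apply_all
```

With the private wire on its own NIC as Tom planned, the `-i`/`-o` pairs in the FORWARD rules do the segregation Martin recommends; on a single shared wire those interface matches would be the same device and only the address matches would remain.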