ICMP redirect hardly could work, because this feature is too dangerous to even enable. `ip route add (5) via (4)` sounds abnormal; I suppose 4 is the client, so how can you route through yourself? If you want to avoid the router, then you need to make the local resources be within the client's netmask address space, or else they will be accessed through the default gateway, which is that router.

----- Original Message -----
From: "raptor" <raptor@tvskat.net>
To: <lartc@mailman.ds9a.nl>
Sent: Monday, April 12, 2004 11:24 PM
Subject: [LARTC] installing automatic routes ?

> hi,
>
> I have this :
> <snip>
> .... several CMTS-cable-bridges(3).
> I have a gateway linux-router(2) (firewall/shaper too), with eth0 pointing to the
> CMTS-bridges..
> Things behind the ethernet interface of the cmts-bridges include FTP, WEB, DNS etc.
> servers...
> On the cable side are thousands of modems and CPEs (computers...).
> Currently the network traffic always passes through the linux-router eth0 interface 'cause
> all cable modems and CPEs have it as a gateway device..
> (eth0 is aliased as ~10 interfaces with all class-C nets' gateways, i.e. eth0:1, eth0:2
> ....)
> That is why I have at least 10 class-C networks lying in one Ethernet segment,
> but on the other hand they are logically (i.e. IP level) separated by the gateway/s..
>
> I don't want to include a separate machine as router, 'cause this will complicate the
> network.. and is yet another point of failure...
> (I prefer a flat net, probably adding more linux-routers/bridges side by side, but not one
> behind another)
>
> I also see something very interesting: the traffic that passes from the cable network to
> the FTP server for example goes through the linux-router, but then it returns directly to
> the cable net (for some unknown reason, probably 'cause the cmts-bridges are arp-proxies!!!
> still wondering, any idea is welcome.. :") ) instead of returning it back through the
> linux-router, which is GOOD(tm) for me :")..
>
> Finally what I want is upstream traffic to go directly to the FTP server instead of through
> the linux-router-gateway.
> Pic :
>
> Internet(1) <--> linuxrouter(2) <---|---> cmts-bridges(3) <---> CATV (a lot of nets)(4)
>                                     ||
>                                     ||
>                          local-resources(ftp,web,dns) (5)
>
> So the traffic at the moment is : 4->3->(2)->5->3->4
> I want it to be : 4->3->5->3->4
>
> If I install a route like this on some computer in (4) :
>
> ip route add (5) via (4)
>
> It works the way I want, but :") instead of doing it on every comp in (4), I want
> to install it automatically, so I thought, is there a way to insert some routes !! in (5)
> (to return icmp-redirects, will this work) so that after several packets (4) adjust their
> tables automatically...
>
> If yes HOW !? if no is there another way to do it ?
>
> tia

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Unless the bridge keeps stateful inspection data and can reply back to the session's origin (not route it), then it's fine.

The only way I can see this working is either putting the FTP/.. DMZ behind the firewall, giving true firewall protection for all services involved, or, if you just want to kludge the current solution, you can perform a DNAT/SNAT interface bounce like the following:

# Session (mangle PREROUTING runs before nat PREROUTING, so the mark is set
# before the DNAT and is still on the packet at nat POSTROUTING)
iptables -t mangle -A PREROUTING -d ${FAKE_FTP_IP} -p tcp --dport 21 -j MARK --set-mark 1234
iptables -t nat -A PREROUTING -d ${FAKE_FTP_IP} -p tcp --dport 21 -j DNAT --to-destination ${MY_FTP_SERVER}
iptables -t nat -A POSTROUTING -m mark --mark 1234 -j SNAT --to-source ${MY_INTERNAL_IP}
# RELATED FTP data connections are only translated with the FTP conntrack/NAT
# helper loaded (ip_conntrack_ftp/ip_nat_ftp on 2.4/2.6, nf_conntrack_ftp/nf_nat_ftp now)

The above should work for single-channel TCP/IP traffic, but I don't know if more is needed for multi-session FTP. The RELATED streams may be handled automatically in the NAT code, or you may have to explicitly place rules into the code.

Of course, the identity of the FTP user can't be tracked on the FTP server, since they all appear to be coming from the firewall in question.
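The DNAT/SNAT "interface bounce" proposed in the reply above, modelled as an added example (this is not the poster's rule set and does not run iptables). It shows the two things a practitioner wants to confirm before using the kludge: why the SNAT is needed at all in this network, where the OP observes server replies going straight back to the cable side without passing the router, and the caveat the poster states, that the server then only ever sees the firewall's address. The addresses are constructed: client 10.1.1.20 in (4), the published FTP address 10.1.1.1 on the firewall (FAKE_FTP_IP), the real server 10.1.9.5 in (5) (MY_FTP_SERVER) and the firewall's server-side address 10.1.9.1 (MY_INTERNAL_IP).

```python
"""Model of a PREROUTING DNAT + POSTROUTING SNAT bounce with a minimal
conntrack table. Added example for this thread; not a poster's code.
All addresses below are constructed for the illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """The firewall: DNAT published ftp address -> real server, optionally
    SNAT the flow to our own address so the server answers us."""

    def __init__(self, fake_ip, real_server, snat_ip, do_snat=True):
        self.fake_ip = fake_ip
        self.real_server = real_server
        self.snat_ip = snat_ip
        self.do_snat = do_snat
        self._next_port = 40000
        # conntrack: 4-tuple of the expected reply -> original client packet
        self.reverse = {}

    def forward(self, pkt):
        """Client -> server direction; returns the packet as sent onwards."""
        if not (pkt.dst == self.fake_ip and pkt.dport == 21):
            return pkt                      # no rule matches, plain routing
        # DNAT: rewrite the destination to the real server
        out = Packet(pkt.src, pkt.sport, self.real_server, 21)
        if self.do_snat:
            # SNAT: source becomes the firewall, so replies are addressed
            # to the firewall rather than to the client
            out = Packet(self.snat_ip, self._next_port, self.real_server, 21)
            self._next_port += 1
        self.reverse[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reply(self, pkt):
        """Server -> client direction: undo both translations for a known flow."""
        orig = self.reverse.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None                     # unknown flow, nothing to un-NAT
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def client_accepts(client_sent, reply):
    """A connected TCP socket only matches replies from the peer it spoke to."""
    return (reply.src, reply.sport, reply.dst, reply.dport) == \
           (client_sent.dst, client_sent.dport, client_sent.src, client_sent.sport)


def bounce_session(do_snat):
    """Run one client->server->client exchange through the bounce and report
    what the server saw and whether the client's socket accepts the reply."""
    fw = NatBox(fake_ip="10.1.1.1", real_server="10.1.9.5",
                snat_ip="10.1.9.1", do_snat=do_snat)
    client_pkt = Packet("10.1.1.20", 34567, "10.1.1.1", 21)
    to_server = fw.forward(client_pkt)
    # the server answers whatever source address it saw
    server_reply = Packet("10.1.9.5", 21, to_server.src, to_server.sport)
    if server_reply.dst == fw.snat_ip:
        # addressed to the firewall itself, so it must cross the NAT box
        delivered = fw.reply(server_reply)
    else:
        # addressed to the client: as the OP observes, the bridges hand it
        # straight to the cable side and the firewall never sees it
        delivered = server_reply
    return {
        "server_sees_src": to_server.src,
        "client_accepts": client_accepts(client_pkt, delivered),
    }


if __name__ == "__main__":
    print("with SNAT:   ", bounce_session(True))
    print("without SNAT:", bounce_session(False))
```

Without the SNAT the DNAT alone is broken in this topology: the server's reply carries source 10.1.9.5:21, the client connected to 10.1.1.1:21, and because the reply bypasses the firewall nothing rewrites it back, so the client's socket never matches it. With the SNAT the flow is symmetric and works, but every session now arrives at the server from 10.1.9.1, which is the loss of client identity the reply warns about (and the reason the poster prefers putting the servers in a DMZ behind the firewall).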
hi,

I have this :
<snip>
.... several CMTS-cable-bridges(3).
I have a gateway linux-router(2) (firewall/shaper too), with eth0 pointing to the CMTS-bridges..
Things behind the ethernet interface of the cmts-bridges include FTP, WEB, DNS etc. servers...
On the cable side are thousands of modems and CPEs (computers...).
Currently the network traffic always passes through the linux-router eth0 interface 'cause all cable modems and CPEs have it as a gateway device..
(eth0 is aliased as ~10 interfaces with all class-C nets' gateways, i.e. eth0:1, eth0:2 ....)
That is why I have at least 10 class-C networks lying in one Ethernet segment, but on the other hand they are logically (i.e. IP level) separated by the gateway/s..

I don't want to include a separate machine as router, 'cause this will complicate the network.. and is yet another point of failure...
(I prefer a flat net, probably adding more linux-routers/bridges side by side, but not one behind another)

I also see something very interesting: the traffic that passes from the cable network to the FTP server for example goes through the linux-router, but then it returns directly to the cable net (for some unknown reason, probably 'cause the cmts-bridges are arp-proxies!!! still wondering, any idea is welcome.. :") ) instead of returning it back through the linux-router, which is GOOD(tm) for me :")..

Finally what I want is upstream traffic to go directly to the FTP server instead of through the linux-router-gateway.

Pic :

Internet(1) <--> linuxrouter(2) <---|---> cmts-bridges(3) <---> CATV (a lot of nets)(4)
                                    ||
                                    ||
                         local-resources(ftp,web,dns) (5)

So the traffic at the moment is : 4->3->(2)->5->3->4
I want it to be : 4->3->5->3->4

If I install a route like this on some computer in (4) :

ip route add (5) via (4)

It works the way I want, but :") instead of doing it on every comp in (4), I want to install it automatically, so I thought, is there a way to insert some routes !! in (5) (to return icmp-redirects, will this work) so that after several packets (4) adjust their tables automatically...

If yes HOW !? if no is there another way to do it ?

tia
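The OP asks whether the local servers (5) could send ICMP redirects so that clients in (4) learn a direct route, and the first reply answers that redirects are too dangerous to enable and that (5) would have to sit inside the clients' netmask anyway. The following Python model, added here and not taken from any poster, applies the host-side validation rules of RFC 1122 section 3.2.2.2 (a redirect is discarded unless it comes from the current first-hop gateway for that destination and names a new gateway on the directly connected network) to both of those points, and then shows why the reply calls the feature dangerous: an on-link attacker who forges the router's source address passes every one of those checks. The addresses are constructed: clients in 10.1.1.0/24 with the linux-router (2) at 10.1.1.1, the FTP server (5) at 10.1.9.5 in another /24 on the same wire, and an attacker at 10.1.1.66.

```python
"""Host-side handling of ICMP Redirect (type 5) under the checks of
RFC 1122 section 3.2.2.2, modelled in pure Python.

Added example for this thread; it is not code from any poster. Addresses
are constructed to mirror the thread's topology:
  clients (4)     10.1.1.0/24, default gateway = linux-router (2) at 10.1.1.1
  FTP server (5)  10.1.9.5, another /24 on the same Ethernet segment
  attacker        10.1.1.66, a host on the client segment
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Redirect:
    src: str      # IP the redirect arrived from
    dst: str      # destination host the redirect is about
    new_gw: str   # gateway we are told to use for dst


@dataclass
class Host:
    addr: str
    prefix: int
    default_gw: str
    accept_redirects: bool = True
    host_routes: dict = field(default_factory=dict)   # dst -> gateway

    def _onlink(self):
        return ipaddress.ip_network(f"{self.addr}/{self.prefix}", strict=False)

    def next_hop(self, dst):
        """On-link destinations are delivered directly (ARP); otherwise use a
        host route learned from a redirect, else the default gateway."""
        if ipaddress.ip_address(dst) in self._onlink():
            return dst
        return self.host_routes.get(dst, self.default_gw)

    def handle_redirect(self, r):
        """Install the redirect if it passes the RFC 1122 checks; return True
        if the routing table was changed."""
        if not self.accept_redirects:
            return False
        # must come from the gateway currently used for that destination
        if r.src != self.next_hop(r.dst):
            return False
        # the new gateway must be on the network the redirect arrived on
        if ipaddress.ip_address(r.new_gw) not in self._onlink():
            return False
        self.host_routes[r.dst] = r.new_gw
        return True


def legit_redirect():
    """Router (2) points a client at a second on-link router for one host."""
    c = Host("10.1.1.20", 24, "10.1.1.1")
    ok = c.handle_redirect(Redirect("10.1.1.1", "192.168.50.7", "10.1.1.2"))
    return ok, c.next_hop("192.168.50.7")


def thread_scenario():
    """What the OP asked for: redirects telling clients in (4) to reach the
    FTP server (5) directly. Both attempts are discarded: one because (5) is
    not the client's current first hop, the other because (5) lies outside
    the client's /24 even though it sits on the same wire."""
    c = Host("10.1.1.20", 24, "10.1.1.1")
    from_server = c.handle_redirect(Redirect("10.1.9.5", "10.1.9.5", "10.1.9.5"))
    from_router = c.handle_redirect(Redirect("10.1.1.1", "10.1.9.5", "10.1.9.5"))
    return from_server, from_router, c.next_hop("10.1.9.5")


def wider_mask_scenario():
    """The first reply's suggestion: a client mask that covers the local
    resources makes the server on-link, with no redirect needed at all."""
    c = Host("10.1.1.20", 16, "10.1.1.1")
    return c.next_hop("10.1.9.5")


def spoofed_gateway_redirect(accept_redirects):
    """An attacker on the segment forges the router's source address. The RFC
    checks pass (right sender, on-link gateway), so only refusing redirects
    altogether keeps 8.8.8.8 from being routed through the attacker."""
    c = Host("10.1.1.20", 24, "10.1.1.1", accept_redirects=accept_redirects)
    c.handle_redirect(Redirect("10.1.1.1", "8.8.8.8", "10.1.1.66"))
    return c.next_hop("8.8.8.8")


if __name__ == "__main__":
    print("legit:      ", legit_redirect())
    print("thread:     ", thread_scenario())
    print("wider mask: ", wider_mask_scenario())
    print("spoofed:    ", spoofed_gateway_redirect(True), spoofed_gateway_redirect(False))
```

The last scenario is the practical reason to follow the first reply's advice: on Linux the host side is `net.ipv4.conf.all.accept_redirects=0` (and `...default.accept_redirects=0` for interfaces created later), and a router that should not emit them gets `net.ipv4.conf.all.send_redirects=0`. The wider-mask case is the only one in which the clients reach (5) without going through (2), which matches the reply's point that the local resources must be inside the clients' address space.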