iptables routing help

iptables routing help

[William Knop]

Hello,
My dsl provider has my house on several subnets (ips obtained via dhcp, 
along with a netmask of 255.255.255.0), so I have had to screw around 
with each machine to make sure local traffic doesn't flood the dsl 
modem. To remedy this, I've been trying to set up a firewall box to 
basically reroute those three subnets as local, but I'm finding it very 
difficult. It seems like every doc out there only addresses nat, which 
is definitely not what we want. I'd greatly appreciate some help 
accomplishing this.

Thanks much,
William

Re: iptables routing help

[Alexis]

im not shure if i can understand the schema, could be more specific?

thanks


----- Original Message ----- 
From: "William Knop" <w_knop@hotmail.com>
To: <netfilter@lists.netfilter.org>
Sent: Saturday, January 24, 2004 6:25 PM
Subject: iptables routing help


> Hello,
> My dsl provider has my house on several subnets (ips obtained via dhcp, 
> along with a netmask of 255.255.255.0), so I have had to screw around 
> with each machine to make sure local traffic doesn't flood the dsl 
> modem. To remedy this, I've been trying to set up a firewall box to 
> basically reroute those three subnets as local, but I'm finding it very 
> difficult. It seems like every doc out there only addresses nat, which 
> is definitely not what we want. I'd greatly appreciate some help 
> accomplishing this.
> 
> Thanks much,
> William
> 
> 
> 
> 

Re: iptables routing help

[Antony Stone]

On Saturday 24 January 2004 9:25 pm, William Knop wrote:

> Hello,
> My dsl provider has my house on several subnets (ips obtained via dhcp,
> along with a netmask of 255.255.255.0), so I have had to screw around
> with each machine to make sure local traffic doesn't flood the dsl
> modem. To remedy this, I've been trying to set up a firewall box to
> basically reroute those three subnets as local, but I'm finding it very
> difficult. It seems like every doc out there only addresses nat, which
> is definitely not what we want. I'd greatly appreciate some help
> accomplishing this.

This is not a netfilter question - in fact quite the opposite - it is an IP 
routing question, which netfilter will only help to interfere with.

All netfilter would do for you in a case like this is help to drop packets 
which would otherwise be routed.   Netfilter doesn't route packets - that's 
the job of the normal routing table.

Many times on this list a question is answered with "get your basic routing 
working first, then start implementing netfilter rules to drop things you 
don't want."   In your case the correct routing table entries will solve your 
problem - there's almost certainly no need for netfilter to be involved 
except as the perimeter firewall just before your networks hit the DSL.

I suggest you start with something like 
http://www.linux.org/docs/ldp/howto/Networking-Overview-HOWTO.html or 
http://www.linux.org/docs/ldp/howto/IP-Subnetworking.html - alternatively a 
standard IP book such as O'Reilly's "TCP/IP Network Administration" by Craig 
Hunt will tell you what you need.

The main thing is to make sure you don't have netfilter rules blocking what 
your routing table would otherwise allow between your local subnets.

Hope this helps,

Antony.

-- 
Most people are aware that the Universe is big.

 - Paul Davies, Professor of Theoretical Physics

                                                     Please reply to the list;
                                                           please don't CC me.

Re: iptables routing help

[Antony Stone]

On Saturday 24 January 2004 9:25 pm, William Knop wrote:

> Hello,
> My dsl provider has my house on several subnets (ips obtained via dhcp,
> along with a netmask of 255.255.255.0), so I have had to screw around
> with each machine to make sure local traffic doesn't flood the dsl
> modem.

An alternative solution to this would be to set up a nice simple internal 
network for whatever machines you want to run, doing your own DHCP etc, and 
then hide all these behind a single firewall talking to the DSL modem on a 
single external IP address.

Unless you actually have a need for multilple external addresses, this is 
probably your best solution, as it means you remain in control of your 
internal network addressing, not your ISP.

Regards,

Antony.

-- 
There's no such thing as bad weather - only the wrong clothes.

 - Billy Connolly

                                                     Please reply to the list;
                                                           please don't CC me.

Re: iptables routing help

[William Knop]

[-- Attachment #1: Type: text/plain, Size: 1590 bytes --]

Say I want to transfer a file from one computer to another in my house. 
Since they are on different subnets, the data is routed out my modem to 
the gateway at my isp, and then back in my modem and to the other 
computer in my house. Ideally (in any reasonable setup), the data 
should not leave the house and flood my dsl modem with local traffic.

So, I want to grab packets destined for the gateway (via a 
firewall/iptables), check if the packet is destined for one of the 
three local subnets, and make the packet go directly to it's 
destination. I'm not sure if this has to do with ethernet frames, 
tcp/ip, or arp or something like that, but I've tried lots of things 
with minimal success.


> im not shure if i can understand the schema, could be more specific?
>
> thanks
>
>
> ----- Original Message -----
> From: "William Knop" <w_knop@hotmail.com>
> To: <netfilter@lists.netfilter.org>
> Sent: Saturday, January 24, 2004 6:25 PM
> Subject: iptables routing help
>
>
> > Hello,
> > My dsl provider has my house on several subnets (ips obtained via 
> dhcp,
> > along with a netmask of 255.255.255.0), so I have had to screw around
> > with each machine to make sure local traffic doesn't flood the dsl
> > modem. To remedy this, I've been trying to set up a firewall box to
> > basically reroute those three subnets as local, but I'm finding it 
> very
> > difficult. It seems like every doc out there only addresses nat, 
> which
> > is definitely not what we want. I'd greatly appreciate some help
> > accomplishing this.
> >
> > Thanks much,
> > William
> >
> >
> >
> >




[-- Attachment #2: Type: text/enriched, Size: 3185 bytes --]

<fontfamily><param>Courier</param><x-tad-bigger>Say I want to transfer
a file from one computer to another in my house. Since they are on
different subnets, the data is routed out my modem to the gateway at
my isp, and then back in my modem and to the other computer in my
house. Ideally (in any reasonable setup), the data should not leave
the house and flood my dsl modem with local traffic.


So, I want to grab packets destined for the gateway (via a
firewall/iptables), check if the packet is destined for one of the
three local subnets, and make the packet go directly to it's
destination. I'm not sure if this has to do with ethernet frames,
tcp/ip, or arp or something like that, but I've tried lots of things
with minimal success.

</x-tad-bigger></fontfamily>


<excerpt><fontfamily><param>Courier</param><x-tad-bigger>im not shure
if i can understand the schema, could be more specific?


thanks



----- Original Message ----- 

From: "William Knop"
<<</x-tad-bigger><color><param>0000,0000,EEEE</param><x-tad-bigger>w_knop@hotmail.com</x-tad-bigger></color><x-tad-bigger>>

To:
<<</x-tad-bigger><color><param>0000,0000,EEEE</param><x-tad-bigger>netfilter@lists.netfilter.org</x-tad-bigger></color><x-tad-bigger>>

Sent: Saturday, January 24, 2004 6:25 PM

Subject: iptables routing help



></x-tad-bigger><italic><x-tad-bigger> Hello,

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>
My dsl provider has my house on several subnets (ips obtained via
dhcp, 

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>
along with a netmask of 255.255.255.0), so I have had to screw around 

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>
with each machine to make sure local traffic doesn't flood the dsl 

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>
modem. To remedy this, I've been trying to set up a firewall box to 

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>
basically reroute those three subnets as local, but I'm finding it
very 

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>
difficult. It seems like every doc out there only addresses nat, which 

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>
is definitely not what we want. I'd greatly appreciate some help 

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>
accomplishing this.

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger> 

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>
Thanks much,

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>
William

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger> 

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger> 

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger> 

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger> 

</x-tad-bigger></italic></fontfamily></excerpt><fontfamily><param>Courier</param><x-tad-bigger>



</x-tad-bigger></fontfamily>

Re: iptables routing help

[Alexis]

in this case (i understand now)
Like Antony said, the better approach is to make a linux box with
netfilter as firewall and 2 nics.

One of this nics connected to the dsl modem and the other nic as the
LAN. 

So all boxes inside de lan are connected, and you must configure nat in
the linux box in order to the LAN boxes reach internet.



On Sun, 2004-01-25 at 02:31, William Knop wrote:
> Say I want to transfera file from one computer to another in my house.
> Since they are ondifferent subnets, the data is routed out my modem to
> the gateway atmy isp, and then back in my modem and to the other
> computer in myhouse. Ideally (in any reasonable setup), the data
> should not leavethe house and flood my dsl modem with local traffic.
> 
> So, I want to grab packets destined for the gateway (via
> afirewall/iptables), check if the packet is destined for one of
> thethree local subnets, and make the packet go directly to
> it'sdestination. I'm not sure if this has to do with ethernet
> frames,tcp/ip, or arp or something like that, but I've tried lots of
> thingswith minimal success.
> 
> 
>         im not shureif i can understand the schema, could be more
>         specific?
>         
>         thanks
>         
>         
>         ----- Original Message ----- 
>         From: "William Knop"<w_knop@hotmail.com>
>         To:<netfilter@lists.netfilter.org>
>         Sent: Saturday, January 24, 2004 6:25 PM
>         Subject: iptables routing help
>         
>         
>         > Hello,
>         >My dsl provider has my house on several subnets (ips obtained
>         viadhcp, 
>         >along with a netmask of 255.255.255.0), so I have had to
>         screw around 
>         >with each machine to make sure local traffic doesn't flood
>         the dsl 
>         >modem. To remedy this, I've been trying to set up a firewall
>         box to 
>         >basically reroute those three subnets as local, but I'm
>         finding itvery 
>         >difficult. It seems like every doc out there only addresses
>         nat, which 
>         >is definitely not what we want. I'd greatly appreciate some
>         help 
>         >accomplishing this.
>         > 
>         >Thanks much,
>         >William
>         > 
>         > 
>         > 
>         > 
> 
-- 
Alexis <alexis@attla.net.ar>

Re: iptables routing help

[Unknown, Alistair Tonner]

On January 25, 2004 12:31 am, William Knop wrote:
> Say I want to transfer a file from one computer to another in my house.
> Since they are on different subnets, the data is routed out my modem to
> the gateway at my isp, and then back in my modem and to the other
> computer in my house. Ideally (in any reasonable setup), the data
> should not leave the house and flood my dsl modem with local traffic.
>
> So, I want to grab packets destined for the gateway (via a
> firewall/iptables), check if the packet is destined for one of the
> three local subnets, and make the packet go directly to it's
> destination. I'm not sure if this has to do with ethernet frames,
> tcp/ip, or arp or something like that, but I've tried lots of things
> with minimal success.
>
> > im not shure if i can understand the schema, could be more specific?
> >
> > thanks
> >
> >

	Okay ...you have a LAN inside the DSL modem that has 
	externally routable IPs on different subnets, and you want
	to setup an internal routing table that knows all of these 
	hosts.

	One question ... what is the physical setup involved?

	i.e. are all the boxes involved connected directly to the DSL modem?
	is the Linux/Iptables box the only box connected to the DSL modem, and
	the downstream boxes are connected to a switch/hub off a secondary 
	interface off the firewall box?

	-- I suspect from your description we are looking at  DSLmodem/router to 
	separate boxes ...


	Alistair

Re: iptables routing help

[William Knop]

[-- Attachment #1: Type: text/plain, Size: 2509 bytes --]

Okay, the problem is that we don't want to do nat (as I said in my 
original plee for help). We need external ips on all of the machines. 
Additionally, The ISP's DHCP server specifies it's own gateway, so I 
can't do normal routing, without spoofing the gateway's address and 
doing all sorts of ugly stuff (please correct me if I'm wrong).

I was under the impression one could have iptables drop a packet from 
the prerouting or brouting table and it would go through the machine's 
routing table, without being specified on all the lan machines as the 
gateway.

The physical layout we have are a bunch of boxes connected to a switch, 
and the dsl modem connected to the switch's uplink port. I could have 
the modem jack into a firewall box, or something, however the linux 
ethernet bridge seems to do very odd things to arps, and also iptables. 
Would bridging be necessary?


> On January 25, 2004 12:31 am, William Knop wrote:
> > Say I want to transfer a file from one computer to another in my 
> house.
> > Since they are on different subnets, the data is routed out my modem 
> to
> > the gateway at my isp, and then back in my modem and to the other
> > computer in my house. Ideally (in any reasonable setup), the data
> > should not leave the house and flood my dsl modem with local traffic.
> >
> > So, I want to grab packets destined for the gateway (via a
> > firewall/iptables), check if the packet is destined for one of the
> > three local subnets, and make the packet go directly to it's
> > destination. I'm not sure if this has to do with ethernet frames,
> > tcp/ip, or arp or something like that, but I've tried lots of things
> > with minimal success.
> >
> > > im not shure if i can understand the schema, could be more 
> specific?
> > >
> > > thanks
> > >
> > >
>
>         Okay ...you have a LAN inside the DSL modem that has
>         externally routable IPs on different subnets, and you want
>         to setup an internal routing table that knows all of these
>         hosts.
>
>         One question ... what is the physical setup involved?
>
>         i.e. are all the boxes involved connected directly to the DSL 
> modem?
>         is the Linux/Iptables box the only box connected to the DSL 
> modem, and
>         the downstream boxes are connected to a switch/hub off a 
> secondary
>         interface off the firewall box?
>
>         -- I suspect from your description we are looking at  
> DSLmodem/router to
>         separate boxes ...
>
>
>         Alistair

[-- Attachment #2: Type: text/enriched, Size: 3893 bytes --]

Okay, the problem is that we don't want to do nat (as I said in my
original plee for help). We need external ips on all of the machines.
Additionally, The ISP's DHCP server specifies it's own gateway, so I
can't do normal routing, without spoofing the gateway's address and
doing all sorts of ugly stuff (please correct me if I'm wrong).


I was under the impression one could have iptables drop a packet from
the prerouting or brouting table and it would go through the machine's
routing table, without being specified on all the lan machines as the
gateway.


The physical layout we have are a bunch of boxes connected to a
switch, and the dsl modem connected to the switch's uplink port. I
could have the modem jack into a firewall box, or something, however
the linux ethernet bridge seems to do very odd things to arps, and
also iptables. Would bridging be necessary?



<excerpt><fontfamily><param>Courier</param><x-tad-bigger>On January
25, 2004 12:31 am, William Knop wrote:

></x-tad-bigger><italic><x-tad-bigger> Say I want to transfer a file
from one computer to another in my house.

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>
Since they are on different subnets, the data is routed out my modem to

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>
the gateway at my isp, and then back in my modem and to the other

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>
computer in my house. Ideally (in any reasonable setup), the data

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>
should not leave the house and flood my dsl modem with local traffic.

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>
So, I want to grab packets destined for the gateway (via a

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>
firewall/iptables), check if the packet is destined for one of the

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>
three local subnets, and make the packet go directly to it's

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>
destination. I'm not sure if this has to do with ethernet frames,

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>
tcp/ip, or arp or something like that, but I've tried lots of things

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>
with minimal success.

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>
> im not shure if i can understand the schema, could be more specific?

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger> >

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger>
> thanks

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger> >

</x-tad-bigger></italic><x-tad-bigger>></x-tad-bigger><italic><x-tad-bigger> >

</x-tad-bigger></italic><x-tad-bigger>

        Okay ...you have a LAN inside the DSL modem that has 

        externally routable IPs on different subnets, and you want

        to setup an internal routing table that knows all of these 

        hosts.


        One question ... what is the physical setup involved?


        i.e. are all the boxes involved connected directly to the DSL
modem?

        is the Linux/Iptables box the only box connected to the DSL
modem, and

        the downstream boxes are connected to a switch/hub off a
secondary 

        interface off the firewall box?


        -- I suspect from your description we are looking at 
DSLmodem/router to 

        separate boxes ...



        Alistair

</x-tad-bigger></fontfamily></excerpt>

Re: iptables routing help

[John A. Sullivan III]

On Sun, 2004-01-25 at 13:53, William Knop wrote:
> Okay, the problem is that we don't want to do nat (as I said in my
> original plee for help). We need external ips on all of the machines.
> Additionally, The ISP's DHCP server specifies it's own gateway, so I
> can't do normal routing, without spoofing the gateway's address and
> doing all sorts of ugly stuff (please correct me if I'm wrong). 
> 
> 
> I was under the impression one could have iptables drop a packet from
> the prerouting or brouting table and it would go through the machine's
> routing table, without being specified on all the lan machines as the
> gateway. 
> 
> 
> The physical layout we have are a bunch of boxes connected to a
> switch, and the dsl modem connected to the switch's uplink port. I
> could have the modem jack into a firewall box, or something, however
> the linux ethernet bridge seems to do very odd things to arps, and
> also iptables. Would bridging be necessary? 
> 
> 
> 
<snip>
This may not be as bad as it sounds and it my be a netfilter issue. 
Looking at the topology, I would assume that there are several devices
on the same public subnet connect through the switch to the DSL modem in
which case they should talk to each other directly on that subnet
without sending the data across the DSL modem.  But am I correct to
understand that even though these devices share the same switch and the
same DSL modem that they are allocated public addresses out of different
IP subnets?

If that is the case, the best solution is to install a second NIC into
each device and create a separate private network as already suggested. 
Barring that, you can create a second, logical network on the same
media.  Use iproute2 to bind a second address to each of the public
interfaces.  These will all come from the same subnet and should be able
to communicate with each other.  Just be sure to use the secondary
address when sending data between those devices.

ip address add dev0 192.168.1.4/24
ip address add dev0 192.168.1.5/24
ip address add dev0 192.168.1.6/24 . . . etc.

This is a bit dangerous as these devices are still publicly exposed and
the ISP may allow traffic on RFC1918 addresses on their internal
networks so you may want to tightly secure the devices even for traffic
from these "private" addresses using iptables.

This is the sort of set up that we use on our internal routers to
participate in the worldwide VPN project (http://www.worldwidevpn.com). 
Good luck - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 

RE: iptables routing help

[bmcdowell]

I was about to suggest the exact same thing.


Bob

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of John A.
Sullivan III
Sent: Monday, January 26, 2004 6:06 AM
To: William Knop
Cc: netfilter@lists.netfilter.org
Subject: Re: iptables routing help


On Sun, 2004-01-25 at 13:53, William Knop wrote:
> Okay, the problem is that we don't want to do nat (as I said in my
> original plee for help). We need external ips on all of the machines.
> Additionally, The ISP's DHCP server specifies it's own gateway, so I
> can't do normal routing, without spoofing the gateway's address and
> doing all sorts of ugly stuff (please correct me if I'm wrong). 
> 
> 
> I was under the impression one could have iptables drop a packet from
> the prerouting or brouting table and it would go through the machine's
> routing table, without being specified on all the lan machines as the
> gateway. 
> 
> 
> The physical layout we have are a bunch of boxes connected to a
> switch, and the dsl modem connected to the switch's uplink port. I
> could have the modem jack into a firewall box, or something, however
> the linux ethernet bridge seems to do very odd things to arps, and
> also iptables. Would bridging be necessary? 
> 
> 
> 
<snip>
This may not be as bad as it sounds and it my be a netfilter issue. 
Looking at the topology, I would assume that there are several devices
on the same public subnet connect through the switch to the DSL modem in
which case they should talk to each other directly on that subnet
without sending the data across the DSL modem.  But am I correct to
understand that even though these devices share the same switch and the
same DSL modem that they are allocated public addresses out of different
IP subnets?

If that is the case, the best solution is to install a second NIC into
each device and create a separate private network as already suggested. 
Barring that, you can create a second, logical network on the same
media.  Use iproute2 to bind a second address to each of the public
interfaces.  These will all come from the same subnet and should be able
to communicate with each other.  Just be sure to use the secondary
address when sending data between those devices.

ip address add dev0 192.168.1.4/24
ip address add dev0 192.168.1.5/24
ip address add dev0 192.168.1.6/24 . . . etc.

This is a bit dangerous as these devices are still publicly exposed and
the ISP may allow traffic on RFC1918 addresses on their internal
networks so you may want to tightly secure the devices even for traffic
from these "private" addresses using iptables.

This is the sort of set up that we use on our internal routers to
participate in the worldwide VPN project (http://www.worldwidevpn.com). 
Good luck - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 

Re: iptables routing help

[William Knop]

Unfortunately, using two interfaces isn't an option, either. A friend 
of mine suggested vpn, however there has to be a cleaner route.

I thought I could drop packets from the prerouting table and it would 
fall into the default routing table or something like that. Surely 
there has to be a way.


On Jan 26, 2004, at 11:29 AM, <bmcdowell@coxhealthplans.com> wrote:

>
> I was about to suggest the exact same thing.
>
>
> Bob
>
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of John A.
> Sullivan III
> Sent: Monday, January 26, 2004 6:06 AM
> To: William Knop
> Cc: netfilter@lists.netfilter.org
> Subject: Re: iptables routing help
>
>
> On Sun, 2004-01-25 at 13:53, William Knop wrote:
>> Okay, the problem is that we don't want to do nat (as I said in my
>> original plee for help). We need external ips on all of the machines.
>> Additionally, The ISP's DHCP server specifies it's own gateway, so I
>> can't do normal routing, without spoofing the gateway's address and
>> doing all sorts of ugly stuff (please correct me if I'm wrong).
>>
>>
>> I was under the impression one could have iptables drop a packet from
>> the prerouting or brouting table and it would go through the machine's
>> routing table, without being specified on all the lan machines as the
>> gateway.
>>
>>
>> The physical layout we have are a bunch of boxes connected to a
>> switch, and the dsl modem connected to the switch's uplink port. I
>> could have the modem jack into a firewall box, or something, however
>> the linux ethernet bridge seems to do very odd things to arps, and
>> also iptables. Would bridging be necessary?
>>
>>
>>
> <snip>
> This may not be as bad as it sounds and it my be a netfilter issue.
> Looking at the topology, I would assume that there are several devices
> on the same public subnet connect through the switch to the DSL modem 
> in
> which case they should talk to each other directly on that subnet
> without sending the data across the DSL modem.  But am I correct to
> understand that even though these devices share the same switch and the
> same DSL modem that they are allocated public addresses out of 
> different
> IP subnets?
>
> If that is the case, the best solution is to install a second NIC into
> each device and create a separate private network as already suggested.
> Barring that, you can create a second, logical network on the same
> media.  Use iproute2 to bind a second address to each of the public
> interfaces.  These will all come from the same subnet and should be 
> able
> to communicate with each other.  Just be sure to use the secondary
> address when sending data between those devices.
>
> ip address add dev0 192.168.1.4/24
> ip address add dev0 192.168.1.5/24
> ip address add dev0 192.168.1.6/24 . . . etc.
>
> This is a bit dangerous as these devices are still publicly exposed and
> the ISP may allow traffic on RFC1918 addresses on their internal
> networks so you may want to tightly secure the devices even for traffic
> from these "private" addresses using iptables.
>
> This is the sort of set up that we use on our internal routers to
> participate in the worldwide VPN project (http://www.worldwidevpn.com).
> Good luck - John
> -- 
> John A. Sullivan III
> Chief Technology Officer
> Nexus Management
> +1 207-985-7880
> john.sullivan@nexusmgmt.com
> ---
> If you are interested in helping to develop a GPL enterprise class
> VPN/Firewall/Security device management console, please visit
> http://iscs.sourceforge.net
>

Re: iptables routing help

[John A. Sullivan III]

That's understandable - inserting a second interface is quite
intrusive.  However, creating a logical interface does not require
inserting a second NIC - merely binding a second IP address to the
existing NIC - two networks running on the same NIC - John

On Mon, 2004-01-26 at 23:37, William Knop wrote:
> Unfortunately, using two interfaces isn't an option, either. A friend 
> of mine suggested vpn, however there has to be a cleaner route.
> 
> I thought I could drop packets from the prerouting table and it would 
> fall into the default routing table or something like that. Surely 
> there has to be a way.
> 
> 
> On Jan 26, 2004, at 11:29 AM, <bmcdowell@coxhealthplans.com> wrote:
> 
> >
> > I was about to suggest the exact same thing.
> >
> >
> > Bob
> >
> > -----Original Message-----
> > From: netfilter-admin@lists.netfilter.org
> > [mailto:netfilter-admin@lists.netfilter.org]On Behalf Of John A.
> > Sullivan III
> > Sent: Monday, January 26, 2004 6:06 AM
> > To: William Knop
> > Cc: netfilter@lists.netfilter.org
> > Subject: Re: iptables routing help
> >
> >
> > On Sun, 2004-01-25 at 13:53, William Knop wrote:
> >> Okay, the problem is that we don't want to do nat (as I said in my
> >> original plee for help). We need external ips on all of the machines.
> >> Additionally, The ISP's DHCP server specifies it's own gateway, so I
> >> can't do normal routing, without spoofing the gateway's address and
> >> doing all sorts of ugly stuff (please correct me if I'm wrong).
> >>
> >>
> >> I was under the impression one could have iptables drop a packet from
> >> the prerouting or brouting table and it would go through the machine's
> >> routing table, without being specified on all the lan machines as the
> >> gateway.
> >>
> >>
> >> The physical layout we have are a bunch of boxes connected to a
> >> switch, and the dsl modem connected to the switch's uplink port. I
> >> could have the modem jack into a firewall box, or something, however
> >> the linux ethernet bridge seems to do very odd things to arps, and
> >> also iptables. Would bridging be necessary?
> >>
> >>
> >>
> > <snip>
> > This may not be as bad as it sounds and it my be a netfilter issue.
> > Looking at the topology, I would assume that there are several devices
> > on the same public subnet connect through the switch to the DSL modem 
> > in
> > which case they should talk to each other directly on that subnet
> > without sending the data across the DSL modem.  But am I correct to
> > understand that even though these devices share the same switch and the
> > same DSL modem that they are allocated public addresses out of 
> > different
> > IP subnets?
> >
> > If that is the case, the best solution is to install a second NIC into
> > each device and create a separate private network as already suggested.
> > Barring that, you can create a second, logical network on the same
> > media.  Use iproute2 to bind a second address to each of the public
> > interfaces.  These will all come from the same subnet and should be 
> > able
> > to communicate with each other.  Just be sure to use the secondary
> > address when sending data between those devices.
> >
> > ip address add dev0 192.168.1.4/24
> > ip address add dev0 192.168.1.5/24
> > ip address add dev0 192.168.1.6/24 . . . etc.
> >
> > This is a bit dangerous as these devices are still publicly exposed and
> > the ISP may allow traffic on RFC1918 addresses on their internal
> > networks so you may want to tightly secure the devices even for traffic
> > from these "private" addresses using iptables.
> >
> > This is the sort of set up that we use on our internal routers to
> > participate in the worldwide VPN project (http://www.worldwidevpn.com).
> > Good luck - John
> > -- 
> > John A. Sullivan III
> > Chief Technology Officer
> > Nexus Management
> > +1 207-985-7880
> > john.sullivan@nexusmgmt.com
> > ---
> > If you are interested in helping to develop a GPL enterprise class
> > VPN/Firewall/Security device management console, please visit
> > http://iscs.sourceforge.net
> >
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com