* [LARTC] Firewall.routing configuration problems
From: Paul Lewis @ 2005-10-20 16:40 UTC (permalink / raw)
To: netfilter, lartc
Hi,
I am trying to set up a linux box to act as a router for my college. There
are two different types of users: students and conference guests, and they
have IPs statically assigned by DHCP, from separate ranges (but they are on
the same subnet). The students go out onto an academic connection (via
eth0), and conference guests go out on an ADSL line (via eth3). eth1 and
eth2 are configured for internal use.
My question is this (and I'm not 100% sure if it's a firewall or routing
issue, hence the post to both mailing lists). I have some firewall rules in
place which direct packets out to a specific ethernet device, depending on
the IP that the packet is coming from. It will probably help if I define the
IPs, subnets and netmasks etc for the ethernet devices:
eth0 Link encap:Ethernet HWaddr 00:14:22:09:FB:1A
inet addr:192.168.100.253 Bcast:192.168.100.255 Mask:255.255.255.0
eth1 Link encap:Ethernet HWaddr 00:04:23:BB:89:9C
inet addr:192.168.7.253 Bcast:192.168.7.255 Mask:255.255.248.0
eth3 Link encap:Ethernet HWaddr 00:14:22:09:FB:1B
inet addr:192.168.20.253 Bcast:192.168.20.255 Mask:255.255.255.0
Students have an IP in the range 192.168.4.1-192.168.6.253, and conference
guests have an IP in the range 192.168.0.1-192.168.3.253. The firewall rules
for routing packets to the correct ethernet device (conference guests to
eth3 and students to eth0) are as follows:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE -o eth3
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE -o eth3
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j MASQUERADE -o eth3
iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -j MASQUERADE -o eth3
iptables -t nat -A POSTROUTING -s 192.168.4.0/24 -j MASQUERADE -o eth0
iptables -t nat -A POSTROUTING -s 192.168.5.0/24 -j MASQUERADE -o eth0
iptables -t nat -A POSTROUTING -s 192.168.6.0/24 -j MASQUERADE -o eth0
iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -j MASQUERADE -o eth0
(The 192.168.7.0 subnet is reserved for system devices).
The default gateway for the linux box itself is 192.168.100.254, which is
the same route as the students, and so, the student rules work fine, and
they get internet perfectly well. The problem arises with conference guests;
they do not seem to get internet access (they cannot access web pages, email,
etc), although if you try to go to a website like www.google.com, the
browser is able to determine the IP address of the website (I'm not 100%
sure if this is correct or not, and am currently not in a position to
check).
I have tried manually adding a route for each of the subnets, e.g.
route add -net 192.168.0.0 netmask 255.255.255.0 dev eth3
But this does not seem to make any difference, even if I consequently remove
the default gateway too (the only difference that makes is that students
then lose internet access too!)
I have been advised by a friend that it could be a firewall configuration
issue, and that I need some rules to redirect incoming packets from eth3
back out on the correct interface, as at the moment they might be going from
eth3 to the default gateway. I'm not sure if this is the case, and even if
it were, I'm not sure how to construct rules to do this.
I'm sorry this is such a long post. Is anyone able to shed any light on this
situation? Any help would be *greatly* appreciated :) If any other
information about the setup is needed, I will gladly provide it...
Many thanks,
Paul
---
Paul Lewis (paul.lewis@st-annes.ox.ac.uk)
JCR Computing Rep
St Anne's College
http://www.stannesjcr.org
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [LARTC] Firewall.routing configuration problems
From: Peter Surda @ 2005-10-20 17:03 UTC (permalink / raw)
To: lartc
On Thu, 20 Oct 2005 17:40:38 +0100 "Paul Lewis"
<paul.lewis@st-annes.oxford.ac.uk> wrote:
>Hi,
hi
[cut]
>The students go out onto an academic connection (via
>eth0), and conference guests go out on an ADSL line (via eth3). eth1 and
>eth2 are configured for internal use.
ok.
>The firewall rules
>for routing packets to the correct ethernet device (conference guests to
>eth3 and students to eth0) are as follows:
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE -o
>eth3
[cut]
You are mistaken here I think. This doesn't influence routing, only
masquerading. You are probably missing (in addition to what you have) policy
based routing, something like:
ip rule add from 192.168.0.0/22 table 10
ip rule add from 192.168.4.0/22 table 11
ip route add default via your_gateway_on_eth3 dev eth3 table 10
ip route add default via your_gateway_on_eth0 dev eth0 table 11
(in reality it is slightly more complicated, you need to add proper routes for
other subnets if you want them to be able to communicate with each other).
>Many thanks,
>
>Paul
Yours sincerely,
Peter
--
http://www.shurdix.org - Linux distribution for routers and firewalls
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Firewall.routing configuration problems
From: /dev/rob0 @ 2005-10-20 19:17 UTC (permalink / raw)
To: netfilter
On Thursday 2005-October-20 11:40, Paul Lewis wrote:
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE -o
> eth3
Are you thinking that the "-o eth3" will modify the behaviour of the
MASQUERADE target? It will not. It merely modifies which packets match
the rule. The above matches packets with source address 192.168.0.0/24
which are routed out device eth3.
See also SNAT, which is more appropriate with static IP addresses.
MASQUERADE is for home users and dynamic IP addresses.
IIUC your issue, which I might not because I didn't spend much time on
it, it's routing. You need to have routes for your conference guests.
Furthermore as has been suggested here to me (and I concur) you should
start unlearning route(8) and ifconfig(8) and start learning ip(8) from
iproute2, which is far more powerful and capable.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
^ permalink raw reply [flat|nested] 4+ messages in thread
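Putting the two replies together, here is an added example (not Paul's configuration, and not code from Peter Surda or /dev/rob0) of the policy-based routing Peter describes, written with iproute2 and SNAT as rob0 recommends. It assumes the users sit on eth1's 192.168.0.0/21 (derived from the 255.255.248.0 mask on eth1), reuses the box's 192.168.100.254 gateway for the student table, and leaves the ADSL gateway on eth3, which the thread never states, as a labelled placeholder. With DRY_RUN=1 the functions print the commands instead of executing them, so the result can be inspected before anything is applied as root.

```shell
#!/bin/sh
# Two-uplink policy routing for the setup in the thread (added example, not the
# original poster's config). Source-based rules choose the routing table; NAT
# only rewrites addresses on packets the routing decision already sent out.

GW_ETH0="192.168.100.254"                      # academic gateway, stated in the thread
GW_ETH3="${GW_ETH3:-ADSL_GATEWAY_PLACEHOLDER}"   # ADSL gateway: NOT in the thread, placeholder
LAN_DEV="eth1"                                 # internal interface carrying both user groups
LAN_NET="192.168.0.0/21"                       # from eth1's 255.255.248.0 mask
GUEST_NET="192.168.0.0/22"                     # 192.168.0.x - 192.168.3.x
STUDENT_NET="192.168.4.0/22"                   # 192.168.4.x - 192.168.7.x
GUEST_TABLE=10
STUDENT_TABLE=11

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

pbr_commands() {
    # A per-source table ends the lookup as soon as its default route matches,
    # so each table must also carry the directly connected LAN; otherwise a
    # guest steered into table 10 can no longer reach a student two desks away.
    run ip route add "$LAN_NET" dev "$LAN_DEV" table "$GUEST_TABLE"
    run ip route add "$LAN_NET" dev "$LAN_DEV" table "$STUDENT_TABLE"
    run ip route add default via "$GW_ETH3" dev eth3 table "$GUEST_TABLE"
    run ip route add default via "$GW_ETH0" dev eth0 table "$STUDENT_TABLE"

    # Rules select the table from the packet's source; lower pref is tried first.
    run ip rule add from "$GUEST_NET" table "$GUEST_TABLE" pref 100
    run ip rule add from "$STUDENT_NET" table "$STUDENT_TABLE" pref 110

    # Static uplink addresses, so SNAT rather than MASQUERADE. "-o" is a match on
    # the egress device the routing decision chose, not a way of choosing it.
    run iptables -t nat -A POSTROUTING -s "$GUEST_NET" -o eth3 \
        -j SNAT --to-source 192.168.20.253
    run iptables -t nat -A POSTROUTING -s "$STUDENT_NET" -o eth0 \
        -j SNAT --to-source 192.168.100.253
}

# Apply the configuration and drop the cached routing decisions so the new
# rules take effect immediately. Call as root once GW_ETH3 is set.
pbr_apply() {
    pbr_commands
    run ip route flush cache
}
```

Preview with `DRY_RUN=1 sh pbr.sh` after adding a `pbr_apply` call at the bottom, then run it for real once GW_ETH3 is set. To confirm a guest address is steered onto eth3, `ip route get 198.51.100.1 from 192.168.1.10 iif eth1` should report `dev eth3` and `table 10`; the same query for a 192.168.5.x source should report eth0.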