* Chain traversal with multiple internal IP subnets.
@ 2002-09-22 19:54 Jared Brick
  0 siblings, 0 replies; 3+ messages in thread
From: Jared Brick @ 2002-09-22 19:54 UTC (permalink / raw)
  To: netfilter

Hello everybody,

I have (for various reasons) a LAN with two gateways that internally use
three different IP subnets (don't ask). Most nodes within the LAN have a
single IP address and use one of the two gateways.

One gateway is a router with an IP address in each subnet that does no
filtering. Most hosts use this as their default gateway, and it of
course has no problem routing between the three subnets.

However the other gateway is a Linux box with two IP addresses (it only
acts as a gateway for two of the subnets) using iptables. The gateway
itself has static routes so that it can route between the different
subnets, including the subnet for which it has no IP address. My
question is: which chain will a packet traverse when it is travelling
between two different internal subnets? I think it is the FORWARD chain
but my colleague feels it would be the OUTPUT chain. I ask because I am
having trouble routing between the internal networks.

Also note that I am well aware that connection tracking is useless in
this environment (because of the different default gateways) and all the
chains are set up before any connection tracking is going on.

If anyone has any experience with a similar set up, any help would be
much appreciated.

Thanks,

Jared





* Re: Chain traversal with multiple internal IP subnets.
       [not found] <1032724445.1352.22.camel@neo.matrix.ca.>
@ 2002-09-23  1:22 ` Antony Stone
  2002-09-23  6:23 ` Anders Fugmann
  1 sibling, 0 replies; 3+ messages in thread
From: Antony Stone @ 2002-09-23  1:22 UTC (permalink / raw)
  To: netfilter

On Sunday 22 September 2002 8:54 pm, Jared Brick wrote:

> I have (for various reasons) a LAN with two gateways that internally use
> three different IP subnets (don't ask).

Okay ...  :-)

> However the other gateway is a Linux box with two IP addresses (it only
> acts as a gateway for two of the subnets) using iptables. The gateway
> itself has static routes so that it can route between the different
> subnets, including the subnet for which it has no IP address. My
> question is: which chain will a packet traverse when it is travelling
> between two different internal subnets? I think it is the FORWARD chain
> but my colleague feels it would be the OUTPUT chain. I ask because I am
> having trouble routing between the internal networks.

It is the FORWARD chain.   The reasoning is simple:

Only packets which are destined for the machine running netfilter traverse 
the INPUT chain.

Only packets which are originated on the machine running netfilter traverse 
the OUTPUT chain.

Packets which originate on another machine and are destined for another 
machine only traverse the FORWARD chain.

Of course, the above statements are for the filter tables only - all packets 
coming in to a machine will traverse the PREROUTING chain (nat table) and all 
packets leaving a machine will traverse the POSTROUTING chain (nat table).

The PREROUTING chain in particular may change the selection about whether the 
packet terminates on this machine and enters the INPUT chain, or whether it 
goes on to some other machine and therefore enters the FORWARD chain.

Netfilter does not even care about packets which enter through an interface 
and then exit by the same interface - they still go through the FORWARD chain.

Hope this helps,

Antony.

-- 

Which part of 'apt-get dist-upgrade' do you not understand ???



* Re: Chain traversal with multiple internal IP subnets.
       [not found] <1032724445.1352.22.camel@neo.matrix.ca.>
  2002-09-23  1:22 ` Chain traversal with multiple internal IP subnets Antony Stone
@ 2002-09-23  6:23 ` Anders Fugmann
  1 sibling, 0 replies; 3+ messages in thread
From: Anders Fugmann @ 2002-09-23  6:23 UTC (permalink / raw)
  To: Jared Brick; +Cc: netfilter

Jared Brick wrote:
> Hello everybody,
> 
> However the other gateway is a Linux box with two IP addresses (it only
> acts as a gateway for two of the subnets) using iptables. 
I'm not sure of your setup. Do you have one network interface per IP, or 
two IPs on the same interface?

> The gateway
> itself has static routes so that it can route between the different
> subnets, including the subnet for which it has no IP address. My
> question is: which chain will a packet traverse when it is travelling
> between two different internal subnets? I think it is the FORWARD chain
> but my colleague feels it would be the OUTPUT chain. I ask because I am
> having trouble routing between the internal networks.
If you are only using one network interface, then you will have 
troubles routing between the two subnets. Please see the recent thread 
in which this was discussed:
"Internal ip exiting network on firewall external nic despight rule" 
(http://lists.netfilter.org/pipermail/netfilter/2002-September/038510.html)

> If anyone has any experience with a similar set up, any help would be
> much appreciated.
It seems to me that you do not need netfilter at all, as netfilter does 
not route packets. I recommend that you setup your linux router and make 
it work without netfilter. Then, if you want to restrict communication 
between the subnets, use netfilter.

Hope it helps.
Anders Fugmann


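To make the two replies concrete, here is an added example (it is not code from the thread or from the netfilter project) that models the decision Antony describes and the routing-versus-filtering split Anders describes: a small Python model of a gateway with a longest-prefix routing table, the net.ipv4.ip_forward flag, and the netfilter hook order. The topology, addresses and interface names are constructed assumptions loosely matching the original poster's setup (two addressed interfaces plus a static route to a third subnet via the other router); the optional dnat argument stands in for a nat PREROUTING DNAT rule and is likewise an assumption of the model.

```python
"""Model of which netfilter chains a packet traverses on a Linux gateway.

Added example, not code from the thread. The routing decision (FIB lookup,
net.ipv4.ip_forward) is independent of netfilter: after the nat PREROUTING
hook the kernel decides whether the packet is for this host (filter INPUT)
or is to be forwarded (filter FORWARD); packets the gateway itself sends go
through filter OUTPUT. Everything leaving passes nat POSTROUTING.
"""
import ipaddress

IPv4 = ipaddress.IPv4Address


class Route:
    """One routing-table entry: prefix -> egress device, optional next hop."""

    def __init__(self, prefix, dev, via=None):
        self.prefix = ipaddress.IPv4Network(prefix)
        self.dev = dev
        self.via = IPv4(via) if via else None


class Gateway:
    """A router with addressed interfaces, static routes and a forwarding flag."""

    def __init__(self, addrs, routes, ip_forward=True):
        # addrs: {iface: "a.b.c.d/len"}; each connected subnet is a route too
        self.addrs = {dev: ipaddress.IPv4Interface(a) for dev, a in addrs.items()}
        connected = [Route(str(i.network), dev) for dev, i in self.addrs.items()]
        self.routes = connected + list(routes)
        self.ip_forward = ip_forward

    def is_local(self, dst):
        """True if dst is one of this host's own addresses (on any interface)."""
        return any(i.ip == dst for i in self.addrs.values())

    def lookup(self, dst):
        """Longest-prefix match over the routing table; None means unreachable."""
        matches = [r for r in self.routes if dst in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def traverse(gw, dst, in_dev=None, dnat=None):
    """Return (chains, out_dev) for one packet addressed to dst.

    in_dev=None means the packet originates on the gateway itself.
    dnat is an optional {orig_dst: new_dst} map standing in for a nat
    PREROUTING DNAT rule, to show that the INPUT/FORWARD decision is taken
    on the destination as it is *after* PREROUTING.
    """
    dst = IPv4(dst)
    if in_dev is None:
        route = gw.lookup(dst)
        if route is None:
            return ["(no route)"], None
        return ["OUTPUT", "POSTROUTING"], route.dev

    chains = ["PREROUTING"]
    if dnat:
        dst = IPv4(dnat.get(str(dst), dst))
    if gw.is_local(dst):
        return chains + ["INPUT"], None
    if not gw.ip_forward:
        # with net.ipv4.ip_forward=0 the kernel discards the packet at the
        # routing decision; no filter chain ever sees it
        return chains + ["(dropped: ip_forward=0)"], None
    route = gw.lookup(dst)
    if route is None:
        return chains + ["(no route)"], None
    # forwarded packets hit FORWARD even when out_dev == in_dev
    return chains + ["FORWARD", "POSTROUTING"], route.dev


# Constructed topology (assumed addresses and names, not from the thread):
# the Linux gateway has an address in two internal subnets and reaches the
# third via the other router, as the original poster describes.
GW = Gateway(
    addrs={"eth0": "10.1.0.1/24", "eth1": "10.2.0.1/24"},
    routes=[Route("10.3.0.0/24", "eth0", via="10.1.0.254")],
)

CASES = [
    ("host on eth0 -> host in second subnet", dict(dst="10.2.0.20", in_dev="eth0")),
    ("host on eth0 -> third subnet (back out eth0)", dict(dst="10.3.0.30", in_dev="eth0")),
    ("host on eth0 -> gateway's own eth1 address", dict(dst="10.2.0.1", in_dev="eth0")),
    ("gateway itself -> host in second subnet", dict(dst="10.2.0.20")),
    ("DNAT in PREROUTING turns INPUT into FORWARD",
     dict(dst="10.1.0.1", in_dev="eth0", dnat={"10.1.0.1": "10.2.0.20"})),
    ("no route for destination", dict(dst="192.168.9.9", in_dev="eth0")),
]

if __name__ == "__main__":
    for label, kw in CASES:
        chains, out_dev = traverse(GW, **kw)
        print(f"{label:46s} {' -> '.join(chains):38s} out={out_dev}")
    off = Gateway({"eth0": "10.1.0.1/24", "eth1": "10.2.0.1/24"}, [], ip_forward=False)
    print("ip_forward=0:", traverse(off, "10.2.0.20", in_dev="eth0"))
```

Running it prints one line per case. The points it makes are the ones in the replies: inter-subnet traffic from another host hits FORWARD whether or not it leaves on the interface it arrived on; a packet addressed to any of the gateway's own addresses hits INPUT even when it arrives on the "other" interface; only packets the gateway itself generates hit OUTPUT; and with ip_forward=0 or no matching route the packet never reaches any filter chain, which is why a forwarding problem should be debugged at the routing layer first. The model tracks only the chains Antony names (filter INPUT/OUTPUT/FORWARD, nat PREROUTING/POSTROUTING); real netfilter also runs the mangle and raw tables at those hooks. On a live box, `sysctl net.ipv4.ip_forward` and the per-rule packet counters from `iptables -L FORWARD -v -n` answer the same question empirically.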

