* conf scenario.
From: Krystian @ 2004-05-03 20:42 UTC (permalink / raw)
To: netfilter
hello
I need some help on how to configure this scenario in iptables:
[adsl modem/router]-----[eth1-linux box-eth0]-----[network]
The problem is that the box has to work as a forward/masquerade for most
users, but it must also bridge traffic from a couple of hosts inside the
network which have public IP addresses.
Question: how to configure the "linux box's" iptables to forward and
masquerade traffic from most users and bridge traffic for a couple of
"public" users.
The way I figured it out is to DNAT all traffic for public IPs to our
network's public hosts. Is there another, better way?
* Re: conf scenario.
From: Antony Stone @ 2004-05-03 20:56 UTC (permalink / raw)
To: netfilter
On Monday 03 May 2004 9:42 pm, Krystian wrote:
> hello
>
> i need some help on how to configure this scenario in iptables:
>
> [adsl modem/router]-----[eth1-linux box-eth0]-----[network]
>
> the problem is that the box has to work as a forward/masquerade for most
> users, but it must also bridge traffic from a couple of hosts inside the
> network which have public IP addresses.
>
> question: how to configure "linux box's" iptables to forward and
> masquerade traffic from most users and bridge traffic for a couple of
> "public" users.
Add a third interface card eth2, bridge eth1 and eth2 as br0, and then route
between br0 and eth0.
If you have hosts on your network which need public IPs then they have to be
on a separate subnet from your normal clients anyway.
Regards,
Antony.
--
In science, one tries to tell people
in such a way as to be understood by everyone
something that no-one ever knew before.
In poetry, it is the exact opposite.
- Paul Dirac
Please reply to the list;
please don't CC me.
* Re: conf scenario.
From: Jon Colverson @ 2004-05-03 22:01 UTC (permalink / raw)
To: netfilter
Antony Stone wrote:
> On Monday 03 May 2004 9:42 pm, Krystian wrote:
>>i need some help on how to configure this scenario in iptables:
>>
>>[adsl modem/router]-----[eth1-linux box-eth0]-----[network]
>>
>>question: how to configure "linux box's" iptables to forward and
>>masquerade traffic from most users and bridge traffic for a couple of
>>"public" users.
I don't believe that any iptables configuration is necessary for the
machines with public IPs. The Linux box will need a public IP on the
same subnet as them and will need to have IP forwarding turned on (echo
1 > /proc/sys/net/ipv4/ip_forward). The boxes with public IPs will need
to have the Linux box as their default gateway and it should all just work.
If you can't spare a public IP for the Linux box, can you just connect
the ADSL modem/router, the Linux box, and the clients all to the same
Ethernet? This is the setup I use. In that case the clients with public
IPs would be able to see the ADSL modem/router directly (and would
simply use that as their default gateway).
> Add a third interface card eth2, bridge eth1 and eth2 as br0, and then route
> between br0 and eth0.
>
> If you have hosts on your network which need public IPs then they have to be
> on a separate subnet from your normal clients anyway.
I don't think this is necessary. The public IP clients are obviously on
a different IP subnet, but they can happily share the Ethernet with the
NATed clients.
--
Jon
* Re: conf scenario.
From: Antony Stone @ 2004-05-03 22:28 UTC (permalink / raw)
To: netfilter
On Monday 03 May 2004 11:01 pm, Jon Colverson wrote:
> Antony Stone wrote:
> > On Monday 03 May 2004 9:42 pm, Krystian wrote:
> >>i need some help on how to configure this scenario in iptables:
> >>
> >>[adsl modem/router]-----[eth1-linux box-eth0]-----[network]
> >>
> >>question: how to configure "linux box's" iptables to forward and
> >>masquerade traffic from most users and bridge traffic for a couple of
> >>"public" users.
>
> I don't believe that any iptables configuration is necessary for the
> machines with public IPs. The Linux box will need a public IP on the
> same subnet as them and will need to have IP forwarding turned on (echo
> 1 > /proc/sys/net/ipv4/ip_forward). The boxes with public IPs will need
> to have the Linux box as their default gateway and it should all just work.
This does require a bit of fiddling about with the routing tables to make sure
the gateway machine knows which interface to find various public IPs on.
However, it can be done with the right netmasks.
> If you can't spare a public IP for the Linux box, can you just connect
> the ADSL modem/router, the Linux box, and the clients all to the same
> Ethernet? This is the setup I use. In that case the clients with public
> IPs would be able to see the ADSL modem/router directly (and would
> simply use that as their default gateway).
The problem with that is that you are then exposing the public IP servers
directly to the Internet without the benefit of the firewall :(
> > Add a third interface card eth2, bridge eth1 and eth2 as br0, and then
> > route between br0 and eth0.
> >
> > If you have hosts on your network which need public IPs then they have to
> > be on a separate subnet from your normal clients anyway.
>
> I don't think this is necessary. The public IP clients are obviously on
> a different IP subnet, but they can happily share the Ethernet with the
> NATed clients.
Ugh :) I object to the use of the word "happily". It'll work, sure, but
it's not a nice networking setup (ie: don't blame me when there's a problem
and debugging turns up some crazy results...)
Besides, what happened to the security model where you make sure that any
publicly-accessible server which happens to get compromised can't do any
damage to your internal network?
Regards,
Antony.
--
Having been asked for a reference for this man,
I can confirm that you will be very lucky indeed if you can get him to work
for you.
Please reply to the list;
please don't CC me.
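A routed setup along the lines Jon describes, with the private-LAN isolation Antony asks for, as an added example script (not from the thread). It generates the commands for review rather than applying them; the addresses (RFC 5737 ranges), the eth0/eth1 roles and the open ports are constructed, and it assumes the ADSL router routes the public /29 to the box's eth1 address.

```shell
#!/bin/sh
# Added example (not from the thread). Routed variant of Jon's proposal with
# Antony's caveats: private clients are masqueraded, public hosts are plainly
# forwarded, and public hosts are kept away from the private LAN.
# All addresses are constructed (RFC 5737 ranges); adjust for your site.
# Assumption: the ADSL router routes $PUB_NET to $WAN_IP on eth1.
WAN_IF=eth1             # towards the ADSL modem/router
LAN_IF=eth0             # shared Ethernet: private clients and public hosts
WAN_IP=198.51.100.2/30
PRIV_NET=192.168.1.0/24
PUB_NET=203.0.113.0/29
PUB_GW=203.0.113.1/29   # secondary address on eth0: gateway for public hosts
PUB_SVC_PORTS=80,443    # the services the public hosts actually offer

emit_ruleset() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
ip addr add $WAN_IP dev $WAN_IF
ip addr add $PUB_GW dev $LAN_IF
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -P FORWARD DROP
# Only the private clients are NATed; public hosts keep their own addresses.
iptables -t nat -A POSTROUTING -s $PRIV_NET -o $WAN_IF -j MASQUERADE
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# A compromised public host must not reach the private LAN through this box.
iptables -A FORWARD -s $PUB_NET -d $PRIV_NET -j LOG --log-prefix "pub2lan: "
iptables -A FORWARD -s $PUB_NET -d $PRIV_NET -j DROP
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $PRIV_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $PUB_NET -j ACCEPT
# Inbound to the public hosts: only their published services.
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $PUB_NET -p tcp -m multiport --dports $PUB_SVC_PORTS -m state --state NEW -j ACCEPT
EOF
}

# Dry run by default: review the output, then run with APPLY=1 as root.
if [ "${APPLY:-0}" = 1 ]; then emit_ruleset | sh -e; else emit_ruleset; fi
```

The FORWARD rules only govern traffic routed through the box: because the public hosts share eth0's Ethernet with the private clients, a compromised public host could still address 192.168.1.x directly on that segment, which is Antony's objection to the shared-segment layout.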
* Re: conf scenario.
From: Krystian @ 2004-05-04 19:58 UTC (permalink / raw)
To: netfilter
thx :)