* Is this at all possible
From: Steve Comfort @ 2004-12-02 12:05 UTC (permalink / raw)
To: netfilter
Hi all,
I'm 99% sure that the answer to this one is no, but a customer asked :)
They have two buildings with networks running on the same (192.168.2.x) subnet.
Is it possible to configure a (wireless) router that would be capable of routing between these identical sub-nets? Somehow, maybe restricting one half to addresses below 127 and getting cunning with the netmask?
Don't ask why they don't want to change to different subnets!
A resounding lack of response will be sufficient confirmation for me that this is a silly scenario.
Ciao
Steve Comfort
* RE: Is this at all possible
From: Alexis @ 2004-12-02 13:06 UTC (permalink / raw)
To: 'Steve Comfort', netfilter
Double NAT is the solution for this issue.
http://www.netfilter.org/documentation/HOWTO//netfilter-double-nat-HOWTO.html
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On behalf of
> Steve Comfort
> Sent: Thursday, 02 December 2004 9:06
> To: netfilter@lists.netfilter.org
> Subject: Is this at all possible
>
> Hi all,
>
> I'm 99% sure that the answer to this one is no, but a
> customer asked :)
>
> They have two buildings with networks running on the same
> (192.168.2.x) subnet.
>
> Is it possible to configure a (wireless) router that would be
> capable of routing between these identical sub-nets. Somehow,
> maybe restricting one half to addresses below 127 and getting
> cunning with the netmask?
>
> Don't ask why they don't want to change to different subnets!
>
> A resounding lack of response will be sufficient confirmation
> for me that this is a silly scenario.
>
> Ciao
> Steve Comfort
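An added example (not from the thread or the linked HOWTO) of what the double NAT looks like on one of the two gateways, using iptables' NETMAP target to rewrite between the real 192.168.2.0/24 and a per-building "virtual" /24; the interface names eth0/wlan0, the virtual prefixes 10.1.0.0/24 and 10.2.0.0/24, and the peer link address are assumptions.

```shell
#!/bin/sh
# Added example: one gateway's side of a NETMAP-based double NAT between two
# buildings that both use 192.168.2.0/24. Each building gets a distinct
# "virtual" /24 under which the other building addresses it; the gateway
# rewrites 1:1 between real and virtual (host part unchanged).
# Assumed layout: LAN on eth0, inter-building link on wlan0, the other
# gateway reachable at PEER_LINK, kernel with the ipt_NETMAP target.
# Run the same function on both gateways with the two prefixes swapped.
LAN=192.168.2.0/24
LAN_IF=${LAN_IF:-eth0}
LINK_IF=${LINK_IF:-wlan0}
PEER_LINK=${PEER_LINK:-10.0.0.2}   # assumed link address of the other gateway
IPT=${IPT:-iptables}
IPROUTE=${IPROUTE:-ip}
SYSCTL=${SYSCTL:-sysctl}
# IPT=echo IPROUTE=echo SYSCTL=echo gives a dry run that only prints commands.

# $1 = this building's virtual prefix, $2 = the other building's virtual prefix
apply_double_nat() {
    mine=$1
    theirs=$2
    $SYSCTL -w net.ipv4.ip_forward=1
    # Inbound from the peer: a packet for our virtual prefix is a packet for
    # our real LAN; NETMAP swaps the network part and keeps the host part.
    $IPT -t nat -A PREROUTING -i "$LINK_IF" -d "$mine" -j NETMAP --to "$LAN"
    # Outbound to the peer: hide our real (overlapping) source addresses
    # behind our virtual prefix so the far side never sees 192.168.2.x twice.
    $IPT -t nat -A POSTROUTING -o "$LINK_IF" -s "$LAN" -j NETMAP --to "$mine"
    # Forward only between the two mapped prefixes; nothing else crosses.
    # Replies are un-NATed by conntrack before FORWARD, so both directions of
    # both flows fall into one of these two rules.
    $IPT -A FORWARD -i "$LAN_IF" -o "$LINK_IF" -s "$LAN" -d "$theirs" -j ACCEPT
    $IPT -A FORWARD -i "$LINK_IF" -o "$LAN_IF" -s "$theirs" -d "$LAN" -j ACCEPT
    # Hosts in this building send traffic for the peer's virtual prefix to
    # this gateway, which forwards it across the link to the other gateway.
    $IPROUTE route add "$theirs" via "$PEER_LINK" dev "$LINK_IF"
}
# Building A gateway: apply_double_nat 10.1.0.0/24 10.2.0.0/24
# Building B gateway: apply_double_nat 10.2.0.0/24 10.1.0.0/24
```

Hosts in building A then reach a building B host 192.168.2.20 as 10.2.0.20, and vice versa under 10.1.0.x, without either LAN being renumbered.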
* RE: Is this at all possible
From: ads nat @ 2004-12-02 14:52 UTC (permalink / raw)
To: Alexis, 'Steve Comfort', netfilter
I am facing a similar problem.
I have two gateways getting Internet bandwidth from two different sources.
Server no. 1 will distribute bandwidth by NATting to IP addresses 192.168.0.2-192.168.0.150 of the subnet.
eth0 - xxx.xxx.xxx.xxx
eth1 - 192.168.0.1
GATEWAY setting for these subnet clients will be 192.168.0.1
Server no. 2 will supply bandwidth to the same subnet, but with Squid proxy server authentication and DHCP running. In the DHCP configuration I will configure IPs 192.168.0.151-192.168.0.200.
eth0 - xxx.xxx.xxx.xxx
eth1 - 192.168.0.254
GATEWAY setting for these IP clients will be 192.168.0.254
I think it should be possible. I don't have the infrastructure to check this in the lab, hence the question.
Thanks for support.
--- Alexis <alexis@tpys.com.ar> wrote:
> Double NAT is the solution for this issue.
> http://www.netfilter.org/documentation/HOWTO//netfilter-double-nat-HOWTO.html
* RE: Is this at all possible
From: Daniel Chemko @ 2004-12-02 18:11 UTC (permalink / raw)
To: Steve Comfort, netfilter
Steve Comfort wrote:
> Hi all,
>
> I'm 99% sure that the answer to this one is no, but a customer asked
> :)
Linksys routers have Linux installed. With custom firmware, you can
perform bridged network solutions. This means passing data from one
network to the next almost transparently.
Normal bridged network setup:
Network A -> Bridge -> Network B
Wireless bridged setup:
Network A -> Wlan1 -> (air) -> Wlan2 -> Network B
You'll need to support ProxyARP and enable the bridged mode on the
router. I believe www.sveasoft.com has the support needed. It has
bridged at least.
I have never set up this exact configuration, so I may be missing
something. PS: the 'Internet' port should not be plugged in or have a
valid network. Ideally you're delegating the default route to someone
else.
* Recent Match Questions
From: SiegeX @ 2004-12-03 7:42 UTC (permalink / raw)
To: netfilter
The following is an excerpt from the recent match help:
recent v1.2.11 options:
[!] --set      Add source address to list, always matches.
[!] --update   Match if source address in list, also update last-seen time.
[!] --remove   Match if source address in list, also removes that address from list.
My question to you guys is I don't see the point of negating these rules.
For example, since --set always matches, ! --set NEVER matches, so what's the
point? Similarly, ! --update matches if the name is not in the list and then updates
the name that is not in the list? And also ! --remove matches a name not in
the list and then attempts to remove it? Perhaps I'm not reading it right; I
must be, because the way I'm understanding it just doesn't make any sense.
Also, it would be nice if an option called --hittimer was added that will
automatically reset the hitcounts after X number of minutes. For example:
iptables -A INPUT -p tcp --dport $BAD_PORT -m recent --set
iptables -A INPUT -p tcp --dport $BAD_PORT -m recent --rcheck --hitcount 10 --hittimer 1440 -j DROP
In this fictitious example, after a certain attacker has attempted to connect
to $BAD_PORT 10 or more times, any further packets to this port will be
dropped. However, after 1440 mins (24 hours) his --hitcount will be cleared
back to 0, allowing him to send up to 10 more packets. I see no other way
of doing this with the current functionality of the recent match without having
to resort to flushing the actual rule and reissuing it, which is not a very
clean way of doing things.
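An added example (not from the thread) of a time-windowed form of the two rules above: rather than a counter that is reset after a fixed interval, the recent match's --seconds option (assumed to be present in the iptables build in use) makes --rcheck count only hits seen within a sliding window; the port number and list name are constructed for the example.

```shell
#!/bin/sh
# Added example: drop an address only while it has sent HITS or more new
# connection attempts to BAD_PORT within the last WINDOW seconds, using the
# recent match's --seconds (assumed present) together with --hitcount.
# An address that goes quiet for WINDOW seconds is released automatically,
# with no need to flush and reissue the rule.
IPT=${IPT:-iptables}        # IPT=echo prints the commands instead of applying them
BAD_PORT=${BAD_PORT:-23}    # constructed example port
LIST=badport                # named list, so this state is not shared with other recent rules

# $1 = hit threshold, $2 = window length in seconds
apply_recent_limit() {
    hits=$1
    window=$2
    # Rule 1: record every new connection attempt from the source address.
    # There is no -j: the rule only updates the list and the packet continues.
    $IPT -A INPUT -p tcp --dport "$BAD_PORT" -m state --state NEW \
        -m recent --name "$LIST" --set
    # Rule 2: drop once the address has been seen at least $hits times in the
    # last $window seconds. The module keeps at most ip_pkt_list_tot timestamps
    # per address (default 20), which caps the usable --hitcount.
    $IPT -A INPUT -p tcp --dport "$BAD_PORT" -m state --state NEW \
        -m recent --name "$LIST" --rcheck --seconds "$window" --hitcount "$hits" -j DROP
}
# Drop after 10 attempts within 24 hours (1440 minutes = 86400 seconds):
# apply_recent_limit 10 86400
```

Because --set runs first, the tenth attempt inside the window is the first one dropped, matching the "10 or more times" threshold described above.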