From: Michael Davidson <michael@bbd.co.za>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Network configuration
Date: Mon, 16 Jan 2006 10:39:10 +0000
Message-ID: <43CB77CE.6010104@bbd.co.za>
In-Reply-To: <000301c61a02$9f6f3500$6402a8c0@sannpjl>
Hi,
There is an "anti-spoofing" issue that you haven't mentioned and may
well have to contend with. Some Linux distros, certainly Redhat, when
installed with default settings will engage the anti-spoofing mechanism.
This prevents any interface from being used as a default route other
than the one declared in the routing table called "main".
You need to "echo 0 > /proc/sys/net/ipv4/conf/eth3/rp_filter" to turn
off the anti-spoofing for that interface.
Using iptables you can manually put back some of the anti-spoofing
mechanism. See "Rusty Russell's unreliable guide to iptables".
Regards Mike.
Paul Lewis wrote:
>Hi,
>
>Apologies for the cross-posting; I'm not sure whether this is a firewall or
>routing issue, or both!
>
>I have four network cards, detailed below. eth0 and eth3 connect to my ISPs,
>and eth1 and eth2 connect to local networks. I want to route all traffic
>from eth2 to eth0, and from eth1 to eth3. However, I am having a few
>problems with this.
>
>eth0
>ip: 192.168.100.253/24
>gw: 192.168.100.254 (ISP)
>
>eth1
>ip: 192.168.3.253/22
>gw: 192.168.20.253 (eth3)
>
>eth2
>ip: 192.168.7.253/22
>gw: 192.168.100.253 (eth0)
>
>eth3
>ip: 192.168.20.253/24
>gw: 192.168.20.254 (ISP)
>
>I have tried setting up routing using these commands:
>
>echo "ISP_1" >> /etc/iproute2/rt_tables
>echo "ISP_2" >> /etc/iproute2/rt_tables
>
>ip route add 192.168.4.0/22 dev eth2 src 192.168.7.253 table ISP_1
>ip route add default via 192.168.100.253 table ISP_1
>ip route add 192.168.0.0/22 dev eth1 src 192.168.3.253 table ISP_2
>ip route add default via 192.168.20.253 table ISP_2
>
>ip rule add from 192.168.7.253 table ISP_1
>ip rule add from 192.168.3.253 table ISP_2
>
>However, this yielded no success. I have also tried a simple iptables
>forwarding configuration (without the routing config above):
>
>iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
>iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
>iptables -A FORWARD -i eth1 -o eth3 -j ACCEPT
>iptables -A FORWARD -i eth3 -o eth1 -j ACCEPT
>
># default policy
>iptables -P FORWARD DROP
>
>Again, with no success. I do have a reasonably complex firewall in place,
>but no other rules in the FORWARD section of the firewall. I have a number
>of open ports under INPUT for other services the machine provides, and
>nothing under OUTPUT.
>
>In the NAT section, I have no rules in OUTPUT, a couple of MASQUERADING
>rules under POSTROUTING, and hundreds of rules under PREROUTING (accepting
>or denying machines based on their MAC).
>
>I've had a few thoughts on this; do I need to have four default gateways
>configured; one for each network card? And do I need more (or any)
>forwarding rules in the firewall?
>
>I've been struggling with this problem for some time now, and it's really
>starting to annoy me. I would really appreciate any feedback people could
>send me.
>
>Many thanks,
>
>Paul
>
>---
>Paul Lewis (paul.lewis@st-annes.ox.ac.uk)
>Part II Student
>Department Of Materials
>University Of Oxford
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
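Added example, not part of either message in this thread: a small POSIX shell script that audits the per-interface rp_filter setting Mike points at, and prints (dry-run, nothing is applied) the source-keyed policy-routing commands and the per-interface iptables anti-spoofing rules that can stand in for rp_filter once it is turned off. The interface map is constructed from the addresses in Paul's message; it keys the rules on each LAN subnet and uses each ISP's gateway as next hop, which is an assumption about the intended layout rather than something either poster wrote.

```shell
#!/bin/sh
# Added example (not from the original thread). All functions only print
# commands or report state; nothing here changes a live router.

# Constructed from the addresses quoted in the thread. One record per line:
#   iface  local_subnet    next_hop         table
ROUTER_MAP='eth2 192.168.4.0/22 192.168.100.254 ISP_1
eth1 192.168.0.0/22 192.168.20.254 ISP_2'

# rp_filter_state DIR: print "iface value" for every interface under DIR.
# DIR mimics /proc/sys/net/ipv4/conf; pass the real path on a router.
rp_filter_state() {
    dir=$1
    for f in "$dir"/*/rp_filter; do
        [ -r "$f" ] || continue
        printf '%s %s\n' "$(basename "$(dirname "$f")")" "$(cat "$f")"
    done
}

# strict_rp_filter_ifaces DIR: list interfaces whose rp_filter is 1 (strict).
# Strict mode discards packets whose source would not be routed back out
# the same interface, so an uplink that is not the default route in table
# "main" silently loses its traffic until rp_filter is relaxed.
strict_rp_filter_ifaces() {
    rp_filter_state "$1" | awk '$2 == 1 { print $1 }'
}

# policy_routing_cmds: emit the ip(8) commands that send each LAN's traffic
# out through its own ISP, selecting the table by the LAN source subnet.
policy_routing_cmds() {
    printf '%s\n' "$ROUTER_MAP" | while read -r iface subnet gw table; do
        echo "ip route add $subnet dev $iface table $table"
        echo "ip route add default via $gw table $table"
        echo "ip rule add from $subnet table $table"
    done
}

# antispoof_cmds: emit iptables rules that put back, per interface, the
# source-address check rp_filter would have done: only the LAN's own
# subnet may be forwarded in through that LAN interface.
antispoof_cmds() {
    printf '%s\n' "$ROUTER_MAP" | while read -r iface subnet gw table; do
        echo "iptables -A FORWARD -i $iface ! -s $subnet -j DROP"
    done
}

# Usage on a router: strict_rp_filter_ifaces /proc/sys/net/ipv4/conf
# then review the output of policy_routing_cmds and antispoof_cmds before
# applying any of it.
```

The FORWARD rules only cover traffic passing through the box; the same `-i iface ! -s subnet` test belongs in INPUT if the router itself should not accept spoofed sources either. Later kernels also accept `rp_filter=2` (loose mode, which only requires that some route back to the source exists), and the `all` entry under `conf/` interacts with the per-interface values, so the audit function should be run against both.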
Thread overview: 5+ messages
2006-01-15 18:36 [LARTC] Network configuration Paul Lewis
2006-01-15 18:36 ` Paul Lewis
2006-01-15 19:02 ` Rob Sterenborg
2006-01-15 19:08 ` Paul Lewis
2006-01-16 10:39 ` Michael Davidson [this message]