* [LARTC] Network configuration
@ 2006-01-15 18:36 ` Paul Lewis
From: Paul Lewis @ 2006-01-15 18:36 UTC (permalink / raw)
To: lartc, netfilter
Hi,
Apologies for the cross-posting; I'm not sure whether this is a firewall or
routing issue, or both!
I have four network cards, detailed below. eth0 and eth3 connect to my ISPs,
and eth1 and eth2 connect to local networks. I want to route all traffic
from eth2 to eth0, and from eth1 to eth3. However, I am having a few
problems with this.
eth0
ip: 192.168.100.253/24
gw: 192.168.100.254 (ISP)
eth1
ip: 192.168.3.253/22
gw: 192.168.20.253 (eth3)
eth2
ip: 192.168.7.253/22
gw: 192.168.100.253 (eth0)
eth3
ip: 192.168.20.253/24
gw: 192.168.20.254 (ISP)
I have tried setting up routing using these commands:
echo "ISP_1" >> /etc/iproute2/rt_tables
echo "ISP_2" >> /etc/iproute2/rt_tables
ip route add 192.168.4.0/22 dev eth2 src 192.168.7.253 table ISP_1
ip route add default via 192.168.100.253 table ISP_1
ip route add 192.168.0.0/22 dev eth1 src 192.168.3.253 table ISP_2
ip route add default via 192.168.20.253 table ISP_2
ip rule add from 192.168.7.253 table ISP_1
ip rule add from 192.168.3.253 table ISP_2
However, this yielded no success. I have also tried a simple iptables
forwarding configuration (without the routing config above):
iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth3 -j ACCEPT
iptables -A FORWARD -i eth3 -o eth1 -j ACCEPT
# default policy
iptables -P FORWARD DROP
Again, with no success. I do have a reasonably complex firewall in place,
but no other rules in the FORWARD section of the firewall. I have a number
of open ports under INPUT for other services the machine provides, and
nothing under OUTPUT.
In the NAT section, I have no rules in OUTPUT, a couple of MASQUERADING
rules under POSTROUTING, and hundreds of rules under PREROUTING (accepting
or denying machines based on their MAC).
I've had a few thoughts on this; do I need to have four default gateways
configured; one for each network card? And do I need more (or any)
forwarding rules in the firewall?
I've been struggling with this problem for some time now, and it's really
starting to annoy me. I would really appreciate any feedback people could
send me.
Many thanks,
Paul
---
Paul Lewis (paul.lewis@st-annes.ox.ac.uk)
Part II Student
Department Of Materials
University Of Oxford
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
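Added example, not code from the thread, modelling what the posted routing commands do and what they need to do. Two things stand out in them: the per-table default routes point at the router's own eth0/eth3 addresses (192.168.100.253 and 192.168.20.253) rather than at the ISP gateways (.254 on each link), and `ip rule add from 192.168.7.253` is a single-address selector, so packets forwarded on behalf of hosts in 192.168.4.0/22 never select ISP_1 and drop through to the main table. The model below reproduces the kernel's lookup order (rules by priority, longest-prefix match inside the selected table, fall-through to the next rule when the table has no route) and compares the posted set with a corrected one that follows the LARTC multi-uplink recipe: one rule per LAN prefix plus one per router-owned ISP-side address. Interface names and addresses are the ones posted; the main-table default via eth0 and the Internet host 198.51.100.7 are constructed.

```python
"""Policy-routing lookup model for the four-NIC router in the thread (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str                 # destination prefix, "default" for 0.0.0.0/0
    dev: str                    # egress interface
    via: Optional[str] = None   # next hop; None for a directly connected prefix


@dataclass(frozen=True)
class Rule:
    priority: int               # lower numbers are consulted first
    table: str
    src: Optional[str] = None   # "from" selector; None means "from all"


def _net(prefix: str):
    # "192.168.7.253" without a mask is a /32, exactly as iproute2 treats it
    return ip_network("0.0.0.0/0" if prefix == "default" else prefix, strict=False)


def lookup(rules: List[Rule], tables: Dict[str, List[Route]],
           src: str, dst: str) -> Optional[Route]:
    """Route the kernel would select for a packet src -> dst."""
    s, d = ip_address(src), ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src is not None and s not in _net(rule.src):
            continue
        hits = [r for r in tables.get(rule.table, []) if d in _net(r.prefix)]
        if hits:
            return max(hits, key=lambda r: _net(r.prefix).prefixlen)
        # no route in the selected table: fall through to the next rule
    return None


# Connected routes the kernel derives from the posted interface addresses.
CONNECTED = [
    Route("192.168.100.0/24", "eth0"), Route("192.168.0.0/22", "eth1"),
    Route("192.168.4.0/22", "eth2"), Route("192.168.20.0/24", "eth3"),
]

# The posted configuration. The ISP defaults point at the router's own
# addresses, and the rules match those same router addresses (as /32s).
POSTED_TABLES = {
    "main": CONNECTED + [Route("default", "eth0", via="192.168.100.254")],  # assumed
    "ISP_1": [Route("192.168.4.0/22", "eth2"), Route("default", "eth0", via="192.168.100.253")],
    "ISP_2": [Route("192.168.0.0/22", "eth1"), Route("default", "eth3", via="192.168.20.253")],
}
POSTED_RULES = [
    Rule(32764, "ISP_2", src="192.168.3.253"),   # ip rule add picks descending priorities
    Rule(32765, "ISP_1", src="192.168.7.253"),
    Rule(32766, "main"),
]

# Corrected: hand traffic to the ISP router on each link, select the table by
# the LAN prefix being forwarded, and by the router's own ISP-side address
# for connections the router originates or answers itself.
FIXED_TABLES = {
    "main": POSTED_TABLES["main"],
    "ISP_1": CONNECTED + [Route("default", "eth0", via="192.168.100.254")],
    "ISP_2": CONNECTED + [Route("default", "eth3", via="192.168.20.254")],
}
FIXED_RULES = [
    Rule(100, "ISP_1", src="192.168.100.253"),   # router's eth0 address
    Rule(101, "ISP_2", src="192.168.20.253"),    # router's eth3 address
    Rule(102, "ISP_1", src="192.168.4.0/22"),    # hosts behind eth2 -> ISP on eth0
    Rule(103, "ISP_2", src="192.168.0.0/22"),    # hosts behind eth1 -> ISP on eth3
    Rule(32766, "main"),
]


def fixed_commands() -> List[str]:
    """iproute2 commands equivalent to FIXED_TABLES / FIXED_RULES."""
    cmds = []
    for name in ("ISP_1", "ISP_2"):
        for r in FIXED_TABLES[name]:
            hop = f"via {r.via} " if r.via else ""
            cmds.append(f"ip route add {r.prefix} {hop}dev {r.dev} table {name}")
    for rule in FIXED_RULES:
        if rule.src:
            cmds.append(f"ip rule add from {rule.src} table {rule.table} priority {rule.priority}")
    return cmds


if __name__ == "__main__":
    for label, rules, tables in (("posted", POSTED_RULES, POSTED_TABLES),
                                 ("fixed", FIXED_RULES, FIXED_TABLES)):
        for src in ("192.168.1.10", "192.168.5.10"):   # a host behind eth1, one behind eth2
            print(label, src, "->", lookup(rules, tables, src, "198.51.100.7"))
    print("\n".join(fixed_commands()))
```

On the router itself the same question is answered by `ip route get 198.51.100.7 from 192.168.1.10 iif eth1`, which reports the table and gateway the kernel chose. The ISP tables carry the connected routes too, so LAN-to-LAN packets that match a `from` rule resolve inside that table instead of silently falling through to main. Two iptables points that the thread touches on: the MASQUERADE rules need a separate `-o eth0` and `-o eth3` entry so each uplink is masqueraded with its own address, and the nat PREROUTING chain only sees the first packet of a connection, so MAC-based accept/deny rules placed there do not police the remainder of a flow; the filter table (FORWARD) or mangle PREROUTING does.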
* RE: Network configuration
2006-01-15 18:36 ` Paul Lewis
@ 2006-01-15 19:02 ` Rob Sterenborg
From: Rob Sterenborg @ 2006-01-15 19:02 UTC (permalink / raw)
To: netfilter
> I have tried setting up routing using these commands:
>
> echo "ISP_1" >> /etc/iproute2/rt_tables
> echo "ISP_2" >> /etc/iproute2/rt_tables
>
> ip route add 192.168.4.0/22 dev eth2 src 192.168.7.253 table ISP_1
> ip route add default via 192.168.100.253 table ISP_1
> ip route add 192.168.0.0/22 dev eth1 src 192.168.3.253 table ISP_2
> ip route add default via 192.168.20.253 table ISP_2
>
> ip rule add from 192.168.7.253 table ISP_1
> ip rule add from 192.168.3.253 table ISP_2
>
> However, this yielded no success. I have also tried a simple iptables
> forwarding configuration (without the routing config above):
>
> iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
> iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth3 -j ACCEPT
> iptables -A FORWARD -i eth3 -o eth1 -j ACCEPT
>
> # default policy
> iptables -P FORWARD DROP
Not looking at your routing rules; did you also do:
echo 1 > /proc/sys/net/ipv4/ip_forward
Gr,
Rob
* RE: Network configuration
2006-01-15 19:02 ` Rob Sterenborg
@ 2006-01-15 19:08 ` Paul Lewis
From: Paul Lewis @ 2006-01-15 19:08 UTC (permalink / raw)
To: 'Rob Sterenborg', netfilter
Hi,
Sorry, I forgot to mention that. Yes, the "echo 1 >
/proc/sys/net/ipv4/ip_forward" has been set to run in rc.local script on
every boot.
Cheers,
Paul
---
Paul Lewis (paul.lewis@st-annes.ox.ac.uk)
Part II Student
Department Of Materials
University Of Oxford
* Re: [LARTC] Network configuration
2006-01-15 18:36 ` Paul Lewis
@ 2006-01-16 10:39 ` Michael Davidson
From: Michael Davidson @ 2006-01-16 10:39 UTC (permalink / raw)
To: lartc
Hi,
There is an "anti-spoofing" issue that you haven't mentioned and may
well have to contend with. Some Linux distros, certainly Redhat, when
installed with default settings will engage the anti-spoofing mechanism.
This prevents any interface from being used as a default route other
than the one declared in the routing table called "main".
You need to "echo 0 > /proc/sys/net/ipv4/conf/eth3/rp_filter" to turn
off the anti-spoofing for that interface.
Using iptables you can manually put back some of the anti-spoofing
mechanism. See "Rusty Russell's unreliable guide to iptables"
Regards Mike.
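The "anti-spoofing" setting in the reply above is the rp_filter sysctl, and there is a catch in turning it off for one interface that a practitioner should check before concluding it is not the problem: the kernel applies the larger of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter when validating sources on <iface>, so `echo 0 > /proc/sys/net/ipv4/conf/eth3/rp_filter` changes nothing while conf/all/rp_filter is still 1. The modes are 0 (off), 1 (strict: the route back to the source must leave through the interface the packet arrived on) and 2 (loose: any route to the source suffices; this mode did not exist in 2006-era kernels). The script below is an added example, not code from the thread: it computes the mode the kernel actually enforces per interface and emits the sysctl writes that leave the LAN links strict while relaxing the two ISP-facing links. The sysctl snapshot is constructed; read_live() walks the real /proc tree on a Linux host.

```python
"""rp_filter audit for a multi-homed Linux router (added example)."""
from pathlib import Path
from typing import Dict, Iterable, List

OFF, STRICT, LOOSE = 0, 1, 2
NOT_LINKS = ("all", "default", "lo")    # entries that are not uplinks or LAN links

# Constructed snapshot of /proc/sys/net/ipv4/conf/*/rp_filter after following the
# advice in the thread literally on a distribution that ships conf/all=1.
SNAPSHOT = {"all": 1, "default": 1, "lo": 1, "eth0": 1, "eth1": 1, "eth2": 1, "eth3": 0}


def read_live(root: str = "/proc/sys/net/ipv4/conf") -> Dict[str, int]:
    """Return {entry: rp_filter} for every entry under root; {} if unavailable."""
    out: Dict[str, int] = {}
    base = Path(root)
    if not base.is_dir():
        return out
    for entry in base.iterdir():
        f = entry / "rp_filter"
        try:
            if f.is_file():
                out[entry.name] = int(f.read_text().strip())
        except (OSError, ValueError):
            continue        # unreadable in this sandbox; skip rather than guess
    return out


def effective(values: Dict[str, int]) -> Dict[str, int]:
    """Mode the kernel enforces per link: max(conf/all, conf/<iface>)."""
    base = values.get("all", OFF)
    return {name: max(base, v) for name, v in values.items() if name not in NOT_LINKS}


def target(values: Dict[str, int], isp_links: Iterable[str], mode: int = LOOSE) -> Dict[str, int]:
    """New sysctl values: ISP links relaxed to `mode`, LAN links kept strict.

    Because of the max() rule, `all` must not exceed `mode`; LAN links are then
    pinned to 1 explicitly so that lowering `all` does not loosen them.
    """
    isp = set(isp_links)
    new = dict(values)
    new["all"] = min(values.get("all", OFF), mode)
    for name in values:
        if name not in NOT_LINKS:
            new[name] = mode if name in isp else STRICT
    return new


def commands(before: Dict[str, int], after: Dict[str, int]) -> List[str]:
    """sysctl writes needed to move from `before` to `after` (`all` sorts first)."""
    return [f"sysctl -w net.ipv4.conf.{name}.rp_filter={v}"
            for name, v in sorted(after.items()) if before.get(name) != v]


if __name__ == "__main__":
    print("enforced now:", effective(SNAPSHOT))            # eth3 is still strict
    for mode in (LOOSE, OFF):
        new = target(SNAPSHOT, ["eth0", "eth3"], mode)
        print(f"mode {mode}:", "\n  ".join([""] + commands(SNAPSHOT, new)))
    live = read_live()
    if live:
        print("this host enforces:", effective(live))
```

With mode 2 only the two uplinks need writing, because max(1, 2) is 2; with mode 0, as in the reply, conf/all has to come down first or the per-interface write is a no-op. Put whichever form is used into /etc/sysctl.conf as well, since the values reset at boot just as ip_forward does.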
Thread overview:
2006-01-15 18:36 [LARTC] Network configuration Paul Lewis
2006-01-15 18:36 ` Paul Lewis
2006-01-15 19:02 ` Rob Sterenborg
2006-01-15 19:08 ` Paul Lewis
2006-01-16 10:39 ` [LARTC] " Michael Davidson