From: Grant Taylor <gtaylor@riverviewtech.net>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] 2 NICs Bridge + Router
Date: Mon, 04 Jun 2007 16:53:14 +0000
Message-ID: <4664437A.9040601@riverviewtech.net>
In-Reply-To: <4D411FB02758FE45915E9724339093F62E4DE2@intranet.scpl.local>
On 06/04/07 11:28, William Bohannan wrote:
> Works well except I cannot for the life of me get NAT working. I have
> the following setup:
Good.
> ### Network Interface script
> # /etc/init.d/network/interfaces
> auto lo
> iface lo inet loopback
>
> auto br0
> iface br0 inet static
> address 193.xxx.xxx.77
> netmask 255.255.255.128
> network 193.xxx.xxx.0
> broadcast 193.xxx.xxx.127
> gateway 193.xxx.xxx.126
>
> pre-up /sbin/ip link set eth0 up
> pre-up /sbin/ip link set eth1 up
> pre-up /usr/sbin/brctl addbr br0
> pre-up /usr/sbin/brctl addif br0 eth0
> pre-up /usr/sbin/brctl addif br0 eth1
What would happen if you added additional address, netmask, network,
broadcast, and gateway lines? Would that allow you to have aliases
defined in this manner, or would it simply override the existing settings?
> ### Simple script to start at boot
> # /etc/init.d/brouter.init
> echo "Bringing up NAT"
> ip addr add 10.10.1.254/24 dev br0
> iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
> route add -net -n 0.0.0.0 dev br0
> #enable forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
Hum, this looks like you will be MASQUERADEing any and all traffic that
leaves br0. I'm betting that you are MASQUERADEing some traffic that
you do not want to MASQUERADE.
> Please advise.
You need to selectively MASQUERADE traffic that is leaving your br0
interface. I.e. MASQUERADE any traffic that is leaving your network
headed to the world.
You can accomplish this a couple of different ways (possibly more).
1) MASQUERADE any traffic that is not destined to your internal
network. In other words MASQUERADE any traffic that is leaving your
network. I.e.
iptables -t nat -A POSTROUTING -o br0 ! -d 10.10.1.0/24 -j MASQUERADE
(If I have that IPTables syntax correct. You get the idea.)
2) MASQUERADE any traffic that is leaving the physical interface that
is facing the internet via the physdev IPTables match extension.
(Sorry, I have no experience with this option.)
Personally, I would try to do it based on destination IP address rather
than physical interface for various reasons that are not really
pertinent here.
Grant. . . .
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
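The two rule variants discussed in the reply, written out as a small script. This is an added example and not part of the original thread or either poster's configuration; it assumes, hypothetically, that the private LAN is 10.10.1.0/24 on br0 and that eth0 is the bridge port facing the Internet. It goes one step beyond the reply by also matching on the source network (`-s`), so that public hosts whose traffic is merely bridged through br0 are not masqueraded either.

```shell
#!/bin/sh
# Added example (not from the thread): restrict MASQUERADE on a brouter to
# traffic that actually leaves the site, instead of "everything out br0".
# Assumptions (hypothetical, not stated in the thread): the private LAN is
# 10.10.1.0/24 on br0, and eth0 is the bridge port that faces the Internet.
BR_IF="${BR_IF:-br0}"
LAN_NET="${LAN_NET:-10.10.1.0/24}"
WAN_PORT="${WAN_PORT:-eth0}"

# The rule from the original post: masquerades every packet leaving br0,
# including LAN-to-LAN traffic and, when br_netfilter passes bridged frames
# to iptables, traffic that is only being bridged between the public hosts.
# Kept here only for comparison.
nat_rule_original() {
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$BR_IF"
}

# Option 1 from the reply: masquerade only what comes from the private LAN
# and is NOT destined to the private LAN.  "! -d" is the negation syntax
# accepted by both old and current iptables releases.
nat_rule_by_dest() {
    printf 'iptables -t nat -A POSTROUTING -s %s ! -d %s -o %s -j MASQUERADE\n' \
        "$LAN_NET" "$LAN_NET" "$BR_IF"
}

# Option 2 from the reply: match the physical bridge port the packet exits
# through.  This relies on the br_netfilter code with
# net.bridge.bridge-nf-call-iptables=1 so that POSTROUTING knows the port;
# without it the rule simply never matches.
nat_rule_by_physdev() {
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -m physdev --physdev-out %s -j MASQUERADE\n' \
        "$LAN_NET" "$BR_IF" "$WAN_PORT"
}

# Print or apply the chosen rule.  APPLY=1 runs it for real (needs root);
# anything else only prints the command so it can be reviewed first.
nat_setup() {
    mode="${1:-dest}"
    case "$mode" in
        dest)    rule=$(nat_rule_by_dest) ;;
        physdev) rule=$(nat_rule_by_physdev) ;;
        *)       echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    if [ "${APPLY:-0}" = 1 ]; then
        eval "$rule" && sysctl -w net.ipv4.ip_forward=1
    else
        echo "$rule"
    fi
}

# Default invocation: print the destination-based rule without applying it.
nat_setup "${1:-dest}"
```

Run it as `./brouter-nat.sh dest` to see the rule, and `APPLY=1 ./brouter-nat.sh dest` as root to install it; `physdev` selects the second variant. The `-s` match is the part worth keeping even if the rest is adapted: it is what stops the brouter from rewriting traffic that was never the NAT's business.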