RE: [LARTC] 2 NICs Bridge + Router (working debian)
From: William Bohannan @ 2007-06-04 18:26 UTC
To: lartc

Thank you so much, I've been wanting to do this for ages. Finally got it
working (had to remove the gw) :)

### /etc/network/interfaces 
#
auto lo
iface lo inet loopback

auto br0
iface br0 inet static
address 193.xxx.xxx.77
netmask 255.255.255.128
network 193.xxx.xxx.0
broadcast 193.xxx.xxx.127

pre-up /sbin/ip link set eth0 up
pre-up /sbin/ip link set eth1 up
pre-up /usr/sbin/brctl addbr br0
pre-up /usr/sbin/brctl addif br0 eth0
pre-up /usr/sbin/brctl addif br0 eth1

### /etc/init.d/brouter.sh
#
echo "Bringing up NAT"
ip addr add 192.168.2.101/24 dev br0
iptables -t nat -A POSTROUTING -o br0 -d ! 192.168.2.0/24 -j MASQUERADE
#enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
route add default gw 193.xxx.xxx.126

Kind Regards
William Bohannan


-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl
[mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Grant Taylor
Sent: Monday, June 04, 2007 4:53 PM
To: Mail List - Linux Advanced Routing and Traffic Control
Subject: Re: [LARTC] 2 NICs Bridge + Router

On 06/04/07 11:28, William Bohannan wrote:
> Works well except I cannot for the life of me get NAT working.  I have
> the following setup:

Good.

> ### Network Interface script
> # /etc/init.d/network/interfaces
> auto lo
> iface lo inet loopback
> 
> auto br0
> iface br0 inet static
> address 193.xxx.xxx.77
> netmask 255.255.255.128
> network 193.xxx.xxx.0
> broadcast 193.xxx.xxx.127
> gateway 193.xxx.xxx.126
> 
> pre-up /sbin/ip link set eth0 up
> pre-up /sbin/ip link set eth1 up
> pre-up /usr/sbin/brctl addbr br0
> pre-up /usr/sbin/brctl addif br0 eth0
> pre-up /usr/sbin/brctl addif br0 eth1

What would happen if you added additional address, netmask, network,
broadcast, and gateway lines?  Would that allow you to have aliases
defined in this manner, or would it simply override the existing
settings?

> ### Simple script to start at boot
> # /etc/init.d/brouter.init
> echo "Bringing up NAT"
> ip addr add 10.10.1.254/24 dev br0
> iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
> route add -net -n 0.0.0.0 dev br0
> #enable forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward

Hum, this looks like you will be MASQUERADEing any and all traffic that 
leaves br0.  I'm betting that you are MASQUERADEing some traffic that 
you do not want to MASQUERADE.

> Please advise.

You need to selectively MASQUERADE traffic that is leaving your br0 
interface.  I.e. MASQUERADE any traffic that is leaving your network 
headed to the world.

You can accomplish this a couple of different ways (possibly more).

1)  MASQUERADE any traffic that is not destined to your internal 
network.  In other words MASQUERADE any traffic that is leaving your 
network.  I.e.

iptables -t nat -A POSTROUTING -o br0 -d ! 10.10.1.0/24 -j MASQUERADE

(If I have that IPTables syntax correct.  You get the idea.)

2)  MASQUERADE any traffic that is leaving the physical interface that 
is facing the internet via the physdev IPTables match extension. 
(Sorry, I have no experience with this option.)

Personally, I would try to do it based on destination IP address rather 
than physical interface for various reasons that are not really 
pertinent here.



Grant. . . .
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
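Added here as an illustration, not part of the thread: a small Python model of how the two POSTROUTING rules discussed above (the original "-o br0 -j MASQUERADE" and Grant's "-o br0 ! -d 10.10.1.0/24 -j MASQUERADE") treat packets leaving br0. The rule encoding, the sample destination addresses and the interface names are constructed for this example.

```python
# Constructed illustration of iptables POSTROUTING match semantics for the
# two MASQUERADE rules discussed in the thread. Not the thread's own code.
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.10.1.0/24")  # the LAN from the original post

# A rule is (out interface, destination network or None, negate flag);
# -j MASQUERADE is implied and the first matching rule wins, as in iptables.
BROAD_RULE = [("br0", None, False)]          # -o br0 -j MASQUERADE
SELECTIVE_RULE = [("br0", INTERNAL, True)]   # -o br0 ! -d 10.10.1.0/24 -j MASQUERADE


def rule_matches(rule, out_if, dst):
    """True if a packet leaving out_if for dst matches this rule."""
    oif, net, negate = rule
    if oif != out_if:
        return False
    if net is None:            # no -d test: every packet on that interface
        return True
    in_net = ip_address(dst) in net
    return (not in_net) if negate else in_net


def masqueraded(rules, out_if, dst):
    """True if the chain would MASQUERADE a packet leaving out_if for dst."""
    return any(rule_matches(r, out_if, dst) for r in rules)


# Constructed sample flows: LAN host -> LAN host, LAN host -> Internet host,
# and a packet leaving a different (hypothetical) interface.
SAMPLE_FLOWS = {
    "lan_to_lan": ("br0", "10.10.1.20"),
    "lan_to_internet": ("br0", "198.51.100.7"),
    "other_iface": ("eth2", "198.51.100.7"),
}


def compare(rules):
    """Map each sample flow name to whether the rule set would MASQUERADE it."""
    return {name: masqueraded(rules, oif, dst)
            for name, (oif, dst) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    print("broad:    ", compare(BROAD_RULE))       # LAN-to-LAN also rewritten
    print("selective:", compare(SELECTIVE_RULE))   # only traffic to the world
```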
