From mboxrd@z Thu Jan 1 00:00:00 1970
From: urgrue
Subject: Re: a little help on iptables
Date: Thu, 07 Sep 2006 19:24:30 +0300
Message-ID: <450047BE.9090502@bulbous.org>
References: <200609071640.33138.fluca1978@infinito.it>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <200609071640.33138.fluca1978@infinito.it>
Sender: linux-admin-owner@vger.kernel.org
List-Id:
Content-Type: text/plain; charset="us-ascii"
To: Luca Ferrari
Cc: linux-admin

It's a little hard to understand what you want exactly. Why do you want to
keep both internet connections? Is it not possible to forward a port from
the new gateway to your firewall? Why must your firewall use a different
internet connection (i.e. why can't you connect the new connection directly
to your firewall)?

If you _really_ must have:
- LAN traffic use your firewall as the default gateway, which then forwards
  the traffic to the new router
- Firewall use the old router for its own internet

Then your only option that I can think of is to use policy routing.
Basically on your firewall do something like:

ip rule add from x.x.x.x/z table 100
ip rule add to x.x.x.x/z table 100
ip route add x.x.x.x/z via i.i.i.i table 100
ip route add default via z.z.z.z table 100

Where:
x.x.x.x/z = your LAN
i.i.i.i = your firewall's LAN IP
z.z.z.z = your new router in the LAN

But your situation must be somewhat unusual if you really need to do this.

urgrue

Luca Ferrari wrote:
> Hi all,
> this is the situation: I've got a firewall double-homed, with a NIC assigned
> to a public IP and the other to the LAN network. Until now I've used the
> external NIC as default gateway, since my router has a public address too.
> Now I'd like to use another router on the lan as default, leaving untouched
> the external interface (since the firewall must be accessible from the
> outside world). So I've changed the default gw to the lan one, and it works,
> but I get the external ip unreachable, and I think it's because it does not
> know the gateway interface. So, how can I specify for the external interface
> the gateway to use? If I try to do it through the route command it replies saying
> that the network is unreachable. Any help?
> Thanks,
> Luca
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
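The policy-routing recipe in the reply above, written out as a runnable shell script. This is an added example, not code from either poster: it generates the `ip rule` / `ip route` commands for the LAN table (table 100) and, going one step beyond the reply, adds a second table that pins packets the firewall sends from its own public address to the old router, which is the symptom Luca describes (the external IP becoming unreachable once the main table's default route points at the LAN router). All addresses, interface names and table numbers are constructed placeholders; the LAN route uses `dev` on the firewall's LAN interface rather than `via` the firewall's own address. By default it only prints the commands (`DRY_RUN=1`); run it as `sh script.sh apply` as root to execute them.

```shell
#!/bin/sh
# Added example (not from the original thread): generate, and optionally apply,
# the policy-routing setup described in urgrue's reply, plus a second table
# for traffic sourced from the firewall's public address.
# Every value below is a constructed placeholder; override via the environment.

LAN_NET="${LAN_NET:-192.168.1.0/24}"        # x.x.x.x/z : the LAN behind the firewall
FW_LAN_IF="${FW_LAN_IF:-eth1}"              # firewall's LAN-facing interface
NEW_ROUTER="${NEW_ROUTER:-192.168.1.254}"   # z.z.z.z   : new router inside the LAN
EXT_IP="${EXT_IP:-203.0.113.10}"            # firewall's public address (TEST-NET-3)
OLD_ROUTER="${OLD_ROUTER:-203.0.113.1}"     # old router on the external segment
LAN_TABLE="${LAN_TABLE:-100}"               # table for LAN-originated traffic
EXT_TABLE="${EXT_TABLE:-200}"               # table for firewall's own external traffic

# Print the ip(8) commands, one per line, in a safe order:
#  - routes go into a table before a rule starts selecting that table;
#  - the LAN rules (1000/1001) sit above the external-IP rule (1100), so a
#    packet from the public address *to* the LAN still uses the LAN table,
#    while a packet from the public address to anywhere else uses table 200
#    and leaves through the old router regardless of the main default route.
policy_routing_cmds() {
    cat <<EOF
ip route add $LAN_NET dev $FW_LAN_IF table $LAN_TABLE
ip route add default via $NEW_ROUTER table $LAN_TABLE
ip rule add from $LAN_NET table $LAN_TABLE priority 1000
ip rule add to $LAN_NET table $LAN_TABLE priority 1001
ip route add default via $OLD_ROUTER table $EXT_TABLE
ip rule add from $EXT_IP table $EXT_TABLE priority 1100
EOF
}

# Commands that show the resulting state and exercise a lookup without
# sending traffic; 198.51.100.1 (TEST-NET-2) is a constructed test destination.
verify_cmds() {
    cat <<EOF
ip rule show
ip route show table $LAN_TABLE
ip route show table $EXT_TABLE
ip route get 198.51.100.1 from $EXT_IP iif lo
EOF
}

# Execute the generated commands; with DRY_RUN=1 (the default) they are only
# printed. Returns non-zero on the first command that fails.
apply_policy_routing() {
    policy_routing_cmds | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            printf '%s\n' "$cmd"
        else
            $cmd || exit 1
        fi
    done
}

# Only act when invoked explicitly; sourcing the file just defines functions.
if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0 apply_policy_routing && verify_cmds | while IFS= read -r cmd; do $cmd; done
fi
```

The rule priorities are explicit because `ip rule add` without a priority inserts ahead of existing rules, which silently reverses the intended order when rules are added in more than one step. Note also that a route-cache flush (`ip route flush cache`) is needed on older kernels for new rules to take effect on existing flows.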