From: netfilter@buglecreek.com
To: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Cc: netfilter@vger.kernel.org
Subject: Re: FORWARD chain and Interfaces
Date: Sat, 21 May 2011 16:31:17 -0600	[thread overview]
Message-ID: <1306017077.11298.1454526649@webmail.messagingengine.com> (raw)
In-Reply-To: <4DD83726.5090604@plouf.fr.eu.org>


On Sun, 22 May 2011 00:05 +0200, "Pascal Hambourg"
<pascal.mail@plouf.fr.eu.org> wrote:
> netfilter@buglecreek.com wrote:
> > On Sat, 21 May 2011 22:51 +0200, "Pascal Hambourg"
> >>
> >> How are the virtual machine network interfaces connected together ?
> >> Did you create two separate virtual links ?
> >> One explanation could be that all interfaces are connected to the same
> >> virtual link, so traffic coming to the router could arrive at any of its
> >> two interfaces.
> > 
> > That's an interesting idea.  I'm not sure how Parallels sets up the
> > interfaces.
> 
> How then do you know which interface of the router is connected to which
> network ?

I'm basing the router connections to the various networks on the IP
addresses and network addresses.  When I say I don't know how Parallels
sets up the interfaces I mean I do not know the underlying code that they
use.  Using standard tools (ifconfig, route, traceroute etc.) all seems
normal.

Sending a broadcast packet (good idea) from network B I see the packet
show up at network A machine and on both interfaces of the firewall.  I
even see the packets show up on network A when the firewall/router is
turned off.  Both Net A and Net B are assigned IPs on two entirely
different networks.  Obviously, this is not the expected behavior.  I
assumed that when I created two virtual machines and assigned them
entirely different IPs on different networks they would be isolated from
each other and not be able to see traffic (broadcasts etc) from the
other net.  I will have to look at how the virtual machines are setup,
maybe there is something I missed.  It clearly does not function as I
expected.  My hope was to simulate real life different nets connected by
the firewall/router.

> 
> A quick test could be to send broadcast packets from A then B while
> listening on all interfaces of the other machines with tcpdump or the
> like. If you can see the broadcast packets on all interfaces then they
> all are on the same network.
> 
> > Right now I'm writing the FORWARD rules assuming that when the real
> > hardware is in place it will function as I expect.  I'm using -i eth0
> > and -o eth1 for new traffic originating from Network A going to B and
> > -i eth1 and -o eth0 for new traffic originating from Network B to A.
> > Based on my original diagram below.  Does that sound reasonable?
> 
> Sure.
> 

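The two-interface FORWARD ruleset the poster describes, together with the broadcast test Pascal suggests, as an added example (not code from the thread). It assumes the router's interfaces are eth0 (Network A side) and eth1 (Network B side) as in the poster's diagram; the conntrack, LOG and DRY_RUN pieces are additions for safe review, not something either participant wrote.

```shell
#!/bin/sh
# Added example: stateful two-interface FORWARD policy plus the tcpdump
# broadcast check. Interface names eth0/eth1 follow the thread's diagram.
# With DRY_RUN=1 (the default) commands are printed rather than executed,
# so the ruleset can be reviewed before it is loaded on the router.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# forward_rules <iface_A> <iface_B>
# Reply traffic is matched by conntrack state; only NEW connections are
# checked against the interface pair, so a packet entering on the wrong
# interface is logged and dropped instead of being silently forwarded.
forward_rules() {
    a="$1"; b="$2"
    run -F FORWARD
    run -P FORWARD DROP
    run -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -i "$a" -o "$b" -m conntrack --ctstate NEW -j ACCEPT
    run -A FORWARD -i "$b" -o "$a" -m conntrack --ctstate NEW -j ACCEPT
    # Anything else (e.g. traffic arriving on an unexpected interface)
    run -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# broadcast_check <iface>: the quick test from the thread. Listen on one
# router interface; if broadcasts sent from the *other* network show up
# here, both "networks" are really one shared segment.
broadcast_check() {
    iface="$1"
    if [ "$DRY_RUN" = 1 ]; then
        echo "tcpdump -ni $iface -c 5 'ip broadcast or ether broadcast'"
    else
        tcpdump -ni "$iface" -c 5 'ip broadcast or ether broadcast'
    fi
}

# Usage: review the generated commands, then rerun with DRY_RUN=0 as root.
forward_rules eth0 eth1
broadcast_check eth1
```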