Linux Netfilter discussions
 help / color / mirror / Atom feed
* Help needed for a box with 4 Ethernet Interfaces
@ 2005-08-04 16:11 Dave Johnson
  2005-08-04 16:46 ` Eduardo Spremolla
  2005-08-05  5:48 ` Grant Taylor
  0 siblings, 2 replies; 12+ messages in thread
From: Dave Johnson @ 2005-08-04 16:11 UTC (permalink / raw)
  To: netfilter

Hi All:
I need help to setup my box with some complicated configuration.

I have a box with 4 Ethernet Interfaces:

Eth0: 172.16.6.10
Eth1: 192.168.0.1/24
Eth2: 10.1.1.0/24      ------> Connected to a box A with an IP address of 192.168.0.2
Eth2: 21.21.21.9/24    ------> Connected to a box C with an IP address of 192.168.0.1 (which is
same as IP address of Eth1)

Loopback Interface: 192.168.0.3
                                                                         ------------
                                            -----------------------------|  Box D   |
                              172.16.6.10   |                            |          |
         Mgmt Port<---------------------|   |                            ------------
                                        |   | 192.168.0.1                 192.168.0.2
                                   Eth0 |   | Eth1 (for internal network)
 ------------                        ------------                        ------------
 |  Box A   |________________________|  Box B   |________________________|  Box C   |
 |          |                    Eth2|          | Eth3                   |          |
 ------------     10.1.1.0/24        ------------       21.21.21.9/24    ------------             
  192.168.0.1                         192.168.0.3                         192.168.0.2

Here is what I want to do:
Packets from Eth2 should only go to Eth3 except the ones detined to Eth0's IP.
Packets from Eth3 should only go to Eth2 except the ones detined to Eth0's IP.
Local packets destined for Eth1's ip and its subnet should be forwarded via Eth1 only.
Packets from Eth1 can only be directed to Eth0. 

This will allow me to ping Box A (192.168.0.1) from Box C (192.168.0.2) without getting a response
from Box B who has local interface with address 192.168.0.1.

Basically I want to isolate interfaces in 2 groups:
One with Eth0, Eth2 and Eth3
Second with Eth0 and Eth1.

I tried IPtables and multiple routing tables but it did not work. I think I need some directions
as to how would this even be possible.

Thanks

Dave.



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


^ permalink raw reply	[flat|nested] 12+ messages in thread
* RE: Help needed for a box with 4 Ethernet Interfaces
@ 2005-08-04 17:00 Derick Anderson
  0 siblings, 0 replies; 12+ messages in thread
From: Derick Anderson @ 2005-08-04 17:00 UTC (permalink / raw)
  To: netfilter

Wow. First, let's give some names to each box so we both know which one
I'm referring to. The box (box "B" in your diagram) with 4 interfaces is
your router. Boxes A, C, and D will be called as "internal boxes" as a
group.

You must realize that you can't set up interfaces on your router with
the same IP address. If you want Box A to connect to Box B, /through/
the router (rather than say, through a hub), then you must either
separate the subnets or bridge the two interfaces.

Secondly, each of your internal boxes must use the same subnet as the
interface they connect to. For example, according to your diagram, Box C
has an address of 192.168.0.2, and is attempting to connect to
21.21.21.9. Unless your netmask (usually 255.255.255.0) is 0.0.0.0, Box
C will not be connecting to your router by design.

Third, a loopback interface is not a physical interface, it is a virtual
one and is set to 127.0.0.1 (as I recall the entire 127.0.0.0/8 network
is reserved for it). Your box cannot function as a "loopback interface."

Now as to your goals - can I ask what exactly you are trying to do? In
order to separate each of these boxes, I'll redo your diagram for you:

 
------------
 
-----------------------------|  Box D   |
                              172.16.6.10   |      192.168.0.1/24
|          |
         Mgmt Port<---------------------|   |
------------
                                        |   | 192.168.0.1
192.168.0.2
                                   Eth0 |   | Eth1 (for internal
network)
 ------------                        ------------
------------
 |  Box A   |________________________|  Box B
|________________________|  Box C   |
 |          |                    Eth2|          | Eth3
|          |
 ------------     10.1.1.0/24        ------------       21.21.21.0/24
------------             
  10.1.1.1                       10.1.1.1     21.21.21.1
21.21.21.2

This will allow your boxes (given the correct routing tables on your
router) to actually communicate with the router. You can then use
iptables to decide which packets can go where. For (a partial) example:

$IPT -P FORWARD DROP
$IPT -A FORWARD -i eth2 -o eth3 -j ACCEPT
$IPT -A FORWARD -i eth3 -o eth2 -j ACCEPT
$IPT -A FORWARD -i eth0 -j ACCEPT
$IPT -A FORWARD -o eth0 -j ACCEPT

So what you are doing here is accepting packets that are coming [i]nto
eth2 and going [o]ut eth3, into eth3 and out eth2, and anything destined
to go in or out eth0 (determined by your routing tables) will be
allowed. 

You could (and should) use iptables to ensure that the appropriate IPs
are going out the appropriate interfaces, in addition to the proper
ports, but there's a bunch of neat guides on www.netfilter.org you
should look at before doing too much on your own. You should also
consider learning a lot more about networking.

Hope that helps, and if I missed anything here someone will point it out
(that's my money-back guarantee).

Derick Anderson


-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Dave Johnson
Sent: Thursday, August 04, 2005 12:12 PM
To: netfilter@lists.netfilter.org
Subject: Help needed for a box with 4 Ethernet Interfaces

Hi All:
I need help to setup my box with some complicated configuration.

I have a box with 4 Ethernet Interfaces:

Eth0: 172.16.6.10
Eth1: 192.168.0.1/24
Eth2: 10.1.1.0/24      ------> Connected to a box A with an IP address
of 192.168.0.2
Eth2: 21.21.21.9/24    ------> Connected to a box C with an IP address
of 192.168.0.1 (which is
same as IP address of Eth1)

Loopback Interface: 192.168.0.3
 
------------
 
-----------------------------|  Box D   |
                              172.16.6.10   |
|          |
         Mgmt Port<---------------------|   |
------------
                                        |   | 192.168.0.1
192.168.0.2
                                   Eth0 |   | Eth1 (for internal
network)
 ------------                        ------------
------------
 |  Box A   |________________________|  Box B
|________________________|  Box C   |
 |          |                    Eth2|          | Eth3
|          |
 ------------     10.1.1.0/24        ------------       21.21.21.9/24
------------             
  192.168.0.1                         192.168.0.3
192.168.0.2

Here is what I want to do:
Packets from Eth2 should only go to Eth3 except the ones detined to
Eth0's IP.
Packets from Eth3 should only go to Eth2 except the ones detined to
Eth0's IP.
Local packets destined for Eth1's ip and its subnet should be forwarded
via Eth1 only.
Packets from Eth1 can only be directed to Eth0. 

This will allow me to ping Box A (192.168.0.1) from Box C (192.168.0.2)
without getting a response from Box B who has local interface with
address 192.168.0.1.

Basically I want to isolate interfaces in 2 groups:
One with Eth0, Eth2 and Eth3
Second with Eth0 and Eth1.

I tried IPtables and multiple routing tables but it did not work. I
think I need some directions as to how would this even be possible.

Thanks

Dave.



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com 



^ permalink raw reply	[flat|nested] 12+ messages in thread
* RE: Help needed for a box with 4 Ethernet Interfaces
@ 2005-08-04 17:17 Derick Anderson
  2005-08-04 17:24 ` Dave Johnson
  0 siblings, 1 reply; 12+ messages in thread
From: Derick Anderson @ 2005-08-04 17:17 UTC (permalink / raw)
  To: netfilter

If the drawing is messed up I apologize - Outlook doesn't seem to like
plain-text stuff.

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Derick
Anderson
Sent: Thursday, August 04, 2005 1:01 PM
To: netfilter@lists.netfilter.org
Subject: RE: Help needed for a box with 4 Ethernet Interfaces

Wow. First, let's give some names to each box so we both know which one
I'm referring to. The box (box "B" in your diagram) with 4 interfaces is
your router. Boxes A, C, and D will be called as "internal boxes" as a
group.

You must realize that you can't set up interfaces on your router with
the same IP address. If you want Box A to connect to Box B, /through/
the router (rather than say, through a hub), then you must either
separate the subnets or bridge the two interfaces.

Secondly, each of your internal boxes must use the same subnet as the
interface they connect to. For example, according to your diagram, Box C
has an address of 192.168.0.2, and is attempting to connect to
21.21.21.9. Unless your netmask (usually 255.255.255.0) is 0.0.0.0, Box
C will not be connecting to your router by design.

Third, a loopback interface is not a physical interface, it is a virtual
one and is set to 127.0.0.1 (as I recall the entire 127.0.0.0/8 network
is reserved for it). Your box cannot function as a "loopback interface."

Now as to your goals - can I ask what exactly you are trying to do? In
order to separate each of these boxes, I'll redo your diagram for you:

 
------------
 
-----------------------------|  Box D   |
                              172.16.6.10   |      192.168.0.1/24
|          |
         Mgmt Port<---------------------|   |
------------
                                        |   | 192.168.0.1
192.168.0.2
                                   Eth0 |   | Eth1 (for internal
network)
 ------------                        ------------
------------
 |  Box A   |________________________|  Box B
|________________________|  Box C   |
 |          |                    Eth2|          | Eth3
|          |
 ------------     10.1.1.0/24        ------------       21.21.21.0/24
------------             
  10.1.1.1                       10.1.1.1     21.21.21.1
21.21.21.2

This will allow your boxes (given the correct routing tables on your
router) to actually communicate with the router. You can then use
iptables to decide which packets can go where. For (a partial) example:

$IPT -P FORWARD DROP
$IPT -A FORWARD -i eth2 -o eth3 -j ACCEPT $IPT -A FORWARD -i eth3 -o
eth2 -j ACCEPT $IPT -A FORWARD -i eth0 -j ACCEPT $IPT -A FORWARD -o eth0
-j ACCEPT

So what you are doing here is accepting packets that are coming [i]nto
eth2 and going [o]ut eth3, into eth3 and out eth2, and anything destined
to go in or out eth0 (determined by your routing tables) will be
allowed. 

You could (and should) use iptables to ensure that the appropriate IPs
are going out the appropriate interfaces, in addition to the proper
ports, but there's a bunch of neat guides on www.netfilter.org you
should look at before doing too much on your own. You should also
consider learning a lot more about networking.

Hope that helps, and if I missed anything here someone will point it out
(that's my money-back guarantee).

Derick Anderson


-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Dave Johnson
Sent: Thursday, August 04, 2005 12:12 PM
To: netfilter@lists.netfilter.org
Subject: Help needed for a box with 4 Ethernet Interfaces

Hi All:
I need help to setup my box with some complicated configuration.

I have a box with 4 Ethernet Interfaces:

Eth0: 172.16.6.10
Eth1: 192.168.0.1/24
Eth2: 10.1.1.0/24      ------> Connected to a box A with an IP address
of 192.168.0.2
Eth2: 21.21.21.9/24    ------> Connected to a box C with an IP address
of 192.168.0.1 (which is
same as IP address of Eth1)

Loopback Interface: 192.168.0.3
 
------------
 
-----------------------------|  Box D   |
                              172.16.6.10   |
|          |
         Mgmt Port<---------------------|   |
------------
                                        |   | 192.168.0.1
192.168.0.2
                                   Eth0 |   | Eth1 (for internal
network)
 ------------                        ------------
------------
 |  Box A   |________________________|  Box B
|________________________|  Box C   |
 |          |                    Eth2|          | Eth3
|          |
 ------------     10.1.1.0/24        ------------       21.21.21.9/24
------------             
  192.168.0.1                         192.168.0.3
192.168.0.2

Here is what I want to do:
Packets from Eth2 should only go to Eth3 except the ones detined to
Eth0's IP.
Packets from Eth3 should only go to Eth2 except the ones detined to
Eth0's IP.
Local packets destined for Eth1's ip and its subnet should be forwarded
via Eth1 only.
Packets from Eth1 can only be directed to Eth0. 

This will allow me to ping Box A (192.168.0.1) from Box C (192.168.0.2)
without getting a response from Box B who has local interface with
address 192.168.0.1.

Basically I want to isolate interfaces in 2 groups:
One with Eth0, Eth2 and Eth3
Second with Eth0 and Eth1.

I tried IPtables and multiple routing tables but it did not work. I
think I need some directions as to how would this even be possible.

Thanks

Dave.



__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com 




^ permalink raw reply	[flat|nested] 12+ messages in thread
* RE: Help needed for a box with 4 Ethernet Interfaces
@ 2005-08-04 17:43 Derick Anderson
  2005-08-04 19:47 ` Dave Johnson
  0 siblings, 1 reply; 12+ messages in thread
From: Derick Anderson @ 2005-08-04 17:43 UTC (permalink / raw)
  To: netfilter

OK, let me see if I understand: Boxes A and C have 2 interfaces, Box D
has one, and Box B has 4. What are the other two interfaces doing on A
and C? Each pair of interfaces that connect physically *must* be on the
same subnet, period. You can have two boxes with the same IP in the same
subnet, but there must be a different subnet between them (requiring not
one but two routers) or the routes will *never* work. An example of this
would be a client on a private network connecting to a server on a
private network via the Internet (the (x)'s are routers, like your box
B):

Client [192.168.0.2] > (x) > Internet > (x) > Server [192.168.0.2]

You simply cannot do this:

Client [192.168.0.2] > (x) > Client [192.168.0.2]

whether traffic is allowed through or not. The router can't do it. If
each box is in it's own subnet, then you'll be fine. If you want two
boxes in the same subnet, put them both on a hub or switch. Without
knowing the purpose of this configuration I'm not sure I can help out
much more than that.

Derick Anderson

-----Original Message-----
From: Dave Johnson [mailto:davejohnson_hifi@yahoo.com] 
Sent: Thursday, August 04, 2005 1:25 PM
To: Derick Anderson; netfilter@lists.netfilter.org
Subject: RE: Help needed for a box with 4 Ethernet Interfaces


Derick:

Thanks very much for your response. However as I mentioned in my
previous email, box A and C have
2 interfaces. 
Issue here is that any packet coming in on Eth2/Eth3 for 192.168.0.x
needs to be routed to
Eth2/Eth3 only, not to Eth1 (which is local interface). For example, if
Box C pings Box A on 192.168.0.1, Box B intercepts that becuase it has
192.168.0.1 as its local interface and starts to respond back to Box C.

Thanks

Dave



--- Derick Anderson <danderson@vikus.com> wrote:

> If the drawing is messed up I apologize - Outlook doesn't seem to like

> plain-text stuff.
> 
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Derick 
> Anderson
> Sent: Thursday, August 04, 2005 1:01 PM
> To: netfilter@lists.netfilter.org
> Subject: RE: Help needed for a box with 4 Ethernet Interfaces
> 
> Wow. First, let's give some names to each box so we both know which 
> one I'm referring to. The box (box "B" in your diagram) with 4 
> interfaces is your router. Boxes A, C, and D will be called as 
> "internal boxes" as a group.
> 
> You must realize that you can't set up interfaces on your router with 
> the same IP address. If you want Box A to connect to Box B, /through/ 
> the router (rather than say, through a hub), then you must either 
> separate the subnets or bridge the two interfaces.
> 
> Secondly, each of your internal boxes must use the same subnet as the 
> interface they connect to. For example, according to your diagram, Box

> C has an address of 192.168.0.2, and is attempting to connect to 
> 21.21.21.9. Unless your netmask (usually 255.255.255.0) is 0.0.0.0, 
> Box C will not be connecting to your router by design.
> 
> Third, a loopback interface is not a physical interface, it is a 
> virtual one and is set to 127.0.0.1 (as I recall the entire 
> 127.0.0.0/8 network is reserved for it). Your box cannot function as a
"loopback interface."
> 
> Now as to your goals - can I ask what exactly you are trying to do? In

> order to separate each of these boxes, I'll redo your diagram for you:
> 
>  
> ------------
>  
> -----------------------------|  Box D   |
>                               172.16.6.10   |      192.168.0.1/24
> |          |
>          Mgmt Port<---------------------|   |
> ------------
>                                         |   | 192.168.0.1
> 192.168.0.2
>                                    Eth0 |   | Eth1 (for internal
> network)
>  ------------                        ------------
> ------------
>  |  Box A   |________________________|  Box B
> |________________________|  Box C   |
>  |          |                    Eth2|          | Eth3
> |          |
>  ------------     10.1.1.0/24        ------------       21.21.21.0/24
> ------------             
>   10.1.1.1                       10.1.1.1     21.21.21.1
> 21.21.21.2
> 
> This will allow your boxes (given the correct routing tables on your
> router) to actually communicate with the router. You can then use 
> iptables to decide which packets can go where. For (a partial)
example:
> 
> $IPT -P FORWARD DROP
> $IPT -A FORWARD -i eth2 -o eth3 -j ACCEPT $IPT -A FORWARD -i eth3 -o
> eth2 -j ACCEPT $IPT -A FORWARD -i eth0 -j ACCEPT $IPT -A FORWARD -o 
> eth0 -j ACCEPT
> 
> So what you are doing here is accepting packets that are coming [i]nto
> eth2 and going [o]ut eth3, into eth3 and out eth2, and anything 
> destined to go in or out eth0 (determined by your routing tables) will

> be allowed.
> 
> You could (and should) use iptables to ensure that the appropriate IPs

> are going out the appropriate interfaces, in addition to the proper 
> ports, but there's a bunch of neat guides on www.netfilter.org you 
> should look at before doing too much on your own. You should also 
> consider learning a lot more about networking.
> 
> Hope that helps, and if I missed anything here someone will point it 
> out (that's my money-back guarantee).
> 
> Derick Anderson
> 
> 
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Dave 
> Johnson
> Sent: Thursday, August 04, 2005 12:12 PM
> To: netfilter@lists.netfilter.org
> Subject: Help needed for a box with 4 Ethernet Interfaces
> 
> Hi All:
> I need help to setup my box with some complicated configuration.
> 
> I have a box with 4 Ethernet Interfaces:
> 
> Eth0: 172.16.6.10
> Eth1: 192.168.0.1/24
> Eth2: 10.1.1.0/24      ------> Connected to a box A with an IP address
> of 192.168.0.2
> Eth2: 21.21.21.9/24    ------> Connected to a box C with an IP address
> of 192.168.0.1 (which is
> same as IP address of Eth1)
> 
> Loopback Interface: 192.168.0.3
>  
> ------------
>  
> -----------------------------|  Box D   |
>                               172.16.6.10   |
> |          |
>          Mgmt Port<---------------------|   |
> ------------
>                                         |   | 192.168.0.1
> 192.168.0.2
>                                    Eth0 |   | Eth1 (for internal
> network)
>  ------------                        ------------
> ------------
>  |  Box A   |________________________|  Box B
> |________________________|  Box C   |
>  |          |                    Eth2|          | Eth3
> |          |
>  ------------     10.1.1.0/24        ------------       21.21.21.9/24
> ------------             
>   192.168.0.1                         192.168.0.3
> 192.168.0.2
> 
> Here is what I want to do:
> Packets from Eth2 should only go to Eth3 except the ones detined to 
> Eth0's IP.
> Packets from Eth3 should only go to Eth2 except the ones detined to 
> Eth0's IP.
> Local packets destined for Eth1's ip and its subnet should be 
> forwarded via Eth1 only.
> Packets from Eth1 can only be directed to Eth0. 
> 
> This will allow me to ping Box A (192.168.0.1) from Box C 
> (192.168.0.2) without getting a response from Box B who has local 
> interface with address 192.168.0.1.
> 
> Basically I want to isolate interfaces in 2 groups:
> One with Eth0, Eth2 and Eth3
> Second with Eth0 and Eth1.
> 
> I tried IPtables and multiple routing tables but it did not work. I 
> think I need some directions as to how would this even be possible.
> 
> Thanks
> 
> Dave.
> 
> 
> 
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around 
> http://mail.yahoo.com
> 
> 
> 
> 



		
____________________________________________________
Start your day with Yahoo! - make it your home page
http://www.yahoo.com/r/hs 
 


^ permalink raw reply	[flat|nested] 12+ messages in thread
* RE: Help needed for a box with 4 Ethernet Interfaces
@ 2005-08-04 20:40 Derick Anderson
  2005-08-05 21:00 ` J.T. Moore
  0 siblings, 1 reply; 12+ messages in thread
From: Derick Anderson @ 2005-08-04 20:40 UTC (permalink / raw)
  To: netfilter

OK that makes a lot more sense. You still have some problems: the subnet
which Box B/eth3 and Box C/eth1 are on is 21.21.21.9/24. Depending on
how your network card interprets this, I believe it will ignore all IPs
below 21.21.21.9 (including both box B and C).

Your second problem is having two interfaces on a router inside the same
subnet - 192.168.0.0/24. How is the router supposed to know which
interface to use when routing a packet to 192.168.0.0/24? You'd have to
create a static route (and give it a higher priority) for each IP, and
the only way *that* would work is if you connected (using a hub) Box
B/eth3 with Box A and C's eth0. Do that and you've got a huge mess on
your hands with multiple paths to end hosts.

Your third problem is that you want to ping 192.168.0.1 from Box C and
have Box B respond as if it were Box A. This won't work because Box C
has an interface with IP address of 192.168.0.2 and presumably a netmask
of 255.255.255.0. So when Box C sends a packet, it says to itself, "I've
got an interface (eth0) on subnet 192.168.0.0/255.255.255.0, I'll use
that to send my ping." But that interface isn't connected to anything
(according to your diagram). So nothing happens.

I really don't see a way this would work, even with iptables. You are
going against every fundamental of networking with this setup. There are
much simpler ways to isolate boxes A and C from D and have them all pass
through the same router, using routes and iptables, as they were
intended to be used.

-----Original Message-----
From: Dave Johnson [mailto:davejohnson_hifi@yahoo.com] 
Sent: Thursday, August 04, 2005 3:47 PM
To: Derick Anderson; netfilter@lists.netfilter.org
Subject: RE: Help needed for a box with 4 Ethernet Interfaces


Derick:
As I mentioned earlier, box A and C have 2 interfaces. One of them has
192.168.0.x based address and the other one is connected to Box B via
Eth1.
Here is how it looks like: 
 
------------
 
-----------------------------|  Box D   |
                              172.16.6.10   |
|          |
         Mgmt Port<---------------------|   |
------------
                                        |   | 192.168.0.1
192.168.0.2
                                   Eth0 |   | Eth1 (for internal
network)
 ------------                        ------------
------------
 |  Box A   |10.1.1.1--------10.1.1.2|  Box B   |21.21.21.2
-----21.21.21.1|  Box C   |
 |          |Eth1                Eth2|          | Eth3
Eth1|          |
 ------------     10.1.1.0/24        ------------       21.21.21.9/24
------------
  192.168.0.1(eth0)                   192.168.0.3
192.168.0.2 (eth0)


Eth2 and Eth3 on Box B are data interfaces, Eth1 is for internal use,
and Eth0 is mgmt port. 

Purpose of this configuration is to isolate interfaces on Box B into 2
groups so data traffic can only flow among Eth0, Eth2 and Eth3.
Currently, data packets destined for dest addr 192.168.0.1 are handled
by Box B and are not forwrded to Eth2 for Box A. 

Thanks

Dave.


--- Derick Anderson <danderson@vikus.com> wrote:

> OK, let me see if I understand: Boxes A and C have 2 interfaces, Box D

> has one, and Box B has 4. What are the other two interfaces doing on A

> and C? Each pair of interfaces that connect physically *must* be on 
> the same subnet, period. You can have two boxes with the same IP in 
> the same subnet, but there must be a different subnet between them 
> (requiring not one but two routers) or the routes will *never* work. 
> An example of this would be a client on a private network connecting 
> to a server on a private network via the Internet (the (x)'s are 
> routers, like your box
> B):
> 
> Client [192.168.0.2] > (x) > Internet > (x) > Server [192.168.0.2]
> 
> You simply cannot do this:
> 
> Client [192.168.0.2] > (x) > Client [192.168.0.2]
> 
> whether traffic is allowed through or not. The router can't do it. If 
> each box is in it's own subnet, then you'll be fine. If you want two 
> boxes in the same subnet, put them both on a hub or switch. Without 
> knowing the purpose of this configuration I'm not sure I can help out 
> much more than that.
> 
> Derick Anderson
> 
> -----Original Message-----
> From: Dave Johnson [mailto:davejohnson_hifi@yahoo.com]
> Sent: Thursday, August 04, 2005 1:25 PM
> To: Derick Anderson; netfilter@lists.netfilter.org
> Subject: RE: Help needed for a box with 4 Ethernet Interfaces
> 
> 
> Derick:
> 
> Thanks very much for your response. However as I mentioned in my 
> previous email, box A and C have
> 2 interfaces. 
> Issue here is that any packet coming in on Eth2/Eth3 for 192.168.0.x 
> needs to be routed to
> Eth2/Eth3 only, not to Eth1 (which is local interface). For example, 
> if Box C pings Box A on 192.168.0.1, Box B intercepts that becuase it 
> has
> 192.168.0.1 as its local interface and starts to respond back to Box
C.
> 
> Thanks
> 
> Dave
> 
> 
> 
> --- Derick Anderson <danderson@vikus.com> wrote:
> 
> > If the drawing is messed up I apologize - Outlook doesn't seem to 
> > like
> 
> > plain-text stuff.
> > 
> > -----Original Message-----
> > From: netfilter-bounces@lists.netfilter.org
> > [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Derick 
> > Anderson
> > Sent: Thursday, August 04, 2005 1:01 PM
> > To: netfilter@lists.netfilter.org
> > Subject: RE: Help needed for a box with 4 Ethernet Interfaces
> > 
> > Wow. First, let's give some names to each box so we both know which 
> > one I'm referring to. The box (box "B" in your diagram) with 4 
> > interfaces is your router. Boxes A, C, and D will be called as 
> > "internal boxes" as a group.
> > 
> > You must realize that you can't set up interfaces on your router 
> > with the same IP address. If you want Box A to connect to Box B, 
> > /through/ the router (rather than say, through a hub), then you must

> > either separate the subnets or bridge the two interfaces.
> > 
> > Secondly, each of your internal boxes must use the same subnet as 
> > the interface they connect to. For example, according to your 
> > diagram, Box
> 
> > C has an address of 192.168.0.2, and is attempting to connect to 
> > 21.21.21.9. Unless your netmask (usually 255.255.255.0) is 0.0.0.0, 
> > Box C will not be connecting to your router by design.
> > 
> > Third, a loopback interface is not a physical interface, it is a 
> > virtual one and is set to 127.0.0.1 (as I recall the entire
> > 127.0.0.0/8 network is reserved for it). Your box cannot function as

> > a
> "loopback interface."
> > 
> > Now as to your goals - can I ask what exactly you are trying to do? 
> > In
> 
> > order to separate each of these boxes, I'll redo your diagram for
you:
> > 
> >  
> > ------------
> >  
> > -----------------------------|  Box D   |
> >                               172.16.6.10   |      192.168.0.1/24
> > |          |
> >          Mgmt Port<---------------------|   |
> > ------------
> >                                         |   | 192.168.0.1
> > 192.168.0.2
> >                                    Eth0 |   | Eth1 (for internal
> > network)
> >  ------------                        ------------
> > ------------
> >  |  Box A   |________________________|  Box B
> > |________________________|  Box C   |
> >  |          |                    Eth2|          | Eth3
> > |          |
> >  ------------     10.1.1.0/24        ------------
21.21.21.0/24
> > ------------             
> >   10.1.1.1                       10.1.1.1     21.21.21.1
> > 21.21.21.2
> > 
> > This will allow your boxes (given the correct routing tables on your
> > router) to actually communicate with the router. You can then use 
> > iptables to decide which packets can go where. For (a partial)
> example:
> > 
> > $IPT -P FORWARD DROP
> > $IPT -A FORWARD -i eth2 -o eth3 -j ACCEPT $IPT -A FORWARD -i eth3 -o
> > eth2 -j ACCEPT $IPT -A FORWARD -i eth0 -j ACCEPT $IPT -A FORWARD -o 
> > eth0 -j ACCEPT
> > 
> > So what you are doing here is accepting packets that are coming 
> > [i]nto
> > eth2 and going [o]ut eth3, into eth3 and out eth2, and anything 
> > destined to go in or out eth0 (determined by your routing tables) 
> > will
> 
> > be allowed.
> > 
> > You could (and should) use iptables to ensure that the appropriate 
> > IPs
> 
> > are going out the appropriate interfaces, in addition to the proper 
> > ports, but there's a bunch of neat guides on www.netfilter.org you 
> > should look at before doing too much on your own. You should also 
> > consider learning a lot more about networking.
> > 
> > Hope that helps, and if I missed anything here someone will point it

> > out (that's my money-back guarantee).
> > 
> > Derick Anderson
> > 
> > 
> > -----Original Message-----
> > From: netfilter-bounces@lists.netfilter.org
> > [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Dave 
> > Johnson
> > Sent: Thursday, August 04, 2005 12:12 PM
> > To: netfilter@lists.netfilter.org
> > Subject: Help needed for a box with 4 Ethernet Interfaces
> > 
> > Hi All:
> > I need help to setup my box with some complicated configuration.
> > 
> > I have a box with 4 Ethernet Interfaces:
> > 
> > Eth0: 172.16.6.10
> > Eth1: 192.168.0.1/24
> > Eth2: 10.1.1.0/24      ------> Connected to a box A with an IP
address
> > of 192.168.0.2
> > Eth2: 21.21.21.9/24    ------> Connected to a box C with an IP
address
> > of 192.168.0.1 (which is
> > same as IP address of Eth1)
> > 
> > Loopback Interface: 192.168.0.3
> >  
> > ------------
> >  
> > -----------------------------|  Box D   |
> >                               172.16.6.10   |
> > |          |
> >          Mgmt Port<---------------------|   |
> > ------------
> >                                         |   | 192.168.0.1
> > 192.168.0.2
> >                                    Eth0 |   | Eth1 (for internal
> > network)
> >  ------------                        ------------
> > ------------
> >  |  Box A   |________________________|  Box B
> > |________________________|  Box C   |
> >  |          |                    Eth2|          | Eth3
> > |          |
> >  ------------     10.1.1.0/24        ------------
21.21.21.9/24
> > ------------             
> >   192.168.0.1                         192.168.0.3
> > 192.168.0.2
> > 
> > Here is what I want to do:
> > Packets from Eth2 should only go to Eth3 except the ones detined to 
> > Eth0's IP.
> > Packets from Eth3 should only go to Eth2 except the ones detined to 
> > Eth0's IP.
> > Local packets destined for Eth1's ip and its subnet should be 
> > forwarded via Eth1 only.
> > Packets from Eth1 can only be directed to Eth0. 
> > 
> > This will allow me to ping Box A (192.168.0.1) from Box C
> > (192.168.0.2) without getting a response from Box B who has local 
> > interface with address 192.168.0.1.
> > 
> > Basically I want to isolate interfaces in 2 groups:
> > One with Eth0, Eth2 and Eth3
> > Second with Eth0 and Eth1.
> 
=== message truncated ===


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com 


^ permalink raw reply	[flat|nested] 12+ messages in thread
end of thread, other threads:[~2005-08-05 21:00 UTC | newest]

Thread overview: 12+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-08-04 16:11 Help needed for a box with 4 Ethernet Interfaces Dave Johnson
2005-08-04 16:46 ` Eduardo Spremolla
2005-08-04 17:15   ` Dave Johnson
2005-08-04 17:25     ` Dave Johnson
2005-08-05  5:48 ` Grant Taylor
  -- strict thread matches above, loose matches on Subject: below --
2005-08-04 17:00 Derick Anderson
2005-08-04 17:17 Derick Anderson
2005-08-04 17:24 ` Dave Johnson
2005-08-04 17:43 Derick Anderson
2005-08-04 19:47 ` Dave Johnson
2005-08-04 20:40 Derick Anderson
2005-08-05 21:00 ` J.T. Moore

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox