From: Grant Taylor <gtaylor@riverviewtech.net>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: Basic Routing
Date: Wed, 05 Nov 2008 09:56:15 -0600
Message-ID: <4911C21F.5000907@riverviewtech.net>
In-Reply-To: <018001c93f06$6d8869e0$48993da0$@info>
On 11/04/08 23:21, Rob Sterenborg wrote:
> Grant is doing too good a job... :-)
Thank you. :)
> Since these IP's are all private you do NOT need NAT.
Agreed.
> Do NOT use NAT in this situation unless you tried plain routing and for
> some fancy reason, strange situation or requirement you find out you
> might actually need NAT here. But in your case I don't think you will
> come to that conclusion unless there's something you haven't told us yet
> (again: I don't think so).
Agreed.
> Just enable and allow all forwarding, add the routes you need and your
> magic box will shine like a magic lantern. :^)
Um, mostly agreed.
> iptables -P FORWARD ACCEPT
> iptables -F FORWARD
> echo 1 > /proc/sys/net/ipv4/ip_forward
> route add -net [...etc...]
The part that I want to point out is that the routes that you add will
not be on the Linux router, but rather the systems on the networks.
Let's look at this example.
         :
       +-+-+         +---+
       | C +---(z)---+ 3 |
       +---+    |    +---+
                |
  :             |             :
+-+-+         +-+-+         +-+-+
| A +---(x)---+ R +---(y)---+ B |
+---+    |    +---+    |    +---+
         |             |
+---+    |             |    +---+
| 1 +----+             +----+ 2 |
+---+                       +---+
Let's say that this is three independent networks (x, y, and z) with
their own internet connections (A, B, and C) that you are trying to tie
together with the Linux router (R). Each host (1, 2, and 3) will use
their own internet router (A, B, and C respectively) as their default
gateway.
One of two things will happen when host 1 wants to talk to host 3.
1) Host 1 will not have a route to network z that host 3 is on, so
host 1 will send the traffic to its default gateway A which would have
to have a route to send the traffic to router R.
2) Host 1 will have a route to network z by way of router R and send
traffic directly to router R which will then send the traffic to host 3.
> No, this is not secure, but that's not what we're talking about here.
> This way, your box will effectively be a router. No fancy filtering,
> NAT-ing, whatever.
Correct. However that is not to say that filtering and / or NATing
can't be added if you want to, because they can when you are ready /
want to do something like that.
> Have a look at http://www.fwbuilder.org/.
> I'm not using it, I'm not endorsing it, don't know anything of how it
> builds its ruleset, etc. It just looks nice if you're coming from MS
> ISA and you might actually find it handy.
Without having ever used (but have heard of) FWBuilder myself I can't
comment on it. However considering how Daniel is asking how things work
and appears to be trying to learn, I don't think jumping directly into
some sort of application that hides this knowledge from him is that good
of an idea.
Grant. . . .
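The two cases Grant describes above (host 1 with or without a route to network z, and what gateway A then has to know), traced through a small longest-prefix-match model of the diagram. This is an added example, not code from the thread; the addresses, the node names and the "internet" pseudo-hop are my assumptions.

```python
import ipaddress

# Constructed addressing for the diagram above (my assumption, not from the thread):
# x = 10.1.0.0/24 (A, R, host 1), y = 10.2.0.0/24 (B, R, host 2), z = 10.3.0.0/24 (C, R, host 3)
NETS = {"x": "10.1.0.0/24", "y": "10.2.0.0/24", "z": "10.3.0.0/24"}

def lookup(table, dst):
    """Longest-prefix match over [(prefix, next_hop)]; next_hop None = directly attached."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best

def build_nodes(host1_knows_z, gw_a_knows_z, r_forwards=True):
    """Tables for the diagram's nodes; next hops are node names (ARP abstracted away).
    'forwards' models ip_forward=1 plus an accepting FORWARD chain on the router."""
    def attached(*names):
        return [(NETS[n], None) for n in names]
    via_r = [(NETS["z"], "R")]
    return {
        "1": {"table": attached("x") + (via_r if host1_knows_z else []) + [("0.0.0.0/0", "A")],
              "forwards": False},
        "A": {"table": attached("x") + (via_r if gw_a_knows_z else []) + [("0.0.0.0/0", "internet")],
              "forwards": True},
        "R": {"table": attached("x", "y", "z"), "forwards": r_forwards},
        "C": {"table": attached("z") + [("0.0.0.0/0", "internet")], "forwards": True},
    }

def trace(nodes, src, dst, max_hops=8):
    """Follow next hops from src; return the nodes traversed up to the one that delivers
    onto dst's network, or None if the packet is dropped or leaks out the default route."""
    path, node = [src], src
    for _ in range(max_hops):
        if node != src and not nodes[node]["forwards"]:
            return None                      # transit node is not forwarding
        match = lookup(nodes[node]["table"], dst)
        if match is None or match[1] == "internet":
            return None                      # no route towards z: wrong direction
        if match[1] is None:
            return path                      # dst network attached here: delivered
        node = match[1]
        path.append(node)
    return None                              # loop guard

if __name__ == "__main__":
    print("host 1 routes z via R:", trace(build_nodes(True, False), "1", "10.3.0.10"))   # ['1', 'R']
    print("only A routes z via R:", trace(build_nodes(False, True), "1", "10.3.0.10"))   # ['1', 'A', 'R']
    print("nobody routes z via R:", trace(build_nodes(False, False), "1", "10.3.0.10"))  # None
```

Passing `r_forwards=False` shows the effect of leaving ip_forward at 0 (or a dropping FORWARD policy) on R: the packet reaches R and goes no further.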