[ale] turn linux into a router??

Joseph A. Knapka jknapka at earthlink.net
Thu Aug 2 12:26:09 EDT 2001


djinn at djinnspace.com wrote:
> 
> Here's what I need to do:
> 
> assume: machine with eth0   a.b.c.d     and eth1  1.2.3.1   (both
> external ranges)
> assume: three machines with external range IP 1.2.3.2 - 1.2.3.5
> network:
>                        INTERNET
>                            |
>                      a.b.c.d (eth0)
>                      1.2.3.1 (eth1)
>                            |
>                            |
>              ---------------------------
>              |            |            |
>           1.2.3.2      1.2.3.3      1.2.3.4
 
> -take requests on port 53 and route them to 1.2.3.2:53
> -take requests on ports 80/443/21 and route them to 1.2.3.4

These are both simple. If you had done nothing at all besides
"echo 1 > /proc/sys/net/ipv4/ip_forward", then you would have
this (assuming appropriate routes exist). If your goal
is to -prevent- any -other- access to the machines on
the 1.2.3.* network, then that can be accomplished by
general DENY or REJECT rules, and some specific ACCEPT
rules to allow the data you want to allow. But the firewall
rules are a separate issue from the routing.

> -stateful inspection of packets (I've already got this bit in
> place...using iptables and some custom rules based on bastille)

Then I won't say anything about this :-)
 
> Please note, both network a.b.c.d and 1.2.3.4-5 are externally visible
> IP addresses, in other words, a.b.c.d sits in front of 1.2.3.4 to act
> as a firewall but 1.2.3.4 is visible from the outside.
> 
> I've looked at the Linux Routing Project but it seems to be overly
> concerned with NAT...which isn't *exactly* what I'm doing since people
> from the outside will be querying 1.2.3.x directly with no knowledge of
> a.b.c.d, and receiving responses from 1.2.3.x directly...so a.b.c.d
> needs to be transparent here to this process.
> 
> I'm so confused.  I'm not 100% sure exactly what I need to accomplish
> this.  And I want to do it with a linux box.  And I need to have it done
> days ago. ;)
> If it helps any, we've got one IP assigned from our co-lo on the a.b.c.d
> range, and then 4 IP's on the 1.2.3.x range that expect to use 1.2.3.1
> as the gateway back to the internet.

It sounds like you're pretty much already done.

Good luck,

-- Joe Knapka
"You know how many remote castles there are along the gorges? You
 can't MOVE for remote castles!" -- Lu Tze re. Uberwald
// Linux MM Documentation in progress:
// http://home.earthlink.net/~jknapka/linux-mm/vmoutline.html
2nd Lbl A + 1 = 2nd Pause 2nd Prt GTO 2 R/S
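One way to lay out the two pieces Joe keeps separate, the ip_forward switch and a default-deny FORWARD chain with specific ACCEPTs for the services in the question, as an added example that is not from the original post or from either poster. It uses djinn's interface names and addresses (eth0/eth1, 1.2.3.2 for DNS, 1.2.3.4 for web and FTP); the DRY_RUN switch, the function names, the outbound-from-inside rule and the LOG rule are assumptions for illustration. With DRY_RUN=1 (the default) it prints the commands so the rule set can be reviewed without root; DRY_RUN=0 applies them.

```shell
#!/bin/sh
# Added example, not code from the original post. Addresses and interface
# names come from djinn's question; DRY_RUN and the rule layout are assumed.

EXT_IF=eth0          # a.b.c.d, towards the co-lo
INT_IF=eth1          # 1.2.3.1, towards the three hosts
DNS_HOST=1.2.3.2
WEB_HOST=1.2.3.4

# DRY_RUN=1 prints each command instead of running it (no root needed).
: "${DRY_RUN:=1}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Step 1: routing. Forwarding is a kernel switch and has nothing to do
# with the firewall rules; the 1.2.3.x block is directly attached on eth1.
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Step 2: filtering. Default-deny on FORWARD, then allow only the services
# the question lists. No NAT anywhere: the 1.2.3.x hosts keep their own
# addresses and answer the outside world through this box unchanged.
build_forward_rules() {
    ipt -P FORWARD DROP
    ipt -F FORWARD

    # Replies to anything already allowed, and connections the inside
    # hosts open themselves (assumed to be wanted; drop this line if not).
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m state --state NEW -j ACCEPT

    # DNS to the resolver: both UDP and TCP 53 (TCP is used for large
    # answers and zone transfers).
    for proto in udp tcp; do
        ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p "$proto" \
            -d "$DNS_HOST" --dport 53 -m state --state NEW -j ACCEPT
    done

    # Web and FTP control channel to the web host.
    for port in 80 443 21; do
        ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp \
            -d "$WEB_HOST" --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Anything else from outside to the 1.2.3.x hosts: log it, then refuse.
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -j LOG --log-prefix 'FWD-DENY:'
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -j REJECT
}

# Prints (DRY_RUN=1) or applies (DRY_RUN=0) the whole configuration.
generate_ruleset() {
    enable_forwarding
    build_forward_rules
}

generate_ruleset
```

The ESTABLISHED,RELATED rule is what lets the answers from 1.2.3.x go back out without a per-service rule, which is also why the box stays transparent to the outside. Port 21 alone covers only the FTP control channel; the data connection is only classed RELATED if the FTP connection-tracking helper (ip_conntrack_ftp on 2.4 kernels) is loaded. The rules assume the upstream side already delivers packets for the 1.2.3.x block to a.b.c.d on eth0, which is the "appropriate routes exist" part of Joe's reply.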