Re: Routing issues
On Wed, Jun 20, 2001 at 12:15:46PM +0200, Ivan Capan wrote:
> I have a following setup: Debian with iptables firewalling out
> several computers with routable IP addresses. In order to get
> responses from the net, I had to manually add routing table
> with 'route add -host' for each computer.
>
> routing table is like this:
> host1.domain * 255.255.255.255 UH 0 0 0 eth1
> host2.domain * 255.255.255.255 UH 0 0 0 eth1
> host3.domain * 255.255.255.255 UH 0 0 0 eth1
> localnet * 255.255.255.0 U 0 0 0 eth0
> localnet * 255.255.255.0 U 0 0 0 eth1
Why do you have localnet on both interfaces? Or is this just an
abbreviation?
> default maingateway 0.0.0.0 UG 0 0 0 eth0
> (eth0 is outgoing interface, eth1 is local)
You shouldn't need the host routes unless the IP addresses are
not in "localnet/255.255.255.0" as specified in the route to the
local net for eth1. If this is the case, then why is it the
case?
> The question is: This firewall is supposed to be built in
> front of two C subnets (on a same cable, it's a feature of a
> CISCO ruter, don't ask me details:).
If this is what Cisco calls "VLANs" then you might want to have
a look at http://scry.wanfear.com/~greear/vlan/cisco_howto.html
> What kind of routing table must be built? Is it OK to put route
> add -net xxx.yyy.zz1.0 dev eth1
> add -net xxx.yyy.zz2.0 dev eth1 ?
or perhaps:
ifconfig eth1 xxx.yyy.zz1.1
ifconfig eth1:0 xxx.yyy.zz2.1
route add -net xxx.yyy.zz1.0 dev eth1
route add -net xxx.yyy.zz2.0 dev eth1:0
That would work normally, but I don't think that's what you need
if you're using VLANs. I've never used VLANs under Linux,
though, so don't believe me. Read the HOWTO :)
> I have a small margin for errors, because there are servers on
> that subnets which must be up 0-24 so I rather ask here before
> doing some nasty things :)
In that case, make sure you know more details about the "feature
of [the] Cisco [router]" and read the Linux VLAN HOWTO if
appropriate.
I hope this helps.
--
Michael Wood | Tel: +27 21 762 0276 | http://www.kingsley.co.za/
wood@kingsley.co.za | Fax: +27 21 761 9930 | Kingsley Technologies
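The reply's two routing points (that per-host routes are redundant when a connected network route on the same interface already covers the address, and that a second subnet on eth1 needs its own network route or its hosts fall through to the default route on eth0) can be checked offline against a parsed copy of the `route` table. The script below is an added example written for this page, not code from the mail or its author; the table entries are constructed using RFC 5737 documentation addresses in place of the redacted ones, and the function names are my own.

```python
import ipaddress

# Constructed sample in the layout of the quoted `route` output
# (Destination Gateway Genmask Flags Metric Ref Use Iface).
# Addresses are RFC 5737 documentation ranges, not the original hosts.
SAMPLE_ROUTE_OUTPUT = """\
192.0.2.10      0.0.0.0         255.255.255.255 UH    0 0 0 eth1
192.0.2.11      0.0.0.0         255.255.255.255 UH    0 0 0 eth1
198.51.100.5    0.0.0.0         255.255.255.255 UH    0 0 0 eth1
192.0.2.0       0.0.0.0         255.255.255.0   U     0 0 0 eth1
203.0.113.0     0.0.0.0         255.255.255.0   U     0 0 0 eth0
0.0.0.0         203.0.113.1     0.0.0.0         UG    0 0 0 eth0
"""


def parse_routes(text):
    """Parse `route -n`-style lines into dicts with a network, gateway and interface."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue  # skip headers and blank lines
        dest, gw, mask, flags, iface = fields[0], fields[1], fields[2], fields[3], fields[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append({
            "net": net,
            "gateway": None if gw == "0.0.0.0" else ipaddress.ip_address(gw),
            "flags": flags,
            "iface": iface,
        })
    return routes


def add_net_route(routes, network, iface):
    """Model `route add -net <network> dev <iface>`: a connected route with no gateway."""
    routes.append({
        "net": ipaddress.ip_network(network),
        "gateway": None,
        "flags": "U",
        "iface": iface,
    })
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does; returns the chosen route or None."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["net"].prefixlen)


def redundant_host_routes(routes):
    """List /32 host routes already covered by a connected network route on the same interface."""
    redundant = []
    for r in routes:
        if r["net"].prefixlen != 32:
            continue
        host = r["net"].network_address
        for other in routes:
            if other is r or other["gateway"] is not None:
                continue
            if other["iface"] == r["iface"] and other["net"].prefixlen < 32 and host in other["net"]:
                redundant.append(str(host))
                break
    return redundant


if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTE_OUTPUT)
    print("redundant host routes:", redundant_host_routes(table))
    # A host in the second subnet with no route of its own goes out via the default gateway.
    print("198.51.100.9 ->", lookup(table, "198.51.100.9")["iface"])
    add_net_route(table, "198.51.100.0/24", "eth1")
    print("after adding the /24:", lookup(table, "198.51.100.9")["iface"])
    print("now redundant:", redundant_host_routes(table))
```

Running it shows that the two host routes inside the eth1 /24 add nothing, that a host in the second subnet without a network route is sent to eth0, and that one `route add -net` for the second subnet makes its host route redundant as well.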