Re: [interfaces + route] My new firewall doesn't forward packages
On Wed, Jun 05, 2002 at 11:23:09AM +0200, Davi Leal wrote:
> > > iface eth0 inet static
> > > address 194.224.7.9
> > > iface eth1 inet static
> > > address 194.224.7.10
>
> We own a ClassC network, 194.224.7.0. We offer an ISP service here in Spain:
>
>
>                      Internet
>                         |
>                         |
>            Gateway; Cisco: 194.224.7.1
>                         |
>                         |
>                         | 194.224.7.9
>                      Firewall
>                         | 194.224.7.10
>                         |
>                         |
> ----------------------------------------------------------------- LAN
>       |                 |                  |
>  194.224.7.3       194.224.7.2      10.128.114.2.2 (Radius)   etc.

1- your firewall has 2 interfaces in the same subnet.
2- so your firewall doesn't know where the hosts are.

Possible solutions:

First one:

on the cisco: change the ethernet ip to a private one 192.168.1.1
and make a static route to your Class C network through your
firewall eth0 IP (192.168.1.2)

on the firewall: eth0 192.168.1.2
                 eth1 194.226.7.1; 10.128.114.2.1;
                 route add default gw 192.168.1.1
                 the rest of masquerading for 10.128....
                 your firewall rules...

On all your hosts: route add default gw 194.226.7.1
                   or route add default gw 10.128.114.2.1
                   where corresponds.

Second one:

Especially if you cannot change the cisco.

on the firewall: in this order do

   eth1 = 194.226.7.9
   eth0 = 194.226.7.9
   # eth0 and eth1 have the same IP 194.226.7.9
   route add -host 194.226.7.1 dev eth0
   # do the same for all hosts that are connected to eth0
   # and the trick is:
   for i in /proc/sys/net/ipv4/conf/*/proxy_arp
   do
      echo 1 > "$i"
   done
   add 10.128.114.2.1 IP to eth1
   do the masquerading for 10.128... net
   add firewall rules.

on all hosts:
   route add default gw 194.226.7.1
   or route add default gw 10.128.114.2.1

--
Carlos Barros.
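
Added example, not part of the original message: a check for the misconfiguration diagnosed in the reply above (two interfaces addressed in the same subnet), run over /etc/network/interfaces-style text. The sample stanzas are constructed; the netmask lines are an assumption (the thread only says "ClassC"), and the function names are hypothetical.

```python
import ipaddress
from itertools import combinations

STANZA_WORDS = ("iface", "auto", "mapping", "source")

# Constructed sample: the two quoted stanzas plus an assumed /24 netmask.
BROKEN = """\
iface eth0 inet static
    address 194.224.7.9
    netmask 255.255.255.0
iface eth1 inet static
    address 194.224.7.10
    netmask 255.255.255.0
"""

# Constructed sample: the first proposed layout, addresses as written in the reply.
ROUTED = """\
iface eth0 inet static
    address 192.168.1.2
    netmask 255.255.255.0
iface eth1 inet static
    address 194.226.7.1
    netmask 255.255.255.0
"""

def parse_static_ifaces(text):
    """Return {name: IPv4Interface} for each 'iface NAME inet static' stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if words and (words[0] in STANZA_WORDS or words[0].startswith("allow-")):
            current = None  # any stanza keyword ends the previous stanza
            if words[0] == "iface" and words[2:4] == ["inet", "static"]:
                current = stanzas.setdefault(words[1], {})
        elif current is not None and len(words) >= 2:
            current[words[0]] = words[1]
    result = {}
    for name, opts in stanzas.items():
        if "address" in opts:
            addr = opts["address"]
            if "/" not in addr:  # no netmask line: treat as a host address
                addr += "/" + opts.get("netmask", "32")
            result[name] = ipaddress.ip_interface(addr)
    return result

def same_subnet_pairs(ifaces):
    """Interface pairs whose directly connected networks overlap."""
    pairs = combinations(sorted(ifaces.items()), 2)
    return [(a, b) for (a, ia), (b, ib) in pairs if ia.network.overlaps(ib.network)]
```

same_subnet_pairs(parse_static_ifaces(BROKEN)) reports the eth0/eth1 pair, and returns an empty list for ROUTED.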