[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Setup of Internal Network with Many Real IPs

Hello Again All,

Thanks for your helpful replies, Blars' article in particular was
interesting.  However, I sat down and had a good think about it, and I
think I've come up with a simple solution that doesn't require any
messing with the 'ip' command.

My current firewall router NATs into and
back, I want to keep this, so no changes here are neccessary, however,
for passing traffic for 235 and 236 I figure I can simply install
another network card in the machine then go:

    INET_IFACE="eth0"           # internet
    VIT_IFACE="eth1"            # 235 and 236 traffic

    iptables -A FORWARD -p all -i $INET_IFACE -o $VIT_IFACE \
        -d $VIT_IP1,$VIT_IP2
    iptables -A FORWARD -p all -i $VIT_IFACE -o $INET_IFACE \
        -s $VIT_IP1,$VIT_IP2 -d 0/0

And if I configure eth1 without an IP address (or any IP on the same
subnet), then I can just configure each machine at the end of to use my ISPs gateway as their gateway --- my
firewall will be (sort of) transparent.  Does this make sense?

I have setup a transparent ethernet bridge firewall before (on the same
network in fact), because I wanted an "invisible" firewall between our
ISPs router and our other machines.  However, I have noticed something
that I didn't notice before, my transparent ethernet bridge firewall
doesn't have more than one IP aliased to either of it's interfaces, even
though it's handling traffic for 12 IPs.  This indicates that Iptables
rules are are checked against any incoming packet regardless of what IP
is assigned to the interface.  This would suggest that assigning IPs to 
interfaces on routers / bridges / firewalls with Iptables is only
neccessary if you want to access the firewall machine itself.  Correct?
Aliasing more than one IP to the external interface is always
uneccessary, because you can just setup and Iptables rule for it,
whether in the INPUT or FORWARD chain.  This is why I believe that the
above description will work --- I haven't had time to test it yet, but
am I correct in theory?

Here's a picture:

                            |  ISPs router  |
                                    * transparent bridge
                            +---------------+ [eth0]
                            |   my router   |
                     [eth1] +---------------+ [eth2]
                            |               |
                        +---'               `---+
                        |                       |
                        |                       |
                    +---+---+                   `--- LAN
                    |       | ---'       `---


If I'm not mistaken, eth1 doesn't need an IP address.  My only concern
now is, how will 235 and 236 be able to find 237 and vice-versa?  That
will require more Iptables rules to route that traffic, correct?

Sorry for the long rambling post, I don't know anyone personally who I
can ask.



Reply to: