Re: rules for 2nd inteface on gateway
On 5 Apr 2005, Steve wrote:
> I'm new to this list and new to firewall so please be kind if any
> question seem obvious.
> Here is my problem. I have a little home lan with one interface
> connected to my modem/router (eth0), another for the lan (ath0,
> wireless) and a third one (eth1) which I use to repair thing when the
> wireless doesn't work (very rarely):
> eth0 : 192.168.1.35 fixed
> ath0: 192.168.20.1 fixed (and two boxes on that network, *.20.2 et
> eth1: 192.168.2.2 fixe
> and I defined two ip aliases on eth1, eth1:1 and eth1:2 as
> eth1:1 : 192.168.10.1
> eth1:2 : 192.168.10.2
> in order to run ntp on them and have my lan get the time from it.
You shouldn't need to create false interfaces addresses in order to run
NTP, or for other machines to sync to that system.
If you read the instructions that said you should have three sources,
and took that to mean you should do this, you missed the point - the
three sources makes sure that if one goes bad, your system can tell.
Having one time source, but pretending it is actually three different
sources, isn't really a good idea.
> Everything work fine until I decided to activate on the gateway the
> iptables. Now, from the internet all of my ports are blocked, as
> desired, I can surf without any problem from any of the 192.168.20.0/24
> boxes, but they cannot access the 192.168.10.0 network and this is were
> my question arises. Which rules do I have to put to get things
You need to add rules to your 'FORWARD' table, permitting those networks
to talk to each other. Something akin to this:
iptables -A FORWARD -i ath0 -o eth1 -s 192.168.20.0/24 \
-d 220.127.116.11/24 -j ACCEPT
You also need the reverse rules - swap the '-i' and '-o', and '-s' and
'-d' options, but otherwise repeat that.
This will permit traffic that matches those rules to pass through.
You might want to consider using some sort of helper script to do this
work for you, though, since they generally give you things like logging
of blocked packets for "free".
Then you could see from those logs what was going on, and why the
connection was failing.
I recommend 'firehol', which takes the hard work out of building
iptables rules, without taking away the flexibility. It reduces the
above code to two lines, for most systems, with a good deal more
capability and functionality.
If you want to make sense...you should never use the world *should* or
*ought* until after you've used the word *if.*
-- Todd Andrews, speaking in John Barth's _The Floating Opera_