Re: ip forwarding setup
On Mon, Dec 25, 2000 at 01:06:45AM -0500, Aaron Solochek wrote:
> Here is the situation: I have a laptop with wireless, and a desktop
> with wireless and regular ethernet.
>
> Let's call the desktop machine A. A has eth0 (ethernet to the rest
> of the world), and eth1 (10.0.10.1, in an ad hoc wireless with the
> laptop)
>
> Let the laptop be machine B, with only eth1, 10.0.10.2.
>
> Let there be a machine C, which is the gateway to the world that is
> sitting on the network which machine A's eth0 is part of.
>
>
> What I want to do is get machine B's packets through to machine C.
> Ideally, machine B would have a realworld ip -- a setup where
> machine A listened for 2 real ips, and forwarded all packets for one
> out over its eth1 on the 10.0.10.* network. However, I will settle
> for the easiest solution which allows machine B to be on the
> network.
i've got a debian box 208.33.90.85 attached to the Real World,
which also acts at 192.168.1.1 for my intra-local-net,
and several other machinery 192.168.1.{100,101,102,200} behind it.

for 192.168.1.100 i've got my settings thus:

    router address: 192.168.1.1

since *.100 hasta connect to the world through *.1 it treats
192.168.1.1 as its router (and its name server, but that's a
separate part of the puzzle). that is, every packet that
doesn't have some local destination (in this case, not to
ourselves at *.100) gets sent to *.1 for forwarding as
necessary.

pretty straightforward, right? A is on the local net, and B is
on the world-recognized internet. except i've got another node C
in the way!

my ISP doles out two IP numbers for every customer (which
will eventually be a problem, but it hasn't reached that yet)--
the other address is my actual cable modem at 208.33.90.84;
so everything from my debian machine that's not for a local-net
address, HASTA be routed thru the cablemodem (just like your
desktop routes everything through its gateway):
# /etc/network/interfaces
iface lo inet loopback

# eth0 == local 192.168.*.* intra-net
iface eth0 inet static
    address 192.168.1.1
    netmask 255.255.255.0
    network 192.168.0.0
    broadcast 192.168.1.255

# eth1 == connection to cablemodem at *.84, connecting to
# the rest of the world
iface eth1 inet static
    address 208.33.90.85
    netmask 255.255.255.0
    network 208.33.90.0
    broadcast 208.33.90.255
    gateway 208.33.90.84
    # GATEWAY <- there's the key for my debian box
--
so my setup doesn't look like yours at first glance, but turns
out, it's basically identical!
YOU:
    laptop -> desktop -> gateway -> internet
ME:
    mac -> debian -> cablemodem -> internet
    192.168.1.100 -> 192.168.1.1
                   = 208.33.90.85 -> 208.33.90.84 -> internet
i HIGHLY recommend doing

    apt-get install ipmasq

on all your debian boxes, and set up your laptop to use your
desktop as its router (gateway) and then set your desktop to use
your localnet gateway as its default -- and you should be all set!
> I've read a million howto's, and I had a setup working a few months
> ago, but it was doing so masquerading.
on my linux/debian 208.33.90.85 i've got
% ipmasq -d
Interfaces found:
eth0 192.168.1.1/255.255.255.0
eth1 208.33.90.85/255.255.255.0
/sbin/ipchains -P input DENY
/sbin/ipchains -P output DENY
/sbin/ipchains -P forward DENY
/sbin/ipchains -F input
/sbin/ipchains -F output
/sbin/ipchains -F forward
/sbin/ipchains -A forward -j ACCEPT -s 192.168.1.1/255.255.255.0 -d 192.168.1.1/255.255.255.0
/sbin/ipchains -A forward -j ACCEPT -s 192.168.0.1/255.255.255.0 -d 192.168.1.1/255.255.255.0
/sbin/ipchains -A forward -j ACCEPT -d 192.168.0.1/255.255.255.0
/sbin/ipchains -A forward -j ACCEPT -s 192.168.1.1/255.255.255.0 -d 192.168.1.1/255.255.255.0
/sbin/ipchains -A input -j ACCEPT -i lo
/sbin/ipchains -A input -j DENY -i ! lo -s 127.0.0.1/255.0.0.0 -l
/sbin/ipchains -A input -j ACCEPT -i eth0 -s 192.168.1.1/255.255.255.0
/sbin/ipchains -A input -j DENY -i eth1 -s 192.168.1.1/255.255.255.0 -l
/sbin/ipchains -A input -j DENY -i eth1 -s 192.168.1.1/255.255.255.0 -l
/sbin/ipchains -A input -j ACCEPT -i eth1 -d 208.33.90.85/32
/sbin/ipchains -A input -j ACCEPT -i eth1 -d 208.33.90.255/32
/sbin/ipchains -A forward -j MASQ -i eth1 -s 192.168.0.1/255.255.255.0
/sbin/ipchains -A forward -j MASQ -i eth1 -s 192.168.1.1/255.255.255.0
/sbin/ipchains -A output -j ACCEPT -i lo
/sbin/ipchains -A output -j ACCEPT -i eth0 -d 192.168.1.1/255.255.255.0
/sbin/ipchains -A output -j ACCEPT -i eth0 -d 224.0.0.0/240.0.0.0 -p ! tcp
/sbin/ipchains -A output -j DENY -i eth1 -d 192.168.1.1/255.255.255.0 -l
/sbin/ipchains -A output -j DENY -i eth1 -d 192.168.1.1/255.255.255.0 -l
/sbin/ipchains -A output -j ACCEPT -i eth1 -s 208.33.90.85/32
/sbin/ipchains -A output -j ACCEPT -i eth1 -s 208.33.90.255/32
echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -A input -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
/sbin/ipchains -A output -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
/sbin/ipchains -A forward -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
% route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
208.33.90.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         208.33.90.84    0.0.0.0         UG    0      0        0 eth1
so everything that's not specifically for a 192.168.* localnet address,
or on the isp's local network, all other packets go thru the
*.84 node and run amok across the world wild net.
--
There are only two places in the world where time takes
precedence over the job to be done. School and prison.
--William Glasser
will@serensoft.com *** http://www.dontUthink.com/
volunteer to document your experience for next week's
newbies -- http://www.eGroups.com/messages/newbieDoc
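
Added example (not part of the original post, and not ipmasq's or ipchains' own code): a small first-match evaluator for the forward-chain rules in the `ipmasq -d` output above, showing which forwarded packets are accepted, masqueraded, or denied and logged. It models only the `-j`, `-s`, `-d`, `-i` and `-l` options that chain uses, and assumes that `-i` on the forward chain names the outgoing interface; 198.51.100.7 is a constructed outside address.

```python
import ipaddress

# Forward-chain rules copied in order from the `ipmasq -d` output in the post.
FORWARD_RULES = """\
-A forward -j ACCEPT -s 192.168.1.1/255.255.255.0 -d 192.168.1.1/255.255.255.0
-A forward -j ACCEPT -s 192.168.0.1/255.255.255.0 -d 192.168.1.1/255.255.255.0
-A forward -j ACCEPT -d 192.168.0.1/255.255.255.0
-A forward -j ACCEPT -s 192.168.1.1/255.255.255.0 -d 192.168.1.1/255.255.255.0
-A forward -j MASQ -i eth1 -s 192.168.0.1/255.255.255.0
-A forward -j MASQ -i eth1 -s 192.168.1.1/255.255.255.0
-A forward -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 -l
"""
POLICY = "DENY"  # from `/sbin/ipchains -P forward DENY`


def parse_rule(line):
    """Parse the -j/-s/-d/-i/-l options of one rule (all that this chain uses)."""
    tok = line.split()
    opt = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}

    def net(value):
        # The address is masked by the netmask, so host bits are tolerated.
        return ipaddress.ip_network(value, strict=False) if value else None

    return {"target": opt["-j"], "src": net(opt.get("-s")),
            "dst": net(opt.get("-d")), "iface": opt.get("-i"), "log": "-l" in tok}


RULES = [parse_rule(line) for line in FORWARD_RULES.splitlines()]


def verdict(src, dst, out_iface):
    """Return (target, logged) for the first rule matching a forwarded packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in RULES:
        if rule["src"] and s not in rule["src"]:
            continue
        if rule["dst"] and d not in rule["dst"]:
            continue
        if rule["iface"] and rule["iface"] != out_iface:
            continue
        return rule["target"], rule["log"]
    return POLICY, False  # nothing matched: the chain policy applies


if __name__ == "__main__":
    for pkt in [("192.168.1.100", "198.51.100.7", "eth1"),   # LAN host to outside
                ("192.168.1.100", "192.168.1.101", "eth0"),  # LAN to LAN
                ("10.0.10.2", "198.51.100.7", "eth1")]:      # source not in a listed net
        print(pkt, "->", verdict(*pkt))
```
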