From Cole Ragland
Answered By Mike Orr
I have a Slackware machine acting as a gateway/router between two separate networks, e.g. 172.29.17.0 and 10.10.3.0. This machine is multihomed with eth0=172.29.17.19 and eth1=10.10.3.10. Packets from the 10.10.3 network cannot get past eth0. I've enabled IP forwarding, e.g. "echo 1 ip_forward", but I believe that is only for routing between subnets. How can I route between two separate networks? I'm thinking ip_chains, ipmasq, and routed (which I have to fire up manually -- if I uncomment rc.inet2 lines, the machine stalls at boot) but not sure. Thanks for your help.
[Mike] If your internal network had public IPs, you would need only IP forwarding. However, 10.x.x.x IPs are reserved for private networks, and Internet routers automatically reject them. So even if your request does go out, there's no way for replies to get back to you. The trick is to use IP Masquerading.
If you're using kernel 2.2.x, the minimal commands required in your startup scripts are:
    echo "1" > /proc/sys/net/ipv4/ip_forward           # Enable forwarding between eth0 and eth1.
    /sbin/ipchains -P forward DENY                     # Forbid all other types of forwarding.
    /sbin/ipchains -A forward -s 10.0.0.0/8 -j MASQ    # Forward and masquerade requests from 10.x.x.x and handle replies back.
This will handle ordinary TCP services. FTP, ping, irc, CuSeeme, Quake also require additional modules in order to be masqueraded.
You can also build a more elaborate ipchains ruleset to customize security.
- A similar thread is in last month's The Answer Gang.
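As an added illustration of the "more elaborate ruleset" mentioned above (this is not Mike's script or part of the original column), here is a kernel 2.2 ipchains setup for the gateway in the question that denies forwarding by default, drops packets arriving on eth0 with a spoofed 10.x source, masquerades only the 10.10.3.0/24 network on its way out of eth0, and loads the FTP and IRC helper modules. The interface names and addresses come from the question; the script structure and the consistency-check functions are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original column. Assumes kernel 2.2 with
# ipchains; eth0 = 172.29.17.19 (outside), eth1 = 10.10.3.10 (inside).
EXT_IF=eth0
INT_NET=10.10.3.0/24

# Print the ruleset one command per line; apply_rules pipes it to sh.
emit_rules() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    # Flush stale rules and deny all forwarding unless a rule allows it.
    echo "/sbin/ipchains -F forward"
    echo "/sbin/ipchains -P forward DENY"
    # Anti-spoofing: a packet entering on the outside interface that claims
    # an inside (10.x) source address is bogus; drop it and log it (-l).
    echo "/sbin/ipchains -A input -i $EXT_IF -s 10.0.0.0/8 -j DENY -l"
    # Masquerade only the inside network, and only when the packet is
    # leaving via eth0 (in the forward chain -i is the outgoing interface).
    echo "/sbin/ipchains -A forward -i $EXT_IF -s $INT_NET -j MASQ"
    # Helper modules for protocols that embed addresses in their payload.
    for mod in ip_masq_ftp ip_masq_irc; do
        echo "/sbin/modprobe $mod"
    done
}

# Apply the generated rules (needs root); stop at the first failure.
apply_rules() {
    emit_rules | sh -e
}

# Consistency checks on the generated ruleset; no root required.
count_rules() {
    emit_rules | grep -c "^/sbin/ipchains"
}

masq_rule() {
    emit_rules | grep ' -j MASQ$'
}

if [ "${1:-}" = apply ]; then
    apply_rules
else
    emit_rules
fi
```

Run it without arguments to review the commands it would issue, and with `apply` as root to install them.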