Networking Forums
3 multi-homed

phwashington@comcast.net
      02-28-2006, 03:55 PM
I have 3 network cards on my system and I want to be able to forward
from LAN0 eth0 to LAN1 eth1 and LAN0 eth0 to LAN2 eth2 but not LAN1
eth1 to LAN2 eth2. I added a rule in iptables to stop forwarding from
the IP address on eth1 to eth2.
But I started looking at ethereal packets to determine how I was
getting from LAN1 to LAN2 and the ethereal output indicated that I was
going through eth0.
I'm sure that I can probably fiddle around with iptables until I can
stop this, but is there a way to configure routes more explicitly to
prevent this action?

phwashington@comcast.net
      02-28-2006, 04:30 PM
I guess a good addendum to my question is:
Is there a way to prevent forwarding in the route tables? I was
thinking that this might be more efficient than using the route tables.

LordGarak@gmail.com
      02-28-2006, 08:43 PM

(E-Mail Removed) wrote:
> I have 3 network cards on my system and I want to be able to forward
> from LAN0 eth0 to LAN1 eth1 and LAN0 eth0 to LAN2 eth2 but not LAN1
> eth1 to LAN2 eth2. I added a rule in iptables to stop forwarding from
> the IP address on eth1 to eth2.
> But I started looking at ethereal packets to determine how I was
> getting from LAN1 to LAN2 and the ethereal output indicated that I was
> going through eth0.
> I'm sure that I can probably fiddle around with iptables until I can
> stop this, but is there a way to configure routes more explicitly to
> prevent this action?


Are you running NAT on this setup? Do you have the default policy set
to Drop? Are you specifying both interfaces when you are forwarding?

Please post the result from: iptables -v -L FORWARD

phwashington@comcast.net
      03-01-2006, 12:47 AM
Yes, I have SNAT configured for both the LAN1 and LAN2 networks to
LAN0.

Once I added the following lines the packets no longer indicated a
source from the EXTIP:
$IPT -t nat -A POSTROUTING -s 192.168.2.0/24 -d \! 192.168.1.0/24 -j SNAT --to-source $EXTIP
$IPT -t nat -A POSTROUTING -s 192.168.1.0/24 -d \! 192.168.2.0/24 -j SNAT --to-source $EXTIP

But I still had routing occurring across LAN1 to LAN2.

I was able to get this to stop by placing a DROP in the chain
OUT_NETWORK so that source 192.168.1.0 to destination 192.168.2.0 and
vice versa were dropped.

The OUT_NETWORK chain is called at the beginning of the FORWARD chain.
There are 4 lines in my FORWARD chain (** in front) that I am not quite
sure why they are there. I'll have to investigate these further to
determine whether I actually need them, but right now they don't make
sense to me.


Following is the result of iptables -v -L FORWARD

Chain FORWARD (policy DROP 4 packets, 200 bytes)
 pkts  bytes  target       prot opt in   out  source          destination
 728K  408M   SHUN         all  --  any  any  anywhere        anywhere
 392K  351M   IN_NETWORK   all  --  eth0 any  anywhere        anywhere
    0  0      OUT_NETWORK  all  --  eth2 any  anywhere        anywhere
 336K  56M    OUT_NETWORK  all  --  eth1 any  anywhere        anywhere
**  2  96     ACCEPT       tcp  --  eth1 eth0 192.168.1.0/24  anywhere        tcp spts:1024:65535 dpt:rtsp state NEW
**  0  0      ACCEPT       tcp  --  eth0 eth1 192.168.1.0/24  anywhere        tcp spts:1024:65535 dpt:7070 state NEW
**  0  0      ACCEPT       tcp  --  eth1 eth0 192.168.1.0/24  anywhere        tcp spts:1024:65535 dpt:7071 state NEW
**  0  0      ACCEPT       udp  --  eth0 eth1 anywhere        192.168.1.0/24  udp spts:1024:65535 dpts:6970:7170
 1450  81472  LOG          all  --  any  any  anywhere        anywhere        limit: avg 3/min burst 3 LOG level error prefix `IPT FORWARD DROP: '
15785  898K   DROP         all  --  any  any  anywhere        anywhere

Thanks for the command line help. Definitely helped clear the forest
from the trees.

Is there any way to actually adjust or change my routing table to
prevent forwarding from eth1 to eth2 and vice versa? Or is it just
impractical to do that?

prg
      03-01-2006, 02:50 AM

(E-Mail Removed) wrote:
> I have 3 network cards on my system and I want to be able to forward
> from LAN0 eth0 to LAN1 eth1 and LAN0 eth0 to LAN2 eth2 but not LAN1
> eth1 to LAN2 eth2. I added a rule in iptables to stop forwarding from
> the IP address on eth1 to eth2.
> But I started looking at ethereal packets to determine how I was
> getting from LAN1 to LAN2 and the ethereal output indicated that I was
> going through eth0.
> I'm sure that I can probably fiddle around with iptables until I can
> stop this, but is there a way to configure routes more explicitly to
> prevent this action?


Since you need ip_forward=1 you are discovering one of the effects of
the weak ES model that Linux uses. I.e., the addresses belong to the
_host_ and _not_ to the nic, despite what networking utils would lead
you to believe ;-)

You can (already have in other post?) address this with netfilter rules
but it's messy and may prove to be difficult to maintain.

Your best solution, IMHO, is to use multiple routing tables and route
selection rules. Since you're the one that will maintain it, I will
for now suggest you look at these to see if you want to go that way for
a solution. It can be a bit confusing at first :-)

http://www.policyrouting.org/PolicyR...NLINE/TOC.html
especially
http://www.policyrouting.org/PolicyR...5.web.html#5.5

It helps to have handy a copy of this:
http://snafu.freedom.org/linux2.2/do...f/ip-cref.html

Also available here with another useful ref:
http://linux-ip.net/gl/ip-cref/
http://linux-ip.net/html/

Multiple routing tables are not that hard to manage once you get your
head around them.

good luck,
prg

LordGarak@gmail.com
      03-01-2006, 03:07 AM
You could use policy routing to do that, but it's simpler just to use
iptables. Just search for linux policy routing on google.

With normal routing there is just one table that is not really aware of
which interface the packets come from. You could mess with the
netmask, set it to 255.255.0.0 on the clients, then they would not
be able to reach anything on 192.168.* unless it's inside the same
broadcast domain (same vlan/switch/hub). But someone could still
override the netmask in the dhcp settings and connect to a host on the
other subnet via the gateway without the iptables filtering or policy
routing.

One thing you have to keep in mind with iptables is that the rules are
processed in order, so you need to drop what you don't want before you
accept everything else.

You might want to review all your tables if you haven't figured it out
already: iptables -v -L and iptables -t nat -v -L

You can also use -vv to get even more detail.

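Both suggestions above, prg's multiple routing tables with interface-based selection rules and LordGarak's "drop before you accept" ordering, as one added, runnable sketch for the three-NIC layout in the question (example code, not from the thread). Interface names and subnets are the poster's; table numbers 101/102, rule priorities and the chain layout are assumptions, and IP=echo IPT=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread: two ways to stop LAN1 (eth1) and
# LAN2 (eth2) from reaching each other while both still reach LAN0 (eth0).
# Interface names and subnets come from the thread; table numbers 101/102,
# rule priorities and the chain layout are assumed. Set IP=echo IPT=echo to
# print the commands instead of applying them (needs root otherwise).
IP=${IP:-ip}
IPT=${IPT:-iptables}
LAN1_IF=eth1; LAN1_NET=192.168.1.0/24; LAN1_TABLE=101
LAN2_IF=eth2; LAN2_NET=192.168.2.0/24; LAN2_TABLE=102

# Option 1 (prg): policy routing. A packet entering on eth1 is looked up in
# table 101 before "main"; the prohibit route there rejects anything bound
# for LAN2 (ICMP admin-prohibited) at the routing decision, before FORWARD.
# Destinations not listed in table 101 fall through to the next rule, so
# LAN1 -> LAN0/Internet is unaffected. Table 102 mirrors this for eth2.
isolate_lans_policy_routing() {
  $IP rule add iif "$LAN1_IF" table "$LAN1_TABLE" priority 100
  $IP rule add iif "$LAN2_IF" table "$LAN2_TABLE" priority 101
  $IP route add prohibit "$LAN2_NET" table "$LAN1_TABLE"
  $IP route add prohibit "$LAN1_NET" table "$LAN2_TABLE"
}

# Check option 1 without sending traffic: asking the kernel to route a
# LAN1-sourced packet for LAN2 as if it arrived on eth1 must fail with
# "RTNETLINK answers: Permission denied" (that is the prohibit route).
check_policy_routing() {
  $IP route get "${LAN2_NET%.*}.10" from "${LAN1_NET%.*}.10" iif "$LAN1_IF"
}

# Option 2 (LordGarak): netfilter. FORWARD is matched top to bottom and the
# first match wins, so the two DROPs go in before any ACCEPT. Building the
# chain from empty is what guarantees that order; -A on a chain that already
# ends in ACCEPT rules would put the DROPs after them.
isolate_lans_netfilter() {
  $IPT -F FORWARD
  $IPT -P FORWARD DROP
  $IPT -A FORWARD -i "$LAN1_IF" -o "$LAN2_IF" -j DROP
  $IPT -A FORWARD -i "$LAN2_IF" -o "$LAN1_IF" -j DROP
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  for lan in "$LAN1_IF" "$LAN2_IF"; do
    $IPT -A FORWARD -i "$lan" -o eth0 -j ACCEPT   # LANn -> LAN0 (and out)
    $IPT -A FORWARD -i eth0 -o "$lan" -j ACCEPT   # LAN0 -> LANn
  done
}
```

With option 1 the rejection happens before netfilter, so the FORWARD chain's LOG rule never sees LAN1/LAN2 cross traffic; with option 2 the LOG and DROP counters are where you confirm it is being stopped.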
phwashington@comcast.net
      03-01-2006, 04:35 AM

(E-Mail Removed) wrote:
> You could use policy routing to do that, but it's simpler just to use
> iptables. Just search for linux policy routing on google.
>
> With normal routing there is just one table that is not really aware of
> which interface the packets come from. You could mess with the
> netmask, set it to 255.255.0.0 on the clients, then they would not
> be able to reach anything on 192.168.* unless it's inside the same
> broadcast domain (same vlan/switch/hub). But someone could still
> override the netmask in the dhcp settings and connect to a host on the
> other subnet via the gateway without the iptables filtering or policy
> routing.
>
> One thing you have to keep in mind with iptables is that the rules are
> processed in order, so you need to drop what you don't want before you
> accept everything else.
>
> You might want to review all your tables if you haven't figured it out
> already: iptables -v -L and iptables -t nat -v -L
>
> You can also use -vv to get even more detail.


Thanks again, I appreciate the information.

phwashington@comcast.net
      03-01-2006, 04:40 AM
Thanks I really appreciate the information. I'm sure somewhere in
there I'll find my answer and gain another clue to policy routing.

This must be my lucky net day. 2 informative answers from a question.

Thanks again.

[I may be dull, but I'll catch on soon]
