On Mon, 08 Dec 2003 22:53:52 -0500, Rusty Phillips <(E-Mail Removed)> wrote:
> The internal interface has the same netmask as the public external one
> (which works). Actually, all the conditions you described are true -
> except the netmask of 255.255.255.255, which makes it impossible
> to reach the gateway from the external interface at all.
A netmask of 255.255.255.255 is not a problem for your public interface if
you have a -host route to its gateway. My ISP does that automatically for
my pppoe, and for dialup ppp, the gateway is usually not even in a related
network. Since the only IP you need to directly access on your public
interface is the gateway, the only routes necessary on that interface are
a host route to your gateway and that gateway as the default route.
> I actually guarantee that packets bound for those
> computers (or from them) get there by manipulating the routing table with
> "route." Or am I wrong? Isn't that what you do with that?
Scripted (or manual) route commands can work around conflicting
interfaces. But it is more automatic if interfaces have correct netmasks
for desired routing. For example, it does not make sense to configure eth0
with netmask 255.255.255.248 if that block of IPs is on eth1 (or eth1:0).
> At the moment, I've gotten it working by removing the second subnet on the
> ethernet card and using NAT on the public as well as the private
> interfaces. This is not my ideal solution, since the public addresses
> have to experience all the disadvantages that come with NAT, but at least
> it works.
1 to 1 NAT is a possibility (associate each public IP with a private IP),
which I think can be done with just iptables rules, but I have not done
that.
> To use Suse firewall, I'd have to give up all the advantages offered by
> Gentoo. I'll pass on that. Also, I don't want to DMZ my public
> computers; I'm using a computer for the awesome firewall - otherwise I'd
> use a cheap consumer router.
DMZ in Linux does not necessarily imply the same thing as DMZ on cheap
consumer routers (all ports to an IP). SuSEfirewall2 uses DMZ to refer to
public IPs, but you can still control what ports/protocols are allowed
to/from there, or between there and private LAN. But public/private
traffic is easier to control on different physical interfaces. I recently
downloaded Gentoo, but have not had a chance to install it yet.
> On Tue, 09 Dec 2003 01:57:43 +0000, David Efflandt wrote:
>
>> On Mon, 08 Dec 2003 12:51:03 -0500, Rusty Phillips <(E-Mail Removed)> wrote:
>>> I have a computer that serves as a router for six other computers.
>>>
>>> It has its own public IP address, and four of the six other
>>> computers also have their own public addresses (all on the same
>>> subnet).
>>>
>>> The other two computers have private addresses, and I use a
>>> firewall script called gShield to do the routing and NAT. Supposedly
>>> it also has support for public addresses, which I have enabled.
>>>
>>> I've also manually added routes (using route) to the public addresses to
>>> go through the internal interface.
>>>
>>> I have the internal interface set up with two addresses -
>>> the first address (normally the gateway) for both subnets.
>>> At the moment, the private addresses work completely, but the
>>> publicly addressed computers are only able to ping all of the NICs on the
>>> internal network (and the external interface which connects to
>>> the net); they cannot access anything beyond.
>>>
>>> Does anyone have any thoughts about what I'm doing wrong, or what I'm
>>> missing?
--
David Efflandt - All spam ignored
http://www.de-srv.com/
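To see why a 255.255.255.255 public interface works once a host route to the gateway exists (and fails without it), here is a toy longest-prefix-match routing lookup. It is an added illustration, not code from the thread; the addresses (203.0.113.x as "public", 192.168.1.0/24 as "private") and interface names are constructed.

```python
import ipaddress

# Added illustration, not from the thread: a minimal longest-prefix-match
# routing table. It models the kernel's rule that a gateway must itself be
# directly connected (on-link) for a route via that gateway to be usable.
# All addresses below are constructed examples.

def route(net, gw, iface):
    """Build a route entry: (destination network, gateway or None, interface)."""
    return (ipaddress.ip_network(net),
            None if gw is None else ipaddress.ip_address(gw),
            iface)

def lookup(routes, dst):
    """Most specific route matching dst, as (gateway-or-None, iface); None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])

def next_hop(routes, dst):
    """Resolve dst to what would actually be ARPed for: ('direct' or gateway, iface).
    Returns None when unreachable, including when the gateway is not on-link."""
    r = lookup(routes, dst)
    if r is None:
        return None
    gw, iface = r
    if gw is None:
        return ("direct", iface)          # on-link destination
    hop = lookup(routes, str(gw))
    if hop is None or hop[0] is not None:
        return None                       # gateway reachable only via a gateway: unreachable
    return (str(gw), hop[1])

# /32 on the public interface and a default route via the gateway, but no host route to it.
NO_HOST_ROUTE = [
    route("203.0.113.10/32", None, "eth0"),     # the interface's own address
    route("192.168.1.0/24", None, "eth1"),      # private LAN
    route("0.0.0.0/0", "203.0.113.1", "eth0"),  # default via the ISP gateway
]

# Same table plus the -host route to the gateway (route add -host 203.0.113.1 dev eth0).
WITH_HOST_ROUTE = [route("203.0.113.1/32", None, "eth0")] + NO_HOST_ROUTE

if __name__ == "__main__":
    for name, table in (("without host route", NO_HOST_ROUTE),
                        ("with host route", WITH_HOST_ROUTE)):
        print(name, "->", next_hop(table, "198.51.100.7"))
```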