Announcement

**Gurm** · 12 March 2003, 12:25

This is a limitation of a lot of Linux. The third network basically makes everything FUBAR. I'm sure there's some way to do it... but I bought a cheap cable/dsl router. Happy I did.

- Gurm

**Pace|Work** · 12 March 2003, 13:21

Anyone know if Solaris would cope better? I'd ask my supervisor, but he's busy

I'm looking to create an exceedingly complicated network, with a Solaris box, a Linux box and some Windows (2000/XP) boxes. My idea is to get web servers running for everything (ASP, PHP, JSP etc)... plus SQL stuff too, and routing, firewalls...

**Slougi** · 12 March 2003, 14:04

Re: Linux as firewall/router...

Originally posted by lindberg
Have been trying for a while with this now but I'm soon about to buy a router if I don't get this solved.

I have a linuxbox with 3 NIC's, one for the WAN/DSL modem and two for my local networks. The problem is when I setup the iptables rules they only accept one destination NIC, so I was wondering: This could probably be solved by routing the two local NIC's in some way perhaps.

Gurus?

How exactly do you want to set it up?

**Byock** · 12 March 2003, 14:33

What are you using the 3rd nic for? 1 for the internet, 1 for internal network, 3rd for ?? Depending on how you are setting it up, you could do several things.

**the maddman** · 12 March 2003, 15:55

Just duplicate the rules for both internal networks, thanks to command line histories, it's not that bad. But more info would be nice, what distro are you running? Network layouts would help too. If you get fancy, look into advanced traffic shaping!

Linux Advanced Routing & Traffic Control HOWTO

http://www.lartc.org

**Ribbit** · 12 March 2003, 15:56

Re: Linux as firewall/router...

Originally posted by lindberg
I have a linuxbox with 3 NIC's, one for the WAN/DSL modem and two for my local networks. The problem is when I setup the iptables rules they only accept one destination NIC, so I was wondering: This could probably be solved by routing the two local NIC's in some way perhaps.

IMHO, playing games with 'routing the NICs' (in quotes because I don't really know what you mean by that) is likely to lead to inconveniences, problems, and perhaps security issues down the line. My advice is to just copy the rules for each local interface.

That said, there are a couple of things which might help. Specifying 'xyz+' as the interface will match any interface with a name that starts with 'xyz'.

There's also the ! (not) operator. So if eth0 is your external interface, and eth1 and eth2 are your internal interfaces, then instead of using one rule for each of eth1 and eth2, you could just use one with '! eth0'. Of course, that would also match the loopback interface, and SLIP or PPP interfaces, etc., but it might be useful to you.

Something else I've just thought of (and I'm just making this up now, so make sure you understand how this works for yourself) would be to define a custom chain for your local network. So something like:

ipchains -N local-accept
ipchains -A local-accept -o eth1 -j ACCEPT
ipchains -A local-accept -o eth2 -j ACCEPT

would create a new chain called local-accept, which will allow packets destined for eth1 or eth2. Then instead of copying an ACCEPT rule for packets you want to pass to the local networks, you can instead have one rule with '-j local-accept'.

Well, it's late and I'm babbling, so I hope the above makes sense and is useful to you.

And I'd like to echo the question: What exactly are you doing/why do you have it set up this way?

**lindberg** · 12 March 2003, 23:29

Originally posted by Byock
What are you using the 3rd nic for? 1 for the internet, 1 for internal network, 3rd for ?? Depending on how you are setting it up, you could do several things.

3rd for internal network as well.

I partly solved the firewall part simply by duplicating rules that were for internal NIC1 for int_NIC2, so I can surf with clients from both internal NIC's now and still be firewalled.

Why do I do this? I use the linuxbox as a firewalled switch, or atleast I want to. Running RedHat 7.1

regarding the "xyz+" thing I tried before, resulting in that my inet-nic got the same rules as the internal -> allow all. Note, I'm using some firewall script and I didn't write the iptables rules myself. And if I remember correctly I once long ago tried the "!xyz" but only resulting in errors when iptables wouldn't accept it.

I'll explain my setup so you can understand a bit better my situation:

Code:

 ------------------                           ------------------
| windoze x.x.0.10 |                         | windoze x.x.1.10 |
 ------------------                           ------------------
           |                                           |
           |                                           |
      ------------------------------------------------------------
     |   x.x.0.1(eth1) Linux RedHat       x.x.1.1 (eth2)          |
     |            inet-nic   1.2.3.4 (eth0)                       |
      ------------------------------------------------------------        
                                 |
                                 |
                         internet (SDSL gateway)

so basically what i want is this:

windoze1 --------
                 \    ----------
windoze2-------------| Firewall |----- internet
                 /    ----------
samba server-----

i.e. a net where these three appear to all be in the same net or atleast "see" each other :)

This is the way it work now, but I don't have the "switch"-function. I want to have the two win-machines on the same net so I could browse the network neighborhood to the other machine. So the firewall/internet share isn't any problem anymore but I lack the "switch" function. I use /24 netmask on all internal NIC's and the external nick is assigned my external ip.

Is there some kind of bridge function or something like that, that I could use. I tried to have ..0.1 and ..0.2 assigned to the internal nic's but that ofcourse only resulted in when pingin with a client to eth2 eth1 tried to answer since it was first nic for the ..0.0/24 net in the route tabel...

edit:thanx wombat

**Wombat** · 13 March 2003, 01:18

Code:

[FONT=courier new]
 -----------------------                       -----------------------
| windoze x.x.0.10 |                    | windoze x.x.1.10 |
 -----------------------                       -----------------------
               |                                                  |
               |                                                  |
      -----------------------------------------------------------
     |   x.x.0.1(eth1) Linux RedHat       x.x.1.1 (eth2)|
     |            inet-nic   1.2.3.4 (eth0)                         |
      -----------------------------------------------------------         
                                        |
                                        |
                                   internet (SDSL gateway)
[/FONT]

Slight help

**Paddy** · 13 March 2003, 01:57

smoothwall ?

**lindberg** · 13 March 2003, 02:13

Smoothwall looks nice, very nice. But overkill? maybe. I'm not to enthusiastic about re-installing a firewal. I already successfully setup my current firewall with port-forwarding and all (for gaming over internet

**Guru** · 13 March 2003, 02:24

Just a moment...

http://www.linux-firewall-tools.com/linux/

http://www.grennan.com/Firewall-HOWTO.html

**Ribbit** · 13 March 2003, 03:54

Originally posted by lindberg
Is there some kind of bridge function or something like that, that I could use.

Yes there is, under 'Networking Options' when you configure the kernel. I haven't used it myself, but it sounds like exactly what you want. Read the help text there for more info.

Although I still don't understand why you don't just have a single internal network...

**lindberg** · 13 March 2003, 04:01

Originally posted by Ribbit
Although I still don't understand why you don't just have a single internal network...

Oh, but that's exactly what I want. I works as it is with seperat networks. You see, that my problem, getting a single net work with two NIC i.e. the linux box will act as switch/hub

**lindberg** · 13 March 2003, 05:53

I guess this is the answer:

Magnux Linux - Bridge + Firewall + DSL Mini-HOWTO: Procedure

http://www.magnux.org/doc/howto/en/mini/Bridge+Firewall+DSL-3.php

linux, linux download, linux windows, linux software, modem linux, linux documentation, linux modem, linux installation, linux how, kernel linux, installing linux, linux installation, linux configuration, programming linux, operating system, unix, linux distribution, brazilian, brasil, brazil, linux security, linux kernel, howto

the software is here

404 Not Found

http://soft.ivanovo.ru/Linux/Bridge/bridgex.tar.gz

just need to set it up then...

Announcement

Linux as firewall/router...

Linux as firewall/router...

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment