[olug] iptables behind router
William E. Kempf
wekempf at cox.net
Tue Sep 14 11:48:27 UTC 2004
On Tue, September 14, 2004 11:43 am, Daniel Linder said:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> <quote who="William E. Kempf">
>> On Tue, September 14, 2004 10:36 am, John Dickson said:
>>> Hey, I have an idea. Multihome the single nic on COMP A with more than
>>> one
>>> network/subnet. One IP from your Wireless router network and another IP
>>> from a different network common to the other boxes. And so on.....
>>
>> I'm not familiar with "multihome"ing, and Google Searching isn't being
>> overly helpful at the moment. Several hits, but to nothing that's
>> helping
>> me relate this concept to the problem at hand.
>
> "Multi-homing" is the act of connecting a single computer into two or more
> different networks. You can do this with multiple NICs, or you can assign
> multiple IP addresses to the same NIC. Linux lets you put multiple IP
> addresses on the same NIC so you can do things like routing with only a
> single card.
>
> In this case, you could setup your Linux box with two IP addresses on the
> same card but in different subnets. For example, if your Linksys/DLink
> router has an internal address of 192.168.0.1 with a /24 (255.255.255.0)
> netmask, then you could configure your Linux box as such:
>
> ifconfig eth0 192.168.0.2 netmask 255.255.255.0
> ifconfig eth0:0 192.168.1.1 netmask 255.255.255.0
> ip route add default via 192.168.0.1
>
> You will then have to setup your test workstations with a 192.168.1.X
> network address and set their default gateway as 192.168.1.1.
>
> This way you can have machines that are logically behind the Linux box,
> but are still plugged into the same physical hub as everything else (save
> the cost of a hub/switch).
OK, that clears up a lot. Something to think about. I need to figure out
the pros/cons of this approach before I go through the effort.
> If the Linux box breakes, just have the clients use DHCP and get an
> address from your router and they should start working again. :)
>
>>> All of your port forwarding and DMZing is limited in the wireless
>>> device.
>>> Not so in your Linux box. Let it flow (confined to only the services
>>> you
>>> expect to traffic) to the tux box and control services direction from
>>> there.......
>>
>> That's precisely what I'm trying to do (though I set the Tux box as a
>> DMZ,
>> so as not to have to deal with forwarding specific ports... why have to
>> configure things in two places?). What I don't understand is how
>> "multihome"ing will help me here.
>
> I think the problem started when you said the "router" was limited to only
> having a single DMZ IP address and only a limited number of ports to
> forward -- mine has that same problem (limited to five pre-defined ports
> such as http, https, smtp, and telnet !!!).
Well, the Linksys isn't limited in that way. The Web UI just has 5
entries for port ranges and the IP to route them to. So the ports aren't
pre-defined, and can be specified as ranges instead of single ports. For
most people, this is plenty, but in my case it's still too limiting.
> What needs to be done in your case is to actually swap the Linux box and
> the router so that Linux can do the bulk of the work, and let the router
> just handle the wireless stuff. Since you are new to TCP/IP networking,
> the most stable solution for you while in the learning phase is to leave
> the router alone and just setup a multi-homed Linux box and logically move
> your test workstation(s) to that second network. [Note: If you're like
> me, your wifes' computer will just use the DHCP from the router and go
> straight out there bypassing the Linux system -- just in case it goes down
> during testing! This way you always have a system that can get back out
> to the Internet to search for solutions or ask the OLUG for more input. :)
> ]
Yes, this does sound like a nice solution, but what are the draw backs to
this configuration? ;)
> If it helps to understand the routing a bit more, you might want to
> purchase an inexpensive 4-port switch/hub and a second NIC for the Linux
> box. Then you can setup your own network behind the Linux box and don't
> have to worry about the router or getting over the logical/physical
> disconnect.
Yeah, but I'm a cheap bastard, or I'd just risk hacking the router. :)
> Is this any clearer now or did I just muddy the waters?
No, this explained a lot. Thanks.
--
William E. Kempf
wekempf at cox.net
More information about the OLUG
mailing list