a little help on iptables

on 07.09.2006 16:40:32 by Luca Ferrari

Hi all,
this is the situation: I've got a double-homed firewall, with one NIC assigned
to a public IP and the other to the LAN network. Until now I've used the
external NIC as default gateway, since my router has a public address too.
Now I'd like to use another router on the LAN as default, leaving the external
interface untouched (since the firewall must be accessible from the
outside world). So I've changed the default gw to the LAN one, and it works,
but the external IP becomes unreachable, and I think it's because it does not
know the gateway interface. So, how can I specify for the external interface
the gateway to use? If I try to do it through the route command it replies saying
that the network is unreachable. Any help?
Thanks,
Luca
-
To unsubscribe from this list: send the line "unsubscribe linux-admin" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: a little help on iptables

on 07.09.2006 17:15:39 by serralheiro

Hi Luca

It would be easier to give you a hand if you provide us with the
output of: ifconfig; route -n and iptables -L (and iptables -L -t nat)

you can always try to execute the following:
route add default gw x.x.x.x dev ethX
for the default gateway and:
route add -net z.z.z.z netmask k.k.k.k dev ethY
for the other route

Hope it helps

Andre Serralheiro


Re: a little help on iptables

on 07.09.2006 18:24:30 by urgrue

It's a little hard to understand what you want exactly. Why do you want
to keep both internet connections? Is it not possible to forward a port
from the new gateway to your firewall? Why must your firewall use a
different internet connection (i.e. why can't you connect the new
connection directly to your firewall)?

If you _really_ must have:
-LAN traffic use your firewall as the default gateway, which then
forwards the traffic to the new router
-Firewall use the old router for its own internet
Then your only option that I can think of is to use policy routing.
Basically on your firewall do something like:
ip rule add from x.x.x.x/z table 100
ip rule add to x.x.x.x/z table 100
ip route add x.x.x.x/z via i.i.i.i table 100
ip route add default via z.z.z.z table 100
Where:
x.x.x.x/z = your LAN
i.i.i.i = your firewall's LAN IP
z.z.z.z = your new router in the LAN

But your situation must be somewhat unusual if you really need to do this.

urgrue

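A toy model of the routing policy database that the ip rule / ip route ... table commands above manipulate, added here as an example that is not part of the thread. It goes beyond urgrue's table 100 by also adding a table for traffic sourced from the firewall's own public IP, the usual way to keep a dual-homed host reachable on its external address once the default gateway moves to the LAN side; all addresses, interface names and table numbers are constructed.

```python
"""Toy model of the Linux routing policy database (RPDB) behind the
'ip rule' / 'ip route ... table N' commands in the thread. All addresses
are constructed examples from the RFC 5737 documentation ranges."""
import ipaddress

N = ipaddress.ip_network
LAN, PUBLIC = N("192.168.1.0/24"), N("203.0.113.0/24")
FW_PUBLIC_IP, OLD_ROUTER = "203.0.113.10", "203.0.113.1"   # external NIC side
NEW_LAN_ROUTER = "192.168.1.254"                            # LAN router Luca wants as default

def lookup(rules, tables, src, dst):
    """Return (table, next_hop) for a packet src -> dst, or None if unroutable.
    rules: (priority, ("from"|"to"|"all", network), table), checked by priority;
    tables: table -> [(destination network, next hop)]. A matching rule whose
    table holds no route falls through to the next rule, as the kernel does."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, (kind, net), table in sorted(rules, key=lambda r: r[0]):
        if (kind == "from" and s not in net) or (kind == "to" and d not in net):
            continue
        best = None
        for prefix, nexthop in tables.get(table, []):
            if d in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, nexthop)        # longest prefix wins
        if best:
            return table, best[1]
    return None

# Luca's state: only the main table, default gateway moved to the LAN router.
MAIN_ONLY = [(32766, ("all", None), "main")]
TABLES = {
    "main": [(LAN, "dev eth1"), (PUBLIC, "dev eth0"), (N("0.0.0.0/0"), NEW_LAN_ROUTER)],
    # urgrue's table 100: LAN traffic is forwarded to the new router.
    100: [(LAN, "dev eth1"), (N("0.0.0.0/0"), NEW_LAN_ROUTER)],
    # Not in the thread: a table for traffic sourced from the firewall's public IP.
    200: [(N("0.0.0.0/0"), OLD_ROUTER)],
}
POLICY = [
    (100, ("from", LAN), 100), (100, ("to", LAN), 100),   # ip rule add from/to x.x.x.x/z table 100
    (200, ("from", N(FW_PUBLIC_IP + "/32")), 200),        # ip rule add from <public IP> table 200
] + MAIN_ONLY

def egress(rules, src, dst):
    """Next hop the firewall would use for src -> dst under the given rules."""
    hit = lookup(rules, TABLES, src, dst)
    return None if hit is None else hit[1]

if __name__ == "__main__":
    # Luca's symptom: a reply sourced from the public IP is handed to the LAN router.
    print(egress(MAIN_ONLY, FW_PUBLIC_IP, "198.51.100.5"))     # 192.168.1.254
    # With policy routing: public-IP traffic uses the old router, LAN hosts the new one.
    print(egress(POLICY, FW_PUBLIC_IP, "198.51.100.5"))        # 203.0.113.1
    print(egress(POLICY, "192.168.1.50", "198.51.100.5"))      # 192.168.1.254
```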