Gentoo Forums
2 internet connections and iptables/masquerade
Gentoo Forums Forum Index > Networking & Security
NrG
Tux's lil' helper


Joined: 09 Jun 2002
Posts: 83

Posted: Wed Nov 27, 2002 10:54 am    Post subject: 2 internet connections and iptables/masquerade

I have a Gentoo box which I use as firewall/router.
Currently I'm only using a cable modem to access the internet, so the config is pretty standard. A few weeks ago we got a new leased line from WorldCom that should give us a better connection between EU and TW. We want to use the cable modem for all traffic (gateway) and the new leased line for all traffic that should go to TW. At first I just set up a second machine to route all the traffic that should go to TW over the new leased line, but this is not the way I would like to see it done. That's why I put an extra NIC into my main firewall/router and connected the new leased line to it. After I added the routes for Taiwan to go over the new line I tried pinging them and it seems to work great on the firewall/router. But the internal machines behind the firewall/router can't. I guess this has something to do with iptables but I can't figure out how to fix it.

I hope someone can help me out here.

Thx

NrG
splooge
l33t


Joined: 30 Aug 2002
Posts: 636

Posted: Wed Nov 27, 2002 11:29 am

I'm not sure but I don't think you need iptables, unless you have an iptables configuration that might be blocking the routing.

Your gentoo box knows how to get to all networks that it is directly attached to. If you need it to find another network, you put in a route line that tells it how to get elsewhere.

For example, from the installation guide:

/sbin/route add -net default gw $GTWAY netmask 0.0.0.0 metric 1

The above line routes all traffic to the default gateway, a.k.a. The Internet. If you want traffic to go elsewhere, you need to insert an additional route statement, replacing $GTWAY with the IP address on the other side of your new leased line.

[local network] - [network inbetween] - [remote network]
10.1.1.0 - 10.1.2.1, 10.1.2.2 - 10.1.3.0

For your local network to get to the remote network, add this line to your routing table (doing this from memory, so it might be a little off):

/sbin/route add -net 10.1.3.0 gw 10.1.2.2 netmask 255.255.255.0

And for the remote network to find its way back, add this line to the remote machine's route table:

/sbin/route add -net 10.1.1.0 gw 10.1.2.1 netmask 255.255.255.0

Hope that helps.
NrG
Tux's lil' helper


Joined: 09 Jun 2002
Posts: 83

Posted: Wed Nov 27, 2002 11:53 am

Thx for your fast reply.

I do not completely understand your reply.

I do not need iptables in my router/firewall?

That would sound a bit strange. I'm sure I need to have NAT functionality to be able to access the internet from my local LAN. This can't just be done with routing.

Let me try to type out my situation here:

eth0 = 212.1.1.2 (gw=212.1.1.1)
eth1 = 10.1.1.1
eth2 = 193.1.1.2 (gw=193.1.1.1)

Default gateway = 212.1.1.1

This route is added for routing everything to Taiwan over eth2:

route add -net taiwanip netmask 255.255.255.255 gw 193.1.1.1

The default gateway on the client PCs is 10.1.1.1.
So all traffic should automatically go to my firewall/router, and my router knows where to route it.

The only problem (I think) I have is that my firewall script is based on only eth0 and eth1. Masquerade works between eth0 and eth1, but how do I get it to work also for eth0-eth2?

It could be that I'm completely wrong about this masquerade thing, but this just sounds logical to me.


NrG
splooge
l33t


Joined: 30 Aug 2002
Posts: 636

Posted: Wed Nov 27, 2002 12:07 pm

I'm sorry, but I am too unfamiliar with iptables to come up with a working example for you. But you're right, you need NAT for your clients to access the internet through the gentoo box. You however don't need NAT to get the routing working.

There's a firewall script on projectfiles.com (http://projectfiles.com/firewall) which will allow you to set up a DMZ on a different network card. This might be what you're looking for.
humpback
Retired Dev


Joined: 19 Oct 2002
Posts: 394
Location: Coimbra - Portugal

Posted: Wed Nov 27, 2002 12:15 pm

In your firewall script you have something like:
iptables --table nat --append POSTROUTING --out-interface eth0 --jump MASQUERADE
Have you tried adding the same thing for eth2 (the TW NIC)?
_________________
Gustavo Felisberto
Humpback @ #gentoo-pt
------------
It's most certainly GNU/Linux, not Linux. Read more at
http://www.gnu.org/gnu/why-gnu-linux.html .
-------------
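The pieces discussed in this thread (splooge's per-destination route, NrG's three-NIC layout, humpback's per-uplink MASQUERADE rule in the nat table) put together as one script. This is an added example, not code from the thread or from the projectfiles.com script; interface names and gateway addresses are the ones NrG posted, TW_NET is a constructed placeholder prefix, and the DRY_RUN variable, the run helper and the FORWARD policy are my additions. With the default DRY_RUN=1 it only prints the commands; set DRY_RUN=0 and run it as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): minimal two-uplink router setup.
# DRY_RUN=1 (default, an assumption of this example) prints the commands
# instead of executing them.
: "${DRY_RUN:=1}"

WAN_CABLE=eth0          # 212.1.1.2, default route via 212.1.1.1 (from NrG's post)
LAN=eth1                # 10.1.1.1, the clients' default gateway
WAN_LEASED=eth2         # 193.1.1.2, leased line to TW
LEASED_GW=193.1.1.1
TW_NET=203.0.113.0/24   # constructed placeholder (TEST-NET-3), stands in for "taiwanip"
LAN_NET=10.1.1.0/24

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_router() {
    # 1. Destination-based route: only traffic for TW_NET leaves via the leased
    #    line; everything else keeps following the default route on eth0.
    run ip route replace "$TW_NET" via "$LEASED_GW" dev "$WAN_LEASED"

    # 2. The box must forward, not just route for itself.
    run sysctl -w net.ipv4.ip_forward=1

    # 3. NAT: one MASQUERADE rule per uplink, in the nat table. Replies to
    #    TW come back to eth2's address, so no policy routing is needed.
    for wan in "$WAN_CABLE" "$WAN_LEASED"; do
        run iptables -t nat -A POSTROUTING -o "$wan" -s "$LAN_NET" -j MASQUERADE
    done

    # 4. Forwarding policy: the LAN may go out either uplink, uplinks may only
    #    carry replies back in, and nothing is forwarded between the two uplinks.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for wan in "$WAN_CABLE" "$WAN_LEASED"; do
        run iptables -A FORWARD -i "$LAN" -o "$wan" -s "$LAN_NET" -j ACCEPT
    done
}

apply_router
```

The `-s "$LAN_NET"` on the MASQUERADE rules limits NAT to the internal prefix, and the FORWARD rules make sure the leased line cannot be used as a transit path between the two WANs; neither is needed to make NrG's ping work, but both are cheap on a box that is also the firewall.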
NrG
Tux's lil' helper


Joined: 09 Jun 2002
Posts: 83

Posted: Wed Nov 27, 2002 12:33 pm

LOL

Thx humpback, that was exactly what I was looking for.
I already tried this once, but I forgot to specify the correct table (nat).
So when I issued the command I got:

firewall root # iptables -A POSTROUTING -o eth2 -j MASQUERADE
iptables: No chain/target/match by that name.

hehe, now I know what I did wrong :) and it works.

Thx to you both for helping out here.

NrG
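NrG's mistake was silent in the sense that the rule simply never existed: the command failed, and nothing checked afterwards that every uplink was covered. A small check over `iptables-save` output catches exactly that. This is an added example, not from the thread; the check_masq function is mine, and the rule set it reads is a constructed sample of what iptables-save would show with only the cable uplink masqueraded, not real output from NrG's box.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every uplink has a
# MASQUERADE rule in nat/POSTROUTING. Usage: check_masq <iptables-save file> <if>...
# Returns 0 when all uplinks are covered, 1 otherwise, and names the missing ones.
check_masq() {
    rules_file=$1; shift
    missing=""
    for wan in "$@"; do
        # Only rules inside the *nat section count; a rule that landed in
        # *filter (the "-t nat" omission) is ignored, as iptables ignores it.
        if ! awk -v ifc="$wan" '
            /^\*/ { table = substr($0, 2) }
            table == "nat" && /^-A POSTROUTING / && / -j MASQUERADE/ {
                for (i = 1; i < NF; i++)
                    if ($i == "-o" && $(i + 1) == ifc) found = 1
            }
            END { exit found ? 0 : 1 }' "$rules_file"; then
            missing="$missing $wan"
        fi
    done
    if [ -n "$missing" ]; then
        echo "no MASQUERADE rule in nat/POSTROUTING for:$missing"
        return 1
    fi
    echo "all uplinks masqueraded"
    return 0
}

# Constructed sample (not real output): eth0 masqueraded, eth2 forgotten.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -j ACCEPT
COMMIT
EOF

check_masq "$SAMPLE" eth0 eth2    # reports eth2 as missing
rm -f "$SAMPLE"
```

On a live box the input would be `iptables-save > /tmp/rules; check_masq /tmp/rules eth0 eth2`, which is a reasonable last line for a firewall script: if it fails, the NAT half of a new uplink is not in place even though the routes are.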
All times are GMT