nove (n00b)
Joined: 01 Oct 2004 Posts: 20
Posted: Fri Nov 25, 2005 6:24 am Post subject: routing - firewall different subnet

Hi,
I've got a problem: my router/firewall is on a different subnet than the clients!
Subnets:
1.) 132.147.150.xxx
2.) 132.147.151.xxx
3.) 132.147.160.xxx
Subnet Mask 255.255.0.0
(Don't blame me for the address ranges of that network, that was the crime of my forerunner)
The Router:
192.168.0.254 Subnet Mask 255.255.255.0
The Firewall:
eth0=132.147.151.254 Subnet Mask 255.255.0.0
eth1=132.147.151.3 Subnet Mask 255.255.0.0
My firewall script is as simple as it could be:
Code:
#!/bin/bash
IPTABLES='/sbin/iptables'
# Set interface values
EXTIF='eth0'    # towards the router / Internet
INTIF1='eth1'   # towards the 132.147.0.0/16 LAN
# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
# flush rules and delete chains; -F alone only touches the filter table,
# so the nat table is flushed too, otherwise re-running this script stacks MASQUERADE rules
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
# (replies from $EXTIF back to the LAN rely on the default FORWARD policy being ACCEPT)
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
# no second internal interface ($INTIF2) is defined yet
#echo -e " - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
#echo -e " - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
# block out all other Internet access on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
My /etc/conf.d/net:
Code:
config_eth0=( "132.147.151.254 netmask 255.255.0.0" )
routes_eth0=( "default gw 192.168.0.254" )
config_eth1=( "132.147.151.3 netmask 255.255.0.0" )
Is there an easy way to route from one subnet to the other?

tuxmin (l33t)
Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
Posted: Fri Nov 25, 2005 7:57 am

You cannot have a router that has no IP on your subnet.
Besides, what kind of router would that be with only one IP address!?
Could you please give more details on your setup -- I don't get it...
Alex!!!

nove (n00b)
Joined: 01 Oct 2004 Posts: 20
Posted: Fri Nov 25, 2005 8:40 am

It's a simple hardware router with one IP address.

tuxmin (l33t)
Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
Posted: Fri Nov 25, 2005 9:09 am

So I assume you simply don't know what a router does, do you?
A router transmits packets between subnets. So by definition it must have at least two interfaces with two IP addresses, one in each subnet. In your special case I see you have two subnets:
1. 132.147.0.0/16 (your LAN, I assume). The gateway address is not in this net, so no routing is possible!
2. 192.168.0.0/24 (the LAN subnet of your router). Let's assume further it has some public IP on the outbound interface.
Again, I have no idea how your FW and router are connected. But judging from what you posted, it's a total mess.
Please elaborate.
Alex!!!

misc (Tux's lil' helper)
Joined: 09 Sep 2003 Posts: 109
Posted: Fri Nov 25, 2005 9:41 am

And why have you got eth0 and eth1 in the same subnet? Doesn't make sense...
You say you have three subnets with a /16 - they're all on the same subnet as each other. If it was a /24 then that sounds more like it.

lesourbe (l33t)
Joined: 24 Nov 2005 Posts: 710 Location: Champagne !
Posted: Fri Nov 25, 2005 10:52 am

That seems unclear...
So let's state that a subnet mask like 128.0.0.0 on every piece of hardware should do the job.
Well, I DO NOT recommend it...
---
The net address of your LAN is 132.147.X.X --- the 3 LANs are on the SAME network, unless you change their subnet mask to /24 (255.255.255.0).
There MUST be a piece of hardware on the same network as your LAN(s) for routing's sake.
nove, you should try to draw us a map of your network... with the NICs and their addresses.

nove (n00b)
Joined: 01 Oct 2004 Posts: 20
Posted: Fri Nov 25, 2005 4:52 pm

No, there isn't another piece of hardware in this network. The router is normally on the address of the firewall. And normally (but please don't tell anyone) there isn't a firewall. My plan is to migrate all of the clients to the 192.168.xxx.xxx network (a private one, not the one of SCO). But for some reasons I can't do that at once, so I have to decide where to begin. Therefore I want to start with the firewall and the router. The router I want to change from 132.147.151.3 to 192.168.0.254; the firewall has two interfaces, eth0 with the IP 192.168.0.253 and eth1 with the IP 132.147.151.3.
The rest of the network is like the description above.
The problem is that the internal routing in the firewall from eth1 to eth0 and the inverse does not work.
If I put one client (192.168.0.1, gateway 192.168.0.254), the firewall (eth0=192.168.0.2, eth1=192.168.0.254) and the router (as default gateway in the firewall, on 192.168.0.15) in one subnet, it works fine, because they are all in the same network.
But I want the firewall to translate from one net to the other.

lesourbe (l33t)
Joined: 24 Nov 2005 Posts: 710 Location: Champagne !
Posted: Fri Nov 25, 2005 5:20 pm

Well, I am puzzled... sorry...
Would you mind drawing a map of your network?

lesourbe (l33t)
Joined: 24 Nov 2005 Posts: 710 Location: Champagne !
Posted: Sat Nov 26, 2005 7:35 am Post subject: Re: routing - firewall different subnet

Cheers!
Well, the question was:
nove wrote: "Is there an easy way to route from one subnet to the other?"
You won't have to route between your LAN subnets because they are all in the same network.
But I suspect what you really want to know is:
if you want to migrate your LAN from 132.147.X.X to 192.168.X.X, not at the same time...
I bet you'll have to add a NIC to your firewall... there's no way for you to end up without a router with 3 NICs (well, unless it becomes complicated).

tuxmin (l33t)
Joined: 24 Apr 2004 Posts: 838 Location: Heidelberg
Posted: Sat Nov 26, 2005 7:36 am

You have to NAT all outbound traffic from 132.147.0.0/16 to eth0 on your firewall. Apparently your router only NATs addresses from 192.168.0.0/16. What happens is that your packets from 132.147.0.0/16 pass your router but the replies get routed to the real net, which is owned by SCO according to whois! Hence any connection fails...
OK, I guess SCO doesn't have much sympathy in the Linux community, but you'd better switch to public addresses as soon as possible, as no real IP within this range is reachable from your LAN.
Alex!!!
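Two checks underlie the whole thread: the original /etc/conf.d/net puts eth0 at 132.147.151.254/16 but points its default route at 192.168.0.254, a gateway that is not on-link for that interface (so the kernel cannot install the route), and, as misc and lesourbe point out, the three "subnets" with a /16 mask are one network. The POSIX sh helper below is an added example, not code from the thread; it applies both checks to the addresses posted above.

```shell
#!/bin/sh
# Added example: is a gateway on-link for an interface, and do two hosts share a subnet?
# All addresses are the ones quoted in the thread.

# Dotted-quad IPv4 -> 32-bit integer (sh arithmetic is at least 32 bits wide).
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet ADDR NETMASK OTHER: succeeds when ADDR and OTHER share the network
# selected by NETMASK, i.e. the kernel would treat OTHER as directly reachable.
same_subnet() {
    a=$(ip2int "$1"); m=$(ip2int "$2"); o=$(ip2int "$3")
    [ $(( a & m )) -eq $(( o & m )) ]
}

# gateway_check ADDR NETMASK GATEWAY: prints on-link or off-link. A default route via an
# off-link gateway is rejected by the kernel ("Network is unreachable"), which is why
# routes_eth0=( "default gw 192.168.0.254" ) cannot work with eth0 in 132.147.0.0/16.
gateway_check() {
    if same_subnet "$1" "$2" "$3"; then echo on-link; else echo off-link; fi
}

# First post: eth0 in 132.147.0.0/16 with gw 192.168.0.254
echo "eth0 132.147.151.254/255.255.0.0 gw 192.168.0.254: $(gateway_check 132.147.151.254 255.255.0.0 192.168.0.254)"
# nove's migration plan: eth0 moved into the router's 192.168.0.0/24
echo "eth0 192.168.0.253/255.255.255.0 gw 192.168.0.254: $(gateway_check 192.168.0.253 255.255.255.0 192.168.0.254)"

# 132.147.150.x and 132.147.160.x: one network under /16, separate only under /24
for mask in 255.255.0.0 255.255.255.0; do
    if same_subnet 132.147.150.1 "$mask" 132.147.160.1; then
        echo "mask $mask: 132.147.150.x and 132.147.160.x are the SAME subnet"
    else
        echo "mask $mask: 132.147.150.x and 132.147.160.x are different subnets"
    fi
done
```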