Help needed for a box with 4 Ethernet Interfaces

Dave Johnson davejohnson_hifi at yahoo.com
Thu Aug 4 19:24:48 CEST 2005


Derick:

Thanks very much for your response. However, as I mentioned in my previous email, boxes A and C have
2 interfaces.
The issue here is that any packet coming in on Eth2/Eth3 for 192.168.0.x needs to be routed to
Eth2/Eth3 only, not to Eth1 (which is the local interface). For example, if Box C pings Box A on
192.168.0.1, Box B intercepts that because it has 192.168.0.1 as its local interface and starts to
respond back to Box C.

Thanks

Dave



--- Derick Anderson <danderson at vikus.com> wrote:

> If the drawing is messed up I apologize - Outlook doesn't seem to like
> plain-text stuff.
> 
> -----Original Message-----
> From: netfilter-bounces at lists.netfilter.org
> [mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of Derick
> Anderson
> Sent: Thursday, August 04, 2005 1:01 PM
> To: netfilter at lists.netfilter.org
> Subject: RE: Help needed for a box with 4 Ethernet Interfaces
> 
> Wow. First, let's give some names to each box so we both know which one
> I'm referring to. The box (box "B" in your diagram) with 4 interfaces is
> your router. Boxes A, C, and D will be called "internal boxes" as a
> group.
> 
> You must realize that you can't set up interfaces on your router with
> the same IP address. If you want Box A to connect to Box B, /through/
> the router (rather than say, through a hub), then you must either
> separate the subnets or bridge the two interfaces.
> 
> Secondly, each of your internal boxes must use the same subnet as the
> interface they connect to. For example, according to your diagram, Box C
> has an address of 192.168.0.2, and is attempting to connect to
> 21.21.21.9. Unless your netmask (usually 255.255.255.0) is 0.0.0.0, Box
> C will not be connecting to your router by design.
> 
> Third, a loopback interface is not a physical interface, it is a virtual
> one and is set to 127.0.0.1 (as I recall the entire 127.0.0.0/8 network
> is reserved for it). Your box cannot function as a "loopback interface."
> 
> Now as to your goals - can I ask what exactly you are trying to do? In
> order to separate each of these boxes, I'll redo your diagram for you:
> 
>                                                                      ------------
>                                         -----------------------------|  Box D   |
>                               172.16.6.10   |      192.168.0.1/24    |          |
>          Mgmt Port<---------------------|   |                        ------------
>                                         |   | 192.168.0.1      192.168.0.2
>                                    Eth0 |   | Eth1 (for internal network)
>  ------------                        ------------                        ------------
>  |  Box A   |________________________|  Box B   |________________________|  Box C   |
>  |          |                    Eth2|          | Eth3                   |          |
>  ------------     10.1.1.0/24        ------------       21.21.21.0/24    ------------
>   10.1.1.1                       10.1.1.1     21.21.21.1                  21.21.21.2
> 
> This will allow your boxes (given the correct routing tables on your
> router) to actually communicate with the router. You can then use
> iptables to decide which packets can go where. For (a partial) example:
> 
> $IPT -P FORWARD DROP
> $IPT -A FORWARD -i eth2 -o eth3 -j ACCEPT
> $IPT -A FORWARD -i eth3 -o eth2 -j ACCEPT
> $IPT -A FORWARD -i eth0 -j ACCEPT
> $IPT -A FORWARD -o eth0 -j ACCEPT
> 
> So what you are doing here is accepting packets that are coming [i]nto
> eth2 and going [o]ut eth3, into eth3 and out eth2, and anything destined
> to go in or out eth0 (determined by your routing tables) will be
> allowed. 
> 
> You could (and should) use iptables to ensure that the appropriate IPs
> are going out the appropriate interfaces, in addition to the proper
> ports, but there's a bunch of neat guides on www.netfilter.org you
> should look at before doing too much on your own. You should also
> consider learning a lot more about networking.
> 
> Hope that helps, and if I missed anything here someone will point it out
> (that's my money-back guarantee).
> 
> Derick Anderson
> 
> 
> -----Original Message-----
> From: netfilter-bounces at lists.netfilter.org
> [mailto:netfilter-bounces at lists.netfilter.org] On Behalf Of Dave Johnson
> Sent: Thursday, August 04, 2005 12:12 PM
> To: netfilter at lists.netfilter.org
> Subject: Help needed for a box with 4 Ethernet Interfaces
> 
> Hi All:
> I need help to setup my box with some complicated configuration.
> 
> I have a box with 4 Ethernet Interfaces:
> 
> Eth0: 172.16.6.10
> Eth1: 192.168.0.1/24
> Eth2: 10.1.1.0/24      ------> Connected to a box A with an IP address of 192.168.0.2
> Eth2: 21.21.21.9/24    ------> Connected to a box C with an IP address of 192.168.0.1 (which is
> the same as the IP address of Eth1)
> 
> Loopback Interface: 192.168.0.3
> 
>                                                                      ------------
>                                         -----------------------------|  Box D   |
>                               172.16.6.10   |                        |          |
>          Mgmt Port<---------------------|   |                        ------------
>                                         |   | 192.168.0.1      192.168.0.2
>                                    Eth0 |   | Eth1 (for internal network)
>  ------------                        ------------                        ------------
>  |  Box A   |________________________|  Box B   |________________________|  Box C   |
>  |          |                    Eth2|          | Eth3                   |          |
>  ------------     10.1.1.0/24        ------------       21.21.21.9/24    ------------
>   192.168.0.1                         192.168.0.3                        192.168.0.2
> 
> Here is what I want to do:
> Packets from Eth2 should only go to Eth3 except the ones destined to
> Eth0's IP.
> Packets from Eth3 should only go to Eth2 except the ones destined to
> Eth0's IP.
> Local packets destined for Eth1's ip and its subnet should be forwarded
> via Eth1 only.
> Packets from Eth1 can only be directed to Eth0. 
> 
> This will allow me to ping Box A (192.168.0.1) from Box C (192.168.0.2)
> without getting a response from Box B who has local interface with
> address 192.168.0.1.
> 
> Basically I want to isolate interfaces in 2 groups:
> One with Eth0, Eth2 and Eth3
> Second with Eth0 and Eth1.
> 
> I tried IPtables and multiple routing tables but it did not work. I
> think I need some directions as to how would this even be possible.
> 
> Thanks
> 
> Dave.
> 
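As an added illustration (not code from either post), here is a small Python model of the FORWARD chain Derick sketched, evaluated with iptables' first-match semantics, which also shows why a packet addressed to one of Box B's own IPs never reaches FORWARD at all. The outgoing interface is passed in by hand because the route lookup is outside the model, and the sample packets are constructed.

```python
# Added example (not from either post): a first-match model of the FORWARD chain
# Derick sketched, plus the INPUT/FORWARD split that explains Dave's ping result.
from ipaddress import ip_address

# Box B's own addresses as given in the thread (Eth0 and Eth1).
ROUTER_ADDRS = {"eth0": ip_address("172.16.6.10"), "eth1": ip_address("192.168.0.1")}

# (in_iface or None, out_iface or None, target), in order; None matches any interface.
FORWARD_RULES = [
    ("eth2", "eth3", "ACCEPT"),
    ("eth3", "eth2", "ACCEPT"),
    ("eth0", None, "ACCEPT"),   # anything arriving on eth0
    (None, "eth0", "ACCEPT"),   # anything routed out eth0
]
FORWARD_POLICY = "DROP"          # eth1 <-> eth2/eth3 falls through to this

def iptables_commands(ipt="$IPT"):
    """Render the model as iptables command lines, one rule per line."""
    lines = [f"{ipt} -P FORWARD {FORWARD_POLICY}"]
    for in_if, out_if, target in FORWARD_RULES:
        parts = [ipt, "-A", "FORWARD"]
        if in_if:
            parts += ["-i", in_if]
        if out_if:
            parts += ["-o", out_if]
        lines.append(" ".join(parts + ["-j", target]))
    return lines

def classify(dst, in_if, out_if):
    """Return (chain, verdict) for a packet arriving on in_if.

    out_if is what the routing table would choose; the route lookup is outside
    this model, so callers pass it in (the sample packets below are constructed).
    A packet addressed to one of Box B's own IPs is delivered locally via INPUT
    and never consults FORWARD, so no FORWARD rule can stop Box B answering a
    ping to 192.168.0.1 while Eth1 holds that address.
    """
    if ip_address(dst) in ROUTER_ADDRS.values():
        return ("INPUT", "LOCAL")
    for rule_in, rule_out, target in FORWARD_RULES:
        if rule_in in (None, in_if) and rule_out in (None, out_if):
            return ("FORWARD", target)
    return ("FORWARD", FORWARD_POLICY)

if __name__ == "__main__":
    print("\n".join(iptables_commands()))
    print(classify("21.21.21.2", "eth2", "eth3"))   # Eth2 -> Eth3: FORWARD ACCEPT
    print(classify("10.1.1.20", "eth1", "eth2"))    # Eth1 -> Eth2: FORWARD DROP
    print(classify("192.168.0.1", "eth3", "eth2"))  # Dave's ping: INPUT, never FORWARD
```

Note that the explicit default DROP already gives Dave's "Eth1 may only reach Eth0" requirement, since the only rule matching traffic from eth1 is the `-o eth0` one; the 192.168.0.1 ping, however, is decided by addressing, not by any of these rules.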
