LinuxQuestions.org
Old 10-26-2009, 09:33 AM   #1
mad_penguin
Member
 
Registered: Mar 2008
Posts: 69

Rep: Reputation: 15
iptables cross network


Hi!

I have a Linux machine as a router with eth0 (net), eth1 (lan_1: 192.168.2.0/24), eth2 (lan_2: 192.168.3.0/24). I have built iptables rules to allow access to the internet for the local networks (eth1, eth2). All hosts are filtered in iptables by MAC addresses. I have an issue with allowing a host in the eth2 network to access a file server on eth1. What can I do? I tried to use forward but I haven't succeeded, so it doesn't work. It's possible to access one network from another. I intend to use file sharing.

Please give me some suggestions.

Thanks a lot!
 
Old 10-26-2009, 10:04 AM   #2
DrLove73
Senior Member
 
Registered: Sep 2009
Location: Srbobran, Serbia
Distribution: CentOS 5.5 i386 & x86_64
Posts: 1,118
Blog Entries: 1

Rep: Reputation: 129
I think you just need ALLOW rules in both directions.

1. create a rule for ALLOW where -i is eth1 and -o is eth2, and next rule for other way around.
 
Old 10-26-2009, 12:07 PM   #3
mad_penguin
Member
 
Registered: Mar 2008
Posts: 69

Original Poster
Rep: Reputation: 15
allow not allowed

hi,

Might be a problem. I only wish to allow one network to "see" the other one (eth2 -> eth1, not the reverse). Is this possible?
 
Old 10-26-2009, 01:03 PM   #4
Erik_FL
Member
 
Registered: Sep 2005
Location: Boynton Beach, FL
Distribution: Slackware
Posts: 797

Rep: Reputation: 247
Quote:
Originally Posted by mad_penguin
hi,

Might be a problem. I only wish to allow one network to "see" the other one (eth2 -> eth1, not the reverse). Is this possible?
That depends on what you mean by "see". The simple answer is no. TCP and most applications that use UDP require communication in both directions to work. Blocking communication in one direction will usually prevent applications from communicating.

One thing that's easy to overlook when using a gateway is that you have to configure more than just the gateway. Suppose I have two computers, A and B on different networks with a gateway G connecting the networks.

In order for A to reach the network for B, I have to tell A that it should use gateway G. I have to add a route on the A computer for the network containing B. The same is true in the opposite direction. I have to tell B that there is a route to the network containing A.

If G happens to already be the default gateway for A and B then there's no problem. If G is not the default gateway then I have to add the routes on computers A and B and tell them to use gateway G to reach the other network.

Here is an example.

SWITCH-X<===>INTERNET-ROUTER-X
SWITCH-X<===>A
SWITCH-X<===>G

SWITCH-Y<===>INTERNET-ROUTER-Y
SWITCH-Y<===>B
SWITCH-Y<===>G

A Computer IP address 192.168.2.4 mask 255.255.255.0
Default gateway: 192.168.2.1

B Computer IP address 192.168.3.7 mask 255.255.255.0
Default gateway: 192.168.3.1

Gateway G IP address 192.168.2.5 and 192.168.3.3 mask 255.255.255.0

INTERNET-ROUTER-X IP address 192.168.2.1 mask 255.255.255.0

INTERNET-ROUTER-Y IP address 192.168.3.1 mask 255.255.255.0

To allow A and B to communicate I have to allow gateway G to forward IP datagrams between 192.168.2.xxx and 192.168.3.xxx.

I have to add a route on computer A like this.
Destination: 192.168.3.0
Mask: 255.255.255.0
Gateway: 192.168.2.5
Interface: 192.168.2.4

I have to add a route on computer B like this.
Destination: 192.168.2.0
Mask: 255.255.255.0
Gateway: 192.168.3.3
Interface: 192.168.3.7

Notice that a gateway must always be on the same IP network as the computers that use it. I can't tell computer A to use gateway address 192.168.3.3 but I can and should tell computer A to use gateway address 192.168.2.5.

Since most people have access to the Internet, the default gateway is usually for routes to the Internet. It's difficult to add and maintain routing table entries for the networks on the Internet, so anything without any other specific route usually goes to the Internet.

In my example, I assumed that A and B were using a default gateway that is not the same as the route to the other LAN. It's more likely that one of the routes is a default route.

SWITCH-X<===>INTERNET-ROUTER-X
SWITCH-X<===>A
SWITCH-X<===>G

SWITCH-Y<===>B
SWITCH-Y<===>G


In this example, B's default gateway would be G (192.168.3.3) and it would not be necessary to add a route on computer B. The default route would work to reach computer A. I'm assuming that A and G are on the same LAN and that the "INTERNET-ROUTER-X" (192.168.2.1) is used to reach the Internet. I would still have to add a route on computer A, since its default route will not reach computer B's network.

If the INTERNET-ROUTER-X allowed me to add routes, I could add a route on the INTERNET-ROUTER-X instead of on computer A. That would result in one extra hop, since all of A's communication to B would go through the INTERNET-ROUTER-X in addition to gateway G.

INTERNET-ROUTER-X route to network containing B
Destination: 192.168.3.0
Mask: 255.255.255.0
Gateway: 192.168.2.5
Interface: 192.168.2.1

In fact I would have to add the above route anyway, in order for B to receive datagrams from the Internet.

It is better to add the most direct route on computer A and avoid the extra hop. Among other things, it allows A and B to communicate even when INTERNET-ROUTER-X isn't working.

No matter which way you look at it you have to add at least one route on something besides gateway G for A and B to communicate.

Last edited by Erik_FL; 10-26-2009 at 01:05 PM.
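The one-way access mad_penguin asked for in #3, written as an added example for the original poster's router (this is not code from the thread): the FORWARD chain accepts NEW connections only from eth2 toward the file server, and the eth1 -> eth2 direction carries nothing but the reply packets of sessions that lan_2 already opened, which is the two-way traffic Erik_FL notes TCP needs. The file server address 192.168.2.10 is an assumption; the thread does not give one.

```sh
#!/bin/sh
# Added example, not from the thread: rules for the poster's router
# (eth1 = lan_1 192.168.2.0/24, eth2 = lan_2 192.168.3.0/24) that let lan_2
# open file-sharing sessions to one server on lan_1 while lan_1 can never
# open a session toward lan_2. The reverse direction is accepted only for
# packets belonging to a connection lan_2 started (conntrack ESTABLISHED).
# Dry run by default (prints the commands); set IPT=iptables to apply as root.
IPT="${IPT:-echo iptables}"
LAN1_IF=eth1; LAN1_NET=192.168.2.0/24
LAN2_IF=eth2; LAN2_NET=192.168.3.0/24
FILESERVER=192.168.2.10        # assumed server address; not given in the thread

oneway_rules() {
    # Replies for sessions the router already tracks, whichever way they flow.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # lan_2 -> lan_1: only NEW SMB/CIFS sessions, only to the file server.
    $IPT -A FORWARD -i "$LAN2_IF" -o "$LAN1_IF" -s "$LAN2_NET" -d "$FILESERVER" \
        -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -j ACCEPT
    # Everything else between the two LANs is logged and dropped; note there is
    # no rule at all that lets a lan_1 host start a session into lan_2.
    $IPT -A FORWARD -i "$LAN1_IF" -o "$LAN2_IF" -j LOG --log-prefix "FWD-DROP lan1>lan2: "
    $IPT -A FORWARD -i "$LAN1_IF" -o "$LAN2_IF" -j DROP
    $IPT -A FORWARD -i "$LAN2_IF" -o "$LAN1_IF" -j LOG --log-prefix "FWD-DROP lan2>lan1: "
    $IPT -A FORWARD -i "$LAN2_IF" -o "$LAN1_IF" -j DROP
}

# The kernel must also be told to route between interfaces at all.
enable_forwarding() {
    ${SYSCTL:-echo sysctl} -w net.ipv4.ip_forward=1
}

oneway_rules
enable_forwarding
```

Append these after the existing rules that let the LANs reach eth0; the LOG lines make any blocked lan_1 -> lan_2 attempt visible in the kernel log.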
 
Old 10-26-2009, 01:15 PM   #5
Erik_FL
Member
 
Registered: Sep 2005
Location: Boynton Beach, FL
Distribution: Slackware
Posts: 797

Rep: Reputation: 247
Windows file sharing and SAMBA are a different subject so keep in mind that you must do other things for SAMBA or Windows file sharing to work across sub-networks. In particular the network browser will not "see" computers on other sub-networks and the name service will not be able to recognize names for computers on other networks. There are different ways to solve both of those problems. One can also type in the IP address of a computer on another sub-network in order to access it without using the network browser or computer name.

Only server computers (that share folders or printers) are ever "seen" in the computer browser. Computers that are merely clients are not seen. That's true even when all the computers are on the same sub-network.

The simplest way to use SAMBA across networks is to add the computer names to the "hosts" file, and then use shortcuts or type in the names of other computers instead of clicking on something in the network browser. I've never tried it, but in theory one should be able to configure SAMBA to allow "seeing" computers on other sub-networks.
 