Originally Posted by mad_penguin
Might be a problem. I only wish to allow one network to "see" other one (eth2 -> eth1, not reverse ). Is this posible?
That depends on what you mean by "see". The simple answer is no. TCP and most applications that use UDP require communication in both directions to work. Blocking communication in one direction will usually prevent applications from communicating.
One thing that's easy to overlook when using a gateway is that you have to configure more than just the gateway. Suppose I have two computers, A and B on different networks with a gateway G connecting the networks.
In order for A to reach the network for B, I have to tell A that it should use gateway G. I have to add a route on the A computer for the network containing B. The same is true in the opposite direction. I have to tell B that there is a route to the network containing A.
If G happens to already be the default gateway for A and B then there's no problem. If G is not the default gateway then I have to add the routes on computers A and B and tell them to use gateway G to reach the other network.
Here is an example.
A Computer IP address 192.168.2.4 mask 255.255.255.0
Default gateway: 192.168.2.1
B Computer IP address 192.168.3.7 mask 255.255.255.0
Default gateway: 192.168.3.1
Gateway G IP address 192.168.2.5 and 192.168.3.3 mask 255.255.255.0
INTERNET-ROUTER-X IP address 192.168.2.1 mask 255.255.255.0
INTERNET-ROUTER-Y IP address 192.168.3.1 mask 255.255.255.0
To allow A and B to communicate I have to allow gateway G to forward IP datagrams between 192.168.2.xxx and 192.168.3.xxx.
I have to add a route on computer A like this.
I have to add a route on computer B like this.
Notice that a gateway must always be on the same IP network as the computers that use it. I can't tell computer A to use gateway address 192.168.3.3 but I can and should tell computer A to use gateway address 192.168.2.5.
Since most people have access the the Internet, the default gateway is usually for routes to the Internet. It's difficult to add and maintain routing table entries for the networks on the Internet, so anything without any other specific routes usually goes to the Internet.
In my example, I assumed that A and B were using a default gateway that is not the same as the route to the other LAN. It's more likely that one of the routes is a default route.
In this example, B's default gateway would be G (192.168.3.3) and it would not be necessary to add a route on computer B. The default route would work to reach computer A. I'm assuming that A and G are on the same LAN and that the "INTERNET-ROUTER-X" (192.168.2.1) is used to reach the Internet. I would still have to add a route on computer A, since its default route will not reach computer B's network.
If the INTERNET-ROUTER-X allowed me to add routes, I could add a route on the INTERNET-ROUTER-X instead of on computer A. That would result in one extra hop, since all of A's communication to B would go through the INTERNET-ROUTER-X in addition to gateway G.
INTERNET-ROUTER-X route to network containing B
In fact I would have to add the above route anyway, in order for B to receive datagrams from the Internet.
It is better to add the most direct route on computer A and avoid the extra hop. Among other things, it allows A and B to communicate even when INTERNET-ROUTER-X isn't working.
No matter which way you look at it you have to add at least one route on something besides gateway G for A and B to communicate.