I have a Debian box I want to turn into a gateway for my office network with NICs being eth0 (Internet, 68.37.2.55, subnet 255.255.255.224) eth1 (office, 192.168.0.1/16) and eth2 (wifi, 192.168.1.1/16). I've been doing a lot of research recently to learn everything necessary to get this setup working, but there is one thing that still has me a bit confused. I want to set a static routing table that will allow outbound traffic from eth1 and eth2 to reach the web, but I don't want traffic to be able to travel from eth2 to eth1 or vise-versa (in other words, I want them to be completely separate networks). I already know what iptables rules I plan on using, I'm just not sure how to set up the routing table. If anyone could give me some advice, that would be great.


crashsystems

Routing table can't help you, becouse routing doesn't deal with source address and source interface. Only iptables do this job.
Then your ethernet and wi-fi should have a /24 masks, becouse /16 mask describes subnet with two floating bytes (192.168. ). 192.168.0.1/16 and 192.168.1.1/16 are the one subnet.
All packets to Internet must be routed with default address setting, becouse they all have different addresses.

Than you need make a routing:
route add 192.168.0.0/24 dev eth1
route add 192.168.1.0/24 dev eth2
route add default dev eth0

And iptables settings:
iptables -A FORWARD -i eth1 -o eth2 -j REJECT
iptables -A FORWARD -i eth2 -o eth1 -j REJECT

Thanks for your help, that clarifies a lot for me. I have a quick question about those two iptables lines. Are they designed to make sure that traffic from wireless can't go into the office, and vise-versa, and if so, would it be better to drop the packets instead of reject?

crashsystems

When you REJECT packet firewall sends an ICMP packet to sender. On outer network this can give a usefull information to a hacker scanning your network, that's why it's not used. But in inner network it will prevent some applications from generating a "junk" traffic.