Linux - Networking
I have a Debian box I want to turn into a gateway for my office network with NICs being eth0 (Internet, 68.37.2.55, subnet 255.255.255.224), eth1 (office, 192.168.0.1/16) and eth2 (wifi, 192.168.1.1/16). I've been doing a lot of research recently to learn everything necessary to get this setup working, but there is one thing that still has me a bit confused. I want to set a static routing table that will allow outbound traffic from eth1 and eth2 to reach the web, but I don't want traffic to be able to travel from eth2 to eth1 or vice versa (in other words, I want them to be completely separate networks). I already know what iptables rules I plan on using, I'm just not sure how to set up the routing table. If anyone could give me some advice, that would be great.
The routing table can't help you, because routing doesn't deal with the source address or the source interface. Only iptables does this job.
Then your Ethernet and Wi-Fi should have /24 masks, because a /16 mask describes a subnet with two floating bytes (192.168.x.x). 192.168.0.1/16 and 192.168.1.1/16 are the same subnet.
All packets to the Internet must be routed with the default route setting, because they all have different addresses.
Then you need to make the routing:
route add -net 192.168.0.0/24 dev eth1
route add -net 192.168.1.0/24 dev eth2
route add default dev eth0
And the iptables settings:
iptables -A FORWARD -i eth1 -o eth2 -j REJECT
iptables -A FORWARD -i eth2 -o eth1 -j REJECT
Thanks for your help, that clarifies a lot for me. I have a quick question about those two iptables lines. Are they designed to make sure that traffic from wireless can't go into the office, and vice versa, and if so, would it be better to drop the packets instead of reject?
When you REJECT a packet, the firewall sends an ICMP packet to the sender. On the outer network this can give useful information to a hacker scanning your network, which is why it's not used there. But on the inner network it will prevent some applications from generating "junk" traffic.