Gateway problems

Cambrant · 11-04-2005, 09:27 PM

Hi, I've been trying to configure a computer as a gateway for my home network for a few days now, and I finally got most of it to work, except for one thing.

My setup is like this: The gateway box that I'm currently configuring is connected to my DSL modem with eth0 and its two other NICs (eth1 & eth2) are connected to two workstations which have both been configured to use my gateway for their internet access.

It all works great when any one of the workstations are connected to eth1. The gateway can reach the workstation and vice versa, and the workstations can reach the internet. However, All About ADHD as soon as I try to connect a workstation to eth2 I get "Destination Host Unreachable" when trying to ping the workstation from the gateway box.

From the messages I'm getting, it seems that the gateway box tries to reach both workstations (192.168.0.5 and 192.168.0.10) from eth1 which is set to IP 192.168.0.1. What I want to do is that when any contact to 192.168.0.5 is being made, the gateway should use eth1, and eth2 for 192.168.0.10. I hope this isn't confusing anyone.

Could this problem be solved by adding a few iptables rules? I'm not sure how to tell the computer to connect through both NICs when trying to connect to a workstation in my local network.

Any help would be really appreciated. I'm pulling my hair here.

debianmike · 11-04-2005, 11:00 PM

i suggest you set eth1 subnet to 192.168.0.x and eth2 to 192.168.1.x

if you have 2 nics on the same subnet, i don't know how it would route traffic back to the client machine having 2 paths to go down.

davonz · 11-04-2005, 11:38 PM

Hi,

I have never done it the way you are, and would do as mike suggests, having eth1 set to 192.168.1.1 and eth2 to 192.168.2.1 or similar.

But i think it might be possible to set up a route on the gateway machine, something like:

route add -net 192.168.1.1 netmask 255.255.255.0 dev eth1

route add -net 192.168.1.2 netmask 255.255.255.0 dev eth2

You shouldnt have to do to much in iptables, just have the NAT masquerading on eth0 as iptables should know what ethernet card the requests come from, and let both eth1 and eth2 make requests.

I would do my iptables something like below, just a basic setup:

#Remove all default rules
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

#Set default as DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#Forward everything from inside to outside
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -i eth2 -j ACCEPT

#let smtp and pop through from outside
iptables -A FORWARD -i eth0 -p tcp --sport 25 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --sport 110 -j ACCEPT

#HTTP
iptables -A FORWARD -i eth0 -p tcp --sport 80 -j ACCEPT

#Secure connect pages - https:
iptables -A FORWARD -i eth0 -p tcp --sport 443 -j ACCEPT

#DNS
iptables -A FORWARD -i eth0 -p udp --sport 53 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --sport 53 -j ACCEPT

#FTP
iptables -A FORWARD -i eth0 -p tcp --sport 20 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp --sport 21 -j ACCEPT

#Masquerade inside requests
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Anyways give that a go and let me know what happens.