Hello,

I have:

- One server on Debian sarge:

• eth0 (inet adr:193.xx.yy.160 Bcast:193.xx.yy.255 Masque:255.255.255.0) link to internet.
• eth1 (inet adr:193.xx.yy.161 Bcast:193.xx.yy.255 Masque:255.255.255.0) link to local

- Client #1 (Debian sarge):

• eth0 (inet adr:193.xx.yy.10 Bcast:193.xx.yy.255 Masque:255.255.255.0) link to local with gateway: 193.xx.yy.161

- Client #2 (Debian sarge):

• eth0 (inet adr:193.xx.yy.11 Bcast:193.xx.yy.255 Masque:255.255.255.0) link to local with gateway: 193.xx.yy.161

I want to internet ping be possible on 193.xx.yy.10 or 193.xx.yy.11.
packet way:
Internet > server(eth0) > server(eth1) > client#1(eth0)
client#1(eth0) > server(eth1) > server(eth0) > Internet
and
Internet > server(eth0) > server(eth1) > client#1(eth0)
client#1(eth0) > server(eth1) > server(eth0) > Internet

I test to put an IP aliasing on the server (ifconfig eth0:0 193.xx.yy.10 and ifconfig eth0:1 193.xx.yy.11)
After I launch iptable with:
But, nothing work. Someone have an idea ?

Hello

First, I'd like to mention the fact that all your machines are one the same network. Maybe it would be better if you changed your setup to something like this:

Server:
eth0 193.xx.yy.160
eth1 192.168.0.10

Client #1:
eth0 192.168.0.101

Client #2:
eth0 192.168.0.102

This setup would better seperate the LAN (192.168.0.xxx) from the external network (193.xx.yy.zzz).

After that (or if you decide to keep the current setup) you'll need to modify the server's routing table so it knows where to forward requests that are going to the internet:
And finally make sure IP Forwarding is enabled to allow the server to pass packets between the two different networks:
This should get things going

I would STRONGLY recommend reading some HOW-TO on setting up a router/firewall machine.
Check here: http://www.linuxquestions.org/linux/...g/Linux_Router
and google around... happy hunting

I don't want to have private adress like 192.168.*
Because its work perfectly with private adress, but I want to use public adress.
And its here the problem

To route between these then you need to put them onto two networks. This can be achieved using private addressing as Notwerk suggested, or by subnetting the network range.

Do you really have an entire class C (/24) network allocated to you, as you subnet mask suggests? All 254 host addresses available? It sounds a bit wasteful, it would be hard to get a full class C if you are only using a handful of machines, unless there is a good justification of future growth.

If you do have the full class C network then you could split this into 2 subnets using /25 addresssing (or smaller if you want to add additional networks in future).

You would change the subnet masks to 255.255.255.128, and then the eth1 address of the server would need to be changed to be lower than 127, to be in the same subnet as the two clients.

and if you want to keep these public adress in your lan, you need to configure a dns as well in your lan. cuz otherwise, you wont ever find your machine's IP.
most likely you are using ur ISP's DNS servers and he points to ppl who registered those IPs.
newayz, makes no sense to use public IPs in a private LAN...

and by configuring internally a dns server to point to your own 193.x.y.z whatever machines, you wont ever be able to go to those sites on the internet. simple logic

I have the entire class (254 hosts adresse), and I don't have only 2 clients, but a lot (~180).
The problem is the routing trough the server.

Could you bridge the two networks?

Thanks, I will test tomorow

I have test a bridge:

On the server (bridge):

On a client:
inet adr:193.xx.yy.107 Bcast:193.xx.yy.255 Masque:255.255.255.0

193.xx.yy.161 reply on internet
But when I'm on internet, I can't ping 193.xx.yy.107 I will make a route table ? or other idea ?

Work well now !

Thanks for your help all

Hello,

Bridge is up, and work well !
you can see the infos here:

br0 Lien encap:Ethernet HWaddr 00:01:03:12: D1:EA
inet adr:193.xx.yy.161 Bcast:193.xx.yy.255 Masque:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

eth0 Lien encap:Ethernet HWaddr 00:E0:29:37:25:46
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1

eth1 Lien encap:Ethernet HWaddr 00:01:03:12: D1:EA
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1

Now I want to block internet ping on a local computer.
I have test with:
iptables -A FORWARD -p icmp -d 193.xx.yy.107 -j DROP

But ping are always possible on 193.xx.yy.107

Idea ?

The "bridged" packets don't pass through the FORWARD chain.

They are forwarded on the "ethernet" layer, not on the IP layer, so you cannot control them by iptables. You need one more "bridge tool" - ebtables

R.