> I'm doing something a little different this time. I have 1 routable IP
> and 2 private networks which I want to masquerade from behind the firewall,
> but keep separate from each other. The eth1 network works great, masquerades
> like it's supposed to, NAT's like it's supposed to. However, my eth2
> network can't ping past the firewall. I can ping the firewall but no
> traffic can make it outside. What I want are two masqueraded networks
> using the same routable IP on eth0, but unable to see each other. My
> interfaces are:
>
> eth0_IPADDR=64.113.44.66
> eth0_MASKLEN=24
> eth0_BROADCAST=+
> eth0_DEFAULT_GW=64.113.44.1
> eth0_IP_SPOOF=YES
> eth0_IP_KRNL_LOGMARTIANS=YES
> eth0_IP_SHARED_MEDIA=NO
> eth0_BRIDGE=NO
> eth0_PROXY_ARP=NO
> eth0_FAIRQ=NO
>
> eth1_IPADDR=192.168.1.1
> eth1_MASKLEN=24
> eth1_BROADCAST=+
> eth1_IP_SPOOF=YES
> eth1_IP_KRNL_LOGMARTIANS=YES
> eth1_IP_SHARED_MEDIA=NO
> eth1_BRIDGE=NO
> eth1_PROXY_ARP=NO
> eth1_FAIRQ=NO
>
> eth2_IPADDR=192.168.212.1
> eth2_MASKLEN=24
> eth2_BROADCAST=+
> eth2_IP_SPOOF=YES
> eth2_IP_KRNL_LOGMARTIANS=YES
> eth2_IP_SHARED_MEDIA=NO
> eth2_BRIDGE=NO
> eth2_PROXY_ARP=NO
> eth2_FAIRQ=NO
This all looks OK.
> My pertinent DMZ info is:
>
> # Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)
> DMZ_SWITCH=NAT
> DMZ_IF="eth2"
> DMZ_NET=192.168.212.0/24
>
> DMZ_SRC=64.113.44.66/32
>
> DMZ_EXT_ADDRS="$eth0_DEFAULT_GW $EXTERN_IP"
>
> DMZ_HIGH_TCP_CONNECT=NO
>
> DMZ_CLOSED_DEST="tcp_${DMZ_NET}_6000:6004 tcp_${DMZ_NET}_7100"
>
> DMZ_OPEN_DEST=" udp_${DMZ_NET}_domain
> tcp_${DMZ_NET}_domain
> icmp_${DMZ_NET}_:"
The DMZ stuff will not work in your configuration. You can't run a NAT
based DMZ with a single external IP, and it doesn't sound like you really
want a DMZ anyway. If you really want a DMZ, you'll need to use the
DMZ=PRIVATE switch, and change the other DMZ switches accordingly.
What I think you want, however, is simply another internal network. You
should be able to simply set:
INTERN_NET="192.168.1.0/24 192.168.212.0/24"
which should allow both internal networks to see the internet, while
preventing communications between the two internal nets. If you want to
allow specific (or all) traffic between the two internal networks, you'll
have to add appropriate rules to the /etc/ipchains.forward file.
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
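The reply says the two internal networks should be masqueraded but kept apart, with any exceptions added as rules in /etc/ipchains.forward. The following is an added example, not code from the thread or from the LEAF project, of what such rules could look like for the two networks quoted above (192.168.1.0/24 on eth1, 192.168.212.0/24 on eth2). It assumes that /etc/ipchains.forward is a shell fragment in which plain ipchains commands may be placed; that is an assumption about the LEAF layout, not something the thread states. The function names, the example service port and the dry-run variable IPCHAINS are the author's own inventions.

```shell
#!/bin/sh
# Added example (not from the original thread or LEAF): forward-chain rules
# for two masqueraded internal nets that are isolated from each other, plus
# one explicit, one-directional exception for a TCP service.
#
# Dry run by default: the rules are printed instead of applied.  On the
# firewall itself, run with IPCHAINS=ipchains to execute them.
IPCHAINS="${IPCHAINS:-echo ipchains}"

NET_A="192.168.1.0/24"      # eth1 network, taken from the thread
NET_B="192.168.212.0/24"    # eth2 network, taken from the thread

# Baseline policy, appended in order (ipchains is first-match):
#  1. anything crossing between the two internal nets is dropped AND logged
#     (-l), so attempts to reach the other net show up in the kernel log;
#  2. everything else from either net is masqueraded behind eth0's address.
baseline_rules() {
    $IPCHAINS -A forward -s "$NET_A" -d "$NET_B" -j DENY -l
    $IPCHAINS -A forward -s "$NET_B" -d "$NET_A" -j DENY -l
    $IPCHAINS -A forward -s "$NET_A" -j MASQ
    $IPCHAINS -A forward -s "$NET_B" -j MASQ
}

# allow_service CLIENT_NET SERVER_NET TCP_PORT
# Lets hosts on CLIENT_NET open TCP connections to TCP_PORT on SERVER_NET.
# Rules are inserted (-I) so they sit ahead of the baseline DENY rules.
# ipchains has no connection tracking for plain ACCEPT rules, so the return
# leg is permitted explicitly but restricted to packets without SYN (! -y):
# replies get through, yet the server net cannot open connections back.
allow_service() {
    # $1 = client net, $2 = server net, $3 = port (ipchains puts the port
    # directly after the address it belongs to)
    $IPCHAINS -I forward -p tcp -s "$1" -d "$2" "$3" -j ACCEPT
    $IPCHAINS -I forward -p tcp ! -y -s "$2" "$3" -d "$1" -j ACCEPT
}

# Hypothetical policy for this thread: the eth2 net may reach an SSH server
# on the eth1 net (port 22 is just an example service); nothing else crosses.
policy() {
    baseline_rules
    allow_service "$NET_B" "$NET_A" 22
}

policy
```

Run it as is to review the generated rule set; run `IPCHAINS=ipchains sh thisfile` on the router to apply it. The log flag on the two DENY rules is deliberate: a host on one private net probing the other will leave kernel log entries, which is the cheapest way to notice that the isolation is being tested.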
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html