Thanks Charles, worked like a charm.  However, I don't see *how* it
works. This notation suggests to me that all internal traffic is going
over eth1, but I know it's not, because I have them physically separated
on different switches.

INTERN_IF="eth1"
INTERN_NET="192.168.1.0/24 192.168.212.0/24"
INTERN_IP=192.168.1.1

Is it smart enough to know, from the presence of the second network in
INTERN_NET, that it is assigned to eth2, and to use the address assigned
to that interface as the gateway?

Anyway, I knew in the back of my head I couldn't do it with one routable
IP, but I thought I'd use the 'hit it with a hammer until it works'
approach.

-Scott

Charles Steinkuehler said:
>> I'm doing something a little different this time.  I have 1 routable
>> IP and 2 private networks which I want to masquerade from behind the
>> firewall, but keep separate from each other.  The eth1 network works great,
>> masquerades like it's supposed to, NAT's like it's supposed to.
>> However, my eth2 network can't ping past the firewall.  I can ping the
>> firewall but no traffic can make it outside.  What I want are two
>> masqueraded networks using the same routable IP on eth0, but unable to
>> see each other.  My interfaces are:
>>
>> eth0_IPADDR=64.113.44.66
>> eth0_MASKLEN=24
>> eth0_BROADCAST=+
>> eth0_DEFAULT_GW=64.113.44.1
>> eth0_IP_SPOOF=YES
>> eth0_IP_KRNL_LOGMARTIANS=YES
>> eth0_IP_SHARED_MEDIA=NO
>> eth0_BRIDGE=NO
>> eth0_PROXY_ARP=NO
>> eth0_FAIRQ=NO
>>
>> eth1_IPADDR=192.168.1.1
>> eth1_MASKLEN=24
>> eth1_BROADCAST=+
>> eth1_IP_SPOOF=YES
>> eth1_IP_KRNL_LOGMARTIANS=YES
>> eth1_IP_SHARED_MEDIA=NO
>> eth1_BRIDGE=NO
>> eth1_PROXY_ARP=NO
>> eth1_FAIRQ=NO
>>
>> eth2_IPADDR=192.168.212.1
>> eth2_MASKLEN=24
>> eth2_BROADCAST=+
>> eth2_IP_SPOOF=YES
>> eth2_IP_KRNL_LOGMARTIANS=YES
>> eth2_IP_SHARED_MEDIA=NO
>> eth2_BRIDGE=NO
>> eth2_PROXY_ARP=NO
>> eth2_FAIRQ=NO
>
> This all looks OK.
>
>> My pertinent DMZ info is:
>>
>> # Whether you want a DMZ or not (YES, PROXY, NAT, PRIVATE, NO)
>> DMZ_SWITCH=NAT
>> DMZ_IF="eth2"
>> DMZ_NET=192.168.212.0/24
>>
>> DMZ_SRC=64.113.44.66/32
>>
>> DMZ_EXT_ADDRS="$eth0_DEFAULT_GW $EXTERN_IP"
>>
>> DMZ_HIGH_TCP_CONNECT=NO
>>
>> DMZ_CLOSED_DEST="tcp_${DMZ_NET}_6000:6004 tcp_${DMZ_NET}_7100"
>>
>> DMZ_OPEN_DEST=" udp_${DMZ_NET}_domain
>>                 tcp_${DMZ_NET}_domain
>>                 icmp_${DMZ_NET}_:"
>
> The DMZ stuff will not work in your configuration.  You can't run a NAT
> based DMZ with a single external IP, and it doesn't sound like you
> really want a DMZ anyway.  If you really want a DMZ, you'll need to use
> the DMZ=PRIVATE switch, and change the other DMZ switches accordingly.
>
> What I think you want, however, is simply another internal network. You
> should be able to simply set:
>
> INTERN_NET="192.168.1.0/24 192.168.212.0/24"
>
> which should allow both internal networks to see the internet, while
> preventing communications between the two internal nets.  If you want
> to allow specific (or all) traffic between the two internal networks,
> you'll have to add appropriate rules to the /etc/ipchains.forward file.
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
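The INTERN_NET setting Charles suggests is just a list of prefixes, so Scott's question about how the second net ends up on eth2 is a fair one. The script below is an added example (not part of this thread and not LEAF's own firewall code) that makes two things explicit: which interface each INTERN_NET prefix actually lives on, by matching it against the quoted ethN_IPADDR/ethN_MASKLEN settings, and the ipchains forward rules that masquerade both nets out eth0 while denying traffic between them. The interface values come from the thread; the helper names are hypothetical, and the script only prints the ipchains commands rather than running them.

```shell
#!/bin/sh
# Constructed from the interface settings quoted in the thread.
eth0_IPADDR=64.113.44.66;  eth0_MASKLEN=24
eth1_IPADDR=192.168.1.1;   eth1_MASKLEN=24
eth2_IPADDR=192.168.212.1; eth2_MASKLEN=24
EXTERN_IF=eth0
INTERN_NET="192.168.1.0/24 192.168.212.0/24"

# ip_to_int: dotted-quad -> unsigned 32-bit integer (192.168.1.1 -> 3232235777)
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# net_mask: prefix length -> 32-bit netmask as an integer (24 -> 0xffffff00)
net_mask() { echo $(( (0xffffffff << (32 - $1)) & 0xffffffff )); }

# iface_for_net: print the internal interface whose address lies inside the
# given prefix; prints nothing when no interface matches. (hypothetical helper)
iface_for_net() {
  net=${1%/*}; len=${1#*/}
  mask=$(net_mask "$len")
  want=$(( $(ip_to_int "$net") & mask ))
  for i in eth1 eth2; do
    eval addr=\$${i}_IPADDR
    [ -n "$addr" ] || continue
    if [ $(( $(ip_to_int "$addr") & mask )) -eq "$want" ]; then
      echo "$i"; return 0
    fi
  done
  return 0
}

# forward_rules: emit the forward-chain rules. ipchains takes the first matching
# rule, so the inter-net DENY rules (logged) must precede the MASQ rules; -i in
# the forward chain names the interface the packet leaves on.
forward_rules() {
  for src in $INTERN_NET; do
    for dst in $INTERN_NET; do
      [ "$src" = "$dst" ] || echo "ipchains -A forward -s $src -d $dst -j DENY -l"
    done
  done
  for src in $INTERN_NET; do
    echo "ipchains -A forward -s $src -i $EXTERN_IF -j MASQ"
  done
}

for n in $INTERN_NET; do echo "# $n is on $(iface_for_net "$n")"; done
forward_rules
```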


------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
