> "Christian" == Christian Stüllenberg <[EMAIL PROTECTED]> writes:
> "Julian" == Julian Anastasov <[EMAIL PROTECTED]> writes:
Hello,
Christian> I've got a problem to set up a configuration that shoud
Christian> allow to route packets that come in over a certain
Christian> interface(s) IF1 that then should go out to another
Christian> interface IF2 but are addressed to the local address of
Christian> interface IF3. So only if packets for the address of
Christian> interface IF3 come in over interface IF3 they should be
Christian> locally accepted.
Julian> Yes, you have a big problem. Starting from kernels 2.4
Julian> and above the routing requires valid source IPs for output
Julian> routes. Even if you deliver locally the incoming traffic
Julian> your servers can not generate reply if the src IP is not
Julian> local IP. What I do not understand from your posts is
Julian> what is the main goal? Also, what means "..."? Please,
Julian> draw picture with all wires and all kinds of hardware
Julian> involved: hubs, routers, subnets.
Ok, let me give you some more details. It's even more complicated as
my original picture.
So the layout looks like:
I
N
T +---+
ISPB-ptp--CISCOa.b.c.1/30--a.b.c.2/30+...+a.b.c.62/28---GOOD
E | . |
| HOST +a.b.c.14/29---DMZ
R | |
| |
N ISPA-ptp--PPPOE--dynIP/32+.masq..+192.168.0.1/24---MASQ
+---+
E
T
No more hubs or switches envolved in the routing. All zones can only
"talk" to each other over HOST.
HOST has got several hardware interfaces. One to a zone called DMZ on
networkinterface IF0 with IP0 and Submask NM0. Another to a zone
called GOOD on IF1 with IP1/NM1. Then a zone called BAD on IF2 with
IP2/NM2. Additionally a zone MASQ on IF3 with IP3/NM3 and another
interface IF4. That's the hardware layout.
Zone GOOD, DMZ and BAD all have extern routeable IP-addresses. The
zone BAD is quite small and in it is also a CISCO with a ptp
connection to the ISP A. Zone MASQ is something of the form
192.168.0.0/24. At IF4 a pppoe-modem is attached so that over this
pppoe line a dynamic (extern routable) IP address IP4 is attached over
a ptp connection to the ISP B.
So, for the zones GOOD and DMZ the default gateway is a.b.c.1 and for
the zone MASQ the default gateway is the ptp-peer of the PPPOE
connection. Everything that goes out over the PPPOE connection gets
masqueraded.
So far so good.
If traffic from zone MASQ is addressed to one of the external internet
addresses of one of the zone GOOD or DMZ, then it will currently get
routed directly at HOST. It is intended, that this direct routing is
not done, but instead ALL traffic from zone MASQ becomes masqueraded
out over the dynamic PPP connection to the internet, comes back over
the CISCO line to HOST, then gets routed to the extern destination IP
(in zone GOOD or DMZ) and when the reply from there comes back again
to HOST, it should get routed over the CISCO internet connection and
then back over the dynamic PPP connection, demasqueraded, and at last
delivered to the original source in zone MASQ.
This works up to the point, where the reply comes back to HOST. Now
I'm not able to tell HOST, that this reply should again routed out
to the internet over the CISCO line and only demasqueraded if it comes
in over the PPP connection (btw. the demasquerading does also not
occur if the reply gets not routed; I assume, this is because the
masquerding tables are waiting for a packet that comes in over the PPP
connection and not on IF0 or IF1).
Regards,
Christian
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
