[olug] iptables behind router

Daniel Linder dan at linder.org
Tue Sep 14 16:43:01 UTC 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


<quote who="William E. Kempf">
> On Tue, September 14, 2004 10:36 am, John Dickson said:
>> Hey, I have an idea. Multihome the single nic on COMP A with more than
>> one network/subnet. One IP from your Wireless router network and another
>> IP from a different network common to the other boxes. And so on.....
>
> I'm not familiar with "multihome"ing, and Google Searching isn't being
> overly helpful at the moment.  Several hits, but to nothing that's helping
> me relate this concept to the problem at hand.

"Multi-homing" is the act of connecting a single computer into two or more
different networks.  You can do this with multiple NICs, or you can assign
multiple IP addresses to the same NIC.  Linux lets you put multiple IP
addresses on the same NIC so you can do things like routing with only a
single card.

In this case, you could setup your Linux box with two IP addresses on the
same card but in different subnets.  For example, if your Linksys/DLink
router has an internal address of 192.168.0.1 with a /24 (255.255.255.0)
netmask, then you could configure your Linux box as such:

# primary address, on the router's subnet
ifconfig eth0   192.168.0.2 netmask 255.255.255.0
# alias address on the same card, in the new subnet for the test boxes
ifconfig eth0:0 192.168.1.1 netmask 255.255.255.0
# anything not on those two subnets goes to the router
ip route add default via 192.168.0.1

You will then have to setup your test workstations with a 192.168.1.X
network address and set their default gateway as 192.168.1.1.

This way you can have machines that are logically behind the Linux box,
but are still plugged into the same physical hub as everything else (save
the cost of a hub/switch).

If the Linux box breaks, just have the clients use DHCP and get an
address from your router and they should start working again. :)

>> All of your port forwarding and DMZing is limited in the wireless
>> device. Not so in your Linux box. Let it flow (confined to only the
>> services you expect to traffic) to the tux box and control services
>> direction from there.......
>
> That's precisely what I'm trying to do (though I set the Tux box as a DMZ,
> so as not to have to deal with forwarding specific ports... why have to
> configure things in two places?).  What I don't understand is how
> "multihome"ing will help me here.

I think the problem started when you said the "router" was limited to only
having a single DMZ IP address and only a limited number of ports to
forward -- mine has that same problem (limited to five pre-defined ports
such as http, https, smtp, and telnet !!!).

What needs to be done in your case is to actually swap the Linux box and
the router so that Linux can do the bulk of the work, and let the router
just handle the wireless stuff.  Since you are new to TCP/IP networking,
the most stable solution for you while in the learning phase is to leave
the router alone and just setup a multi-homed Linux box and logically move
your test workstation(s) to that second network.  [Note: If you're like
me, your wife's computer will just use the DHCP from the router and go
straight out there bypassing the Linux system -- just in case it goes down
during testing!  This way you always have a system that can get back out
to the Internet to search for solutions or ask the OLUG for more input. :)
]

If it helps to understand the routing a bit more, you might want to
purchase an inexpensive 4-port switch/hub and a second NIC for the Linux
box.  Then you can setup your own network behind the Linux box and don't
have to worry about the router or getting over the logical/physical
disconnect.

Is this any clearer now or did I just muddy the waters?

Dan

- - - - -
"I do not fear computers,
I fear the lack of them."
 -- Isaac Asimov

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFBRx+VNiBNyqUzGb8RAqvEAJ9E6Bx+ToKSatk+MRW4pfGYO2VwVwCePNYz
KiJsgAcRrHwCNgQPXhgGbpo=
=NqL5
-----END PGP SIGNATURE-----
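The multi-homed setup Dan describes above, carried through to the iptables side that the thread subject is about, as an added example that is not from the original post or from anyone in the thread. It assumes the interface name and addresses from Dan's example (eth0, router at 192.168.0.1, Linux box at 192.168.0.2 and 192.168.1.1, test boxes in 192.168.1.0/24); the router is assumed to DMZ the Linux box, so anything from the Internet lands on it with its real source address. Since the router has no route back to 192.168.1.0/24, the test subnet is masqueraded behind 192.168.0.2. The ruleset is printed in iptables-restore format so it can be read before it is loaded; the live system is only changed when the script is run as root with `apply`.

```shell
#!/bin/sh
# Added example (not code from the original post): multi-home eth0 and let
# iptables forward and masquerade the test subnet through the router.
# All names and addresses below are assumptions taken from the post.
WAN_IF=eth0                  # the single physical NIC
ROUTER=192.168.0.1           # wireless router's inside address
BOX_OUTER=192.168.0.2        # this box on the router's subnet (DMZ target)
BOX_INNER=192.168.1.1        # this box on the test subnet, gateway for test boxes
INNER_NET=192.168.1.0/24     # test workstations
OUTER_NET=192.168.0.0/24     # everything else on the hub, incl. the router

# Primary address plus an alias in the second subnet on the same card,
# default route to the router, and forwarding enabled between the two.
configure_addresses() {
    ip addr add "$BOX_OUTER/24" dev "$WAN_IF"
    ip addr add "$BOX_INNER/24" dev "$WAN_IF" label "$WAN_IF:0"
    ip route replace default via "$ROUTER" dev "$WAN_IF"
    sysctl -w net.ipv4.ip_forward=1
}

# Ruleset in iptables-restore format, printed rather than applied.
# nat:    the router cannot route back to $INNER_NET, so outbound traffic
#         from the test boxes is masqueraded behind $BOX_OUTER.
# INPUT:  default DROP. Test boxes may reach this box; the rest of the hub
#         gets ssh only; DMZ'd Internet traffic is dropped unless opened.
# FORWARD: default DROP. Test subnet may open connections outward (in and
#         out on the same NIC); only replies come back; drops are logged.
firewall_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $INNER_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $INNER_NET -j ACCEPT
-A INPUT -s $OUTER_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "in-drop: "
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -o $WAN_IF -s $INNER_NET -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fwd-drop: "
COMMIT
EOF
}

# Hand the ruleset to the kernel; iptables-restore replaces what is loaded.
apply_firewall() {
    firewall_rules | iptables-restore
}

# Only touch the live system when explicitly asked (needs root):
#   sh multihome-fw.sh apply
# Without an argument the script just defines the functions above.
if [ "${1:-}" = "apply" ]; then
    configure_addresses
    apply_firewall
fi
```

One caveat worth keeping in mind with this layout: the separation between 192.168.1.0/24 and the rest of the hub is logical only. The test boxes share the wire with the router, so a test box that re-addresses itself into 192.168.0.0/24 talks to the router directly and never passes these rules. That is fine for the learning setup Dan suggests; it is not isolation, which is what the second NIC and switch he mentions at the end would give you.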
