[NTLUG:Discuss] Dual NIC Firewall - Problems with the external NIC
Chris J Albertson
alb at chrisalbertson.com
Tue Mar 25 09:36:05 CST 2003
Thanks for the help all. I'm set now.
*blush*
What I didn't know was that the route command by itself does a reverse lookup on
the IP address of the default gw. Since I set up the firewall without the
network connected to the external NIC, it couldn't do the reverse and just hung
for a while. Once I connected the external NIC, route returns information quickly.
I just assumed that things got screwed up if route didn't return info fairly quickly.
Thanks again for the help.
--
Chris Albertson
Owner - ChrisAlbertson.com (Actually, I rent, with an option to buy)
4783147098
Quoting Chris Cox <cjcox at acm.org>:
Chris J Albertson wrote:
...
>
> So here is the ultimate question. Can I even have a default gw when I have two
> NICs? Is that causing too much confusion? I'm adding the default route like
> this: (Forget about the IP address not being legal for now....)
> route add default gw 10.10.0.1
> I would think that if I add the default gw with that IP address, it would
> realize that it needs to go thru the external nic (eth1) to reach it and all
> will be fine.
>
> Any help you guys can provide would be most excellent!
> Thanks!
Just to make things clear, you should specify the device when doing your
routes (so things don't default to the wrong NIC).
There is nothing wrong with one or both interfaces having a default
gateway. In order to forward across the interfaces you'll want to make
sure you have ip_forwarding enabled.
sysctl -w net.ipv4.ip_forward=1
or
echo "1" >/proc/sys/net/ipv4/ip_forward
Since it is likely you are going to do some sort of NAT... you'll
need a nat/masquerading rule setup.
# route add default gw 10.10.0.1 dev eth1
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
(assumes that eth1 (10.10.0.1) is the way out to the internet
and that eth0 is the interior gateway)
This is overly generous since it allows everything, but a starting
point nonetheless.
This off the top of my head... I'm sure someone will correct
my mistakes if there are any.
If you want more help, you need to describe your desired network
in much greater detail (include addresses, masks, etc.).
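As an added example (not from either poster), a tighter version of the starting point sketched above: default-deny policies, forwarding limited to LAN-originated sessions and their replies, anti-spoofing on the external side, and the default route bound explicitly to the external interface. The interface names and the 10.10.0.1 gateway come from the thread; the 192.168.1.0/24 LAN range and the fw_rules function name are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the commands for a dual-NIC
# masquerading firewall so they can be reviewed before being applied.
INT_IF=eth0             # interior LAN side (as in the thread)
EXT_IF=eth1             # external side, toward the default gateway
GW=10.10.0.1            # default gateway from the thread
LAN_NET=192.168.1.0/24  # assumed interior network

fw_rules() {
    cat <<EOF
# Tip from the thread: 'route -n' lists routes without the reverse DNS
# lookup that makes plain 'route' hang while the external link is down.
sysctl -w net.ipv4.ip_forward=1
# Discard packets that arrive on an interface the routing table would not
# use to reach their source address (basic anti-spoofing).
sysctl -w net.ipv4.conf.all.rp_filter=1
# Bind the default route to the external NIC so it cannot land on $INT_IF.
route add default gw $GW dev $EXT_IF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INT_IF -s $LAN_NET -j ACCEPT
# Forward only sessions that start on the LAN, and replies coming back in.
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop anything from outside that claims a LAN source address.
iptables -A FORWARD -i $EXT_IF -s $LAN_NET -j DROP
# Masquerade only LAN sources, not everything that happens to leave $EXT_IF.
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
EOF
}
```

Review the output with `fw_rules`, then apply it as root with `fw_rules | sh`.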
https://ntlug.org/mailman/listinfo/discuss