The Answer Gang 62: IP Forwarding
By Jim Dennis, Ben Okopnik, Dan Wilder, Breen Mullins, Mitchell Bruntel,
the Editors of Linux Gazette...
and You!
Send questions (or interesting answers) to
tag@lists.linuxgazette.net
IP Forwarding
From Cole Ragland
Answered By Mike Orr
I have a Slackware machine acting as a gateway/router between two
separate networks e.g. 172.29.17.0 and 10.10.3.0. This machine is
multihomed with eth0=172.29.17.19 and eth1=10.10.3.10. Packets from the
10.10.3 network cannot get past eth0. I've enabled ip forwarding e.g.
"echo 1 ip_forward" but I believe that is only for routing between
subnets. How can I route between two separate networks? I'm thinking
ip_chains, ipmasq, and routed (which I have to fire up manually -- if I
uncomment rc.inet2 lines, machine stalls at boot) but not sure. Thanks
for your help.
[Mike]
If your internal network had public IPs, you would need only IP forwarding.
However, 10.x.x.x IPs are reserved for private networks, and Internet
routers automatically reject them. So even if your request does go out,
there's no way for replies to get back to you. The trick is to use IP
Masquerading.
If you're using kernel 2.2.x, the minimal commands required in your startup
scripts are:
echo "1" > /proc/sys/net/ipv4/ip_forward
# Enable forwarding between eth0 and eth1.
/sbin/ipchains -P forward DENY
# Forbid all other types of forwarding.
/sbin/ipchains -A forward -s 10.0.0.0/8 -j MASQ
# Forward and masquerade requests from 10.x.x.x and handle replies back
This will handle ordinary TCP services. FTP, ping, irc, CuSeeme, Quake
also require additional modules in order to be masqueraded.
You can also build a more elaborate ipchains ruleset to customize security.
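A tighter variant of the ruleset above for the layout in the question, added here as an example rather than taken from the column: it masquerades only 10.10.3.0/24 (assumed to sit behind eth1, with eth0 facing the other network) and drops, with logging, anything arriving on eth0 that claims a 10.10.3.x source address. The function names and the --apply switch are my own.

```shell
#!/bin/sh
# Added example, not from the original column. Assumed layout: LAN
# 10.10.3.0/24 behind eth1, everything else reached through eth0, kernel
# 2.2 with ipchains. Meant for a fresh boot (no existing rules), like the
# startup-script snippet in the answer.

# Print the rules as shell commands without executing them, so the
# result can be inspected before it touches the firewall.
# Usage: masq_rules LAN_IF WAN_IF LAN_NET
masq_rules() {
    lan_if=$1
    wan_if=$2
    lan_net=$3
    # 1. turn on forwarding globally
    # 2. refuse to forward anything not explicitly allowed below
    # 3. anti-spoofing: a packet on the WAN side with a LAN source address
    #    is bogus; drop it and log it (-l) so it shows up in the kernel log
    # 4. masquerade only the LAN subnet as it leaves through the WAN
    #    interface (in the forward chain, -i is the outgoing interface);
    #    replies are de-masqueraded automatically on the way back
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/ipchains -P forward DENY
/sbin/ipchains -A input -i $wan_if -s $lan_net -j DENY -l
/sbin/ipchains -A forward -i $wan_if -s $lan_net -j MASQ
EOF
}

# Apply the rules (needs root and a 2.2 kernel with ipchains installed).
apply_masq_rules() {
    masq_rules "$@" | sh -e
}

# Running the script without arguments is a dry run; --apply installs.
if [ "${1:-}" = "--apply" ]; then
    apply_masq_rules eth1 eth0 10.10.3.0/24
else
    masq_rules eth1 eth0 10.10.3.0/24
fi
```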
A similar thread is in last month's The Answer Gang:
http://linuxgazette.net/issue61/lg_answer61.html#tag/5
This page edited and maintained by the Editors
of Linux Gazette
Copyright © 2001
Published in issue 62 of Linux Gazette February 2001