
Thread: Semi-Complex routing and Ipchains

  1. #1

    Semi-Complex routing and Ipchains

    UnixA : Multi Homed
    eth0 222.x.x.x
    LinuxA Firewall (ipchains)
    eth0 222.x.x.x
    >>>>>>>>>>>>>>>>>>>>>.
    I need to get the traffic on UnixA eth1 to route to
    I added a static route on UnixA:
    route add
    That took ok so the info goes to the firewall.
    Now I need to add a route on the firewall so it is not forwarded out eth0 like all the other 192s but instead is sent to the router.
    Thanx, I know it's strange; you just have to trust I know what I'm doing (sometimes).

  2. #2

    Re: Semi-Complex routing and Ipchains

    Your question seems a little foggy, so I'm going to answer it as best as I can (though this may not be the exact answer to the question).

    I need to get the traffic on UnixA eth1 to route to
    Is UnixA also routing traffic between its networks? Is routerA multihomed? Do you want all traffic on the 192.168.100.x subnet to go through RouterA? If so, then make that the default gateway for all those boxes on that subnet.

    Traffic on UnixA--as long as the traffic is local to the 192.168.100.x subnet--should be automatically sent out eth1, directly to its destination. If all your boxes are on the same subnet (,, then your routing tables will not be consulted at all, unless the destination IP lies outside of that subnet. *

    * Subnets rely on ARP broadcasts for local address location. Only when ARP broadcasts fail to return a MAC address for a given IP will a computer then send packets to its default gateway. If you want packets for destinations other than the 192.168.100.x subnet to go through, then you will need to make that IP UnixA's default gateway.

    Now I need to add a route on the firewall so it is not forwarded out eth0 like all the other 192s but instead is sent to the router.
    Disable the external interface (eth0) if possible or disable IP forwarding (if it's enabled). Make the firewall's default gateway.

    I hope this helps a little bit. Like I said, it is a strange setup. Perhaps if you told us what you want to do in the end we can be of more help.

  3. #3

    Re: Semi-Complex routing and Ipchains

    It is rather complex.
    Here are some more explanations.
    UnixA is our app server. Its eth0 222 NIC serves data out to our remote sites all over the US. Its eth1 192 NIC serves data to our internal network, which is all 192.168.100.x.
    LinuxA is our firewall. eth0 222 NIC is the interface that eth1 192 forwards everything through to get out to the real world from inside our internal network.
    RouterA is part of a new VPN switchover we are doing. Out at location X there is another router like RouterA. They both connect to a main VPN server out in the world somewhere on a specific port. This port I forward through LinuxA directly to RouterA. OK, now I have explained it some more. From UnixA I need to ping, for instance, in LocationX. RouterA and the counterpart at location X know how to handle this. I need for UnixA to route this request to LinuxA and LinuxA to route this request to RouterA, since he is the only guy that can get to his counterpart at
    Does that help? I have the request from UnixA going to eth1 on LinuxA already, but I am afraid that LinuxA is masqing it out eth0 as it does with all other requests. I need for it to route everything from to unless it's on the LAN, in which case it should bother and route by default. Wow, this gets more complicated by the minute.
    TIA Guyz,

  4. #4

    Re: Semi-Complex routing and Ipchains

    Try this on UnixA. Update your local routing table as such:

    route add -net netmask gw metric 1
    This should send anything destined to the remote network to routerA (rather than sending it from UnixA to LinuxA then to routerA). I'm assuming that has a standard netmask. If not just adjust the above code.

    If LinuxA is the default gateway for your entire LAN, and everything destined for LocationX, not just traffic from UnixA, needs to go through your VPN box, then just add that route to LinuxA and set all your LAN boxes to use LinuxA as their default gateway. However, if you need to maintain static routing tables on a lot of boxes, you should look into setting up something like routed.

  5. #5

    Re: Semi-Complex routing and Ipchains

    This is almost too tricky to explain. I am dealing with 3 networks: 222.x.x.x, 192.168.100.x, and 192.168.x.x, and some complex VPN L2TP tunneling. I might have it figured out; if not I will repost here and let you all exercise the routing portion of your brains, as mine is toast.


  6. #6

    Re: Semi-Complex routing and Ipchains

    It shouldn't be that tricky if you have all your routing tables updated correctly with directions to each network/subnet. AFAIK, the entire thing is a routing issue and can be resolved without modifying your ipchains at all. As long as the two VPN boxes know how to route data to each other, the rest shouldn't be that hard to resolve.

    If you haven't already done so, I would draw a map of your network on a piece of paper and write out what entries need to be made in each router or host's routing table. Sit down at each router or host and make sure you can ping all parts of your network, or run traceroute.
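    The replies above (#2 on local-subnet delivery via ARP versus the default gateway, #4 on the static route, #6 on writing out each host's routing table) all come down to one lookup rule: longest prefix wins, a directly connected subnet is delivered by ARP, and anything without a more specific entry falls through to the default route, which on LinuxA is the masqueraded eth0 path. The following is an added example, not code from the thread or its posters; it models that lookup for the two hosts. Every address in it is constructed, because the thread's real addresses were not preserved: 203.0.113.0/24 stands in for the 222.x.x.x network, 192.168.200.0/24 for the LocationX subnet, and UnixA (.10), LinuxA (.1) and RouterA (.254) on 192.168.100.0/24 are assumed placements.

```python
"""Added example (not from the thread): a small model of the routing-table
lookup the replies describe, using constructed addresses.

  - 203.0.113.0/24   constructed stand-in for the thread's 222.x.x.x network
  - 192.168.100.0/24 the internal LAN, as in the thread
  - 192.168.200.0/24 constructed stand-in for the LocationX subnet
  - host addresses (LinuxA .1, RouterA .254, ISP gateway 203.0.113.1) are constructed
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    dest: IPv4Network
    gateway: Optional[IPv4Address]  # None = directly connected (resolved by ARP)
    iface: str
    metric: int = 0


def route(dest: str, iface: str, gw: Optional[str] = None, metric: int = 0) -> Route:
    """Build a Route from strings; 'default' is shorthand for 0.0.0.0/0."""
    net = ip_network("0.0.0.0/0" if dest == "default" else dest)
    return Route(net, ip_address(gw) if gw else None, iface, metric)


def lookup(table: list[Route], dst: str) -> Route:
    """Longest-prefix match; ties are broken by the lowest metric."""
    addr = ip_address(dst)
    matches = [r for r in table if addr in r.dest]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return min(matches, key=lambda r: (-r.dest.prefixlen, r.metric))


def next_hop(table: list[Route], dst: str) -> tuple[str, str]:
    """Return (interface, address the frame is actually sent to).

    On a directly connected subnet the host ARPs for the destination itself;
    otherwise it ARPs for the gateway.  That is why a missing specific route
    silently hands traffic to the default gateway instead of failing.
    """
    r = lookup(table, dst)
    return r.iface, str(r.gateway if r.gateway is not None else ip_address(dst))


def as_route_add(r: Route) -> str:
    """Render a route in the net-tools 'route add' syntax used in the thread."""
    if r.gateway is None:
        return (f"route add -net {r.dest.network_address} "
                f"netmask {r.dest.netmask} dev {r.iface}")
    return (f"route add -net {r.dest.network_address} netmask {r.dest.netmask} "
            f"gw {r.gateway} metric {r.metric}")


# --- constructed routing tables ------------------------------------------
LOCATION_X = "192.168.200.0/24"   # constructed stand-in for the LocationX subnet
ROUTER_A = "192.168.100.254"      # constructed address for RouterA on the LAN
LINUX_A_LAN = "192.168.100.1"     # constructed address for LinuxA eth1


def base_table() -> list[Route]:
    """Connected networks plus the default route out the public interface."""
    return [
        route("203.0.113.0/24", "eth0"),             # connected: public side
        route("192.168.100.0/24", "eth1"),           # connected: LAN side
        route("default", "eth0", gw="203.0.113.1"),  # ISP gateway (constructed)
    ]


def linuxa_table(with_vpn_route: bool) -> list[Route]:
    """LinuxA before/after adding the route the firewall was missing."""
    table = base_table()
    if with_vpn_route:
        table.append(route(LOCATION_X, "eth1", gw=ROUTER_A, metric=1))
    return table


def unixa_table(direct_to_router: bool) -> list[Route]:
    """UnixA sending LocationX traffic via LinuxA, or straight to RouterA (#4)."""
    table = base_table()
    gw = ROUTER_A if direct_to_router else LINUX_A_LAN
    table.append(route(LOCATION_X, "eth1", gw=gw, metric=1))
    return table


if __name__ == "__main__":
    remote = "192.168.200.5"  # constructed host at LocationX
    for name, tbl in [("LinuxA, no VPN route", linuxa_table(False)),
                      ("LinuxA, with VPN route", linuxa_table(True)),
                      ("UnixA via LinuxA", unixa_table(False)),
                      ("UnixA direct to RouterA", unixa_table(True))]:
        print(f"{name:26s} {remote} -> {next_hop(tbl, remote)}")
    print(as_route_add(lookup(linuxa_table(True), remote)))
```

    Running it shows the failure mode from post #3: with no LocationX entry, LinuxA matches only the default route and sends the packet out eth0 to the ISP gateway, where the existing ipchains masquerading applies; once the /24 via RouterA is present it wins on prefix length and the packet goes out eth1 to RouterA. The same table walk, done on paper for each host as post #6 suggests, is the check to make before touching the firewall rules.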

  7. #7

    Re: Semi-Complex routing and Ipchains

    We had a pretty pi__poor drawing. Redoing that now. Also, one thing that complicates things a bit is there are going to be more than 100 nodes on the VPN, all with different subnets, so I want to let the VPN routers do the bulk of the work. I am not doing a good job of explaining this. I can't work on it at the moment because now upper management has a bigger problem they want fixed. I need to start a new thread.
    Thanx for the help so far all.

  8. #8

    Re: Semi-Complex routing and Ipchains

    If your routed network is that complex, I would look into setting up something like RIP on all your routers. This way you don't have to maintain static routes across multiple routers for a ton of subnets.

  9. #9

    Re: Semi-Complex routing and Ipchains

    I've been following this thread and have found it to be pretty interesting. I also think that implementing some kind of routing protocol like RIP/RIPv2 might be the answer here simply because, as tolstoy stated, maintaining static routes across multiple routers/subnets can prove to be cumbersome. Using RIP does have some limitations, like slow convergence and a network diameter that's limited to 15 hops but for your particular case these are probably not going to be issues.

  10. #10

    Re: Semi-Complex routing and Ipchains

    Well, I added a 192.168 static route to and everything works. I guess it wasn't so complex.
    It just wasn't working before because the provider needed to do some things with their access list.
    Thanx for all the help fellas
