Thread: 4NICs and Iptables

  1. #1

    4NICs and Iptables

    Please bear with me, this might take some explaining.

    At work we have two networks, one I have control over, the other I have little say in, save emergencies.

    Both these networks have a common router (which I have no control over) and infrastructure. A trust is being set up between the two domains, and I was amazed to find out that the traffic is being routed via the other side of the country.

    network A -->router --> various hops -->same router -->network B

    Normally I would have no problem with this, but the link often dies, and if people started to rely on it, an hour or two not being able to get to your docs seems a little harsh. Add to this the latency that we're getting (and the vastly increased logon times) and it just seems futile.

    The two different subnets have different filtering rules on the router, but I don't know whether they're filtered by interface or subnets (this is where the 4 NICs come in to it, hold on) and can't find out.

    I was thinking about the iptables I have running at home when I had an idea.

    So this is what I propose:
    one box, 4 NICs (one for internal, one for external, for each net)
    Iptables rules that will filter off everything for the other net and forward to it (or drop it if it would be dropped by the router), letting everything else slip seamlessly by.

    What I want to know:

    Is this feasible?

    How difficult would 4 NICs in one box be to set up?

    If I just let 3 ports through one way and none the other, would the statefulness of iptables let the reply connections through, or would I have to do all sorts of NATing and table rules?

    Is there an easier way of doing it?

    Why do I insist on biting off more than I can chew all the time?

    I hope that all makes sense.

  2. #2

    Re: 4NICs and Iptables

    Why not:

    Net A
    router - internet
    Net B

    3 NICs are sufficient. The setup of the n-th NIC is exactly the same as the setup of the first one - no additional difficulties (provided you've got enough slots).
    Assuming that all the servers are on the one side, and all the clients on the second, the statefulness is usually sufficient but there are exceptions (i.e. active FTP). Then, you need some kind of "proxy". Not sure about Samba - there could be problems with discovery, but don't quote me on this.

    Or maybe you wanted this?

    Net A
    new box == old router =*=*= whatever
    Net B

    Funny, but also easy.

  3. #3

    Re: 4NICs and Iptables

    I had thought of this, and it would be simpler, but I don't know whether the router filters the interface or the subnet. I have no control over it. If it goes by interface then 2 external NICs would be needed.
    I'm going to see if I can find out, but they may be reluctant to part with the info.

    I suppose I could mess with the patch cables to find out, but I don't want to get a slapped wrist, so I have to be careful. (That makes it sound like I'm doing something I shouldn't; I'm not, honest.)

    Would I really need Samba? The networks don't have to see/browse the box. I thought the IPs would be sufficient.

  4. #4

    Re: 4NICs and Iptables

    > but I don't know whether the router filters the interface or the subnet
    ??? I can't say I fully understand. The router usually does filtering based on source and destination address. What do you mean by "filter the interface" and "filter the subnet"? If you're able to replace the router with your box, I simply don't see a reason for using more than 3 NICs. If you're just going to "shortcut" network A with network B, then well, 4 NICs would be very handy.

    > Would I really need Samba? The networks don't have to see/browse the box. I thought the IPs would be sufficient.
    How am I supposed to know? You never told us what the network is for (is it a Windows network, an NFS network, or is it just for the web/something else).

  5. #5

    Re: 4NICs and Iptables

    Sorry, didn't mean to seem arsey.

    And the current router has 2 RJ45 ports, one for each network. I'd have to use it because it's connected by an X21 cable to the line. (I [s]probably[/s] should have said adapter, not interface.)

    I can't prat around with it because it's part of a council project with hundreds of similar sites. I don't expect to be given special treatment. So I wanted something I could plug in and not need them to do anything, and that way if something goes wrong I can whip the cables over, change the default gateway, and away she goes again (albeit with the lag from hell).

    Thanks for the suggestions though.

  6. #6

    Re: 4NICs and Iptables

    > Net A
    > new box == old router =*=*= whatever
    > Net B
    I assume this is the configuration you want to use. I don't fully understand what you're wanting to do here, but I'll assume it works out like above. First of all, if you set it up like above, the old router won't be doing any filtering between the two networks, period. The new router will be doing all the work. The old router will only hook the new router to the internet.

    Second, statefulness is irrelevant when it comes to routing. It's only relevant for firewalling. (Well... not completely true but mostly.) If you only want network A to be able to access a particular computer (server) on network B, you can do so in your routing tables. If you only want it to be able to reach a certain port on that server, you can do so. But unless these two networks are very untrusting of each other, I wouldn't even try to incorporate statefulness into the routing and make things extremely confusing.

    Finally, I could probably come up with some iptables rules that would do all the routing you need, but I'd need more info on the IP scheme (including whether or not IP masquerading is taking place) and how much the two networks are allowed to talk to each other. Maybe then I can whip something up with my iptables knowledge.
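    Nobody in the thread posted an actual ruleset, so here is an added example (not from any poster) of what the original question in #1 was asking about: a 4-NIC box that passes each network through to its own router port untouched, while opening a handful of TCP ports from net A to a single server on net B and relying on conntrack for the replies. It assumes the box routes rather than bridges and is the default gateway on both inside segments (routes are not shown); the interface names, subnets, server address and ports are all constructed for the example, not taken from the thread. The script only prints the ruleset in iptables-restore syntax unless invoked with `apply`.

```shell
#!/bin/sh
# Added example, not part of the forum thread. Generates (and optionally applies)
# a FORWARD ruleset for a box with two "inside" NICs and two "outside" NICs.
# Every value below is a constructed assumption for illustration.

A_IN=eth0; A_OUT=eth1        # hypothetical: net A segment, router port for net A
B_IN=eth2; B_OUT=eth3        # hypothetical: net B segment, router port for net B
NET_A=10.1.0.0/24            # constructed subnet for net A
B_SERVER=10.2.0.10           # constructed address of the one server on net B
ALLOWED_PORTS="88 139 445"   # assumed here: Kerberos and SMB, the "3 ports" in #1

# Print the filter table in iptables-restore syntax. Nothing is applied here.
gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies and related connections pass in whichever direction they flow,
# so the one-way port openings below need no mirror rules for net B -> net A
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the shortcut: new connections from net A to net B, only the listed ports,
# only to the one server
EOF
  for p in $ALLOWED_PORTS; do
    echo "-A FORWARD -i $A_IN -o $B_IN -s $NET_A -d $B_SERVER -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  cat <<EOF
# everything else between each net and its own router port is left alone
-A FORWARD -i $A_IN -o $A_OUT -j ACCEPT
-A FORWARD -i $A_OUT -o $A_IN -j ACCEPT
-A FORWARD -i $B_IN -o $B_OUT -j ACCEPT
-A FORWARD -i $B_OUT -o $B_IN -j ACCEPT
# anything that reaches here (e.g. new connections from net B into net A)
# is logged at a bounded rate and then dropped by the chain policy
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# Number of FORWARD rules in the generated set (handy for a sanity check)
count_forward_rules() { gen_ruleset | grep -c '^-A FORWARD'; }

# Apply only on explicit request; by default just show what would be loaded.
if [ "$1" = "apply" ]; then
  sysctl -w net.ipv4.ip_forward=1
  gen_ruleset | iptables-restore
else
  gen_ruleset
fi
```

    Run it without arguments to review the ruleset, and with `apply` (as root) to load it atomically with iptables-restore. The drop-by-policy plus rate-limited LOG rule is what answers the "would the statefulness let the replies through" question in practice: if a reply is being dropped, it shows up in the log with the FWD-DROP prefix instead of silently timing out.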
