howto start with gateway / router / masquerading
# 1  
Old 08-03-2009

Hi there,

I have only basic knowledge in Unix but I'm eager to learn.
I have a new complex (for me) exercise and I have no idea how to start.
I have a regular network on which I'm trying to plug another network.

Here is an image of the physical network.
[image not reproduced]
  • On the left is the original, three-node, standard, home network (192.168.1.0 / 255.255.255.0): An internet box (192.168.1.1), my computer (192.168.1.32) and a server (cassiopeia 192.168.1.224).
  • I've added two ethernet adapters to cassiopeia.
    • One belongs to the top right network (172.16.199.0 / 255.255.255.0): a four-node network with cassiopeia (172.16.199.1) and 3 machines (172.16.199.151..153)
    • The second belongs to the bottom right network (172.16.70.0 / 255.255.255.0): a two-node network that could host more machines but I'm lacking a switch.
All three networks work fine and all machines within the same network can communicate.

What I need is to set cassiopeia (a GNU/Linux Debian) to enable communication between networks:
  • Set cassiopeia as gateway to the internet for 172.16.199.xxx
  • Set cassiopeia as gateway to the internet for 172.16.70.1
  • Set cassiopeia as a link between the two 172.16 networks
Let me give more specific needs:
  • When 172.16.70.151 requests something like 172.16.199.152, it stays in the top right network
  • When 172.16.70.151 requests something like 172.16.70.1, it's routed to the bottom right network
  • When 172.16.70.151 requests something like Google, it's routed to the internet box
  • When 172.16.70.1 requests something like 172.16.199.151, it's routed to the top right network
  • When 172.16.70.1 requests something like Google, it's routed to the internet box
So far, I have set machines like this:
  • address = 172.16.199.151..153
    netmask = 255.255.255.0
    gateway = 172.16.199.1
  • address = 172.16.70.1
    netmask = 255.255.255.0
    gateway = 172.16.70.254
Now comes my question:
What should I install on cassiopeia (GNU/Linux Debian) to serve my needs? Is it a gateway, a router or what? Do you know free software? Do you know man pages to help me configure it?

Thanks for your help.
Santiago
# 2  
Old 08-04-2009
Since it's all private IP addresses, simple IP forwarding should be enough. In /etc/sysctl.conf, set net.ipv4.ip_forward = 1, and to enable it right away, type
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward

as root
# 3  
Old 08-04-2009
Thanks pludi.
Your answer looked great! But it doesn't work.
So far I found out that there might be no software to install.
Just activate ip_forwarding (as you said) and set some iptables.
This second part seems to be the most important and I have no idea how it works.
However, I found a manual that looks pretty well documented here.
If anyone has any advice, I'd be very happy.
Santiago
# 4  
Old 08-04-2009
Seems like iptables are required. Shame on me for not noticing earlier.

For iptables, there's a pretty good tutorial here, with an example script for a DMZ that could be adapted.

Since the iptables rules and chain traversal aren't really intuitive, might I suggest using fwbuilder (or something similar)
# 5  
Old 08-05-2009
Hi pludi,

The configuration of iptables is extremely simple.
Code:
iptables -t nat -A POSTROUTING -j MASQUERADE

It actually means that any packet coming from any interface and going to any other one will be masqueraded.

First I have no idea what masqueraded means but I assume it is something like modifying the packet so that it's in conformity with the new network it is sent through.

Second, I understand that this means no limitation, no control and no security at all in the network traffic but as you said, it's all local networks and the internet box is (hopefully) doing a proper job.

Thanks for your advice anyway
Santiago
# 6  
Old 08-06-2009
Santiago,

Masquerading is a form of network address translation (NAT). Outside of iptables, masquerading is also commonly called port address translation (PAT). Any packet which leaves a particular interface of the router will have its IP header modified to use the source IP address of the exit interface used on the router. Try looking up PAT on wikipedia for a good description.

With your configuration of iptables, any packet leaving any interface on the router should take on the address of the interface which it left. I would think hosts on both of the 172 networks would have problems with reply traffic from hosts on different networks, and nodes on the 192 network would not be able to access hosts on the 172 network but would be able to reach the Internet.

As an example, suppose a PC on the 172.16.70.0 network pings the PC on the 192 network.

When the packet hits the router and is routed to the 192 network, the packet is NATed, and its source IP address changes to 192.168.1.224. The PC on the 192 network gets the ping, and replies to it normally (with a destination IP address of 192.168.1.224).

The router forwards the packet back to the ping originator on the 172 network, but masquerades the source IP address to 172.16.70.254 as it sends it out that interface. The PC on the 172 network is waiting for a reply from 192.168.1.32 -- getting an echo reply from 172.16.70.254 would sound like bogus traffic. Thus, it never receives a reply from the 192 node and you get an error message.

Unless my thinking is fuzzy or iptables is doing something else behind the scenes, it would sound like you only want to masquerade for traffic going out of the 192 interface of the router. Try it out and see if it works as it is. If not, you can tell iptables to only masquerade for traffic leaving the 192 interface by using the '-o <INTERFACE NAME>' option within the iptables command string you posted earlier.
# 7  
Old 08-11-2009
Quote:
Second, I understand that this means no limitation, no control and no security at all in the network traffic

Oh yeah, netfilter/iptables means packet limitation, traffic control and high security for the network.

The only device that is able to interconnect two logical networks is a router, so if you want to interconnect three networks, what you need is a router.

With iptables you can easily set up a router/firewall device for your network. It's included with Linux, so you don't have to pay or download anything at all.

What I understand of your needs is to set the cassiopeia host to do something like this:

[image not reproduced]
So, if I'm right you'll need three network interfaces and the problem is solved, here is how you must set iptables to make this work:


Code:
# Enable forwarding between interfaces and stop the kernel from sending
# ICMP redirects for traffic it routes between its own networks.
echo 1 >/proc/sys/net/ipv4/ip_forward
echo 0 >/proc/sys/net/ipv4/conf/all/send_redirects
# Start from empty tables: flush rules, delete user chains, zero counters.
iptables -t nat -F
iptables -F
iptables -X
iptables -Z
# Default policies (-P sets a chain policy; -A appends a rule and needs -j).
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Masquerade each network as it leaves through the other interfaces
# (eth0/eth1/eth2 are placeholders; map them to the real interfaces).
iptables -t nat -A POSTROUTING -s 172.16.199.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.16.70.0/24 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth2 -j MASQUERADE

I think this should work,
best regards
Zykl0n-B
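Putting posts #6 and #7 together, here is an added example (not code from the thread) of a router script for cassiopeia that masquerades only on the interface facing the internet box and denies all other forwarding by default. The interface names, the IPT dry-run variable and the apply_rules/count_masq functions are assumptions of this example, not anything the thread specifies.

```shell
#!/bin/sh
# Added example, not code from the thread: a stateful router/firewall for
# cassiopeia that only masquerades towards the internet box (see post #6).
# Interface names are assumptions; check them against `ip addr` on the host.
WAN_IF=${WAN_IF:-eth0}        # assumed: 192.168.1.0/24 side, towards the internet box
NET199_IF=${NET199_IF:-eth1}  # assumed: 172.16.199.0/24
NET70_IF=${NET70_IF:-eth2}    # assumed: 172.16.70.0/24
IPT=${IPT:-iptables}          # set IPT=echo to print the rules instead of loading them

apply_rules() {
    # 1. Forwarding between interfaces (the sysctl from post #2); real runs only.
    [ "$IPT" = iptables ] && echo 1 > /proc/sys/net/ipv4/ip_forward

    # 2. Clean slate, and deny forwarding unless a rule below allows it.
    "$IPT" -t nat -F
    "$IPT" -F FORWARD
    "$IPT" -P FORWARD DROP

    # 3. Replies to connections already accepted may flow in any direction.
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 4. The two 172.16 networks talk to each other without NAT, so replies
    #    carry the real source address instead of the router's (the problem in post #6).
    "$IPT" -A FORWARD -i "$NET199_IF" -o "$NET70_IF" -j ACCEPT
    "$IPT" -A FORWARD -i "$NET70_IF" -o "$NET199_IF" -j ACCEPT

    # 5. Both 172.16 networks may open connections towards the 192 side.
    "$IPT" -A FORWARD -i "$NET199_IF" -o "$WAN_IF" -j ACCEPT
    "$IPT" -A FORWARD -i "$NET70_IF" -o "$WAN_IF" -j ACCEPT

    # 6. NAT only on the way out of the 192 interface: the internet box has no
    #    route back to 172.16.x.x, so that traffic must appear as 192.168.1.224.
    "$IPT" -t nat -A POSTROUTING -s 172.16.199.0/24 -o "$WAN_IF" -j MASQUERADE
    "$IPT" -t nat -A POSTROUTING -s 172.16.70.0/24 -o "$WAN_IF" -j MASQUERADE
}

# Dry-run sanity check: number of MASQUERADE rules the script would load (2).
count_masq() { ( IPT=echo; apply_rules ) | grep -c MASQUERADE; }

if [ "${1:-}" = apply ]; then apply_rules; fi
```

Run it as root with the argument apply. New connections from the 192 side into the 172 networks are not forwarded by this rule set; add FORWARD rules for that direction (and a route on the 192 hosts) if that is wanted.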