I have only basic knowledge in Unix but I'm eager to learn.
I have a new complex (for me) exercice and I have no idea how to start.
I have a regular network on witch I'm trying to plug another network.
Here is an image of the physical network.
On the left is the original, three-node, standard, home network (192.168.1.0 / 255.255.255.0): An internet box (192.168.1.1), my computer (192.168.1.32) and a server (cassiopeia 192.168.1.224).
I've added two ethernet adapters to cassiopeia.
[list]
One belongs to the top right network (172.16.199.0 / 255.255.255.0): a four-node network with cassiopeia (172.16.199.1) and 3 machines (172.16.199.151..153)
The second belongs to the bottom right network (172.16.70.0 / 255.255.255.0): a two-node network that could host more machines but I'm laking a switch.
[/list]
All three networks work fine and all machines within the same network can communicate.
What I need is to set cassiopeia (a GNU/Linux Debian) to enable communication between networks:
Set cassiopeia as gateway to the internet for 172.16.199.xxx
Set cassiopeia as gateway to the internet for 172.16.70.1
Set cassiopeia as a link between the two 172.16 networks
Let me give more specific needs:
When 172.16.70.151 requests something like 172.16.199.152, it stays in the top right network
When 172.16.70.151 requests something like 172.16.70.1, it's routed to the bottom right network
When 172.16.70.151 requests something like Google, it's routed to the internet box
When 172.16.70.1 requests something like 172.16.199.151, it's routed to the top right network
When 172.16.70.1 requests something like Google, it's routed to the internet box
Now comes my question:
What should I install on cassiopeia (GNU/Linux Debian) to serve my needs? Is is a gateway, a router or what? Do you know free softwares? Do you know man pages to help me configure it?
Since it's all private IP addresses, simple IP forwarding should be enough. In /etc/sysctl.conf, set net.ipv4.ip_forward = 1 , and to enable it right away, type
Thanks pludi.
Your answer looked great ! But it doesn't work.
So far I found out that there might be no software to install.
Just activate ip_forwarding (as you said) and set some iptables.
This second part seems to be the most important and I have no idea how it works.
However, I found a manual that looks pretty well documented here.
If anyone has any advice, I'd be very happy.
Santiago
The configuration of iptables is extremely simple.
iptables -t nat -A POSTROUTING -j MASQUERADE
It actually means that any packet coming from any interface and going to any other one will be masqueraded.
First I have no idea what masqueraded means but I assume it is something like modifying the packet so that it's in conformity with the new network it is sent through.
Second, I understand that this means no limitation, no control and no secutity at all in the network traffic but as you said, it's all local networks and the internet box is (hopefully) doing a proper job.
Masquerading is a form of network address translation (NAT). Outside of iptables, masquerading is also commonly called port address translation (PAT). Any packet which leaves a particular interface of the router will have its IP header modified to use the source IP address of the exit interfaced used on the router. Try looking up PAT on wikipedia for a good description.
With your configuration of iptables, any packet leaving any interface on the router should take on the address of the interface which it left. I would think hosts on both of the 172 networks would have problems with reply traffic from hosts on different networks, and nodes on the 192 network would not be able to access hosts on the 172 network but would be able to reach the Internet.
As an example, suppose a PC on the 172.16.70.0 network pings the PC on the 192 network.
When the packet hits the router and is routed to the 192 network, the packet is NATed, and its source IP address changes to 192.168.1.224. The PC on the 192 network gets the ping, and replies to it normally (with a destination IP address of 192.168.1.224).
The router forwards the packet back to the ping originator on the 172 network, but masquerades the source IP address to 172.16.70.254 as it sends it out that interface. The PC on the 172 network is waiting for a reply from 192.168.1.32 -- getting an echo reply from 172.16.70.254 would sound like bogus traffic. Thus, it never receives a reply from the 192 node and you get an error message.
Unless my thinking is fuzzy or iptables is doing something else behind the scenes, it would sound like you only want to masquerade for traffic going out of the 192 interface of the router. Try it out and see if it works as it is. If not, you can tell iptables to only masquerade for traffic leaving the 192 interface by using the '-o <INTERFACE NAME>' option within the iptables command string you posted earlier.
Second, I understand that this means no limitation, no control and no secutity at all in the network traffic
Oh yeah, netfilter/iptables means packets limitation, traffic control and high security for the network.
The only device that is able to interconnect two logical networks is a router, so you want to interconnect three networks, then what you need is a router.
With iptables you can easily set up a router/firewall device for your network. It's included with Linux, so you don't have to pay or download anything at all.
What i understand of your needs is to set cassiopeia host to do something like this:
So, if i'm right you'll need three network interfaces and the problem is solved, here is how you must set iptables to make this work:
