[lug] Routing with Linux

Sean Reifschneider jafo at tummy.com
Thu Jun 29 16:49:16 MDT 2000


On Thu, Jun 29, 2000 at 04:12:10PM -0600, Bonnell, Doug wrote:
>     ipchain FORWARD 192.13.5.6/40 eth1      (net1 forwarded to net2)
>     ipchain FORWARD 207.16.8.9/37 eth0      (net2 forwarded to net1)
>
>This saves telling all the machines where packets need to go. You'll
>need routing at the individual machines on each net.

I think you misunderstand what ipchains does.  It simply tells the kernel
what packets to allow or reject.  The default policy is "accept", so adding
specific rules to allow packets from the above networks wouldn't do
anything.  It can't magically tell all the machines on these subnets
that they should forward packets to the router.

The hosts on the networks are quite dumb.  Currently they probably know
two things:

	If I have a packet destined for the network I'm on, dump it off on that
	interface and hope for the best.

	Any other packet, send to our router (which is on the local network
	and therefore gets delivered by the above rule).

Now, you can tell that router that when it gets packets for the other
network, to forward them to the linux router that's on both networks.
That way the clients get to stay dumb.

Or, you can insert a routing rule on each of the clients so it looks like
this:

	If I have a packet destined for the network I'm on, dump it off on that
	interface and hope for the best.

	If I have a packet destined for the other network in this building,
	send it to that linux router.

	Any other packet, send to our router (which is on the local network
	and therefore gets delivered by rule #1).

>     route add -host finkel -gw rupert      (finkel on net2, rupert = net1
>Linux IP)
>
>     route add -host narn -gw turtle        (narn on net1, turtle = net2
>Linux IP)

Typically, instead of giving different interfaces on the same machine
different names, you would name the interfaces "rupert-1" and
"rupert-2", or something like that.

Also, the above are *HOST* routes, so on every machine you would have
to add either 35 or 8 of these routes, and change them every time a
machine was added, removed, or had its IP changed.

This is what network routes are for.  Ok, let's assume that network1
is 192.168.0.0/24, and network2 is 192.168.1.0/24.  The linux router
has the IP addresses 192.168.0.254 and 192.168.1.254.

Machines on network 1 would have:

	route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.0.254

and machines on network 2 would have:

	route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.1.254

(in other words: I don't know how to reach 192.168.0.*, but I know that
the machine at 192.168.1.254 *DOES*).

>I think of this more as a bridge than a router since it links to subnets
>together rather than a single connection to a subnet.

Careful with that terminology...  A bridge is something which links
physically diverse parts of the *SAME* subnet.  So, if both network1
and network2 were using 192.168.0.* addresses, with a 255.255.255.0
netmask, you would be setting up a bridge.  A router (typically) routes
between subnets -- as in this case.

My question is, if you have a machine separating two parts of a subnet,
and you have it configured to do proxy ARP so that it looks like one big
network, is it a bridge?  It's not doing spanning tree or anything,
just proxy ARP...  :-)

Sean
-- 
 I didn't spend 6 years in evil medical school to be called *MISTER* Evil!
                 -- Dr. Evil, _Austin_Powers:_International_Man_of_Mystery_
Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
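The host-side lookup the post describes (an on-link route, optionally a route for the other building network, and a catch-all default) and the network-route setup with 192.168.0.0/24, 192.168.1.0/24 and the Linux router at 192.168.0.254/192.168.1.254, modelled as an added example. This is not code from the post or the list; it is a small longest-prefix-match routing table in Python. The site router's address (192.168.0.1) and the interface names eth0/eth1 are assumptions, since the post never gives them.

```python
# Added example, not from the original post: a minimal model of how a host
# (or the Linux router) picks the next hop for a packet. The kernel's route
# lookup is longest-prefix match: the most specific matching route wins,
# and the 0.0.0.0/0 default route only matches when nothing else does.
# Addresses 192.168.0.0/24, 192.168.1.0/24 and the router's 192.168.0.254 /
# 192.168.1.254 come from the post; the site router at 192.168.0.1 and the
# interface names are assumed values for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ONLINK = "on-link"  # deliver directly on the interface (ARP for the host)


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    gateway: str  # ONLINK, or the next-hop IP as a string
    iface: str


def lookup(table: List[Route], dst: str) -> Optional[Tuple[str, str]]:
    """Return (next_hop, iface) for dst using longest-prefix match.
    Returns None when no route matches (no default route either)."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in table:
        if addr in r.dest and (best is None or r.dest.prefixlen > best.dest.prefixlen):
            best = r
    if best is None:
        return None
    next_hop = str(addr) if best.gateway == ONLINK else best.gateway
    return next_hop, best.iface


def net1_host_routes(with_network_route: bool) -> List[Route]:
    """Table of a 'dumb' host on network 1: its own subnet on-link plus a
    default route to the site router (assumed 192.168.0.1). Setting
    with_network_route adds the post's
        route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.0.254
    so traffic for network 2 goes to the Linux router instead."""
    table = [
        Route(ipaddress.ip_network("192.168.0.0/24"), ONLINK, "eth0"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "192.168.0.1", "eth0"),
    ]
    if with_network_route:
        table.append(Route(ipaddress.ip_network("192.168.1.0/24"), "192.168.0.254", "eth0"))
    return table


def router_routes() -> List[Route]:
    """Table of the Linux router itself: both subnets are directly attached,
    so it needs no extra rules to forward between them. Interface names
    and the default gateway are assumed."""
    return [
        Route(ipaddress.ip_network("192.168.0.0/24"), ONLINK, "eth0"),
        Route(ipaddress.ip_network("192.168.1.0/24"), ONLINK, "eth1"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "192.168.0.1", "eth0"),
    ]


if __name__ == "__main__":
    for flag in (False, True):
        print("net1 host, network route added:", flag,
              "-> 192.168.1.5 via", lookup(net1_host_routes(flag), "192.168.1.5"))
    print("linux router -> 192.168.1.5 via", lookup(router_routes(), "192.168.1.5"))
```

Without the network route, a network 1 host hands a packet for 192.168.1.5 to the site router (which then has to know about the Linux router); with it, the packet goes straight to 192.168.0.254. The router forwards it on-link out eth1 because 192.168.1.0/24 is directly attached, which is also why one network route per host replaces the per-host routes the post warns against.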