Re: Firewall & Routing - help!

At 11:09 6/10/2004, James Kosin wrote:
Kevin F. Berrien wrote:
|
| "external subnet" - eth0 - 192.168.50.0
| gateway to internet - 192.168.50.1
| eth0 ip 192.168.50.48/255.255.255.0 gw = 192.168.50.1
|
| "internal subnet" - eth1 - 192.168.5.0
| eth1 ip 192.168.5.200/255.255.255.0 gw = 192.168.50.1??
|
| test host "internal"
| ip 192.168.5.3/255.255.255.0 gw = 192.168.5.200??
|
<<-- snip -->>

a)  make a route in 192.168.50.1 that routes traffic for 192.168.5.0 to
your IP of 192.168.50.48...  This will allow your gateway server/router
to route packets to this additional network properly.

Remember that the 192.168.0.0/16 space is reserved for private IP addresses. The Internet gateway *cannot* receive traffic from the open Internet destined to a 192.168.x.y address... it would be invalid or spoofed. The Internet gateway should instead enable masquerading for all outbound traffic received from 192.168.50.48. Return traffic will be allowed automatically. One easy solution is that the internal server can also enable masquerading via eth0 for all traffic received from eth1.


Two masquerading layers, but the solution should work pretty much transparently *AS LONG AS* you don't need or want people on the Internet to be able to reach those internal machines. If such a thing is desirable, you'll have to add additional DNAT rules to both firewalls.

b) I don't believe you need a gateway for eth1. I could be wrong....

You don't. When you have multiple devices like this, each device should have its gateway for the local network (or no gateway if *it* is the gateway), and then you should have a statement like this in your /etc/sysconfig/network file:


GATEWAYDEV=eth0

So eth0 should have 192.168.50.1 as its gateway for the 192.168.50.0/24 network on which it participates, and eth1 does not need a gateway since it *is* the gateway. The GATEWAYDEV line will tell Linux how to route packets to the default route correctly. Note that all other machines on the 192.168.5.0/24 subnet *do* need to have 192.168.5.3 as their gateway.

I just set up something like this yesterday. One subnet (192.168.200.0/24) allows outbound masquerading *only* for ports 80 and 443 via a Fedora Core 2 box with Shorewall and two interfaces. The external interface is part of a larger office whose firewall (also FC2+Shorewall) allows outbound masquerading to the Internet. Incoming access to port 80 for one box is permitted via a DNAT rule in Shorewall. Works like a charm, piece of cake.

Cheers,


-- Rodolfo J. Paiz rpaiz@xxxxxxxxxxxxxx http://www.simpaticus.com
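The two-layer setup discussed above (internal server masquerading its eth1 subnet out of eth0, no gateway on eth1, GATEWAYDEV pointing at eth0) rendered as a script. This is an added example, not code from the thread or from any of its participants; the interface names and addresses are the ones quoted in the thread, and the function names (`is_rfc1918`, `masq_rules`, `sysconfig_network`, `upstream_route`) are this example's own. With `APPLY` unset it only prints what it would do; `APPLY=1` executes the rules and needs root.

```shell
#!/bin/sh
# Added example: render (and optionally apply) the masquerading-router
# configuration for the internal server from the thread. Addresses and
# interface names default to the ones quoted there; override via env vars.

EXT_IF="${EXT_IF:-eth0}"                  # faces the 192.168.50.0/24 "external" subnet
INT_IF="${INT_IF:-eth1}"                  # faces the 192.168.5.0/24 "internal" subnet
INT_NET="${INT_NET:-192.168.5.0/24}"      # subnet whose hosts are hidden behind this box
UPSTREAM_GW="${UPSTREAM_GW:-192.168.50.1}"  # the Internet gateway on the external subnet
THIS_EXT_IP="${THIS_EXT_IP:-192.168.50.48}" # this box's address on the external subnet

# Returns 0 when $1 (a.b.c.d or a.b.c.d/len) lies in RFC 1918 private space.
# The thread's point: such addresses are never routable on the open
# Internet, which is why masquerading is needed at each layer.
is_rfc1918() {
    case "$1" in
        10.*)                                   return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
        192.168.*)                              return 0 ;;
        *)                                      return 1 ;;
    esac
}

# Prints the sysctl and iptables lines that make this host a masquerading
# router for INT_NET towards EXT_IF. Only internal-origin traffic is
# masqueraded; the reverse direction admits replies only, so nothing on the
# external subnet can reach INT_NET unsolicited (add DNAT rules for that,
# as the thread notes).
masq_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -A POSTROUTING -s $INT_NET -o $EXT_IF -j MASQUERADE"
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT"
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -j DROP"
}

# Prints the /etc/sysconfig/network keys: the default route leaves via
# EXT_IF through the upstream gateway; INT_IF gets no gateway because this
# host *is* the gateway for the internal subnet.
sysconfig_network() {
    echo "NETWORKING=yes"
    echo "GATEWAY=$UPSTREAM_GW"
    echo "GATEWAYDEV=$EXT_IF"
}

# The static route James suggested for the upstream gateway. With
# masquerading on this box it is optional, since all internal traffic
# appears to come from THIS_EXT_IP, but it is what you need if you ever
# replace masquerading with plain routing on the inner layer.
upstream_route() {
    echo "ip route add $INT_NET via $THIS_EXT_IP"
}

# Refuse to proceed for a non-private internal subnet: the rules above only
# make sense for address space that cannot be routed on the Internet.
if ! is_rfc1918 "$INT_NET"; then
    echo "refusing: $INT_NET is not RFC 1918 space" >&2
    exit 1
fi

if [ "${APPLY:-0}" = "1" ]; then
    masq_rules | sh -e          # apply on this box (needs root)
else
    echo "# would run on this box ($THIS_EXT_IP):"; masq_rules
    echo "# /etc/sysconfig/network:"; sysconfig_network
    echo "# optional, on $UPSTREAM_GW:"; upstream_route
fi
```

Run it once without `APPLY` to review the output, then with `APPLY=1` on the internal server; the sysconfig lines are written by hand, and the FORWARD chain defaults shown here are the minimum for the "transparent outbound only" case the thread describes.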


