Hi all, I have the following network setup:

                         mordor (GATEWAY)
                              |
                   SWITCH 192.168.250.0/24
    ------------------------------------------------------
       |          |          |          |          |
     sauron     scooby     frodo     gollum     gandalf
    (FTP/MAIL SERVER) --------(CLIENTS)--------- (FILE SERVER)
                  |          |          |          |
                ---------------------------------------
                     SWITCH 192.168.0.0/24
                              |
                       audio (MUSIC SERVER)

mordor performs NAT and port forwarding, iptables, proxy, ntp etc. gandalf provides NIS and nfs for the 192.168.0.0/24 network. This all ticks over quite nicely.

At present, however, audio has no access to the outside (this is not posing too much of an issue at the moment, since time synchronisation is not terribly important here and I keep a YOU mirror up to date on gandalf.) I would like to give audio access to the web, however. Mainly for pulling CD contents listings from FreeDB.org.

I can't dual-home audio as I have the other client machines since there are no free slots for a network card. Also, I don't want to move it to the 192.168.250.0/24 network since that would require opening NIS and nfs to that network too.

As a first attempt, I set up SuSEfirewall2 on gandalf - with 192.168.250.0/24 as external and 192.168.0.0/24 internal, only protecting the external connection and doing NAT and port forwarding. While that allows audio to use gandalf as a gateway to reach mordor, it raises all sorts of difficulties for sauron communicating with gandalf (a maintenance complexity which is excessive wrt the benefit obtained.)

So, can I get gandalf to act as gateway for audio, and do NAT without needing to run the full 'firewall' on the box? Ideally, I'd want gandalf to provide this service one way only (so that, for example, it would refuse to route from sauron or mordor to audio) and for the one host (so that it would not route from scooby's 192.168.0.0/24 connection, since scooby has a direct route.)

I hope all that makes some kind of sense.

Dylan
--
"I see your Schwartz is as big as mine" -Dark Helmet
Dylan wrote:
So, can I get gandalf to act as gateway for audio, and do NAT without needing to run the full 'firewall' on the box? Ideally, I'd want gandalf to provide this service one way only (so that, for example, it would refuse to route from sauron or mordor to audio) and for the one host (so that it would not route from scooby's 192.168.0.0/24 connection, since scooby has a direct route.)
I hope all that makes some kind of sense.
The setup doesn't make much sense to me, but here are some lines that should do the trick:

    # eth0 192.168.0.x   (internal side, where audio lives)
    # eth1 192.168.250.x (external side, towards mordor)
    # a chain policy can only be ACCEPT or DROP, so DROP, not REJECT, here
    iptables -P FORWARD DROP
    # let replies to connections audio has opened come back through
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # anything not coming from audio is refused (covers sauron, mordor, scooby)
    iptables -A FORWARD ! -s ip-of-audio -j REJECT
    iptables -A FORWARD -s ip-of-audio -j ACCEPT
    # POSTROUTING has no input interface; select the traffic by source instead
    iptables -t nat -A POSTROUTING -o eth1 -s ip-of-audio -j MASQUERADE

Sandy
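The same one-host, one-way NAT as a small script, written as an added example rather than anything from the thread. Interface names and the address of audio are assumptions; the rules are generated as text first so they can be reviewed before being applied as root on gandalf.

```shell
#!/bin/sh
# Added example: build and apply a NAT rule set that forwards traffic for a
# single host (audio) in one direction only, on a box that runs no other
# firewall. INT_IF/EXT_IF/AUDIO_IP are assumptions, override them as needed.
INT_IF=${INT_IF:-eth0}             # 192.168.0.0/24 side, where audio lives
EXT_IF=${EXT_IF:-eth1}             # 192.168.250.0/24 side, towards mordor
AUDIO_IP=${AUDIO_IP:-192.168.0.50} # constructed address for audio

# Emit the rule set, one iptables invocation per line.
# Usage: build_rules <audio-ip> <internal-if> <external-if>
build_rules() {
    audio=$1; int_if=$2; ext_if=$3
    cat <<EOF
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $int_if -o $ext_if -s $audio -m state --state NEW -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -o $ext_if -s $audio -j MASQUERADE
EOF
}

# Number of commands a correctly built rule set contains (sanity check).
rule_count() {
    build_rules "$@" | wc -l | tr -d ' '
}

# Enable forwarding, load the rules, then show the FORWARD chain with
# packet counters so the one-way behaviour can be watched on gandalf.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_rules "$AUDIO_IP" "$INT_IF" "$EXT_IF" | sh -e
    iptables -L FORWARD -v -n
}
```

Only new connections that enter on the internal interface from audio and leave on the external one are accepted; everything else in FORWARD is rejected, so sauron, mordor and scooby cannot reach audio through gandalf, and the MASQUERADE rule only rewrites audio's packets.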