Help adding a 2nd local network to firewall.stronger
But I recently rebuilt my home server and added a third NIC for a separate LAN here for testing. I'd like the 2 local LANs to use the external interface for Internet traffic (obviously) but to not be able to talk to each other. I tried to add extra lines to the script by creating an INTIF2, INTNET2, and an INTIP2 in the script and just mirroring the INTIF, INTNET, INTIP lines for it, but that did not seem to work - do I need to add a route in there for the new network as well, or am I missing something in my firewall script? The original LAN works great - it's just adding a second LAN subnet that's troubling me.
Thanks in advance.
I think I need to add a route for the new network to allow devices on the 192.168.100.x network to access the Internet. Here's my current routing table:
Code:
[root@home ~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
78.61.257.152   0.0.0.0         255.255.255.248 U     0      0        0 eth2
172.16.55.0     0.0.0.0         255.255.255.0   U     0      0        0 vmnet8
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.76.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
172.16.250.0    0.0.0.0         255.255.255.0   U     0      0        0 vmnet1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
0.0.0.0         78.61.257.153   0.0.0.0         UG    0      0        0 eth2
(IPs changed for protection - yes I know one is invalid!)
Would adding a route for this network (192.168.100.x) be all I need, and if so what would the command be? I have the 192.168.76.x network working exactly the way I want it and have DHCP set up for both networks now.
Thanks!
This illustrates the problem with depending on other people's scripts: the one you have referred to only knows about one external interface and one internal interface. Since your system does not conform to that description, it is unsurprising that it doesn't work.
You do not need to add any routes to your routing table; the networking section of the kernel already knows that you have connectivity to the network 192.168.100.x.
You DO need to improve the rules generated by your script to allow traffic that arrives from the outside world back through your firewall when it is destined for your new network interface. This means that you will need to visit how you are doing SNAT for outbound traffic (a cursory look indicates that is OK as is), and how returning traffic is filtered (the same cursory look indicates that there may be a problem here).
To get the best advice, I recommend that you do not obscure your network setup; that is why you are using a firewall in the first place. I further recommend that you post the resulting iptables rules (in numeric form), rather than asking us to infer them from a script. It makes diagnosis so much easier when one has reliable data upon which to make a diagnosis.
At least you stated one thing useful there, that I did not need to add a route.
After playing around a little I found that with my modifications that traffic was going out, but not coming back. I adjusted the script to fit my needs and posted it here in case anyone else needs something similar.