hulken

asked on

Routing question


I have three machines: A, B, C.

A and B are connected directly to the internet.

Both A and B have two network cards and are connected to C on a local
network.

A is running IP masquerading so machine C can reach the internet.
(Machine B is also running IP masquerading, but machine C has machine A as
default gw.)

It looks like this:

Machine A: eth1 130.X.Y.Z   eth0 10.0.0.2
Machine B: eth0 130.X.V.W   eth1 10.0.0.3
Machine C:                  eth0 10.0.0.4

The network works fine. But I have one problem.

If I try to forward some ports from Machine A to Machine C it works fine.
(/usr/sbin/ipmasqadm portfw -a -P tcp -L 130.X.Y.Z 80 -R 10.0.0.4 80 -p 1)

But it doesn't work to forward the port to Machine B (10.0.0.3).
I have a www-server running and working on port 80 at Machine B and I can
reach it from Machine A.

It doesn't work to forward port 80 from Machine B to Machine C.

If I try to telnet to port 23 on machine B from machine A I get a
connection, but if I do a
/usr/sbin/ipmasqadm portfw -a -P tcp -L 130.X.V.W 25 -R 10.0.0.4 25 -p 1
If I use the same command from Machine A I can telnet to port 25 from
machine B and get forwarded to Machine C on port 25.

Machine A and B are using the same kernel and have the same network and
IP-masquerading configurations. Someone told me that the problem can be that the packets from B to the world don't go through A,
so they cannot be properly "demasqueraded".

I've heard that maybe it can be solved like this:

Assign another 10.x.x.x IP address to machine C and forward
(possibly more) ports from machine B to this new IP address of machine
C. Then set up "routing-by-source" on machine C, which says that the
packets which have the new local IP address should be routed via machine
B instead of machine A, which is the default gateway otherwise.


How can I set up this routing by source? Can someone help me?

ahoffmann

> Machine A and B are using the same Kernel and has the same Network and
> IP-Masquerading configurations.

If this is really true, you may run into problems.
They must be different in forwarding or you have a loop somewhere.
Or they block each other, somehow.

Without having the complete rules it might be difficult to point out the problem.
hulken

ASKER

OK! Here are my rules on machine 1.

The only difference from machine 1 to machine 2 is this:

INSIDE=10.0.0.3
INSIDE_DEVICE=eth1
DEVICE=eth0
IPADDR=130.X.V.W/24
and the row about ping:
ipchains -A input -s 130.X.Y.Z echo-request -p icmp -j ACCEPT

But I would like to know how to set up routing by source also...


#!/bin/sh -x

echo 1 > /proc/sys/net/ipv4/ip_forward  

PATH=/sbin:/usr/bin:/bin

#//--|------------------------------------------------------------------------
#//--| Default timeouts
#//--|------------------------------------------------------------------------

ipchains -M -S 3600 3600 3600


#//--|------------------------------------------------------------------------
#//--| Internal interface
#//--|------------------------------------------------------------------------

INSIDE=10.0.0.2
INSIDE_DEVICE=eth0

#//--|------------------------------------------------------------------------
#//--| External interface
#//--|------------------------------------------------------------------------
DEVICE=eth1
IPADDR=130.X.Y.Z/24

PRIVATE_NETWORK=10.0.0.0/8


#//--|------------------------------------------------------------------------
#//--| Default policy is deny. Flush all chains.
#//--|------------------------------------------------------------------------
ipchains -P input DENY
ipchains -P output DENY
ipchains -P forward DENY
ipchains -F


#//--|------------------------------------------------------------------------
#//--| Ignore noise on uplink device.
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -d ! $IPADDR -j DENY


#//--|------------------------------------------------------------------------
#//--| Count SYN packets, total packets, packets on each interface
#//--|------------------------------------------------------------------------

ipchains -A input -p tcp -y -l
ipchains -A output -p tcp -y -l
ipchains -A input
ipchains -A output
ipchains -A input -i lo
ipchains -A output -i lo
ipchains -A input -i eth0
ipchains -A output -i eth0
ipchains -A input -i eth1
ipchains -A output -i eth1


#//--|------------------------------------------------------------------------
#//--| Allow only localhost and local IP addresses on loopback.
#//--| Localnet addresses should not appear anywhere else.  
#//--|------------------------------------------------------------------------

ipchains -A input -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
ipchains -A input -i lo -s $IPADDR -d $IPADDR -j ACCEPT
ipchains -A input -i lo -s $INSIDE -d $INSIDE -j ACCEPT
ipchains -A input -i lo -j DENY -l
ipchains -A input -s 127.0.0.0/8 -d 127.0.0.0/8 -j DENY -l


#//--|------------------------------------------------------------------------
#//--| Ditto for output.
#//--|------------------------------------------------------------------------

ipchains -A output -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
ipchains -A output -i lo -s $IPADDR -d $IPADDR -j ACCEPT
ipchains -A output -i lo -s $INSIDE -d $INSIDE -j ACCEPT
ipchains -A output -i lo -j DENY -l
ipchains -A output -s 127.0.0.0/8 -d 127.0.0.0/8 -j DENY -l


#//--|------------------------------------------------------------------------
#//--| Internal network addresses only on internal side
#//--|------------------------------------------------------------------------

ipchains -A input -i $INSIDE_DEVICE -s $PRIVATE_NETWORK -j ACCEPT
ipchains -A output -i $INSIDE_DEVICE -d $PRIVATE_NETWORK -j ACCEPT


#//--|------------------------------------------------------------------------
#//--| Internal network addresses on internal network only.
#//--|------------------------------------------------------------------------

ipchains -A input -s $PRIVATE_NETWORK -j DENY -l -b
ipchains -A output -s $PRIVATE_NETWORK -j DENY -l -b


#//--|------------------------------------------------------------------------
#//--| Allow traffic from outside world.
#//--| TCP ports for local clients are defined in
#//--| /proc/sys/net/ipv4/ip_local_port_range
#//--| and are 1024:4999 by default.
#//--| 61000:65095 are for masquerade.
#//--| ICMP 0 and 8 are ping, 3 and 11 are TCP and UDP messages
#//--|------------------------------------------------------------------------



#//--|------------------------------------------------------------------------
#//--| Allow ssh and ftp
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -d $IPADDR 20:22 -p tcp -j ACCEPT


#//--|------------------------------------------------------------------------
#//--| Allow connections to sendmail
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -d $IPADDR 25 -p tcp -j ACCEPT


#//--|------------------------------------------------------------------------
#//--| Allow connections to my www-server
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -d $IPADDR 80 -p tcp -j ACCEPT

#//--|------------------------------------------------------------------------
#//--| DNS
#//--|------------------------------------------------------------------------

# ":53" would mean the range 0:53; only port 53 is meant for DNS
ipchains -A input -i $DEVICE -d $IPADDR 53 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 53 -p udp -j ACCEPT

#//--|------------------------------------------------------------------------
#//--| Ident
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -d $IPADDR 113 -p tcp -j ACCEPT

#//--|------------------------------------------------------------------------
#//--| Samba
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -d $IPADDR 137:139 -p tcp -j ACCEPT

#//--|------------------------------------------------------------------------
#//--| Tcp ports for local clients
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -d $IPADDR 1024:2048 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 2050:4999 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 1024:2048 -p udp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 2050:4999 -p udp -j ACCEPT

#//--|------------------------------------------------------------------------
#//--| My forwarded ports
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -d $IPADDR 8000 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 8020 -p tcp -j ACCEPT

#//--|------------------------------------------------------------------------
#//--| Masquerading
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -d $IPADDR 61000:65535 -p tcp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 61000:65095 -p udp -j ACCEPT

#//--|------------------------------------------------------------------------
#//--| Some ports to deny
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -s 0/0 -d 0/0 1433 -p tcp -j DENY
ipchains -A input -i $DEVICE -s 0/0 -d 0/0 1433 -p udp -j DENY
ipchains -A input -i $DEVICE -s 0/0 -d 0/0 2049 -p tcp -j DENY
ipchains -A input -i $DEVICE -s 0/0 -d 0/0 2049 -p udp -j DENY
ipchains -A input -i $DEVICE -s 0/0 -d 0/0 5432 -p tcp -j DENY
ipchains -A input -i $DEVICE -s 0/0 -d 0/0 5432 -p udp -j DENY




#//--|------------------------------------------------------------------------
#//--| Icq
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -s 0/0 -d 0/0 4000 -p udp -j ACCEPT
ipchains -A output -i $DEVICE -s 0/0 -d 0/0 4000 -p udp -j ACCEPT

#//--|------------------------------------------------------------------------
#//--| quake world
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -d $IPADDR 26000 -p udp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 27500 -p udp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 28000 -p udp -j ACCEPT
ipchains -A input -i $DEVICE -d $IPADDR 29000 -p udp -j ACCEPT



#//--|------------------------------------------------------------------------
#//--| ping on localnet
#//--|------------------------------------------------------------------------

ipchains -A input -s 10.0.0.0/24 echo-request -p icmp -j ACCEPT

#//--|------------------------------------------------------------------------
#//--| Ping from my other machine
#//--|------------------------------------------------------------------------

ipchains -A input -s 130.X.V.W echo-request -p icmp -j ACCEPT


#//--|------------------------------------------------------------------------
#//--| ICMP TRAFFIC
#//--|------------------------------------------------------------------------

ipchains -A input -i $DEVICE -s 0/0 0 -d $IPADDR -p icmp -j ACCEPT
ipchains -A input -i $DEVICE -s 0/0 3 -d $IPADDR -p icmp -j ACCEPT
ipchains -A input -i $DEVICE -s 0/0 11 -d $IPADDR -p icmp -j ACCEPT


#//--|------------------------------------------------------------------------
#//--| Reject ping
#//--|------------------------------------------------------------------------

ipchains -A input -s 0/0 echo-request -p icmp -j REJECT

#//--|------------------------------------------------------------------------
#//--| Reject traffic to doubleclick.net
#//--|------------------------------------------------------------------------

ipchains -A output -d 199.95.207.0/24 -j REJECT
ipchains -A output -d 199.95.208.0/24 -j REJECT

#//--|------------------------------------------------------------------------
#//--| No control over outbound traffic
#//--|------------------------------------------------------------------------

ipchains -A output -i $DEVICE -s $IPADDR -j ACCEPT

#//--|------------------------------------------------------------------------
#//--| Not a gateway onto private network.  This stops an IP spoofing
#//--| attack if it somehow gets through all the filtering above.
#//--|------------------------------------------------------------------------

ipchains -A forward -s $PRIVATE_NETWORK -d $PRIVATE_NETWORK -j DENY -l


#//--|------------------------------------------------------------------------
#//--| Forward and masquerade private network to the world
#//--|------------------------------------------------------------------------

ipchains -A forward -s $PRIVATE_NETWORK -j MASQ


#//--|------------------------------------------------------------------------
#//--| ip-spoofing protection
#//--|------------------------------------------------------------------------

ipchains -A input -i eth1 -s 10.0.0.0/8 -j DENY


#//--|------------------------------------------------------------------------
#//--| Report any other packets that are denied.
#//--| Useful for debugging (-l logs these to the kernel syslog)
#//--|------------------------------------------------------------------------

ipchains -A input -j DENY # -l
ipchains -A output -j DENY # -l
ipchains -A forward -j DENY #-l


#//--|------------------------------------------------------------------------
#//--| Some portforwarding to my local machine
#//--|------------------------------------------------------------------------

/usr/sbin/ipmasqadm portfw -a -P tcp -L 130.X.Y.Z 80 -R 10.0.0.4 80 -p 1





ASKER

And this is different to:
 /usr/sbin/ipmasqadm portfw -a -P tcp -L 130.X.V.W 80 -R 10.0.0.4 80 -p 1

ASKER

Btw. Forwarding from Machine B to machine C works if I change the default gateway to 10.0.0.3, so I need routing by source on machine C, which says that the packets which have the new local IP address should be routed via machine B instead of machine A, which is the default gateway otherwise.

canacar

It seems to me that the new (advanced) routing policies of the 2.2 kernel should work for you.

[ unfortunately, I am using a 2.0.34 kernel so cannot test
  what I will be writing here... ]

OK, first you need kernel version > 2.1.14 (I think);
since you are using ipchains, you probably have it,
else use a 2.2 kernel.


then you have to obtain the mentioned ip-routing package
(if you do not already have it. I think it is included in
 the debian distribution)
the original site is ftp://ftp.inr.ac.ru/ip-routing
however, I found the link ftp://linux.wauug.org/pub/net/ip-routing/
much faster.

download ip-route2-current.tar.gz
and compile it. (this I have not done! so you are on your own here...)

you should now have an 'ip' utility and
using the ip route ...
commands you can set the routing tables of your C machine.

OOPS! I nearly forgot!

first you should use the IP Alias mechanism to define two IP addresses to your machine C.  (setting up IP aliasing is described in IPAlias mini-HOWTO, basically you compile it to the kernel or as a module and insmod it)

then you can set up two IP addresses on the same ethernet card like:

  /sbin/ifconfig lo 127.0.0.1
  /sbin/ifconfig eth0 up
  /sbin/ifconfig eth0 10.0.0.4
  /sbin/ifconfig eth0:0 10.0.0.5

so you have two IP addresses on C.

with your new ip-route utility, you can configure
different gateways for these addresses...


# default gateway through A for packets sourced from 10.0.0.4
# (a single host, so /32 rather than /24; with /24 both rules would match both addresses)
ip rule add from 10.0.0.4/32 table 1
ip route add default via 10.0.0.2 table 1

# default gateway through B for packets sourced from 10.0.0.5
# (the gateway is B's inside address 10.0.0.3, not the alias itself)
ip rule add from 10.0.0.5/32 table 2
ip route add default via 10.0.0.3 table 2

Note: I assume that these would work (I checked the sources)
but have not tried them .
[The linux/Documentation/networking/policy-routing.txt
 gives a different syntax but the sources say otherwise!]

hope it helps ...

Can

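A complete version of the machine C setup, as an added example (not canacar's or hulken's own commands): it assumes iproute2's `ip` is installed, uses the addresses from the question (alias 10.0.0.5, A at 10.0.0.2, B at 10.0.0.3), keeps 10.0.0.4 on the main table via A and gives only the alias address its own table with a default route via B. `DRY_RUN=1` prints the commands instead of running them; 198.51.100.1 is a documentation address used only for the route lookup check.

```shell
#!/bin/sh
# Source-based policy routing on machine C (added example).
# Assumed layout (from the question): eth0 10.0.0.4 -> default via A (10.0.0.2),
# alias 10.0.0.5 -> default via B (10.0.0.3). Run as: DRY_RUN=1 sh c-routing.sh apply
IFACE=${IFACE:-eth0}
PRIMARY=${PRIMARY:-10.0.0.4}
ALIAS=${ALIAS:-10.0.0.5}
LAN=${LAN:-10.0.0.0/24}
GW_A=${GW_A:-10.0.0.2}
GW_B=${GW_B:-10.0.0.3}
TABLE_B=2
TEST_DST=${TEST_DST:-198.51.100.1}   # documentation address, constructed for the check

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

setup_policy_routing() {
  # Second address on the same card (iproute2 equivalent of ifconfig eth0:0).
  run ip addr add "$ALIAS/24" dev "$IFACE" label "$IFACE:0"
  # Ordinary traffic (source 10.0.0.4) keeps using the main table via A.
  run ip route replace default via "$GW_A" dev "$IFACE"
  # Table 2: connected LAN route first, so replies from the alias to local
  # hosts are not bounced through B, then a default route via B.
  run ip route replace "$LAN" dev "$IFACE" src "$ALIAS" table "$TABLE_B"
  run ip route replace default via "$GW_B" dev "$IFACE" table "$TABLE_B"
  # Only packets whose source address is the alias consult table 2
  # (/32: a /24 would also match 10.0.0.4). Note: 'ip rule add' is not
  # idempotent; running this twice adds a duplicate rule.
  run ip rule add from "$ALIAS/32" pref 200 lookup "$TABLE_B"
  run ip route flush cache
}

# Show which gateway a reply sourced from each address would leave through.
verify_policy_routing() {
  run ip rule show
  run ip route get "$TEST_DST" from "$PRIMARY"   # expect: via 10.0.0.2
  run ip route get "$TEST_DST" from "$ALIAS"     # expect: via 10.0.0.3
}

if [ "$1" = apply ]; then
  setup_policy_routing
  verify_policy_routing
fi
```

Ports forwarded on machine B must then target the alias (e.g. `ipmasqadm portfw ... -R 10.0.0.5 80`), so that C's replies carry 10.0.0.5 as source and hit table 2.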

ASKER

mark the question as answered......
ASKER CERTIFIED SOLUTION
canacar