Feizhou wrote:
If your box has a link on 55.20.0.0/255.255.0.0 and then more physical links to 56.1.x.0/24 individually (machines on two separate physical networks) or one more physical link to 56.1.1.0/23 (all machines on one physical network and you are going to assign ips from 56.1.1.x and 56.1.2.x) then all you need is setup the default route of the box to 55.20.0.2, enable ip forwarding and then point the default route of all clients to the box's corresponding ip on their subnets (eg: two physical links, 56.1.1.1 and 56.1.2.1) or on their subnet (only one physical link, 56.1.1.1)
If you want to control what packets get through the box, use the iptables -t filter FORWARD chain.
That is what I thought, but it doesn't seem to be working.
Here is the routing table of the Linux Router box
Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.1.0 * 255.255.255.0 U 0 0 0 green 192.168.8.0 * 255.255.255.0 U 0 0 0 red 169.254.0.0 * 255.255.0.0 U 0 0 0 green default 192.168.8.2 0.0.0.0 UG 0 0 0 red
I've given the real IP's this time as it is only a virtual machine.
The names probably say enought but to clarify 192.168.8.0 is the Public facing subnet (what would be in the ISP Cloud I guess), with 192.168.8.2 as the default gateway, this is pingable from the router. 192.168.1.0 is the private subnet with 192.168.8.254 as the routers internal IP. Workstations can ping the internal IP of the router but not anything outside, nor does a traceroute work.
IP Forwarding has been enabled by: "sysctl -w net.ipv4.ip_forward = 1"
The iptables rules are all clear as follows:-
Chain INPUT (policy ACCEPT) target prot opt source destination
Chain FORWARD (policy ACCEPT) target prot opt source destination
Chain OUTPUT (policy ACCEPT) target prot opt source destination
Here is the routing table from the client machine:-
Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.1.0 * 255.255.255.0 U 0 0 0 eth0 169.254.0.0 * 255.255.0.0 U 0 0 0 eth0 default 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
From what you have said this should work fine, but I'm clearly missing something obvious that I just cannot see.
Thanks again for any help
Regards
Lee