6.5. IP Masquerading multiple internal networks
Masquerading more than one internal network is fairly simple. First make sure
that every network, internal and external, is working correctly on its own.
Then allow traffic to be forwarded between the internal interfaces and from
each internal interface out to the Internet, where it is MASQed.
Next, you need to enable forwarding and Masquerading for each INTERNAL interface.
This example uses a total of THREE interfaces: EXTIF stands for the eth0 interface,
which is the EXTERNAL connection to the Internet. INTIF stands for the eth1 interface
and is the 192.168.0.0/24 network. Finally, INTIF2 stands for the eth2 interface and
is the 192.168.1.0/24 network. Both INTIF and INTIF2 will be MASQed out of
interface eth0 (EXTIF). In your rc.firewall-* ruleset, add the following next to
the existing MASQ rule at the very end of the ruleset:
6.5.1. iptables support for multiple internal lans
# 2.6.x and 2.4.x kernels with IPTABLES
#
# The following rules build upon the rc.firewall-iptables-stronger ruleset.
# Please see that ruleset in Section 6 for how all variables get set, etc.
# The $INTIF2 rules below mirror what that ruleset already does for $INTIF.

#Enable the second internal interface to reach the Internet: new connections
#out, only replies and related traffic back in
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED \
-j ACCEPT

#Enable internal interfaces to communicate with each other. NEW must be
#accepted, otherwise no connection between the two LANs can ever be started
#(ESTABLISHED,RELATED alone only matches replies to connections that exist)
$IPTABLES -A FORWARD -i $INTIF -o $INTIF2 -m state --state NEW,ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $INTIF -m state --state NEW,ESTABLISHED,RELATED \
-j ACCEPT

#One POSTROUTING rule on $EXTIF masquerades both internal networks (use
#-j MASQUERADE instead of SNAT when $EXTIP is dynamic, as in the stronger ruleset)
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
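The iptables rules above are one instance of a pattern that repeats for every extra internal LAN. The following script is an added example, not code from the HOWTO: it generalizes the same FORWARD and POSTROUTING rules to any number of internal interfaces, adds the anti-spoofing DROP per LAN that a practitioner would want, and includes an audit of an iptables-save dump that catches the classic mistake of accepting only ESTABLISHED,RELATED between LANs (no connection can ever start). The function names gen_masq_rules and verify_forward_dump, the interface names, the networks and the address 203.0.113.5 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the HOWTO. Generates the iptables FORWARD/NAT
# rules for any number of internal LANs behind one external interface, and
# checks an iptables-save dump for the rules that must exist. Interface and
# address names in the usage lines are assumed for illustration.

# gen_masq_rules EXTIF EXTIP|dynamic IF1:NET1 [IF2:NET2 ...]
# Prints iptables commands (pipe into "sh" on the gateway to apply them).
# Assumes the FORWARD chain policy is DROP, as in the stronger ruleset.
gen_masq_rules() {
    extif=$1; extip=$2; shift 2
    ipt=${IPTABLES:-/sbin/iptables}
    for pair in "$@"; do
        intif=${pair%%:*}; net=${pair#*:}
        # anti-spoofing: a packet arriving on this LAN interface must carry a
        # source address from that LAN, or it is dropped before any ACCEPT
        printf '%s -A FORWARD -i %s ! -s %s -j DROP\n' "$ipt" "$intif" "$net"
        # LAN -> Internet: new connections out, only replies and related back in
        printf '%s -A FORWARD -i %s -o %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
            "$ipt" "$intif" "$extif"
        printf '%s -A FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
            "$ipt" "$extif" "$intif"
        # LAN -> every other LAN: NEW is required or no session can ever start
        for other in "$@"; do
            oif=${other%%:*}
            [ "$oif" = "$intif" ] && continue
            printf '%s -A FORWARD -i %s -o %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
                "$ipt" "$intif" "$oif"
        done
    done
    # one POSTROUTING rule on the external interface covers every internal LAN;
    # SNAT needs a fixed address, MASQUERADE uses whatever address EXTIF has now
    if [ "$extip" = dynamic ]; then
        printf '%s -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$ipt" "$extif"
    else
        printf '%s -t nat -A POSTROUTING -o %s -j SNAT --to %s\n' "$ipt" "$extif" "$extip"
    fi
}

# verify_forward_dump EXTIF IF1 [IF2 ...] < iptables-save-output
# Succeeds only if every internal interface has a FORWARD rule that accepts
# NEW connections (or accepts unconditionally) towards EXTIF and towards every
# other internal interface; otherwise names each missing path on stderr.
verify_forward_dump() {
    extif=$1; shift
    dump=$(cat)
    missing=0
    for intif in "$@"; do
        for oif in "$extif" "$@"; do
            [ "$oif" = "$intif" ] && continue
            if ! printf '%s\n' "$dump" |
               grep -qE -- "-A FORWARD -i $intif -o $oif (-j ACCEPT|.*NEW.*-j ACCEPT)"; then
                echo "missing: NEW connections $intif -> $oif are never accepted" >&2
                missing=1
            fi
        done
    done
    return $missing
}

# apply on the gateway:
#   gen_masq_rules eth0 dynamic eth1:192.168.0.0/24 eth2:192.168.1.0/24 | sh
# audit a running gateway:
#   iptables-save | verify_forward_dump eth0 eth1 eth2
```

The generator emits `-m state` because that is what the HOWTO's 2.4/2.6 rulesets use; on current kernels the same matches are spelled `-m conntrack --ctstate`, and iptables-save prints the states in its own order (NEW,RELATED,ESTABLISHED), which is why the audit only looks for the word NEW rather than an exact string.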
6.5.2. ipchains support for multiple internal lans
# 2.2.x kernels with IPCHAINS
#
# The following rules build upon the rc.firewall-ipchains-stronger ruleset.
# Please see that ruleset in Section 6 for how all variables get set, etc.
#Enable internal interfaces to communicate with each other
#(in the ipchains forward chain, -i names the interface the packet will be SENT out on)
$IPCHAINS -A forward -i eth1 -d 192.168.0.0/24 -j ACCEPT
$IPCHAINS -A forward -i eth2 -d 192.168.1.0/24 -j ACCEPT
#Enable internal interfaces to MASQ out to the Internet (one rule per internal network)
$IPCHAINS -A forward -j MASQ -i eth0 -s 192.168.0.0/24 -d 0.0.0.0/0
$IPCHAINS -A forward -j MASQ -i eth0 -s 192.168.1.0/24 -d 0.0.0.0/0
6.5.3. ipfwadm support for multiple internal lans
# 2.0.x kernels with IPFWADM
#
# The following rules build upon the rc.firewall-ipfwadm-stronger ruleset.
# Please see that ruleset in Section 6 for how all variables get set, etc.
#Enable internal interfaces to communicate with each other
/sbin/ipfwadm -F -a accept -V 192.168.0.1 -D 192.168.1.0/24
/sbin/ipfwadm -F -a accept -V 192.168.1.1 -D 192.168.0.0/24
#Enable internal interfaces to MASQ out to the Internet (-W eth0 is the outgoing interface)
/sbin/ipfwadm -F -a masq -W eth0 -S 192.168.0.0/24 -D 0.0.0.0/0
/sbin/ipfwadm -F -a masq -W eth0 -S 192.168.1.0/24 -D 0.0.0.0/0
Please note that it is CORRECT to have "eth0" specified multiple times in the
examples shown above. The Linux kernel needs to know which interface is used
for OUTGOING traffic; since eth0 in the above examples is the Internet
connection, it is listed once for each internal network that is MASQed through it.