Firewall & Routing - help!

Rodolfo J. Paiz rpaiz at
Thu Jun 10 18:07:22 UTC 2004

At 11:09 6/10/2004, James Kosin wrote:
>Kevin F. Berrien wrote:
>| "external subnet" - eth0 -
>| gateway to internet -
>| eth0 ip gw =
>| "internal subnet" - eth1 -
>| eth1 ip gw =
>| test host "internal"
>| ip gw =
><<-- snip -->>
>a)  make a route in that routes traffic for to
>your IP of  This will allow your gateway server/router
>to route packets to this additional network properly.

Remember that the space is reserved for private IP 
addresses. The Internet gateway *cannot* receive traffic from the open 
Internet destined to a 192.168.x.y address... it would be invalid or 
spoofed. The Internet gateway should instead enable masquerading for all 
outbound traffic received from Return traffic will be 
allowed automatically. One easy solution is that the internal server can 
also enable masquerading via eth0 for all traffic received from eth1.

Two masquerading layers, but the solution should work pretty much 
transparently *AS LONG AS* you don't need or want people on the Internet to 
be able to reach those internal machines. If such a thing is desirable, 
you'll have to add additional DNAT rules to both firewalls.

>b)  I don't believe you need a gateway for eth1.  I could be wrong....

You don't. When you have multiple devices like this, each device should 
have its gateway for the local network (or no gateway if *it* is the 
gateway), and then you should have a statement like this in your 
/etc/sysconfig/network file:


So eth0 should have as its gateway for the 
network on which it participates, and eth1 does not need a gateway since it 
*is* the gateway. The GATEWAYDEV line will tell Linux how to route packets 
to the default route correctly. Note that all other machines on the subnet *do* need to have as their gateway.

I just set up something like this yesterday. One subnet ( 
allows outbound masquerading *only* for ports 80 and 443 via a Fedora Core 
2 box with Shorewall and two interfaces. The external interface is part of 
a larger office whose firewall (also FC2+Shorewall) allows outbound 
masquerading to the Internet. Incoming access to port 80 for one box is 
permitted via a DNAT rule in Shorewall. Works like a charm, piece of cake.


Rodolfo J. Paiz
rpaiz at
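The configuration the reply describes (default route pinned with GATEWAYDEV, masquerading on the external interface, reply traffic allowed back by connection tracking, a DNAT rule per masquerading layer if an internal host must be reachable), as an added worked example that is not part of the original thread. The script below builds the sysconfig lines and iptables rules for a two-interface Linux gateway and counts how many masquerading layers sit between the internal subnet and the Internet; interface names, addresses, the port list and the internal host are constructed assumptions, and the `/etc/sysconfig/network` keys are the Red Hat-style ones the reply refers to.

```python
"""Added example (not from the thread): derive the default-route setting and the
masquerading / DNAT rules for a two-interface Linux gateway of the kind the
thread describes. Interface names, addresses and the Red Hat-style
/etc/sysconfig/network keys are assumptions; all addresses are constructed."""
import ipaddress

# RFC 1918 space: the Internet can never deliver a packet addressed into one of
# these ranges, so traffic from them must be masqueraded on the way out.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr_or_net):
    """True if the address or network lies inside RFC 1918 private space."""
    obj = ipaddress.ip_network(addr_or_net, strict=False)
    return any(obj.subnet_of(r) for r in RFC1918)


def nat_layers(gateway_external_ip):
    """Masquerading hops a packet crosses before it carries a public source
    address: two when the gateway's own external address is itself private,
    i.e. the gateway sits behind another masquerading firewall."""
    return 2 if is_rfc1918(gateway_external_ip) else 1


def sysconfig_network(default_gw, gateway_dev):
    """Lines for /etc/sysconfig/network. GATEWAY is the next hop on the external
    subnet; GATEWAYDEV pins the default route to the interface facing it, so the
    internal interface (which *is* the gateway for its subnet) needs none."""
    return [f"GATEWAY={default_gw}", f"GATEWAYDEV={gateway_dev}"]


def masquerade_rules(ext_if, int_if, int_net, tcp_ports=None):
    """iptables rules for outbound masquerading from int_net via ext_if.
    With tcp_ports set, only those destination ports are forwarded (like the
    HTTP/HTTPS-only subnet in the thread). The FORWARD policy is DROP, so the
    only inbound forwarding is replies matched by connection tracking."""
    net = ipaddress.ip_network(int_net, strict=True)
    if not is_rfc1918(str(net)):
        raise ValueError(f"{net} is not RFC 1918 space; masquerading is for private subnets")
    rules = [
        "iptables -P FORWARD DROP",
        f"iptables -t nat -A POSTROUTING -s {net} -o {ext_if} -j MASQUERADE",
    ]
    if tcp_ports:
        ports = ",".join(str(p) for p in tcp_ports)
        rules.append(f"iptables -A FORWARD -i {int_if} -o {ext_if} -s {net} "
                     f"-p tcp -m multiport --dports {ports} -j ACCEPT")
    else:
        rules.append(f"iptables -A FORWARD -i {int_if} -o {ext_if} -s {net} -j ACCEPT")
    # Return traffic is allowed automatically; nothing else gets in.
    rules.append(f"iptables -A FORWARD -i {ext_if} -o {int_if} "
                 f"-m state --state ESTABLISHED,RELATED -j ACCEPT")
    return rules


def dnat_rules(ext_if, int_if, ext_ip, internal_host, port):
    """Expose one internal TCP port inbound: rewrite the destination on entry
    and explicitly allow the forwarded (now internal) destination. Every
    masquerading layer in front of the host needs its own copy of this."""
    return [
        f"iptables -t nat -A PREROUTING -i {ext_if} -d {ext_ip} -p tcp --dport {port} "
        f"-j DNAT --to-destination {internal_host}:{port}",
        f"iptables -A FORWARD -i {ext_if} -o {int_if} -p tcp -d {internal_host} "
        f"--dport {port} -j ACCEPT",
    ]


def gateway_plan(ext_if, ext_ip, default_gw, int_if, int_net,
                 tcp_ports=None, publish=None):
    """Everything the inner gateway needs, plus the number of masquerading
    layers so the operator knows whether the upstream firewall also needs
    a DNAT rule for a published host."""
    plan = {
        "sysconfig": sysconfig_network(default_gw, ext_if),
        "iptables": masquerade_rules(ext_if, int_if, int_net, tcp_ports),
        "nat_layers": nat_layers(ext_ip),
    }
    if publish:  # (internal_host, port) constructed by the caller
        host, port = publish
        plan["iptables"] += dnat_rules(ext_if, int_if, ext_ip, host, port)
    return plan


if __name__ == "__main__":
    # Constructed topology: the office firewall hands the inner gateway a private
    # address, so the inner subnet sits behind two masquerading layers.
    plan = gateway_plan("eth0", "10.0.5.2", "10.0.5.1", "eth1", "192.168.10.0/24",
                        tcp_ports=(80, 443), publish=("192.168.10.20", 80))
    print("\n".join(plan["sysconfig"] + plan["iptables"]))
    print("masquerading layers before the Internet:", plan["nat_layers"])
```

Run as-is it prints the rule set for the constructed topology; `nat_layers` coming back as 2 is the cue that the upstream firewall must carry a matching DNAT rule too, which is the "both firewalls" point in the reply. The `-P FORWARD DROP` policy is what makes the ordering of the appended ACCEPT rules irrelevant.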

