[Gllug] Routing and packetfiltering public IPs

Russell Howe rhowe at siksai.co.uk
Mon Nov 28 11:28:25 UTC 2005


On Sat, Nov 26, 2005 at 04:49:01AM +0000, Dylan wrote:
> Hi All, 
> 
> I currently run a network comprising several desktop machines, a server 
> and a gateway connected to the wild by ADSL. The fixed public IP is 
> passed to the gateway's external interface by the ADSL router and the 
> gateway does packet filtering, NAT, etc... The ADSL router will only 
> connect to one machine when it is in bridging mode.
> 
> I'm looking to get an 8 IP block but I'm not at all clear as to how to 
> configure the gateway for them. There are more machines on the internal 
> network than available IP addresses (5 addresses, discounting the 
> network address, broadcast and router, and eight machines.) I intend to 
> assign the addresses to a DMZ mail and ftp server and the remaining 4 
> to four of the desktop boxes.

You could do what I do, and cheat...

My address range is 82.133.8.8/29 (6 usable addresses, one network, one
broadcast) and my ISP routes it through my static IP address they assign
to the PPP connection (82.133.120.56).

I configure my LAN to be 82.133.8.0/24, and I can then use all 8
addresses on the LAN, although this means that I can no longer access
82.133.8.[0-7] or .[16-255] (nor can they access me). You could probably
live quite happily with that... those addresses are likely to be other
users at your ISP and may not even be assigned.

If, like me, you consider that to be utterly broken and nasty, just make
your gateway proxyarp for those addresses on your LAN segment, and add
routes for the ranges to the internet. That way if one of my LAN boxes
tries to (say) contact 82.133.8.3, then my gateway will give an ARP
response and pass the packets off onto the internet to be responded to.

With this scenario, you still have two addresses on the internet you
cannot contact, but since they're 82.133.8.0 and 82.133.8.255, it's quite
likely those addresses aren't assigned to a host anyway, so you're not
missing out on anything.

This is my /etc/network/interfaces file on my gateway. You'll see
that it's not quite as I described (I'm using a /28, not a /24, and my
default route is actually my second gateway box, which is the other side
of a wifi link), but the idea is generally the same.

I think with the 'arp' command you can specify a netmask, so it should
be possible to replace all the entries below with a single command.

# ath0: wifi link to the second gateway box, which carries the default route
auto ath0
iface ath0 inet static
        address 192.168.254.2
        netmask 255.255.255.0
        broadcast 192.168.254.255
        gateway 192.168.254.1
        pre-up /sbin/modprobe ath_pci
        pre-up /sbin/iwpriv ath0 mode 3
        pre-up /sbin/iwconfig ath0 essid "no127" mode managed
        # addresses in the LAN's range that are not ours go out via the wifi gateway
        up route add -net 82.133.8.0 netmask 255.255.255.248 gw 192.168.254.1
        up route add -net 82.133.8.16 netmask 255.255.255.240 gw 192.168.254.1
        # proxy ARP: answer on eth0 for .1-.7 so LAN boxes can reach them
        up arp -Ds 82.133.8.1 eth0 pub
        up arp -Ds 82.133.8.2 eth0 pub
        up arp -Ds 82.133.8.3 eth0 pub
        up arp -Ds 82.133.8.4 eth0 pub
        up arp -Ds 82.133.8.5 eth0 pub
        up arp -Ds 82.133.8.6 eth0 pub
        up arp -Ds 82.133.8.7 eth0 pub
        # traffic shaping on the wifi link
        up /usr/local/sbin/mywshaper.htb start ath0 1800 220

# eth0: the LAN segment carrying the public block
auto eth0
iface eth0 inet static
        address 82.133.8.14
        netmask 255.255.255.224
        broadcast 82.133.8.15

-- 
Russell Howe       | Why be just another cog in the machine,
rhowe at siksai.co.uk | when you can be the spanner in the works?
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug