Firewall Wizards mailing list archives

Re: two networks same proxy server


From: "Paul D. Robertson" <proberts () patriot net>
Date: Mon, 24 Mar 2003 22:20:10 -0500 (EST)

On Mon, 24 Mar 2003, Robert E. Martin wrote:

> This may be the wrong place to ask this but here goes....
> 
> I have two networks
> 192.168.98.x
> 192.168.99.x
> 
> and one proxy server
> 192.168.99.10
> 
> I have a Linux box, Mandrake 7 with 3 interfaces
> eth0
> eth1
> eth2
> The Linux box runs ipchains as a firewall....
> 
> I want the 98 and 99 network to use the same proxy server.
> 
> This proxy is an iPrism appliance. I have set ip routes inside of it to 
> tell it where the networks are.
> 192.168.98.0 lives on eth2:1 192.168.99.x
> 
> Also, I have tried secondary addresses on the interfaces:
> 
> eth0 216.12.31
> eth1 192.168.99
> eth2 192.168.98
> eth2:1 192.168.99

You can't have two interfaces with the same address, in this case, you've 
got both eth1 and eth2's shadow with the same address.  It almost sounds 
like both the Linux box and the proxy are sitting on both networks, which 
is more than slightly confusing.


> Clear as mud, right?
> 
> I have tried to route across the box to the 98 network and had no luck. 
> I am kind of new to the routing thing so any help would be appreciated.

If it's the Linux box that is acting as the router, then it needs to have IP 
forwarding turned on, and it needs to be the gateway for the boxes it's 
routing for (with the appropriate interface address for the network it's 
sitting on as the route).  Its own routing tables will handle the rest of 
it, but the interfaces need to not have the same IP address.  There's 
probably a copy of the Linux Network Administration Guide by Olaf Kirch 
lying around the Net somewhere, and likely that or one of the newer LDP 
documents will help you.

If the proxy is off of one leg of the Linux box, then some traffic will 
have to transit that box twice to get out (assuming the Linux box is the 
gateway out to the rest of the world), so it should probably sit on 
the segment with the highest utilization.  That is, if the bulk of the 
clients live on the .98 subnet *and* the proxy isn't vulnerable to attack 
from them, then it should probably live there too, so that the traffic 
doesn't have to go through the Linux box from client to proxy, then again 
from proxy to Internet.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
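The points Paul makes (no two interfaces with the same address, IP forwarding on, the Linux box's own address on each wire as that subnet's gateway, and a route on the proxy back to the other subnet) can be checked mechanically. The script below is an added example and is not from the post or from either author. The subnets and the proxy address are the ones in the thread; the Linux box's host addresses (.1 on each wire) and the use of the iproute2 `ip` command rather than the ifconfig/route tools a Mandrake 7 box would have had are assumptions. It only prints the configuration, it does not apply it.

```shell
#!/bin/sh
# Added example (not from the list post): validate an interface/address plan for
# the conflict described in the reply (the same address on eth1 and eth2:1) and,
# for a clean plan, print the commands that make the Linux box the router between
# the two subnets. Assumed: the box owns .1 on each wire; iproute2 is available.

# Interface plans, one "iface address/prefix" per line. Constructed from the
# post: the first repeats the conflicting secondary address, the second fixes it.
BAD_PLAN='eth1 192.168.99.1/24
eth2 192.168.98.1/24
eth2:1 192.168.99.1/24'

GOOD_PLAN='eth1 192.168.99.1/24
eth2 192.168.98.1/24'

# check_plan PLAN: exit 1 (and name the offenders) if any address is assigned
# to more than one interface, which is the situation the reply objects to.
check_plan() {
    printf '%s\n' "$1" | awk '
        NF == 2 {
            if ($2 in first) {
                printf "conflict: %s is on %s and on %s\n", $2, first[$2], $1
                bad = 1
            } else {
                first[$2] = $1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# gateway_for PLAN NET: the address hosts on NET (e.g. 192.168.98) should use
# as their default gateway, i.e. the Linux box's own address on that wire.
gateway_for() {
    printf '%s\n' "$1" | awk -v p="$2." '
        NF == 2 && index($2, p) == 1 { sub(/\/.*/, "", $2); print $2; exit }'
}

# router_commands PLAN: print (do not run) the configuration for the Linux box:
# a distinct address per interface plus IP forwarding. Refuses a conflicting plan.
router_commands() {
    check_plan "$1" >/dev/null || return 1
    echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    printf '%s\n' "$1" | while read -r iface addr; do
        [ -n "$iface" ] || continue
        echo "ip addr add $addr dev $iface"
        echo "ip link set $iface up"
    done
}

# proxy_route PLAN: the static route the proxy on the .99 wire (192.168.99.10 in
# the thread) needs so that replies to .98 clients go back via the Linux box.
proxy_route() {
    echo "ip route add 192.168.98.0/24 via $(gateway_for "$1" 192.168.99)"
}

# Stand-alone run: show the conflict, then the working configuration.
check_plan "$BAD_PLAN" || echo "rejected plan with a duplicated address"
router_commands "$GOOD_PLAN"
echo "# on the proxy:"
proxy_route "$GOOD_PLAN"
```

Hosts on 192.168.98.0/24 point their default gateway at 192.168.98.1 and hosts on 192.168.99.0/24 at 192.168.99.1; the proxy additionally needs the explicit route printed last, otherwise traffic from the .98 clients reaches it but its replies have nowhere to go.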


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards