Bill Jonas on Sun, 12 Aug 2001 18:18:16 -0400



Re: [PLUG] Accessing IP-dependent pages from home...


On Sun, Aug 12, 2001 at 04:53:16PM -0400, Guillermo Moyna wrote:
> I think I should be able to do this with minimal problems. What still 
> puzzles me is, how will the machine know it has to use its 10.x IP
> (and gateway) when connecting to the world through lynx or netscape?

[Warning: Long-winded ramble about routing follows.  If you want to skip
this, head down about 7 paragraphs, to the next quoted portion.]

It depends on what hostname/IP address you use.  If you look at the
output of route(8), it will have at least two routes, assuming it can
reach the public internet.  One of these will have a destination of
0.0.0.0, which is your default route.  This, as you probably know, is
for your default gateway, which is used if no other route matches.
You'll have another route, which is based on your IP address and netmask
-- for example, my workstation at home has an IP address of 10.1.1.2 and
a netmask of 255.255.255.0.  There is an entry in my routing table for
10.1.1.0, and it has a gateway of 0.0.0.0, which means that it's locally
accessible from the card (i.e., no gateway is needed, just drop the
packets onto the wire).  When you configure a second interface, another
"local" route automatically gets added to the routing table, so you
shouldn't have to do anything special after you configure the interface.
OTOH, depending on your network topology, you might have to add a
special route for 10.0.0.0.

You manage the routing table through the route(8) user-space tool, and
the kernel decides, based on the routing table, where to send the
packets it receives.  It will decide where to send the packet based on
most specific to least specific.  For example, suppose you had a routing
table that looked like the following:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.172.185.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.61.206.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth1
10.0.0.0        10.61.206.1     255.0.0.0       UG    0      0        0 eth1
0.0.0.0         192.168.10.1    0.0.0.0         UG    0      0        0 eth0

Now, suppose you have a packet with a destination address of
192.168.10.25.  The most specific route pertaining to this packet is the
first line.  Since it's locally accessible (there's no gateway listed
for it), it just gets sent out eth0 as-is.  Same way if you had a packet
destined for 10.172.185.58; the second line above is what would govern,
except that packet would get sent out your eth1 interface.

Imagine, though, you were trying to reach 10.20.30.40.  Line 4
(10.0.0.0, netmask 255.0.0.0 (or, more simply, 10.0.0.0/8)) is what
would govern.  But wait!  The gateway specified is 10.61.206.1, which
the kernel needs to know how to get to.  So the kernel consults the
routing table again, and finds that it can just dump the packet onto the
wire, out the eth1 interface (line number 3, above).  As a final
example, suppose you were trying to reach 11.12.13.14.  None of the
other, more specific, entries match, so the final line is used.

Note that the kernel is sensitive to the order in which you add the
routing table entries.  For example, if we'd tried to add the route on
line 4 before we'd added the route on line 3, the kernel wouldn't let us
do that since it doesn't yet know how to get to that host.  (You'd get a
"Host unreachable" error.)  So you first have to tell the system how to
reach 10.61.206.1 before you can specify that host as a gateway.  (Our
default route, 192.168.10.1, became reachable when we brought eth0 up.)

Admittedly, this is somewhat of a contrived and complex example, but it
illustrates quite a lot about basic routing.  I won't go into dynamic
routing (via routed or similar), mostly because I haven't used it and
I'm therefore unfamiliar with it :), but also because I don't foresee you
needing it.  (Static routing is all that most people need; dynamic
routing is mostly only used by ISPs.)

[Setting up a proxy]
> Now, this is what I had originally thought about, but after getting 
> some info I was utterly confused. How would this work? I believe
> that I have to set up a proxy server on tonga (that should use the 
> 10.x router), and then somehow access it from home using a browser, 
> right? How? Will I be prompted for passwords (I hope so, otherwise 
> anyone could access the databases and everything else, as I would 
> have left a nice big hole in the firewall...).

Basically, you'd set up a proxy and tell it to require a password and
only permit connection to the host which you want to access outside the
firewall.  (I know that Squid (http://www.squid-cache.org/) can do these
things, but while I've used it before, it was only as a simple caching
proxy.  I never did any of the more advanced stuff.)  Alternatively, you
could use IPChains or IPTables to limit access to the port the proxy
runs on (in Squid's case, 3128 by default, but that's configurable) to
only specified IP addresses.  (Of course, this will only work if all
your users have static IP addresses, unfortunately.)  Then, in your
browser configuration, you'd tell it to use the proxy.  Unfortunately,
I'm not sure if you can tell the major browsers to use the proxy for
only a certain host or not.  I *do* know that in Konqueror you can say,
"Don't use a proxy for these hosts", but that's not so useful.  The
drawback is, of course, that you'd have to go and manually change the
settings each time you wanted to switch from using the proxied host to
doing regular web browsing, and vice-versa.  Or you could just use a
different web browser for the USP resource you're accessing and the rest
of the web.

Anyway, I apologize for my long-windedness.  I hope I was helpful, at
least.  :)

-- 
Bill Jonas    *    bill@billjonas.com    *    http://www.billjonas.com/
"As we enjoy great advantages from the inventions of others,  we should
be glad of an opportunity to serve others by any invention of ours; and
this we should do freely and generously."          -- Benjamin Franklin
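A worked version of the lookup Bill walks through above, added here as an example and not part of his message. It loads the five-line routing table from the post, picks the most specific matching entry, does the second lookup needed when a route points at a gateway, and refuses to add a route whose gateway is not yet reachable, the way the post describes. Modelling that refusal as "the gateway must fall under a directly connected route" is an assumption for the example, not the kernel's actual check.

```python
import ipaddress

# The routing table from the post, in the order the entries were added.
# Each entry is (Destination, Gateway, Genmask, Iface) as route(8) prints it.
# A gateway of "0.0.0.0" means "directly reachable on this interface".
ROUTES = [
    ("192.168.10.0", "0.0.0.0",      "255.255.255.0",   "eth0"),
    ("10.172.185.0", "0.0.0.0",      "255.255.255.0",   "eth1"),
    ("10.61.206.1",  "0.0.0.0",      "255.255.255.255", "eth1"),
    ("10.0.0.0",     "10.61.206.1",  "255.0.0.0",       "eth1"),
    ("0.0.0.0",      "192.168.10.1", "0.0.0.0",         "eth0"),
]

DIRECT = "0.0.0.0"


def _network(route):
    """Destination + Genmask as an IPv4Network (0.0.0.0/0.0.0.0 is the default)."""
    dest, _gw, mask, _iface = route
    return ipaddress.IPv4Network(f"{dest}/{mask}")


def best_route(table, dst):
    """Most-specific match: among entries whose network contains dst, the one
    with the longest prefix wins.  Returns None when nothing matches (which
    only happens if there is no default route)."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in _network(r)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: _network(r).prefixlen)


def resolve(table, dst):
    """Return (next_hop, iface): the address the packet is actually handed to
    on the wire and the interface it leaves on.  For a directly connected
    route the next hop is dst itself; otherwise it is the gateway, which the
    kernel has to look up a second time."""
    route = best_route(table, dst)
    if route is None:
        raise LookupError(f"no route to {dst}")
    _dest, gw, _mask, iface = route
    if gw == DIRECT:
        return dst, iface
    # Second lookup: how do we reach the gateway?
    gw_route = best_route(table, gw)
    if gw_route is None or gw_route[1] != DIRECT:
        raise LookupError(f"gateway {gw} is not directly reachable")
    return gw, gw_route[3]


def add_route(table, dest, gw, mask, iface):
    """Append a route.  Returns False (mirroring the 'Host unreachable' error
    the post mentions) if the gateway is not yet covered by a directly
    connected entry; this ordering rule is the example's assumption."""
    if gw != DIRECT:
        gw_route = best_route(table, gw)
        if gw_route is None or gw_route[1] != DIRECT:
            print(f"refusing {dest}/{mask} via {gw}: gateway unreachable")
            return False
    table.append((dest, gw, mask, iface))
    return True


if __name__ == "__main__":
    # The four packets from the post.
    for dst in ("192.168.10.25", "10.172.185.58", "10.20.30.40", "11.12.13.14"):
        hop, dev = resolve(ROUTES, dst)
        print(f"{dst:15} -> next hop {hop:15} via {dev}")

    # Order matters: adding line 4 before line 3 is refused.
    table = ROUTES[:2]
    add_route(table, "10.0.0.0", "10.61.206.1", "255.0.0.0", "eth1")      # refused
    add_route(table, "10.61.206.1", DIRECT, "255.255.255.255", "eth1")    # line 3
    add_route(table, "10.0.0.0", "10.61.206.1", "255.0.0.0", "eth1")      # now ok
    print(f"{len(table)} routes after adding in the right order")
```

Running it prints the next hop for each of the four destinations discussed (10.20.30.40 goes to 10.61.206.1 on eth1, 11.12.13.14 to 192.168.10.1 on eth0) and shows the 10.0.0.0/8 route being refused until the host route for its gateway exists.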


______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug