6.5. IP Masquerading multiple internal networks

Masquerading more than one internal network is fairly simple. You need to first make sure that all of your networks are running correctly (both internal and external). You then need to enable traffic to pass to both the other internal interfaces and to be MASQed to the Internet.

Next, you need to enable Masquerading on the INTERNAL interfaces. This example uses a total of THREE interfaces: EXTIF stands for the eth0 interface which is the EXTERNAL connection to the Internet. INTIF stands for the eth1 interface and is the 192.168.0.0 network. Finally, INTIF2 stands for the eth2 interface and is the 192.168.1.0 network. Both INTIF and INTIF2 will be MASQed out of interface eth0 or EXTIF. In your rc.firewall-* ruleset next to the existing MASQ at the very end of the ruleset, add the following:

6.5.1. iptables support for multiple internal lans

# 2.6.x and 2.4.x kernels with IPTABLES
#
# The following rules build upon the rc.firewall-iptables-stronger ruleset.
# Please see that ruleset in Section 6 for how all variables get set, etc.


  #Enable internal interfaces to communication between each other
  #
  $IPTABLES -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED \
 -j ACCEPT
  $IPTABLES -A FORWARD -i $INTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED \
 -j ACCEPT
  $IPTABLES -A FORWARD -i $INTIF2 -o $INTIF -m state --state ESTABLISHED,RELATED \
 -j ACCEPT

  $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

6.5.2. ipchains support for multiple internal lans

# 2.2.x kernels with IPCHAINS
#
# The following rules build upon the rc.firewall-ipchains-stronger ruleset.
# Please see that ruleset in Section 6 for how all variables get set, etc.

  #Enable internal interfaces to communication between each other
  $IPCHAINS -A forward -i eth1 -d 192.168.0.0/24 -j ACCEPT
  $IPCHAINS -A forward -i eth2 -d 192.168.1.0/24 -j ACCEPT

  #Enable internal interfaces to MASQ out to the Internet
  $IPCHAINS -A forward -j MASQ -i eth0 -s 192.168.0.0/24 -d 0.0.0.0/0
  $IPCHAINS -A forward -j MASQ -i eth0 -s 192.168.1.0/24 -d 0.0.0.0/0

6.5.3. ipfwadm support for multiple internal lans

# 2.0.x kernels with IPFWADM
#
# The following rules build upon the rc.firewall-ipfwadm-stronger ruleset.
# Please see that ruleset in Section 6 for how all variables get set, etc.

  #Enable internal interfaces to communication between each other
  /sbin/ipfwadm -F -a accept -V 192.168.0.1 -D 192.168.1.0/24
  /sbin/ipfwadm -F -a accept -V 192.168.1.1 -D 192.168.0.0/24

  #Enable internal interfaces to MASQ out to the Internet 
  /sbin/ipfwadm -F -a masq -W eth0 -S 192.168.0.0/24 -D 0.0.0.0/0
  /sbin/ipfwadm -F -a masq -W eth0 -S 192.168.1.0/24 -D 0.0.0.0/0

Please note that it is CORRECT to have "eth0" specified multiple times for the exmples shown above. The reason for this is the Linux kernel needs to know which interface is used for OUTGOING traffic. Since eth0 in the above examples is the Internet connection, it is listed for each internal interface.