  1. #1 (Just Joined!, Join Date: Nov 2004, Posts: 2)

    Advanced Linux Firewall (2 ISP, 2 Networks)


    Hello all. I am new to the board. Hope you can help shed some light on this problem I need to solve.

    I have 2 ISPs (one is DSL (using PPPoE) and the other is cable).
    The building has two networks (192.168.1.0/24 & 192.168.2.0/24).

    Server: Slackware 10.0 (On a PIII-550 / 128 Megs Ram / 40 Gig Drive)
    Services on the Box: HTTP (Apache,PHP,Mysql) / SFTP / Iptables Routing, DHCP Server

    The box is up and running on the PPPoE (DSL) connection.
    The ADSL modem is connected to the switch, then eth0 is connected to the switch.

    Giving me This Configuration

    eth0: 192.168.1.100
    ppp0: 64.58.3.124 (example; dynamic) (client: Roaring Penguin)

    One interface is used to create one virtual interface (ppp0)

    Anyway, the problem is I will be installing a second NIC (eth1) and hooking it up to cable.

    I need iptables to do some routing as follows:

    - All IP's from 192.168.1.0/24 need to use the ppp0 connection
    - All IP's from 192.168.2.0/24 need to use the eth1 (Cable) connection

    Unless one of the interfaces drops. Then it will route all traffic to the connection that is working.

    I am currently using the MonMotha rc.firewall script. But not sure if I can modify it for my needs.

    I found this on a site (for splitting the connections):

    # Single external interface, two internal networks, two static external addresses
    EXTIF="eth0"
    INTNET1="192.168.1.0/24"
    INTNET2="192.168.2.0/24"
    EXTIP1="123.123.123.11"
    EXTIP2="123.123.123.12"

    # Rewrite the source address of each internal network to its own external address
    iptables -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j SNAT --to $EXTIP1
    iptables -t nat -A POSTROUTING -o $EXTIF -s $INTNET2 -j SNAT --to $EXTIP2

    But seeing the IP is dynamic, I would need to reload the firewall every time the IP changes. Which is not really a problem. I can work with that.

    The second issue is failover in case one connection drops.

    I found this...

    # Two default routes, both on eth0 (net-tools "route" syntax)
    # route add default gw 192.168.1.2 dev eth0
    # route add default gw 192.168.2.2 dev eth0

    Not sure how to incorporate all this. (Trying to keep/modify the Mon Montha Firewall Script)

    Help. Please I am trying to avoid using m0n0wall.
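
One way to get both the per-network split and the failover the question asks for, as an added example that is not code from the thread or from the MonMotha script: iproute2 policy routing (one routing table per uplink, selected by `ip rule` on the source network) plus iptables MASQUERADE, and a cron-driven probe that re-points the rules when an uplink dies. Interface names and LAN ranges are the poster's; the cable gateway, the table ids, the two probe hosts and the rule priorities are assumed values. With `DRY_RUN=1` (the default) the script only prints the commands it would run.

```sh
#!/bin/sh
# Added example for this thread, not the poster's code or the MonMotha script.
# Source-based policy routing for two uplinks with simple failover, using
# iproute2 ("ip") and iptables, both present on a Slackware 10 box.
# Assumed: cable gateway, table ids, probe hosts, rule priorities.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them as root.

LAN1="192.168.1.0/24"              # should prefer DSL (ppp0)
LAN2="192.168.2.0/24"              # should prefer cable (eth1)
DSL_IF="ppp0"
CABLE_IF="eth1"
CABLE_GW="${CABLE_GW:-10.0.0.1}"   # assumed: the cable modem's gateway address
DSL_TABLE=100                      # assumed table ids; name them in /etc/iproute2/rt_tables
CABLE_TABLE=200
PROBE_DSL="${PROBE_DSL:-192.0.2.1}"        # assumed: a pingable host, reached only via DSL
PROBE_CABLE="${PROBE_CABLE:-198.51.100.1}" # assumed: a pingable host, reached only via cable
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# One routing table per uplink, holding only that uplink's default route.
# ppp0 is point-to-point, so its default route needs no "via" address.
setup_tables() {
  run ip route replace default dev "$DSL_IF" table "$DSL_TABLE"
  run ip route replace default via "$CABLE_GW" dev "$CABLE_IF" table "$CABLE_TABLE"
  # Host routes in the main table pin each probe host to one uplink, so a
  # plain ping tells us whether that specific uplink works end to end.
  run ip route replace "$PROBE_DSL" dev "$DSL_IF"
  run ip route replace "$PROBE_CABLE" via "$CABLE_GW" dev "$CABLE_IF"
  # MASQUERADE reads the outgoing interface's current address per packet,
  # so the dynamic ppp0 address needs no firewall reload when it changes.
  run iptables -t nat -A POSTROUTING -o "$DSL_IF" -j MASQUERADE
  run iptables -t nat -A POSTROUTING -o "$CABLE_IF" -j MASQUERADE
}

# Replies from the box's own services (HTTP, SFTP) must leave on the uplink
# the request arrived on. Call with that uplink's current address, e.g. from
# pppd's /etc/ppp/ip-up with the new ppp0 address (assumed priority 50).
pin_local_addr() {   # $1 = local address, $2 = table id
  run ip rule add from "$1/32" lookup "$2" priority 50
}

# Decide which table each LAN uses from link state (1 = up, 0 = down).
# A LAN leaves its preferred uplink only when that uplink is down and the
# other one is up; with both down the preferred choice stays.
# Prints "<table for LAN1> <table for LAN2>".
select_tables() {   # $1 = dsl_up, $2 = cable_up
  t1="$DSL_TABLE"
  t2="$CABLE_TABLE"
  if [ "$1" = "0" ] && [ "$2" = "1" ]; then t1="$CABLE_TABLE"; fi
  if [ "$2" = "0" ] && [ "$1" = "1" ]; then t2="$DSL_TABLE"; fi
  echo "$t1 $t2"
}

# Install (or move) the source-based rules for the two LANs.
apply_rules() {   # $1 = dsl_up, $2 = cable_up
  set -- $(select_tables "$1" "$2")
  # Remove the previous rule at each priority (ignore "not found"), then add.
  run ip rule del from "$LAN1" priority 100 || true
  run ip rule del from "$LAN2" priority 200 || true
  run ip rule add from "$LAN1" lookup "$1" priority 100
  run ip rule add from "$LAN2" lookup "$2" priority 200
  # 2.4/2.6 kernels cache routing decisions; flush so the new rules take effect.
  run ip route flush cache
}

# Liveness probe: a link can be up at layer 2 and still dead upstream,
# so ping a host that is only reachable through the uplink being tested.
link_up() {   # $1 = probe host
  ping -c 2 -w 3 "$1" >/dev/null 2>&1
}

# Run from cron every minute: re-evaluate both uplinks and re-point the rules.
failover_check() {
  if link_up "$PROBE_DSL"; then d=1; else d=0; fi
  if link_up "$PROBE_CABLE"; then c=1; else c=0; fi
  apply_rules "$d" "$c"
}

case "${1:-}" in
  setup) setup_tables; apply_rules 1 1 ;;
  check) failover_check ;;
  *) echo "usage: $0 setup|check   (set DRY_RUN=0 to execute)" >&2 ;;
esac
```

Two caveats a practitioner should expect. Connections that were already NATed out of the dead uplink do not survive a failover: their translated source address belongs to that link, so they time out and clients reconnect over the working one. And the firewall script's own FORWARD rules still have to permit traffic between each LAN and both uplinks; the policy routing above only decides which way packets go, not whether they are allowed.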

  2. #2 (Linux Enthusiast, Join Date: Jun 2002, Location: San Antonio, Posts: 621)
    Good setup, but this will not be able to be done with just IPTables and routing tables. In order to get hot failover, you will need to setup bandwidth arbitration, which I am not familiar enough with to give you any hints besides telling you to visit tldp.org.

    Also, IPTables is only for NATting internal IPs to external interfaces. I wouldn't worry about IPTables until after you get your machine setup and able to ping both services correctly. You should be able to do this with routing tables. I am not sure where to setup static routes in slackware 10, but the manual commands would be:

    route add -net 192.168.1.0 gw 192.168.1.1 netmask 255.255.255.0 ppp0
    route add -net 192.168.2.0 gw 192.168.2.1 netmask 255.255.255.0 eth1

    (I think). Once you are able to ping the gateway on both ppp0 and eth1 (the 192.168.1.1 and .2.1), you will be in much better shape to setup the bandwidth arbitration which gives you hot failover.

    Let us know how it goes.

    Best,

    Samuel
    I respectfully decline the invitation to join your delusion.

  3. #3 (Just Joined!, Join Date: Nov 2004, Posts: 2)
    Thank you for the info. I will try and look into your suggestions today.

    Will keep you posted.
