Advanced Linux Firewall (2 ISP, 2 Networks)

Hello all. I am new to the board. Hope you can help shed some light on this problem I need to solve.

I Have 2 ISPS ( One is DSL (Using PPPoE) and the Other is Cable )
The Building Has two Networks (192.168.1.0/24 & 192.168.2.0/24)

Server: Slackware 10.0 (On a PIII-550 / 128 Megs Ram / 40 Gig Drive)
Services on the Box: HTTP (Apache,PHP,Mysql) / SFTP / Iptables Routing, DHCP Server

The box is up and running on the PPPoE (DSL) Connection.
The ADSL Modem is connected to the Swtich then Eth0 is connected to the switch.

Giving me This Configuration

Eth0: 192.168.1.100
ppp0: 64.58.3.124 (ex:) (*Dynamic) (Client: Roaring-Penguin)

One interface is used to create one virtual interface (ppp0)

Anyway, the problem is I will be installing a second nic (Eth1) and hoooking it up to Cable.

I need IPTABLES to do some routing as follows

- All IP's from 192.168.1.0/24 need to use the ppp0 connection
- All IP's from 192.168.2.0/24 need to use the eth1 (Cable) connection

Unless. One of the interfaces drop. Then it will route all traffic to the connection that is working.

I am currently using the Mon Montha rc.firewall script. But not sure if I can modify it for my needs.

I found this on a site (For splitting the connections):
EXTIF="eth0"
INTNET1="192.168.1.0/24"
INTNET2="192.168.2.0/24"
EXTIP1="123.123.123.11"
EXTIP2="123.123.123.12"

iptables -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j SNAT --to $EXTIP1
iptables -t nat -A POSTROUTING -o $EXTIF -s $INTNET2 -j SNAT --to $EXTIP2

But seeing the IP is dynamic, I would need to reload the firewall everytime the IP changes. Which is not really a problem. I can work with that.

The second issue is failover in case one connection drops.

I found this...
# route add default gw 192.168.1.2 dev eth0
# route add default gw 192.168.2.2 dev eth0

Not sure how to incorporate all this. (Trying to keep/modify the Mon Montha Firewall Script)

Help. Please :cry: I am trying to avoid using m0n0wall. :lol:

Good setup, but this will not be able to be done with just IPTables and routing tables. In order to get hot failover, you will need to setup bandwidth arbitration, which I am not familiar enough with to give you any hints besides telling you to visit tldp.org.

Also, IPTables is only for NATting internal IPs to external interfaces. I wouldn't worry about IPTables until after you get your machine setup and able to ping both services correctly. You should be able to do this with routing tables. I am not sure where to setup static routes in slackware 10, but the manual commands would be:

route add -net 192.168.1.0 gw 192.168.1.1 netmask 255.255.255.0 ppp0
route add -net 192.168.2.0 gw 192.168.2.1 netmask 255.255.255.0 eth1

(I think). Once you are able to ping the gateway on both ppp0 and eth1 (the 192.168.1.1 and .2.1), you will be in much better shape to setup the bandwidth arbitrtation which gives you hot failover.

Let us know how it goes.

Best,

Samuel

Thank you for the info. I will try and look into your suggestions today.

Will keep you posted. :D