Re: Fedora Firewall with multiple public IPs

> > As far as I'm concerned, it should follow these ‘basic’ rules:
> >
> > - All traffic goes via my unlimited connection (with the
> >   exception of)
> > - Email – goes via an SMTP relay for one of our providers, which
> >   has been added to our DNS
> > - SIP traffic goes via the same provider, as they provide a rock
> >   solid connection
> >
> > If my A1 provider is absent for any reason, then use my B1 provider,
> > until A1 comes back up. Any ideas and suggestions will be appreciated :-)
> >
> Make the cheap unlimited ISP the default route, use the mangle table to MARK the 
> connections you want to go through the other ISP, then use a source route based 
> on the MARK to force the packets out the non-default interface. Use the nat 
> table to SNAT the marked packets to the correct source address.
> 
> I do that at several sites.
> 

I recently did that for a VPN server, you could probably do something
like the following (after making the unlimited connection your default):

# Flush a route table (to make sure there is nothing in it)
# You can pick any number, I chose 300

ip route flush table 300

# Delete the fwmark rule that we are going to use (0x50 is used here)

ip rule del fwmark 0x50

# Create the mangle rule to mark source packets (SMTP for example)
# The --set-mark 80 corresponds to the fwmark 0x50 (0x50 hex is 80 decimal)

iptables -t mangle -A OUTPUT -p tcp --sport 25 -j MARK --set-mark 80

# Do something similar for each of the SIP ports you want to open

# Set the default route for table 300

ip route add table 300 default via <your second connection gateway>

# Add the fwmark rule pointing at table 300

ip rule add fwmark 0x50 table 300

You can easily MARK additional ports to send out the more stable
connection by adding more iptables rules.

Also, make sure that the ports have been opened in iptables so they can
get through.

Good luck,

Tait
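The mark-and-route scheme described in the two replies above, written out as an added example that is not from the thread. It assumes a Linux router whose stable uplink is eth1 (gateway 203.0.113.1, address 203.0.113.10), an SMTP relay at 198.51.100.25 and a placeholder RTP port range, and it goes beyond the reply by using CONNMARK so both directions of a connection stay on the same link and by adding the SNAT and reverse-path pieces the earlier reply mentions:

```shell
#!/bin/sh
# Added example, not from the thread: a Linux router with two uplinks sends
# everything out the default route except outbound mail to the provider's
# relay and SIP, which are marked and policy-routed out the stable ISP.
# Interface, gateway, relay and address values below are assumed placeholders.
# DRY_RUN=1 prints the commands instead of executing them (needs root otherwise).
WAN_A="eth1"; GW_A="203.0.113.1"; IP_A="203.0.113.10"   # stable ISP uplink
RELAY="198.51.100.25"                                   # provider's SMTP relay
RTP_PORTS="10000:20000"                                 # adjust to your PBX
TABLE=300; MARK=0x50

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

apply_policy_routing() {
    # Start from a clean table and rule so the script can be re-run safely.
    run ip route flush table "$TABLE"
    run ip rule del fwmark "$MARK" table "$TABLE" 2>/dev/null || true
    run ip route add table "$TABLE" default via "$GW_A" dev "$WAN_A"
    run ip rule add fwmark "$MARK" table "$TABLE"

    # PREROUTING covers LAN hosts behind the router, OUTPUT the router itself.
    for chain in PREROUTING OUTPUT; do
        # Restore the connection mark so every packet of an already classified
        # connection keeps the same route, then stop processing it.
        run iptables -t mangle -A "$chain" -j CONNMARK --restore-mark
        run iptables -t mangle -A "$chain" -m mark '!' --mark 0 -j ACCEPT
        # Classify new connections: SMTP to the relay, SIP signalling and RTP.
        run iptables -t mangle -A "$chain" -p tcp -d "$RELAY" --dport 25 -j MARK --set-mark "$MARK"
        run iptables -t mangle -A "$chain" -p udp --dport 5060 -j MARK --set-mark "$MARK"
        run iptables -t mangle -A "$chain" -p udp --dport "$RTP_PORTS" -j MARK --set-mark "$MARK"
        if [ "$chain" = PREROUTING ]; then
            # Connections arriving on the stable link must answer on it too,
            # or the replies leave via the default ISP with the wrong source.
            run iptables -t mangle -A "$chain" -i "$WAN_A" -m conntrack --ctstate NEW -j MARK --set-mark "$MARK"
        fi
        run iptables -t mangle -A "$chain" -j CONNMARK --save-mark
    done

    # Marked packets leave with the stable ISP's address; without this SNAT the
    # upstream provider sees the other ISP's source address and drops them.
    run iptables -t nat -A POSTROUTING -o "$WAN_A" -m mark --mark "$MARK" -j SNAT --to-source "$IP_A"
    # Strict reverse-path filtering would discard asymmetric packets on WAN_A.
    run sysctl -q -w "net.ipv4.conf.$WAN_A.rp_filter=2"
}

case "${1:-}" in apply) apply_policy_routing ;; esac
```

Preview with `DRY_RUN=1 sh twoisp.sh apply` before running it as root, and check the result with `ip rule show` and `ip route show table 300`.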


-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines