hi, first, i'd like to say i'm so happy this list is finally back up!!!!

my situation is that i have two cable modems connected to two different 2.4.2 boxes:

box A (eth0 x.x.x.x, eth1 10.1.1.1/24)
box B (eth0 x.x.x.x, eth2 10.2.2.1/24)

those two connect to a central 2.4.2 machine with 5 nics:

box C (eth0 10.0.0.1/24, eth1 10.1.1.2/24, eth2 10.2.2.2/24, eth3 10.3.3.1/24, eth4 10.4.4.1/24)

10.0.0.0/24 is cisco management subnet
10.1.1.0/24 is only for the box A - box C connection
10.2.2.0/24 is only for the box B - box C connection
10.3.3.0/24 is public MS lan
10.4.4.0/24 is my private lan for my linux servers and personal machines

i masquerade 10.3.3.0/24 and 10.4.4.0/24 at box C, 10.1.1.0/24 at box A, and 10.2.2.0/24 at box B. box C will send any outgoing masquerades based upon its default gateway.

the cable modems both fail several hours a week. when one goes down, i manually switch box C to the other gateway. when they are both up, only one is used. obviously, you can see the problem.

the most important thing is to load balance between the two cable modems and route all traffic out the right way if one of the cable modems goes down. if possible, possibly even send some packets out one way and some out another (based on payload content and packet tagging?)
but this is for my next lesson :)

here are my configs: (please feel free to point out any errors or possible enhancements to these configs, since i am just starting out with iptables -- and linux routing in general -- ...any suggestions would be appreciated, thanX)

----------------------------------------------------------------------------
BOX C:

[root@xx /root]# cat masquerade
#!/bin/sh
# netfilter modules; the ftp helpers let active-mode ftp data connections
# through as RELATED
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward

# -F alone only flushes the filter table; flush nat too so rerunning the
# script does not stack duplicate MASQUERADE rules
/sbin/iptables -F
/sbin/iptables -t nat -F

# INPUT: default deny; ssh from anywhere, dns (tcp) from the two lans,
# replies to existing connections, icmp and loopback; log what is left
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -p tcp --dport 22 -i eth+ -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 -i eth3 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 -i eth4 -j ACCEPT
/sbin/iptables -A INPUT -i eth+ -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i eth+ -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i eth+ -m state --state NEW,INVALID -j LOG --log-level debug --log-prefix "FIREWALL: Input: "

# FORWARD: default deny; anything may leave towards the cisco net (eth0) and
# the two uplinks (eth1, eth2), anything may come in from the two lans
# (eth3, eth4), replies are accepted; the rest is logged and then dropped
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -o eth0 -j ACCEPT
/sbin/iptables -A FORWARD -o eth1 -j ACCEPT
/sbin/iptables -A FORWARD -o eth2 -j ACCEPT
/sbin/iptables -A FORWARD -i eth3 -j ACCEPT
/sbin/iptables -A FORWARD -i eth4 -j ACCEPT
/sbin/iptables -A FORWARD -i eth+ -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -o eth+ -j LOG --log-level debug --log-prefix "FIREWALL: Forward-Out: "
/sbin/iptables -A FORWARD -i eth+ -j LOG --log-level debug --log-prefix "FIREWALL: Forward-In: "

/sbin/iptables -P OUTPUT ACCEPT

# masquerade only what leaves towards box B (eth2); nothing is masqueraded
# towards box A (eth1)
/sbin/iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

----------------------------------------------------------------------------
BOX A & B:

[root@xxxxxxx /root]# cat masquerade
#!/bin/sh
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat
echo 1 > /proc/sys/net/ipv4/ip_forward

# flush nat as well, so rerunning does not add a second MASQUERADE rule
/sbin/iptables -F
/sbin/iptables -t nat -F

# INPUT: default deny; ssh from anywhere, replies to existing connections,
# icmp only from the inside (eth1), loopback; log new traffic from the modem
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -p tcp --dport 22 -i eth+ -j ACCEPT
/sbin/iptables -A INPUT -i eth+ -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "FIREWALL: Input: "

# FORWARD: default deny; anything may leave via the modem (eth0), only
# replies may come back in from it, anything from the inside (eth1) is
# forwarded; the rest is logged and dropped
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A FORWARD -o eth0 -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -j LOG --log-level debug --log-prefix "FIREWALL: For-In: Spoof: "
/sbin/iptables -A FORWARD -o eth1 -j LOG --log-level debug --log-prefix "FIREWALL: For-Out: Spoof: "

/sbin/iptables -P OUTPUT ACCEPT

# everything leaving via the modem gets the modem-side address
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

----------------------------------------------------------------------------

thanks,
Fernando Pando
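An added example, not from the post above or its author: a script for box C that automates the manual gateway switch described there and uses an equal-cost multipath default route when both uplinks work. The gateway addresses and interfaces are the ones from the post; the probe targets, the --apply flag and the idea of running it from cron are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Box C picks its default route from
# whichever upstream path works; probe targets and --apply usage are assumptions.
GW_A=10.1.1.1; IF_A=eth1      # link to box A (addresses as in the post)
GW_B=10.2.2.1; IF_B=eth2      # link to box B
# Hosts beyond each modem to probe (placeholder addresses). Pinging 10.1.1.1
# alone shows box A alive even while its cable modem is down, so probe past it
# and pin a host route for each probe through its own gateway.
PROBE_A=${PROBE_A:-192.0.2.1}; PROBE_B=${PROBE_B:-198.51.100.1}
# check_path PROBE GW IFACE: returns 0 if PROBE answers when routed via GW
check_path() {
    ip route replace "$1" via "$2" dev "$3" || return 1
    ping -c 2 -W 2 "$1" >/dev/null 2>&1
}
# choose_route STATUS_A STATUS_B (each up|down): prints the routing decision.
# Kept separate from probing so the decision table can be tested offline.
choose_route() {
    case "$1/$2" in
        up/up)   echo "multipath" ;;
        up/down) echo "via $GW_A dev $IF_A" ;;
        down/up) echo "via $GW_B dev $IF_B" ;;
        *)       echo "none" ;;
    esac
}

# apply_route DECISION: installs the chosen default route with iproute2
apply_route() {
    case "$1" in
        multipath)
            # balances per destination; needs CONFIG_IP_ROUTE_MULTIPATH
            ip route replace default scope global \
                nexthop via "$GW_A" dev "$IF_A" weight 1 \
                nexthop via "$GW_B" dev "$IF_B" weight 1 ;;
        none)
            logger -t failover "both upstreams down, route left untouched" ;;
        *)
            ip route replace default $1 ;;   # unquoted on purpose: "via GW dev IF"
    esac
}

main() {
    a=down; b=down
    check_path "$PROBE_A" "$GW_A" "$IF_A" && a=up
    check_path "$PROBE_B" "$GW_B" "$IF_B" && b=up
    decision=$(choose_route "$a" "$b")
    logger -t failover "A=$a B=$b -> default $decision"
    apply_route "$decision"
}
# only touch the routing table when invoked as: failover.sh --apply
if [ "${1:-}" = "--apply" ]; then main; fi
```

Because box C only masquerades towards eth2 while boxes A and B each masquerade on their own eth0, a connection keeps its public address only as long as its cached route stays on one nexthop; a switch mid-connection breaks existing sessions, which is the same effect the manual switch has today.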