Help - Firewall/Router Configuration

Linux Advanced Routing and Traffic Control


Hi All,

I am hoping someone can help me with a project I am doing at work.  I warn
you in advance that this will be a long post, but I wanted to provide as
much information as I could to explain what was going on.  Any help would be
very much appreciated and welcomed as my boss would like to see this up and
running this week.  I have been scouring various 
documents on advanced routing for a couple weeks now and I am just not 100%
sure if I have everything right or not.  It seems for every question I
answer, two more pop up and I just want to try and clear up my confusion.  

One of those areas of confusion is how iproute2 and iptables play together.
I know that routing sits below the rules on the stack but can't seem to
shake the thought that you can do the routing as well as the rulesets within
the iproute2 stack.  So, I am seeing it as one thing handling both
functions, but my boss sees it as routes then tables.  Can anyone clear that
up a bit for me?

Following are some details on my environment and what I am hoping to
accomplish:

ENVIRONMENT:
* CentOS 4.0 with all relevant patches & updates.
* Dell PowerEdge 2500: Lots of power, lots of room.
* 4 NIC's:
	- eth0: LAN (192.198.0.2)
	- eth0:1: Virtual interface (10.5.5.1)
	- eth1: Public IP - Primary (1.1.1.1)
	- eth2: Public IP - Secondary (2.2.2.2)
	- eth3: DMZ (192.168.0.3); Public IP - Web/FTP Server (3.3.3.3)
* Software: iproute2; Snort (Possible future use); OpenSwan; Squid; BIND;
ProFTPD (Possible future use); Postfix; ClamAV; MailScanner; DoveCot;
SquirrelMail (Possible future use).
	
BACKGROUND:
I have been assigned to build a replacement firewall/router/gateway for my
company.  I have pretty much been given carte blanche to do what I want
here, but with a few suggestions on what my boss wants to see happen.  My
boss built the current set-up and it has worked well, and I am still
relatively new to the company and will humbly admit to being a relatively
inexperienced sysadmin.  I do however have a good grounding in networking,
troubleshooting, hardware, etc...just not a lot of the hands-on with the
bigger stuff.

We have two WAN connections (as above) for redundancy/failover, as well as
an external IP for our web server/ftp server which should be mapped to the
internal DMZ address.  It is a separate box and we want to relocate it on
the DMZ so that it can take advantage of the failover.  The virtual
interface is an alias off of the eth0 interface that will connect to a Cisco
PIX firewall in our parent office.  My boss occasionally uses VNC/Remote
Desktop to remote in.  We also want to use squid as a transparent proxy with
the hopes of minimizing bandwidth as well as some monitoring and traffic
control.  We are looking at using some of the features in iproute2 to
explore traffic shaping in the future.

The current firewall setup is an iptables based firewall with inflex running
as well.  This firewall sits behind an appliance that is supposed to be
handling the failover and the VPN connection but has not lived up to its
hype.  As I said before I have read numerous documents including the LARTC
HOW-to and various supplementary materials from the net, 
including mini-HOW-TO's, tutorials, etc.

CURRENT STAGE:
So far I have ip-up running a *.sh script from
/etc/sysconfig/networking-scripts that names the appropriate variables for
the four interfaces; sets up split access; defines a default interface and
attaches a weight to the default interface (I am assuming a higher weight
number means higher preference); all as per the examples in chapter 4 of the
LARTC HOW-TO.  This first script then runs a second script that runs the
rules for the two WAN interfaces.  The rules are based on my boss's previous
set up so I trust them to work fine.  I have created the same set of rules
for both eth1 & eth2 in the same document.  I found some information from
the LARTC mailing list archives that talks about setting up the DMZ but I am
not sure I got it right.  I added two tables into rt_tables as per chapter 4
as well.

I definitely know I haven't got the DMZ routing right and nothing for squid
as I am not sure where to even start with that.  I am pretty sure I have the
OpenSwan set up right but a little iffy on the routing for the connection.
BIND, PostFix, ClamAV, MailScanner & DoveCot were all working fine before I
started to mess with the rules, so I just want to 
make sure I am accommodating them appropriately in the routing/rules as
well.  I pretty much used the defaults on most of the stuff installed as our
needs aren't overly complicated right now.

Below is some output from rt_tables and my firewall script to show what kind
of a mess I have made so far:

rt-tables:
[root@inside2 ~]# ip route list
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.2
10.5.5.0/24 dev eth0  proto kernel  scope link  src 10.5.5.1
default via 192.168.0.1 dev eth0
[root@inside2 ~]# ip route list table default
[root@inside2 ~]# ip route list table main
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.2
10.5.5.0/24 dev eth0  proto kernel  scope link  src 10.5.5.1
default via 192.168.0.1 dev eth0
[root@inside2 ~]# ip route list table local
local 2.2.2.2 dev eth2  proto kernel  scope host  src 2.2.2.2
broadcast 192.168.0.255 dev eth3  proto kernel  scope link  src 192.168.0.3
broadcast 192.168.0.255 dev eth0  proto kernel  scope link  src 192.168.0.2
broadcast 127.255.255.255 dev lo  proto kernel  scope link  src 127.0.0.1
broadcast 10.5.5.0 dev eth0  proto kernel  scope link  src 10.5.5.1
broadcast 2.2.2.255 dev eth2  proto kernel  scope link  src 2.2.2.2
local 10.5.5.1 dev eth0  proto kernel  scope host  src 10.5.5.1
broadcast 1.1.1.0 dev eth1  proto kernel  scope link  src 1.1.1.1
broadcast 192.168.0.0 dev eth3  proto kernel  scope link  src 192.168.0.3
broadcast 192.168.0.0 dev eth0  proto kernel  scope link  src 192.168.0.2
local 192.168.0.3 dev eth3  proto kernel  scope host  src 192.168.0.3
local 192.168.0.2 dev eth0  proto kernel  scope host  src 192.168.0.2
local 1.1.1.1 dev eth1  proto kernel  scope host  src 1.1.1.1
broadcast 10.5.5.255 dev eth0  proto kernel  scope link  src 10.5.5.1
broadcast 2.2.2.0 dev eth2  proto kernel  scope link  src 2.2.2.2
broadcast 127.0.0.0 dev lo  proto kernel  scope link  src 127.0.0.1
broadcast 1.1.1.255 dev eth1  proto kernel  scope link  src 1.1.1.1
local 127.0.0.1 dev lo  proto kernel  scope host  src 127.0.0.1
local 127.0.0.0/8 dev lo  proto kernel  scope host  src 127.0.0.1
[root@inside2 ~]# ip route list table T1
default via 1.1.1.1 dev eth1
[root@inside2 ~]# ip route list table T2
default via 1.1.1.1 dev eth2

Firewall Script:
#! /bin/sh

#Default Path: /etc/iproute2/rt_tables

#Turns on IP Forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward

modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

iptables -F
iptables -X
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING

iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#Virtual Interface on Internal Information:
ifconfig eth0:1 10.5.5.1 netmask 255.255.255.0

#VARIABLES:
#LAN:
IF0="eth0"
IP0="192.168.0.2"
P0="192.168.0.1"
P0_NET="192.168.0.0"

#WIF:
IF1="eth1"
IP1="<real IP>"
P1="<real IP>"
P1_NET="<real IP>"

#DSL:
IF2="eth2"
IP2="<real IP>"
P2="<real IP>"
P2_NET="<real IP>"

#DMZ:
IF3="eth3"
IP3="192.168.0.3"
#WEBSRV="<real IP>"
P3="<real IP>"
P3_NET="<real IP>"

#External:
BOSSHOME="<real IP>"
HQNAT="<real IP>"
HQGW="<real IP>"

#Split Access
ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2

#Preference:
ip route add default via $P1

#Choosing Routing Table:
ip rule add from $IP1 table T1
ip rule add from $IP2 table T2

# Local Network:
ip route add $P0_NET dev $IF0 table T1
ip route add $P2_NET dev $IF2 table T1
ip route add 127.0.0.0/8 dev lo  table T1
ip route add $P0_NET dev $IF0 table T2
ip route add $P1_NET dev $IF1 table T2
ip route add 127.0.0.0/8 dev lo  table T2

#Load Balancing:
ip route add default scope global nexthop via $P1 dev $IF1 weight 5
ip route add default scope global nexthop via $P2 dev $IF2 weight 1

#Run iptables Rules:
exec /etc/sysconfig/network-scripts/rules.sh

#TESTING -Scratchpad:
#DMZ:
#Assume you have a public network (e.g. 132.231.1.0) routed to your fw/gateway.
#For the dmz you use a private network (e.g. 10.10.10.0). In the dmz you have
#two public servers (www 132.231.1.1 and mail 132.231.1.2). On the internal
#interface of the gw/fw use the ip 10.10.10.254. The two public servers have
#the 2nd address 10.10.10.1 (www) and 10.10.10.2 (mail).

#Now use the following route-entries:

#www and mail:
#10.10.10.0/24 -> eth3
#default	      -> 10.10.10.254

#and on the firewall you set the following route entries:
#192.168.0.3/24 -> eth3
#IP1/32 -> IP3
#IP2/32 -> IP3
#This is taken from the LARTC archives but I was not sure how to write it
#for my situation.

I do so apologize for the length of this post, but I am just so confused at this
point that my brain hurts.  Any help that anyone can offer would be
excellent!

Thanks In Advance!

Cameron

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
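The set-up the post is asking about, written out as an added example (not the poster's script and not from the LARTC HOWTO itself): one routing table and one ip rule per WAN link, the load balancing as a single multipath default route, the DMZ web server published with DNAT/SNAT, and an fwmark rule showing the hand-off point between iptables and iproute2. The WAN gateway addresses, the DMZ subnet 10.10.10.0/24 and the DMZ host behind 3.3.3.3 are constructed assumptions, since the post redacts them; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not the poster's script. Builds the chapter-4 split-access set-up
# plus the DMZ NAT, in the order the kernel applies them to a forwarded packet:
#   nat PREROUTING (DNAT) -> ip rule / route tables -> filter FORWARD -> nat POSTROUTING (SNAT)
# Assumptions (constructed values): WAN gateways 1.1.1.254 and 2.2.2.254, DMZ web host
# 10.10.10.1 behind public 3.3.3.3, which must terminate on this box for DNAT to see it.
# DRY_RUN=1 prints each command instead of running it (the real thing needs root).
GW1=${GW1:-1.1.1.254}; GW2=${GW2:-2.2.2.254}
WEB_PUB=${WEB_PUB:-3.3.3.3}; WEB_DMZ=${WEB_DMZ:-10.10.10.1}
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# setup_wan TABLE IF IP NET GW: one table per WAN link, so traffic sourced from that
# link's address (replies to connections that arrived on it) always leaves the same way.
setup_wan() {
    run ip route add "$4" dev "$2" src "$3" table "$1"
    run ip route add default via "$5" dev "$2" table "$1"
    run ip rule add from "$3" table "$1"
}

setup_split_access() {
    setup_wan T1 eth1 1.1.1.1 1.1.1.0/24 "$GW1"
    setup_wan T2 eth2 2.2.2.2 2.2.2.0/24 "$GW2"
    # Load balancing is ONE multipath default route in the main table; a second
    # plain 'ip route add default' fails with "RTNETLINK answers: File exists".
    run ip route add default scope global \
        nexthop via "$GW1" dev eth1 weight 5 \
        nexthop via "$GW2" dev eth2 weight 1
}

# Public web address -> DMZ host. DNAT runs before routing, so the routing decision
# already sees 10.10.10.1 as the destination; SNAT rewrites the source on the way out.
setup_dmz_nat() {
    run iptables -t nat -A PREROUTING -d "$WEB_PUB" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_DMZ"
    run iptables -t nat -A POSTROUTING -s "$WEB_DMZ" -o eth1 -j SNAT --to-source "$WEB_PUB"
    # FORWARD sees the post-DNAT address: allow only the published port to the DMZ host.
    run iptables -A FORWARD -d "$WEB_DMZ" -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
}

# Where iptables and iproute2 meet: a mangle-table mark set by iptables is matched by
# an 'ip rule fwmark', so selected LAN traffic (here plain HTTP) is pinned to WAN2 (DSL).
pin_http_to_wan2() {
    run iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 2
    run ip rule add fwmark 2 table T2
}

case "${1:-}" in
    apply) setup_split_access; setup_dmz_nat; pin_http_to_wan2 ;;
esac
```

Run it as `DRY_RUN=1 sh split.sh apply` to review the generated commands before applying them on the box.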
