Re: IProute2 and netfilter interactions

Linux Advanced Routing and Traffic Control


Well, well, well. :-)

Let's see. First of all, I'll use simple iptables/ip commands to set
it up according to what you have stated in your previous message.

It's your homework to get it up with fwbuilder.

I may have a mistake here or there... and I hope you could forgive me
in that case.... here we go:

Start by adding two new routing tables in /etc/iproute2/rt_tables. Say
table4 for eth4 and table5 for eth5. That is done with a text editor..
like vi or nano. Add two new routing tables and place a number for
them.. there should be 3 or 4 already there... just add two more lines
at the end with a number (under 250, i guess) and the name. Save and
exit.

Then, let's fill them up:
ip route add default via gw4 table table4

ip route add default via gw5 table table5

(gw4 and gw5 are the gateways for each internet link).

Then.... how do we tell packets to use one interface or the other. You
could mark packets in MANGLE FORWARD. Set a different fwmark for each
OUTBOUND interface you want to force packets to go through.

iptables -t mangle -A FORWARD -i eth0 -j MARK --set-mark 4
iptables -t mangle -A FORWARD -i eth1 -j MARK --set-mark 5
iptables -t mangle -A FORWARD -i eth2 -j MARK --set-mark 5

(4 and 5 are just flags you are setting on those packets that will
accompany them till they reach the outbound interface.. and therefore,
can be used by IPROUTE on the second routing decision... yes, there
will be a second routing decision, cause you are setting a FWMARK.
;)).

then.... we know that you have to use one routing table or the other
according to the FWMARK they bring with them... here we go:

ip rule add fwmark 4 table table4
ip rule add fwmark 5 table table5

Here, I'm not taking in consideration packets moving from one DMZ to
the other... that could be solved using iptables commands.

As I said, there might be a mistake here or there... but that should work.

Good luck!

Keep me posted so I know if you succeeded.

On 11/1/05, Bradley Alexander <storm@xxxxxxx> wrote:
> Thanks Edmundo,
>
> Since this is my first foray into routing this complex, I hope you will
> indulge a few (no doubt) stupid questions.
>
> First, you are, in fact, saying that I should use iproute2 to build a default
> route from eth0 to eth4 (Internal to DSL) and another set of default routes
> for eth1 and eth2 to eth5 (dmz/kiosk to cablemodem), and then iptables (I'm
> using fwbuilder to generate rules) will route them to the right exit
> interfaces with none of the problems of packets going out one outbound
> interface and the response coming back on the other, correct?
>
> What is the best approach to setting this up in iproute2? (I'm _completely_
> new to iproute2.)
>
> Thanks in advance,
>
> On Tuesday 01 November 2005 10:12 am, Edmundo Carmona wrote:
> > Separate routing tables.... and you can make routing decisions based
> > on DMZs network segments.... or firewall marks, so that packets that
> > come from segment X, use a routing table that has route Y as its
> > default GW. ;-)
> >
> > That would do.
> >
> > On 10/31/05, Bradley Alexander <storm@xxxxxxx> wrote:
> > > I am trying to build a firewall and from my reading of the list archives
> > > and other places, I'm worried about unintended interactions between
> > > iptables and iproute2. Here is my situation
> > >
> > > I have an internal network on eth0 and two separate dmzs on eth1 and eth2
> > > respectively (a wireless network and a kiosk). On the outbound side, I
> > > have a cablemodem provider and a dsl provider. What I need is to set up
> > > routing such that the internal network goes out on the dsl, while the
> > > dmzs go out on the cablemodem.
> > >
> > > What would be the best approach to this configuration? Will there be any
> > > unforeseen interactions between iproute and iptables?
> > >
> > > Thanks,
> > > --
> > > --Brad
> > > ========================================================================
> > > Bradley M. Alexander                       |
> > > IA Analyst, SysAdmin, Security Engineer    |   storm [at] tux.org
> > > ========================================================================
> > > Key fingerprints:
> > > DSA 0x54434E65: 37F6 BCA6 621D 920C E02E  E3C8 73B2 C019 5443 4E65
> > > RSA 0xC3BCBA91: 3F 0E 26 C1 90 14 AD 0A  C8 9C F0 93 75 A0 01 34
> > > ========================================================================
> > > Why do they put Braille dots on the keypad of the drive-up ATM?
> > >
> > > _______________________________________________
> > > LARTC mailing list
> > > LARTC@xxxxxxxxxxxxxxx
> > > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> >
>
> --
> --Brad
> Criminals love gun control - it makes their jobs safer.
>
>
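The setup Edmundo walks through (rt_tables entries, per-link default routes, fwmarks, ip rules), as an added dry-run script that is not part of the thread: it prints every command and only executes them when APPLY=1 is set as root. The gateway addresses and table ids are constructed placeholders, and the marks are placed in mangle PREROUTING rather than FORWARD, because for forwarded packets the routing lookup that consults ip rule happens right after PREROUTING, so a mark set in FORWARD arrives too late to select a table.

```shell
#!/bin/sh
# Added example, not from the thread. Dry-run generator for fwmark-based
# policy routing. Interface names follow the thread; gateway addresses and
# table ids are constructed placeholders.
GW4=${GW4:-192.0.2.1}       # assumed gateway on eth4 (DSL link)
GW5=${GW5:-198.51.100.1}    # assumed gateway on eth5 (cable modem link)

# run: echo each command, execute it only when APPLY=1 (needs root).
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# add_rt_table FILE ID NAME: append "ID NAME" to an rt_tables file unless the
# name is already there; refuse an id that is already taken or outside 1..252
# (253-255 are the kernel's own default/main/local tables).
add_rt_table() {
    file=$1 id=$2 name=$3
    [ "$id" -ge 1 ] && [ "$id" -le 252 ] || { echo "bad table id $id" >&2; return 1; }
    if grep -qE "^[[:space:]]*[0-9]+[[:space:]]+$name([[:space:]]|$)" "$file" 2>/dev/null; then
        return 0   # name already present: nothing to do
    fi
    if grep -qE "^[[:space:]]*$id[[:space:]]" "$file" 2>/dev/null; then
        echo "table id $id already used in $file" >&2; return 1
    fi
    printf '%s\t%s\n' "$id" "$name" >> "$file"
}

# setup_policy_routing FILE: tables, default routes, marks and rules.
# Marks go in mangle PREROUTING so the routing decision for forwarded
# packets (taken right after PREROUTING) can see them via 'ip rule'.
setup_policy_routing() {
    rt=$1
    add_rt_table "$rt" 4 table4 && add_rt_table "$rt" 5 table5 || return 1
    run ip route add default via "$GW4" dev eth4 table table4
    run ip route add default via "$GW5" dev eth5 table table5
    run iptables -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 4
    run iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 5
    run iptables -t mangle -A PREROUTING -i eth2 -j MARK --set-mark 5
    run ip rule add fwmark 4 table table4
    run ip rule add fwmark 5 table table5
    run ip route flush cache
}

# Usage: ./policy-routing.sh --demo [rt_tables path]   (dry run unless APPLY=1)
if [ "${1:-}" = "--demo" ]; then
    setup_policy_routing "${2:-/etc/iproute2/rt_tables}"
fi
```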

