On Mon, 2003-12-01 at 21:47, Michael Gale wrote:
> Hello,
>
> I have been using iptables for a while but only in simple setups. Now I have been given the task to set up a major enterprise-level firewall.
>
> This firewall has 22 external virtual IP addresses plus one primary internal and external IP. Oh, it also has 1 virtual IP on the internal as well.
>
> So right now I have two firewalls running a master and slave cluster - whichever one is master listens on its external and internal primary IPs for connections from me only so I can administer it.
>
> Plus then the master will listen on the 22 virtual IPs to DNAT them to the servers on the DMZ.
>
> The slave will only listen for traffic on the external and internal primary IPs so I can administer it.
>
> For a failover to be transparent the internal NIC of the master will listen on 172.16.0.1 and this is the internal network's gateway. This is NOT the primary IP of either firewall.
>
> OK my question is .. when my master is up on firewall-1 it will listen on 172.16.0.1 (internal network default gateway) and 172.16.0.2 (primary INTERNAL IP used only for administration)

Why do you need a virtual IP for administration? One IP on the internal should be sufficient. Use an INPUT rule to allow only your IP to administer the firewall:

iptables -P INPUT DROP
.
.
.
iptables -A INPUT -i eth1 -p tcp --dport 22 -s <your_ip> -d 172.16.0.1 -j ACCEPT

> How can I make it so internal users can only use 172.16.0.1 as an internet gateway and NOT 172.16.0.2.
>
> From my knowledge the FORWARD chain can only filter on source and destination address -- I would think I would have to filter out based on what IP the packet was forwarded to ... but how?
>
> I hope this is clear -- I tried looking for help on some IRC channels and nobody understood what I was talking about.
--
Raymond Leach <raymondl@xxxxxxxxxxxxxxxxxxxxxx>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
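The ruleset below is an added worked example written for this page; it is not Michael's configuration and not Raymond's reply, and it only follows the layout the thread describes: a master firewall holding the internal gateway address 172.16.0.1 and a separate primary internal address 172.16.0.2 reserved for administration, with external virtual IPs DNATed to DMZ servers. The interface names (eth0/eth1), the administrator workstation 172.16.0.50, the DMZ network 10.0.0.0/24, the two virtual-IP-to-server mappings and the ports are all assumptions standing in for the real values (the real box has 22 mappings). The script prints the iptables commands by default so it can be reviewed offline; set IPT=iptables to apply them. One point worth having straight before writing the FORWARD rules: a packet an internal client sends through the firewall carries the remote host as its destination, and the gateway address lives only in the client's routing table (the Ethernet frame reaches the same NIC and MAC whichever of .1 or .2 the client configured), so the FORWARD chain has nothing in the packet that distinguishes the two gateway addresses. The example therefore locks down the administration address in INPUT, as the reply suggests, and leaves FORWARD to match on interfaces, addresses and connection state.

```shell
#!/bin/sh
# Added example for this page, not code from the original thread.
# Builds (dry run by default) the ruleset for the master firewall described above.
# Assumed values (not in the thread): interface names, admin host, DMZ network,
# the virtual-IP mappings and the service port.

EXT_IF=eth0                  # external interface (assumed)
INT_IF=eth1                  # internal interface (assumed)
INT_NET=172.16.0.0/16        # internal network (assumed mask)
GW_IP=172.16.0.1             # internal default gateway, floats with the master (thread)
ADMIN_IP=172.16.0.2          # primary internal IP, administration only (thread)
ADMIN_HOST=172.16.0.50       # hypothetical administrator workstation
DMZ_NET=10.0.0.0/24          # hypothetical DMZ

# Hypothetical "external virtual IP:DMZ server" pairs; the real box has 22.
VIP_MAP="203.0.113.10:10.0.0.10 203.0.113.11:10.0.0.11"
SVC_PORT=80                  # assumed published service

# Dry run prints the commands; IPT=iptables applies them for real.
IPT=${IPT:-"echo iptables"}

build_rules() {
  $IPT -F
  $IPT -t nat -F
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT

  # Loopback and replies to connections the firewall itself opened
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Administration: SSH only from the admin host, only to the admin address.
  # Nothing accepts traffic to $GW_IP in INPUT, so the gateway address is
  # reachable only as a next hop, never as a host.
  $IPT -A INPUT -i "$INT_IF" -p tcp --dport 22 -s "$ADMIN_HOST" -d "$ADMIN_IP" -j ACCEPT

  # Internal clients out to the Internet, and return traffic back in
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT

  # Published services: one DNAT per virtual IP plus the matching FORWARD accept
  for pair in $VIP_MAP; do
    vip=${pair%%:*}
    srv=${pair##*:}
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$vip" -p tcp --dport "$SVC_PORT" \
      -j DNAT --to-destination "$srv"
    $IPT -A FORWARD -i "$EXT_IF" -d "$srv" -p tcp --dport "$SVC_PORT" \
      -m state --state NEW -j ACCEPT
  done

  # Hide internal clients behind the external primary address
  $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE
}

build_rules
```

Run it once without IPT set and read the output before applying it; the INPUT chain should contain exactly one ACCEPT for an address the firewall owns, and that address must be the administration IP rather than the floating gateway, or a failover would take the admin path with it.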