On Wed, 08 Sep 2004 at 21:16, Bill Hayes wrote:
> I have a problem trying to create a high availability firewall/router setup. Multiple servers on the internal network should be masqueraded to appear as a single server on the external network.
>
> The simplest case that fails for me looks like this...
>
>
> Configuration: SuSE 9.1 (linux 2.6.5, iptables 1.2.9, heartbeat 1.2.0)
>
> firewall-1: eth0 = 192.168.1.1, eth1 = 10.1.1.1
> firewall-2: eth0 = 192.168.1.2, eth1 = 10.1.1.2
>
>          +--------+
>          | server |
>          +----+---+
>               |
>     +---------+---------+
>     |        hub        |
>     +-+---------------+-+
>       |               |
> +-----+------+ +------+-----+
> | firewall-1 | | firewall-2 |
> +-----+------+ +------+-----+
>       |               |
>     +-+---------------+-+
>     |        hub        |
>     +---------+---------+
>               |
>           +---+----+
>           | router |
>           +---+----+
>               |
>
> If I configure my servers to use 192.168.1.1 as their gateway, and tell all my clients that 10.1.1.1 is my server, then everything works as desired.
>
> On to high availability, I configure my servers to use 192.168.1.3 as their gateway, and tell all my clients that 10.1.1.3 is my server. I start heartbeat and soon my firewalls now look like...
>
> firewall-1: eth0 = 192.168.1.1, eth0:1 = 192.168.1.3, eth1 = 10.1.1.1, eth1:1 = 10.1.1.3
> firewall-2: eth0 = 192.168.1.2, eth1 = 10.1.1.2
>
> Now, all my outgoing connections are established as before, but all the incoming connections fail with...
>
> SFW2-INext-DROP-DEFLT
>
> instead of succeeding with...
>
> SFW2-FWDext-ACC-REVMASQ
>
> I know that iptables treats virtual interfaces as if they are the underlying physical interface, thus eth1:1 should be eth1, and outgoing connections work, thus I have proof that eth0:1 is eth0, so what is happening? Why are the packets being dropped?
> What rules apply to each interface?
Bear in mind that even though eth1:1 is the same interface as eth1 (really it's just another IP on the machine), the rules that apply to eth1 don't apply to eth1:1, because for Linux both are completely different interfaces.

> Thanks to anyone that can help,
> Bill
>
> wjh [at] sympatico [dot] ca
> hayes [at] mail [dot] ru

--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@xxxxxxxxx

bgSEC IT Systems Security and Consulting
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
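As an added example (not code from the thread or from either poster), the POSIX shell script below builds the nat and filter rules a failover VIP needs and lints a rule set for alias interface names. It uses the addresses from the thread (eth1 external, eth0 internal, 10.1.1.3 as the service VIP, 192.168.1.0/24 internal) plus a hypothetical internal server at 192.168.1.10 on TCP port 80, both of which are assumptions; IPT defaults to `echo iptables`, so running it prints the commands instead of loading them. The point it shows: netfilter sees only the physical device name (eth1) and the packet's addresses, so a VIP is matched with `-d 10.1.1.3` on `-i eth1`, never with `-i eth1:1` (iptables prints a "No aliases, :, ! or *" warning for such a name and the rule never matches), and the DNAT has to sit in nat PREROUTING so that a packet for the VIP is forwarded to the server rather than delivered to the firewall itself, where it meets the INPUT chain.

```shell
#!/bin/sh
# Added example (not from the thread): nat/filter rules for a failover VIP,
# plus a lint for rules that try to match alias names such as eth1:1.
# Dry run by default: IPT="echo iptables" prints the commands. Set
# IPT=iptables to load them for real on the firewall.
IPT="${IPT:-echo iptables}"

EXT_IF=eth1            # external physical device; eth1:1 is only an extra address on it
INT_IF=eth0            # internal physical device
VIP_EXT=10.1.1.3       # service VIP on the external side (from the thread)
INT_NET=192.168.1.0/24 # internal network (from the thread)
SERVER=192.168.1.10    # hypothetical internal server (assumption, not from the thread)
PORT=80                # hypothetical service port (assumption)

vip_rules() {
    # Inbound: rewrite the VIP before routing, so the packet is forwarded to the
    # server instead of being delivered to the firewall itself (INPUT chain).
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$VIP_EXT" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$SERVER:$PORT"
    # Outbound: internal hosts leave with the VIP as source, so replies come back
    # to whichever node currently holds 10.1.1.3.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j SNAT --to-source "$VIP_EXT"
    # FORWARD: new connections only to the published service, replies for everything,
    # and a logged drop for the rest.
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$SERVER" -p tcp --dport "$PORT" \
        -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -j LOG --log-prefix "FWD-DROP "
    $IPT -A FORWARD -j DROP
}

# Lint: count rules on stdin that match on an alias label (device:number).
# Netfilter never sees such a name, so these rules are dead; iptables itself
# warns "weird character in interface ... (No aliases, :, ! or *)" for them.
alias_rule_count() {
    grep -cE -- '-(i|o) +[A-Za-z0-9]+:[0-9]+' || true
}

# Stand-alone run: print the rule set and the lint result for it.
vip_rules
printf 'alias-name rules: %s\n' "$(vip_rules | alias_rule_count)"
```

Because the rules reference only the physical device and the VIP address, the same script can be loaded on both nodes; which node actually answers for 10.1.1.3 is decided by where heartbeat has placed the address, not by the firewall rules.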