On Thursday 12 January 2012 6:08:08 pm Lloyd Standish wrote:
> On Thu, 12 Jan 2012 15:51:18 -0600, Dimitri Yioulos <dyioulos@xxxxxxxxxxxxx> wrote:
> > I currently have an iptables/Netfilter firewall router
> > configured thusly:
> >
> > WAN
> >
> > (192.168.x.x) LAN -- fw -- DMZ (10.x.x.x)
> >
> > OK, pretty basic. And, it has worked well for a long time.
> > Now, I need to add a second WAN (provided by a second
> > provider). I need it to serve specific boxes in the DMZ, both
> > inbound and outbound. Currently, all boxes in the DMZ are
> > served by the single WAN connection. I'm not sure what other
> > information I need to provide you, but I'm hoping you all can
> > help with very specific instructions or a very detailed
> > how-to so I can get this accomplished. And, of course, I
> > need to get this done yesterday.
>
> Hi,
>
> I am not highly experienced compared to most other posters
> here, but I'll try to help :)
>
> Shouldn't your diagram indicate that the fw is connected to the
> WAN (not to the DMZ)? I will proceed under that assumption.
> If you have a netfilter firewall installed, I think all
> interfaces would go "through" it.
>
> Adding a second (or more) uplink to a netfilter firewall is
> easy. I suggest the following:
>
> 1. You could follow the basic information explained here, to
> set up split access:
> http://lartc.org/howto/lartc.rpdb.multiple-links.html
> After reading this and understanding about using multiple routing
> tables to route traffic through different interfaces (uplinks),
> you can proceed.
>
> 2. You would set up a custom routing table for the special DMZ
> traffic. Use the info in the above link to do that. Suppose
> it is called "DMZSPECIAL".
> You will set up routing to the new DMZ interface using the
> DMZSPECIAL table, something like this:
>
> ip route add 10.x.x.x/8 dev ${DMZinterface} src ${wan} table DMZSPECIAL
> ip route add default via ${gateway} dev ${interface} table DMZSPECIAL
>
> (You will also keep your regular routing table to your old
> interface. Also, of course, you keep your SNAT over your
> existing interface, only for LAN hosts of course.)
>
> 3. You might create a custom chain for the new interface, which
> is supposed to serve the special DMZ hosts. This is to mark
> packets for subsequent decision on routing:
>
> iptables -t mangle -N CONNMARK1
> iptables -t mangle -A CONNMARK1 -j MARK --set-mark 1
> iptables -t mangle -A CONNMARK1 -j CONNMARK --save-mark
> iptables -t mangle -A CONNMARK1 -j ACCEPT
>
> 4. You would mark all NEW packets from the special DMZ hosts
> with fwmark 1, like this (repeat for each source IP or subnet
> to use the new interface):
>
> iptables -t mangle -A PREROUTING -m state --state NEW -s 10.x.x.x -j CONNMARK1
> etc.
>
> 5. You would restore the connection mark to the packet mark
> with a rule like this:
>
> iptables -t mangle -A PREROUTING -i ${dmz_if} -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
>
> Then add a policy routing rule, directing all traffic with the
> "1" mark to the new DMZ uplink:
>
> ip rule add fwmark 1 table DMZSPECIAL
>
> That should do it. Post back if you have any trouble.
> --
> Lloyd
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

Lloyd,

Our fw/router routes traffic to both our LAN and our DMZ. That's how it was set up a long time ago and, again, it works very well. Given that, do your instructions (btw, did I say I'm grateful for your help?) still work?

Dimitri
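The procedure Lloyd sketches (second routing table, CONNMARK chain, mark NEW connections, restore the mark on replies, fwmark rule), written out as one complete script. This is an added example, not code from either poster or from the LARTC howto; every interface name, address, host list and port in it is an assumption you replace with your own. It goes a little beyond the thread in four places that matter for the "both inbound and outbound" requirement: it also marks NEW connections arriving on the second WAN so their replies leave the same way, it copies the LAN and DMZ routes into the special table (on a box that routes both LAN and DMZ, a table holding only a default route would push marked DMZ-to-LAN packets out the uplink), it relaxes reverse-path filtering on the new interface, and it adds the SNAT/DNAT the private DMZ addresses need on the second public IP. It uses `-m conntrack --ctstate`, the current equivalent of `-m state --state`.

```shell
#!/bin/sh
# Added example (not from the netfilter thread). Split access for a few DMZ
# hosts over a second uplink using conntrack marks and policy routing.
# All names and addresses below are assumptions; replace them with your own.
WAN1_IF=eth0                                            # existing uplink, default route stays here
WAN2_IF=eth1; WAN2_IP=198.51.100.10; WAN2_GW=198.51.100.1   # new uplink
LAN_IF=eth2;  LAN_NET=192.168.0.0/16
DMZ_IF=eth3;  DMZ_NET=10.0.0.0/8
SPECIAL_HOSTS="10.0.0.5 10.0.0.6"   # DMZ boxes that must use WAN2
TABLE=200                           # numeric table id; an rt_tables name is optional
MARK=1
CHAIN=DMZ_VIA_WAN2

# run: execute a command, or just print it when DRY_RUN is set, so the rule
# set can be reviewed (and exercised) without root.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

policy_routing() {
    # The special table needs the directly connected networks as well as the
    # WAN2 default; otherwise a marked DMZ->LAN packet only matches the
    # default route and is sent out WAN2.
    run ip route add "$DMZ_NET" dev "$DMZ_IF" table "$TABLE"
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$TABLE"
    run ip route add default via "$WAN2_GW" dev "$WAN2_IF" table "$TABLE"
    # Packets carrying the mark consult this table before the main table.
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route flush cache
    # Strict rp_filter would drop packets arriving on WAN2 whose source the
    # main table routes via WAN1; loose mode (2) accepts them.
    run sysctl -q -w "net.ipv4.conf.$WAN2_IF.rp_filter=2"
}

mark_rules() {
    # Chain that marks the packet and saves the mark into the conntrack entry.
    run iptables -t mangle -N "$CHAIN"
    run iptables -t mangle -A "$CHAIN" -j MARK --set-mark "$MARK"
    run iptables -t mangle -A "$CHAIN" -j CONNMARK --save-mark
    run iptables -t mangle -A "$CHAIN" -j ACCEPT
    # Later packets of a marked connection, from any interface, get the mark
    # back before the routing decision that follows PREROUTING.
    run iptables -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
    # Outbound: new connections opened by the special hosts.
    for h in $SPECIAL_HOSTS; do
        run iptables -t mangle -A PREROUTING -i "$DMZ_IF" -s "$h" \
            -m conntrack --ctstate NEW -j "$CHAIN"
    done
    # Inbound: whatever arrives new on WAN2 must be answered via WAN2,
    # whichever DMZ host it is forwarded to.
    run iptables -t mangle -A PREROUTING -i "$WAN2_IF" -m conntrack --ctstate NEW -j "$CHAIN"
}

nat_rules() {
    # Outbound SNAT for the special hosts on WAN2; LAN hosts keep the
    # existing WAN1 SNAT, which this script does not touch.
    for h in $SPECIAL_HOSTS; do
        run iptables -t nat -A POSTROUTING -o "$WAN2_IF" -s "$h" -j SNAT --to-source "$WAN2_IP"
    done
    # Inbound: publish TCP/443 of the first special host on WAN2's address
    # (assumed service; add one DNAT per published port). DNAT runs after
    # mangle PREROUTING, so the mark above is already on the connection.
    first=${SPECIAL_HOSTS%% *}
    run iptables -t nat -A PREROUTING -i "$WAN2_IF" -d "$WAN2_IP" -p tcp --dport 443 \
        -j DNAT --to-destination "$first"
}

apply_all() { policy_routing; mark_rules; nat_rules; }

# Usage:  DRY_RUN=1 sh split-access.sh apply   (print the rules)
#         sh split-access.sh apply             (apply them, as root)
if [ "${1:-}" = "apply" ]; then apply_all; fi
```

Review the output of the dry run before applying; afterwards `ip rule show`, `ip route show table 200` and `iptables -t mangle -L PREROUTING -nv` (the packet counters on the `DMZ_VIA_WAN2` rules) show whether connections are actually being marked. The rules are appended with `-A`, so on a firewall that already has mangle PREROUTING rules make sure nothing earlier in that chain ACCEPTs the traffic first.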