[ILUG] Routing.

Mark Kilmartin mrk at renre-europe.com
Wed Jan 16 15:28:41 GMT 2002


What I currently have is Scenario B, but since one of the ISPs will route
packets that look like they have come from another ISP, everything
is fine.

The NATing which I think is needed is:

Anything arriving at X is NATed to the address of the server on the
internal network.
Also anything arriving at Y is NATed to the same server address.

I don't know if fwbuilder is simply hiding all the different NATing from
me but the above are the only two rules I have set up.

So a packet is addressed to X.
It hits the firewall and it changes the destination to be the address of
the internal server.  It leaves the source alone.

The internal server responds to the packet.
At this point the source is the address of the internal server, and the
destination is the address of whatever machine it is trying to talk to
on the Internet.
When it hits the firewall the source address will be changed to be that
of whatever address it came in on, in this case X.

After this the firewall is finished with the packet and routing takes
over.

Since normally routing only cares about where the destination is, the
packet may go over the wrong interface (in this case if the default route
is to the ISP for Y).

I believe what is needed is something like below.

NOTE this is totally untested.

On the firewall issue something like the following.

# Give the extra routing table a name (ID 200) so ip rule / ip route can refer to it.
echo 200 Xinterface >> /etc/iproute2/rt_tables

# Packets whose source address is X consult table Xinterface instead of the main table.
ip rule add from 'X' table Xinterface

# The only route in that table: a default route out through ISP X's router.
ip route add default via <The next router on interface X> dev <the physical interface> table Xinterface

# Discard cached routing decisions so the new rule and table take effect immediately.
ip route flush cache


This is done from reference to chapter 4 of the Linux Advanced Routing
HOWTO.

As I said this is all untested.

But I believe it might work.
On the other hand it might totally mess up your routing.


For anybody trying to build firewalls I would really recommend
fwbuilder.  It basically provides an interface very similar to the GUI
for configuring FireWall1 for anybody who has used it.

It even includes a wizard that seems to do a good job of building an
initial config.

Mark





On Wed, 2002-01-16 at 15:11, Nick Murtagh wrote:
> On Wednesday 16 January 2002 14:54, Paul Jakma wrote:
> > On Wed, 16 Jan 2002, Nick Murtagh wrote:
> > > You need to set up two routing tables, one for each ISP, and then find
> > > some way, using netfilter perhaps, to direct packets to the right
> > > routing table.
> >
> > if you can find out how to do that, let me know, cause i'm dealing
> > with a very similar (nay identical) setup.
> 
> Say we have routers for ISPX and ISPY with IP addresses X and Y.
> 
> We source NAT incoming packets to either X or Y. Then return packets
> have destination X or Y. What happens when those packets hit the 
> firewall?
> 
> Scenario A (good)
> ----------
> * Packets forwarded to correct interface because of destination
>   address X or Y.
> * Source NAT changes X or Y to the original source (and now destination)
>   address.
> 
> Scenario B (bad)
> ----------
> * Source NAT changes X or Y to the original source (and now destination)
>   address.
> * Packets forwarded to the incorrect interface because of default route.
> 
> In other words, what is the relative order of choosing the interface and
> undoing the source NAT?
> 
> -- 
> Irish Linux Users' Group: ilug at linux.ie
> http://www.linux.ie/mailman/listinfo/ilug for (un)subscription information.
> List maintainer: listmaster at linux.ie
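A small model of the netfilter hook order the thread is asking about, added here as an illustration (it is not code from the post or from the HOWTO): destination rewrites (DNAT, and undoing SNAT) happen in PREROUTING before the routing decision, source rewrites (SNAT, and undoing DNAT) happen in POSTROUTING after it, so an "ip rule ... from X" cannot see X on the internal server's reply, whereas a rule keyed on a connection mark restored in PREROUTING (iptables CONNMARK plus "ip rule ... fwmark", a technique not mentioned in the thread) can. The addresses, interface names and mark values below are constructed sample values.

```python
from dataclasses import dataclass
# Constructed sample addresses: X and Y are the public addresses on the two ISP links,
# SERVER is the internal host both are NATed to, CLIENT is a host on the Internet.
X, Y, SERVER, CLIENT = "203.0.113.10", "198.51.100.20", "192.168.1.5", "192.0.2.77"
IFACE = {X: "eth_x", Y: "eth_y"}   # which link each public address lives on
MARK = {X: 1, Y: 2}                # connection mark per ISP (assumed values)
conntrack = {}                     # reply tuple (src, dst) -> public address the flow arrived on

@dataclass
class Packet:
    src: str
    dst: str
    mark: int = 0

def prerouting(p):
    """Before the routing decision: DNAT new inbound flows, restore the mark on replies."""
    if p.dst in IFACE:                       # new flow to X or Y: rewrite destination to SERVER
        conntrack[(SERVER, p.src)] = p.dst   # remember which public address it arrived on
        p.dst = SERVER
    elif (p.src, p.dst) in conntrack:        # reply from SERVER: CONNMARK --restore-mark
        p.mark = MARK[conntrack[(p.src, p.dst)]]

def routing(p, rules):
    """Policy routing: first matching 'ip rule' picks the table; main's default route is via Y."""
    if p.dst == SERVER:
        return "eth_lan"
    for match, value, egress in rules:
        if (match == "from" and p.src == value) or (match == "fwmark" and p.mark == value):
            return egress
    return IFACE[Y]                          # the default route the thread worries about

def postrouting(p):
    """After the routing decision: undo the DNAT on replies, rewriting SERVER back to X or Y."""
    public = conntrack.get((p.src, p.dst))
    if public is not None and p.src == SERVER:
        p.src = public

def forward(p, rules):
    # One packet through the forward path; returns (egress interface, source address on the wire).
    prerouting(p)
    egress = routing(p, rules)
    postrouting(p)
    return egress, p.src

# Each rule: (match type, value, egress interface of the table it selects).
FROM_RULES = [("from", X, IFACE[X]), ("from", Y, IFACE[Y])]       # the thread's proposal
MARK_RULES = [("fwmark", 1, IFACE[X]), ("fwmark", 2, IFACE[Y])]   # connection-mark variant

def reply_path(rules):
    """Inbound request to X, then the server's reply: which link does the reply leave on?"""
    conntrack.clear()
    forward(Packet(CLIENT, X), rules)
    return forward(Packet(SERVER, CLIENT), rules)
```

With the "from" rules the reply is routed while its source is still SERVER, so it falls through to the default route and leaves via ISP Y carrying source X (Scenario B); with the mark rules it leaves via ISP X.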