Next: 17 Secure Shell
Up: Redhat FAQ
Previous: 15 Serial Ports
Contents
Last change: 03/20/2004
Given the following configuration, where:
- eth0:
  network = 192.168.124.0/24
  address = 192.168.124.247
- eth1:
  network = 65.223.121.224/28
  address = 65.223.121.235
  gateway = 65.223.121.225
  eth1:1 = 65.223.121.233
- eth2:
  network = 209.189.103.192/27
  address = 209.189.103.219
  gateway = 209.189.103.222
  eth2:1 = 209.189.103.218
  eth2:2 = 209.189.103.217
- Default interface = eth1, gateway = 65.223.121.225
- Add routing tables for both interfaces to /etc/iproute2/rt_tables
201 T1
202 T2
- Create the routing tables. T1 belongs to eth1 and T2 to eth2; each table
holds its own external network, the internal network and a default route
via its own gateway (a table can hold only one default route).
ip route add 65.223.121.224/28 dev eth1 src 65.223.121.235 table T1
ip route add 192.168.124.0/24 dev eth0 src 192.168.124.247 table T1
ip route add default via 65.223.121.225 table T1
ip route add 209.189.103.192/27 dev eth2 src 209.189.103.219 table T2
ip route add 192.168.124.0/24 dev eth0 src 192.168.124.247 table T2
ip route add default via 209.189.103.222 table T2
- Create rules for external interfaces
ip rule add from 65.223.121.224/28 table T1
ip rule add from 209.189.103.192/27 table T2
The above ensures that traffic entering and leaving the firewall on an
external address is routed through the interface that owns that address.
- Suppose I have an external address on eth2 (209.189.103.218) DNAT'ed
on ports 22 (ssh) and 80 (http) to an internal address of 192.168.124.232.
- Add the rule to /etc/shorewall/rules
DNAT net1 loc:192.168.124.232 tcp ssh,http - 209.189.103.218
- Add the following routing rule. Use the internal address as the source
address, not the NAT'ed address: the routing decision is made before the
reply's source address is rewritten, so the rule sees 192.168.124.232.
ip rule add from 192.168.124.232 table T2
Sometimes it is necessary that a particular service always appear
on a certain external address. For example, a DNS server that is DNAT'ed
should always appear on the same address as advertised in the zone
DNS. Similarly, a server for outgoing mail must appear on an address
listed in the SPF record in DNS.
- Suppose I want to DNAT traffic from 192.168.124.232 on ports 25 (smtp)
and 53 (named) to external address 209.189.103.217.
- Add to /etc/shorewall/masq before the default masquerade rule.
eth2 192.168.124.232 209.189.103.217 udp 53
eth2 192.168.124.232 209.189.103.217 tcp 53
eth2 192.168.124.232 209.189.103.217 tcp 25
- Or, as a single entry without protocol and port:
eth2 192.168.124.232 209.189.103.217
- Add the following routing rule
ip rule add from 192.168.124.232 table T2
The difference between the port-specific entries and the single entry is:
- With the port-specific entries, only traffic to the listed ports is
NAT'ed. All other traffic is passed as is with a source address of
192.168.124.232.
- With the single entry, all outgoing traffic from that host is NAT'ed
to 209.189.103.217.
- Which you choose to use is dependent on your application, but you should
be aware of the difference.
One question I was asked by an early reviewer was, "What if I
need some traffic to a server to come in through eth1 and other traffic
to the same server through eth2?" The best answer I have is:
- Assign more than one address to the internal server. Here I will assign
these addresses:
eth0 = 192.168.124.232
eth0:1 = 192.168.124.235
eth0:2 = 192.168.124.229
- In /etc/shorewall/rules, DNAT 209.189.103.218, port 80 (http) to 192.168.124.235
DNAT net1 loc:192.168.124.235 tcp http - 209.189.103.218
- In /etc/shorewall/rules, DNAT 65.223.121.233 port 25 (smtp) to 192.168.124.229
DNAT net0 loc:192.168.124.229 tcp smtp - 65.223.121.233
- If necessary, delete the old routing rule for 192.168.124.232
$ ip rule delete from 192.168.124.232 lookup T2
- Add a new routing rule for 192.168.124.235
$ ip rule add from 192.168.124.235 table T2
- It isn't necessary but doesn't seem to hurt to add a rule for the
address NAT'ed from the default interface
$ ip rule add from 192.168.124.229 table T1
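The two rule sets above (the single DNAT'ed server and the multi-address server) both rely on the same mechanism: the source-address rule is matched against the internal address and selects the table whose default route leaves by the right interface. The following added example (not part of the FAQ) models that lookup with the page's tables and addresses; the contents of the `main` table and the client address 198.51.100.7 are assumptions.

```python
"""Added example (not from the FAQ): a model of Linux policy routing,
ip rule -> table -> longest-prefix lookup, showing why the DNAT'ed
server's internal address needs a source rule selecting table T2 (eth2).
The 'main' table contents and the client address 198.51.100.7 are assumed."""
import ipaddress

# Routing tables: (destination prefix, outgoing interface, gateway or None).
TABLES = {
    "T1": [("65.223.121.224/28", "eth1", None),
           ("192.168.124.0/24", "eth0", None),
           ("0.0.0.0/0", "eth1", "65.223.121.225")],
    "T2": [("209.189.103.192/27", "eth2", None),
           ("192.168.124.0/24", "eth0", None),
           ("0.0.0.0/0", "eth2", "209.189.103.222")],
    # Assumed main table: the page's default interface is eth1.
    "main": [("192.168.124.0/24", "eth0", None),
             ("65.223.121.224/28", "eth1", None),
             ("209.189.103.192/27", "eth2", None),
             ("0.0.0.0/0", "eth1", "65.223.121.225")],
}
# 'ip rule' entries in priority order: (source prefix, table to consult).
BASE_RULES = [("65.223.121.224/28", "T1"), ("209.189.103.192/27", "T2")]

def lookup(table, dst):
    """Longest-prefix match inside one table; returns (iface, gateway)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, iface, gw)
    return best[1:] if best else None

def route(src, dst, rules):
    """Apply rules to the pre-NAT source address; fall back to 'main'."""
    src = ipaddress.ip_address(src)
    for prefix, table in rules:
        if src in ipaddress.ip_network(prefix):
            hit = lookup(table, dst)
            if hit:
                return table, hit[0]
    return "main", lookup("main", dst)[0]

# Reply from the ssh/http server (reached via 209.189.103.218 on eth2) to
# an Internet client: without a rule for the internal address it leaves via
# eth1, the wrong interface; with the page's rule it leaves via eth2.
before = route("192.168.124.232", "198.51.100.7", BASE_RULES)
after = route("192.168.124.232", "198.51.100.7",
              BASE_RULES + [("192.168.124.232/32", "T2")])
```

The same function shows the multi-address case: with the rules from this section, 192.168.124.235 resolves to T2/eth2 and 192.168.124.229 to T1/eth1.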
2005-03-20