Re: Funky Firewall - Engineering Request

Author: Jay
Date:  
To: PLUG Discuss
Subject: Re: Funky Firewall - Engineering Request
On Sat, 8 Jan 2005, Bill Jonas wrote:

> On Sat, Jan 08, 2005 at 10:57:23AM -0700, George Toft wrote:
>> Qwest allows me 4 IP addresses, and I would like to take advantage of
>> them so we can have more than one computer at the site at one time.
>
> Do you have more than four computers internally? If not, just NAT them.
> As a reminder, NAT is many-to-many; masquerading (a Linux-specific term,
> or if it's not now, Linux was the first to use it) is just a special
> case.
In George's case that will not work. As I understand his problem, the
source external/public address of the HTTP connection needs to be
different for each internal machine.

You could do this with some super-nasty IPTables rules, but that would
likely be pretty painful.

You may also be able to make it easier by bringing up four internal
gateways (eth1, eth1:0, eth1:1, and eth1:2) and four external addresses on
the firewall (eth0, eth0:0, eth0:1, and eth0:2), and give each LAN host
its own internal gateway (they will all still be in the same subnet, so
they will be able to talk to each other just fine). Then on the firewall,
the IPTables rules could be simplified to just redirecting packets coming
in from eth1 to go out eth0, in from eth1:0 to go out eth0:0, in from
eth1:1 to go out eth0:1, etc...

Still not very clean, but do-able.

Here is another idea, and I am not quite sure if this would work off-hand
(still too early in the morning for me), but it would be really easy to
try it out. Bring up your four external addresses on the firewall, then
add four identical routes (but with different interfaces) to your ISP's
gateway router. For example (if your netblock is 1.2.3.0/24 and your ISP's
gateway router is 1.2.3.1):

# route add default gw 1.2.3.1 eth0
# route add default gw 1.2.3.1 eth0:0
# route add default gw 1.2.3.1 eth0:1
# route add default gw 1.2.3.1 eth0:2

That may cause the firewall box to pseudo-randomly pick an interface to
the gateway for different packets. Of course, this would be a total hack,
but much easier to test out than the "real" way of doing it using
IPTables. Of note, if your firewall is doing reverse path filtering, you
may need to disable that for this to work, since the routes may well now
be asymmetrical.
--
~Jay
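
The "real" iptables way Jay mentions, as an added example that is not part of the original thread: one SNAT rule per LAN host, so each host leaves the firewall with its own public address. The internal addresses 192.168.1.10-13 and the public addresses 1.2.3.10-13 are constructed for the example; the script prints the commands for review rather than running them.

```shell
#!/bin/sh
# Added example, not from the mailing list post: per-host source NAT.
# Assumed layout: eth0 faces the ISP, eth1 faces the LAN, and the public
# block 1.2.3.0/24 is the one quoted in the post. Host pairs are constructed.
EXT_IF=eth0
INT_IF=eth1

# "internal public" pairs, one per line (constructed sample data)
MAP='192.168.1.10 1.2.3.10
192.168.1.11 1.2.3.11
192.168.1.12 1.2.3.12
192.168.1.13 1.2.3.13'

# Emit the commands instead of executing them, so the plan can be checked
# before it touches the firewall (pipe the output to sh to apply it).
snat_rules() {
    echo "$MAP" | while read -r lan pub; do
        [ -n "$lan" ] || continue
        # bind the public address on the firewall (modern form of eth0:0 aliases)
        echo "ip addr add $pub/24 dev $EXT_IF"
        # rewrite only this host's outbound source to its own public address;
        # conntrack reverses the translation for the replies, so no extra
        # rules and no rp_filter changes are needed, unlike the route trick
        echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $lan -j SNAT --to-source $pub"
    done
    # anything not in the map still masquerades behind the primary address
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE"
    # only let the LAN side originate new connections through the box
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT"
    echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# number of per-host SNAT rules produced, for a quick sanity check
count_snat() {
    snat_rules | grep -c -- '-j SNAT'
}

snat_rules
```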
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss