On Mon, 2005-06-06 at 10:06 -0700, William (Andy) Smith wrote:
> I was given direction from Charles Steinkuehler on my question, but I am
> still not clear on how to implement the routing rules in
> /etc/network/interfaces, or what specific rules to set since my case is
> slightly different from what is recommended at the documentation site.
> 
> I am looking at the following URL from what was suggested:
> 
> http://lartc.org/howto/lartc.rpdb.multiple-links.html
> 
> Going from their model, I have something more like this that I not only need
> to set up, but test and verify it works on the wire before we down
> production equipment and move it to a new location:
> 
>                                                                     _______
>                                           +-----------------+      /
>                                           |    Provider 1   |     |
>                              +------------+ 66.114.33.64/30 +----
>                              |            | gw 66.114.34.65 |   /
>    +-----------------+ +----------------+ +-----------------+  |
>    |  DMZ via Prov.1 +-|eth2 eth0       |                     /
>    | 66.114.34.92/30 | |                |                     |
>    +-----------------+ | Linux Router   |                     |    Internet
>                        |                |                     |
>    +-----------------+ |                |                     \
>    | Lcl NAT via Prv2| |                |                      |
>    | 192.168.2.0/24  +-+eth1 eth3       |                       \
>    +-----------------+ +-----+----------+ +-----------------+    \
>                              |            |    Provider 2   |     |
>                              +------------+ 192.168.1.0/24  +------\
>                                           | gw 192.168.1.254|       \_______
>                                           +-----------------+
> 
> I note /etc/iproute2/rt_tables which on my machine has the following as a
> default on my existing router:
> 
> #
> # reserved values
> #
> 255     local
> 254     main
> 253     default
> 0       unspec
> #
> # local
> #
> 1      inr.ruhep
> 
> The only 'inbound' traffic from the net comes from Provider 1 to the DMZ.
> 
> I suspect I need to add tables to rt_tables, for which the following names
> would be useful to match my shorewall names:
> 
> Eth0  net
> Eth1  lcl
> Eth2  dmz
> Eth3  cbl
> 
> So am I correct to comment out 'inr.ruhep' and append the following to
> rt_tables?
> 
> 1      net
> 2      lcl
> 3      dmz
> 4      cbl


If I understand correctly what you wish to do, you need to add a
masquerade/SNAT rule for the traffic coming from eth1 to eth3 (and add
an exclude for the network on eth2 in shorewall). As the machine has a
local route to the dmz network it should route the traffic there without
needing any changes.
All traffic coming in via provider 1 (eth0) will be automatically routed
to the dmz, too. So the only thing you need to change, is that all
traffic coming from the dmz will go out on eth0 again.
So, just add one table to rt_tables (you need only to do this once and
backup the package).
echo 1  dmz >> /etc/iproute2/rt_tables
(I am not sure about the 1; normally numbers starting at 200 are used).

You now create an appropriate rule:
# ip rule add from 66.114.34.92/30 table dmz
# ip route add default via 66.114.34.65 dev eth0 table dmz
# ip route flush cache

this should basically do it. As the normal traffic will take the default
table...

You can add this to /etc/network/interfaces to the eth0 section like
this:
up ip rule add from 66.114.34.92/30 table dmz
up ip route add default via 66.114.34.65 dev eth0 table dmz
up ip route flush cache

and (if you want), a corresponding down section...
Or you can put this in a script (for example /usr/local/sbin/addiprules)
and use it like:
up /usr/local/sbin/addiprules

or put it in /etc/network/if-up.d. All scripts in there are called with
some environment variables (an example follows):

MODE=stop
IF_NETMASK=255.255.255.0
ADDRFAM=inet
METHOD=static
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
_=/usr/bin/env
PWD=/root
IF_NETWORK=192.168.5.0
SHLVL=2
IF_BROADCAST=192.168.5.255
IF_GATEWAY=192.168.5.254
IFACE=eth0
IF_ADDRESS=192.168.5.3

(I used ifdown, so MODE is stop, not start). But you could use something
like:
#! /bin/sh
# hook scripts run for every interface, so act only for eth0
if [ "$IFACE" = "eth0" ] ; then
        ip rule add from 66.114.34.92/30 table dmz
        ip route add default via 66.114.34.65 dev eth0 table dmz
        ip route flush cache
fi

All 3 possibilities should work; I think the first one (directly
in /etc/network/interfaces) is the easiest...

--arne

-- 
Arne Bernin <[EMAIL PROTECTED]>

http://www.ucBering.de
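The third option from Arne's reply (a hook in /etc/network/if-up.d), worked through as an added example that is not Arne's code or part of the LEAF/Bering distribution. It goes one step beyond the thread: ifup can be run more than once for the same interface, and a plain "ip rule add" installs the same rule a second time while "ip route add" fails if the route already exists, so the hook checks the rule first, uses "route replace", and appends the rt_tables entry only when it is missing; it also handles MODE=stop so ifdown removes what ifup installed. The table number 200, the table name "dmz", the hook file name and the RT_TABLES/IP override variables (there so the script can be dry-run without root) are assumptions; the addresses and interface names are the ones from the diagram in the thread.

```sh
#!/bin/sh
# Added example (not Arne's or the LEAF project's code): a hypothetical
# ifupdown hook for /etc/network/if-up.d (symlinked into if-down.d) that
# installs the policy route for the DMZ subnet from the thread's diagram.
# Assumptions: table number 200 and the name "dmz"; the addresses and
# interface names are the ones from the thread.

RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"  # overridable for dry runs
IP="${IP:-ip}"                                      # overridable for dry runs

DMZ_TABLE_ID=200        # assumption: custom tables usually start at 200
DMZ_TABLE=dmz
DMZ_NET=66.114.34.92/30
PROV1_GW=66.114.34.65
PROV1_IF=eth0

# Append "<id> <name>" to rt_tables only if that exact entry is absent,
# so repeated ifup runs never accumulate duplicate lines.
ensure_table() {
    id="$1"; name="$2"
    if ! grep -Eq "^[[:space:]]*${id}[[:space:]]+${name}([[:space:]]|\$)" \
            "$RT_TABLES" 2>/dev/null; then
        printf '%s\t%s\n' "$id" "$name" >> "$RT_TABLES"
    fi
}

# True if a "from <net> lookup <table>" rule is already installed.
dmz_rule_present() {
    "$IP" rule show | grep -q "from ${DMZ_NET} lookup ${DMZ_TABLE}"
}

# Install the rule and the table's default route. "ip rule add" installs
# the same rule twice and "ip route add" fails when the route exists, so
# check the rule first and use "route replace" to stay idempotent.
dmz_rules_up() {
    if ! dmz_rule_present; then
        "$IP" rule add from "$DMZ_NET" table "$DMZ_TABLE"
    fi
    "$IP" route replace default via "$PROV1_GW" dev "$PROV1_IF" table "$DMZ_TABLE"
    "$IP" route flush cache
}

# Undo on ifdown so the next ifup starts from a clean table.
dmz_rules_down() {
    if dmz_rule_present; then
        "$IP" rule del from "$DMZ_NET" table "$DMZ_TABLE"
    fi
    "$IP" route flush table "$DMZ_TABLE"
    "$IP" route flush cache
}

# Entry point. ifup/ifdown export IFACE and MODE to every hook and run the
# hooks for every interface, so act only for eth0. Run outside ifupdown
# (no MODE set) the script does nothing, which keeps it safe to source.
if [ "$IFACE" = "$PROV1_IF" ]; then
    case "$MODE" in
        start) ensure_table "$DMZ_TABLE_ID" "$DMZ_TABLE"; dmz_rules_up ;;
        stop)  dmz_rules_down ;;
    esac
fi
```

Install it as, for example, /etc/network/if-up.d/dmz-policy-route (a hypothetical name), make it executable, and symlink it from /etc/network/if-down.d so the stop branch runs on ifdown; run-parts skips file names containing dots, so keep the name to letters, digits, hyphens and underscores. To see what it would do without touching the kernel, run it with IP=echo and RT_TABLES pointing at a scratch copy of the table file. After a real ifup, "ip rule show" and "ip route show table dmz" confirm the rule and the default route are in place exactly once.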

------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/