-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I'm sorry if this is the wrong mailing list; if it is, please direct
me where to post this question.
I'm going to start this email by saying I _think_ I've read
everything I can get my hands on about this subject; I've tried every
example I can find, with no luck. The second issue is that I cannot
upgrade to netfilter/iptables because one of the applications I need
requires "loose udp routing". Either the examples in the mailing
list do not apply or I must be doing something wrong.
Here is my problem: everything "works", but _all_ traffic goes out the
207.152.31.185 internet connection. Here is what I need to happen:
when somebody connects to 216.254.12.42 port 80, all traffic for
that "session" should be answered back as 216.254.12.42 and go out that
internet connection.
At this point in time I'm almost willing to do anything. Any
suggestions (or commands) to try would be very helpful, or a how-to.
Here is my basic setup and config:
I have 2 internet connections and 1 LAN private address space to
place all my computers on.
This is my LAN connection
/sbin/ifconfig eth0 192.168.181.254 netmask 255.255.255.0
My first internet connection:
/sbin/ifconfig eth1 207.152.31.185 netmask 255.255.255.0
And my SDSL connection:
/sbin/ifconfig eth2 216.254.12.42 netmask 255.255.255.0
Then my gateway command (since for right now I want traffic to
default out the first internet connection, since it's faster):
/sbin/route add default gw 207.152.31.1 netmask 0.0.0.0 metric 1
Now I have a number of "static ip addresses" for each of my internet
connections, so I add those:
/sbin/ip addr add 207.152.31.128 dev eth1
/sbin/ip addr add 207.152.31.127 dev eth1
/sbin/ip addr add 216.254.12.41 dev eth2
Now I start to set up IPChains:
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
/sbin/modprobe ip_masq_irc
/sbin/modprobe ip_masq_quake 26000,27000,27910,27960
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_always_defrag
/sbin/ipchains -M -S 7200 10 160
/sbin/ipchains -P forward DENY
/sbin/ipfwadm -F -a masquerade -W eth1 -S 192.168.181.0/24 -D 0.0.0.0/0
/sbin/ipfwadm -F -a masquerade -W eth2 -S 192.168.181.0/24 -D 0.0.0.0/0
Now, I have a number of services running on machines on the
private address space, so I portfwd those:
/usr/sbin/ipmasqadm portfw -f
/usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.185 1701 -R 192.168.181.245 1701
/usr/sbin/ipmasqadm portfw -a -P tcp -L 216.254.12.42 1701 -R 192.168.181.245 1701
/usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.185 1702 -R 192.168.181.251 1702
/usr/sbin/ipmasqadm portfw -a -P tcp -L 216.254.12.42 1702 -R 192.168.181.251 1702
/usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.128 80 -R 192.168.181.251 80
/usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.127 80 -R 192.168.181.250 80
/usr/sbin/ipmasqadm portfw -a -P tcp -L 216.254.12.42 80 -R 192.168.181.250 80
/usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.127 22 -R 192.168.181.250 22
/usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.128 22 -R 192.168.181.251 22
/usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.128 53 -R 192.168.181.251 53
/usr/sbin/ipmasqadm portfw -a -P udp -L 207.152.31.128 53 -R 192.168.181.251 53
/usr/sbin/ipmasqadm portfw -a -P tcp -L 216.254.12.42 53 -R 192.168.181.251 53
/usr/sbin/ipmasqadm portfw -a -P udp -L 216.254.12.42 53 -R 192.168.181.251 53
/usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.128 25 -R 192.168.181.251 25
/usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.127 25 -R 192.168.181.250 25
Then I block some annoying people who like to scan my boxes:
/sbin/ipfwadm -I -a reject -S 209.15.4.251/32 -D 0.0.0.0/0 -o
/sbin/ipfwadm -I -a reject -S 129.62.102.40/32 -D 0.0.0.0/0 -o
/sbin/ipfwadm -I -a reject -S 24.64.188.99/32 -D 0.0.0.0/0 -o
Now that's my current setup.
- -------------------
JayC Daniel
Senior Security Engineer
Security Integration
HCAHealthcare
615-344-6988
[EMAIL PROTECTED]
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
iQA/AwUBOpaQyms8MgTkO0sjEQLncwCeOqymC6znnQFtSrLwTTxxC1r8PaIAn0UB
ziItg0KN6W+gArLz+VPIR9cf
=968C
-----END PGP SIGNATURE-----
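The symptom described in the post (one default route, so replies for connections that arrived on the SDSL address 216.254.12.42 leave via 207.152.31.1) is the classic case for source-based policy routing with iproute2, which the post already uses for `ip addr add`. The script below is an added example, not part of the original message or the masq project: it gives the SDSL subnet its own routing table with its own default gateway and selects that table by packet source address, leaving the existing main-table default untouched. The SDSL gateway address (216.254.12.1), the table number 100 and the rule priority 100 are assumptions; the post does not give them. Whether the 2.2 masquerade/portfw code re-runs the routing decision for de-masqueraded reply packets is also not established by the post, so the rule should be verified on the box with `ip rule show` after applying it.

```shell
#!/bin/sh
# Added example: source-based policy routing so that packets sourced from the
# SDSL subnet leave through eth2 and its gateway, while everything else keeps
# the existing main-table default via 207.152.31.1.
#
# Assumptions not stated in the original post: the SDSL gateway (placeholder
# 216.254.12.1), routing table number 100 and rule priority 100.
set -u

SDSL_IF=eth2
SDSL_NET=216.254.12.0/24
SDSL_GW=${SDSL_GW:-216.254.12.1}   # PLACEHOLDER: replace with the real SDSL gateway
SDSL_TABLE=100
SDSL_PRIO=100

# DRY_RUN=1 (default) prints the commands instead of executing them, so the
# change can be reviewed before it touches a live gateway.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build the SDSL table and the rule that selects it by source address.
apply_sdsl_policy_routing() {
    # Connected route, so hosts on the SDSL subnet stay reachable from table 100.
    run ip route add "$SDSL_NET" dev "$SDSL_IF" table "$SDSL_TABLE"
    # Table 100's default is the SDSL gateway, not 207.152.31.1 from the main table.
    run ip route add default via "$SDSL_GW" dev "$SDSL_IF" table "$SDSL_TABLE"
    # Any packet sourced from the SDSL subnet (216.254.12.42 and 216.254.12.41
    # both live there) consults table 100 before the main table.
    run ip rule add from "$SDSL_NET" table "$SDSL_TABLE" priority "$SDSL_PRIO"
    run ip route flush cache
}

# Reads `ip rule show` output on stdin and returns 0 if the source-based rule
# is installed, 1 otherwise. Usage: ip rule show | sdsl_rule_present
sdsl_rule_present() {
    grep -q "from $SDSL_NET lookup $SDSL_TABLE"
}

# Offline model of the rule lookup: the table a packet with the given source
# address consults once the rule above is installed (main for everything else).
table_for_source() {
    case "$1" in
        216.254.12.*) echo "$SDSL_TABLE" ;;
        *)            echo main ;;
    esac
}

apply_sdsl_policy_routing
```

Run it once with the default `DRY_RUN=1` to review the four commands, then `DRY_RUN=0 SDSL_GW=<real gateway> sh script.sh` to apply them; `ip rule show | sdsl_rule_present && echo ok` confirms the rule survived.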