Congrats pard! Nothing beats the sound of happy packets! Sounds like... victory.

More ?'s below:

On Thursday 26 March 2009, Rubin Bennett wrote:
> So in a follow up to the thread of last week about dual Internet
> connections, I managed to do that which I thought impossible over the
> weekend for a client.
>
> The layout:
>
>
> |---------------|      |---------------|               /-----\
> |192.168.1.0/24 |      |               |----ISP1---|       |
> |     LAN       |------|   Firewall    |           |  0/0  |
> |               |      |               |----ISP2---|       |
> |---------------|      |---------------|               \-----/
>
> The outbound side is reasonably easy to deal with using iproute2 and
> weighting/ equalizing the routes.

Is there a switch somewhere; is fw also THE router?

> However, the difficult (and therefore rewarding part) was getting the
> firewall to track and properly forward connections to an internal system
> *regardless of which connection it came in on*. The goal was to have 2
> MX records in public DNS, one weighted higher than the other, so that if
> the connection to ISP1 goes down, inbound e-mail will simply come in
> over the other line.

So, the LAN (or an analog DMZ) is hosting an SMTP server and the fw greenlights port traffic on either IF? Cool so far.

> In my looking around for systems or appliances that perform this magic,
> I came up basically empty (short of $10k NetScreen/ Barracuda/ Cisco
> gear) and was under the impression that it's simply not possible under
> Linux

Did you perchance look into a Vyatta router?

> without employing some sort of source routing, which would then
> require either separate IP addresses and routing tables on the internal
> server, or dual NICs on the server.

So the fw is just a Linux box acting as a hub/router? And has two NICs, not one 2-port NIC? Correct? Is it capable of port-bonding, does it need that?

> Then connections to the server from
> ISP1 could be forwarded to NIC1 on the server, and connections via ISP2
> would be forwarded to NIC2.

So, what you wanted to do was possible under Linux using two NICs, though I don't understand why you couldn't have done that w/IP aliasing; not that you'd want to.

> However, that's messy and inelegant, and flies in the face of how I like
> to do things :)
>
> Enter my OCD, and a couple days worth of Googling, and I stumbled across
> fwmark and --ctorigdst in the iptables stack [1]
>
>
> An afternoon of pfutzing with iproute2 and iptables, and voila!!! It
> Works!

Care to share your source code, scripts, params, etc.?

> You can now telnet to port 25 on either interface of the firewall,

Again, was this a one or two NIC solution? Your diagram makes it clear that it's two, but your explanation indicated that two was inelegant; or was that related to "separate IP addresses and routing tables on the internal server"?

> via
> either ISP and connect to the internal server, and there is absolutely
> no reconfiguration needed on the server itself. *Rubin does a victory
> lap around the abandoned office*.
>
> Since this thread generated a fair amount of interest last week, I
> thought I'd share my little victory with y'all :)

I wasn't part of that thread, but it just got interesting. Thanks. Sorry if my understanding remains dense.

Rion
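Rubin's script is not quoted anywhere in the thread, so the following is an added example (not his code) of the technique he names: DNAT port 25 on both public addresses to one internal host, then mark the host's replies by the connection's original destination (the conntrack `--ctorigdst` match) and steer marked packets to a per-uplink routing table with `ip rule ... fwmark`. Interface names, the TEST-NET addresses, the internal host 192.168.1.25 and the table ids 101/102 are all assumed placeholders; the rp_filter loosening is an assumption about what the second uplink needs, not something the thread states.

```sh
#!/bin/sh
# Added example, not the script from the thread: inbound dual-ISP forwarding on a
# Linux firewall with DNAT, fwmark and the conntrack --ctorigdst match.
# Every address and interface name below is an assumed placeholder.
set -eu

LAN_IF=eth0                                        # 192.168.1.0/24 side
ISP1_IF=eth1; ISP1_IP=203.0.113.10; ISP1_GW=203.0.113.1
ISP2_IF=eth2; ISP2_IP=198.51.100.10; ISP2_GW=198.51.100.1
MAILHOST=192.168.1.25                              # constructed: internal SMTP server
T1=101; T2=102                                     # numeric table ids, no rt_tables edit needed

# Emit the configuration as one command per line so it can be reviewed first,
# then piped to sh on the firewall as root.
dualwan_rules() {
cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# assumed: loose reverse-path filtering on the uplinks, since strict mode would drop
# packets arriving on ISP2 from sources whose main-table route points at ISP1
sysctl -w net.ipv4.conf.$ISP1_IF.rp_filter=2
sysctl -w net.ipv4.conf.$ISP2_IF.rp_filter=2
# one routing table per uplink; packets carrying the matching fwmark use it
ip route replace default via $ISP1_GW dev $ISP1_IF table $T1
ip route replace default via $ISP2_GW dev $ISP2_IF table $T2
ip rule add fwmark 1 table $T1
ip rule add fwmark 2 table $T2
# port 25 on either public address lands on the same internal host, unchanged
iptables -t nat -A PREROUTING -i $ISP1_IF -d $ISP1_IP -p tcp --dport 25 -j DNAT --to-destination $MAILHOST
iptables -t nat -A PREROUTING -i $ISP2_IF -d $ISP2_IP -p tcp --dport 25 -j DNAT --to-destination $MAILHOST
# replies from the LAN: conntrack remembers the ORIGINAL (pre-DNAT) destination,
# so mark each reply by the public address the client first connected to
iptables -t mangle -A PREROUTING -i $LAN_IF -m conntrack --ctorigdst $ISP1_IP -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i $LAN_IF -m conntrack --ctorigdst $ISP2_IP -j MARK --set-mark 2
# LAN-originated traffic leaves with the source address of whichever uplink it takes
iptables -t nat -A POSTROUTING -o $ISP1_IF -j SNAT --to-source $ISP1_IP
iptables -t nat -A POSTROUTING -o $ISP2_IF -j SNAT --to-source $ISP2_IP
# forward only the SMTP flow (from either uplink) and established return traffic
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $ISP1_IF -p tcp -d $MAILHOST --dport 25 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $ISP2_IF -p tcp -d $MAILHOST --dport 25 -m conntrack --ctstate NEW -j ACCEPT
iptables -P FORWARD DROP
EOF
}

case "${1:-print}" in
    apply) dualwan_rules | sh -e ;;   # execute on the firewall as root
    *)     dualwan_rules ;;            # default: only show the commands
esac
```

Run it without arguments to inspect the generated commands, and with `apply` on the firewall to execute them. The marking happens in the mangle PREROUTING chain, which runs before the routing decision, so the `fwmark` rules see the mark when they pick a table; the `ip rule add` lines are not idempotent, so re-running the script appends duplicate rules unless the old ones are flushed first.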