From: "Martin A. Brown" <mabrown-lartc@securepipe.com>
To: lartc@vger.kernel.org
Subject: RE: [LARTC] 4 nic advanced routing question update
Date: Tue, 10 Sep 2002 21:49:52 +0000
Message-ID: <marc-lartc-103169464805322@msgid-missing>
In-Reply-To: <marc-lartc-103169254203213@msgid-missing>
Thad,
Preface:
- - - - - -
I'm not certain that I understand your ultimate goal, though I'm
sure I do not understand what you mean by a failover appliance.... (I know
what such devices do, but I don't see how you are integrating it into this
solution, but that's your problem.)
: ok i will do it in text:
:
: 66.92.114.46 eth0
: 209.141.2.194 eth1
: 192.168.119.101 eth2
: 192.168.120.101 eth3
:
: What i have is a linux box RH7.3 which will eventually run Shorewall
: Firewall. On this box there is eth0 66.92.114.46 connected to isp1 and
: eth1 209.141.2.194 connected to isp2. It also has eth2 192.168.119.101
: and eth3 192.168.120.101 which will connect to a failover appliance
: which has 2 wan interfaces and one lan interface.
:
: What i need is to have traffic going to eth0 be routed to eth2 and
: traffic going to eth1 routed to eth3, and vice versa.
This appears to be the rub! I assume for the purposes of my answer that
you don't want either of these pairs of networks knowing about the
others. This is essentially turning your linux box into two separate
routers....if this is not what you intend, at least it might get you
started.
You'll need to take the following steps:
- create routing tables for each of the sets of networks between
which you want to pass traffic
- modify the RPDB to select traffic based on the interface on which a
packet arrives
# -- numbers chosen here are arbitrary, but between 1 and 253
# labels are also completely arbitrary
#
echo 4 public-link-0 >> /etc/iproute2/rt_tables
# -- table identifiers below are looked up in the above file
# (/etc/iproute2/rt_tables)
#
ip route add table public-link-0 192.168.119.0/24 dev eth2
ip route add table public-link-0 66.92.114.32/28 dev eth0
ip route add table public-link-0 default via 66.92.114.33 dev eth0
# -- numbers here are equally as arbitrary--use a label
# that makes sense to you
#
echo 5 public-link-1 >> /etc/iproute2/rt_tables
ip route add table public-link-1 192.168.120.0/24 dev eth3
ip route add table public-link-1 209.141.2.192/27 dev eth1
ip route add table public-link-1 default via $GW_ON_ETH1 dev eth1
# Notice that this simply sets up the routing tables.
# Now you need to use the RPDB to ask for lookups to the routing table you
# wish to use.
# -- here we'll configure the policy routing to force packets
# coming to and from the separate networks through the right interfaces
#
ip rule add iif eth2 table public-link-0
ip rule add iif eth0 table public-link-0
ip rule add iif eth1 table public-link-1
ip rule add iif eth3 table public-link-1
# -- now flush the routing cache
#
ip route flush cache
Notes:
- - - - - -
- I can't simulate your setup....this may not work, and may not do
what you want
- locally generated traffic is a problem I don't deal with
- this will only allow packets to and from eth0 <--> eth2 and
eth1 <--> eth3
- you'll need to do masquerading with your packet filtering engine if
you want any of the rfc1918 networks to reach the internet
Oh, yes....by the way, Julian just responded to this. Read his
documentation and the iproute2 manual thoroughly and carefully. There is
more than enough to get you to where you want to go.
If you need an online iproute2 manual there are a few--try this one:
http://defiant.coinet.com/iproute2/ip-cref/node1.html
Good luck and bon voyage!
-Martin
: Right now i can ping eth0, eth1, eth2, eth3 on the box. I also can
: ping beyond eth0 and eth1. what i can not do is ping beyond eth2 and
: eth3.
:
: I have tried several table statements and played with pref to no avail.
:
: any insight would be helpful!
:
:
:
: -----Original Message-----
: From: Jose Luis Domingo Lopez [mailto:lartc@24x7linux.com]
: Sent: Tue 9/10/2002 2:39 PM
: To: lartc@mailman.ds9a.nl
: Cc:
: Subject: Re: [LARTC] 4 nic advanced routing question
:
: On Tuesday, 10 September 2002, at 12:34:10 -0400,
: Michael T. Babcock wrote:
:
: > I'm not sure why you're having a problem:
: > His document was encoded properly ...
: >
: Yes, multipart/alternative, but I think what the reader was trying to
: say is that the ASCII version of the email seems to include some kind of
: ASCII-art that depicts the sender's network. But at least in my email
: client the drawing seems broken and gives no clues about topology.
:
:
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
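The rt_tables / ip route / ip rule procedure Martin lays out, generalized into a helper that builds one table and its RPDB rules per (WAN, LAN) interface pair. This is an added example, not Martin's script or anything from the thread; RT_TABLES and DRY_RUN are hypothetical knobs (DRY_RUN=1 only prints the ip commands), and it adds the check the plain "echo >> rt_tables" lacks, so re-running it does not append duplicate table entries.

```shell
#!/bin/sh
# Added example, not Martin's script: generalizes the two "public-link" pairs
# above into one helper per (WAN, LAN) interface pair. Assumptions: RT_TABLES
# and DRY_RUN are hypothetical knobs; DRY_RUN=1 only prints the ip commands.
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Register "<id> <name>" in rt_tables exactly once. A bare "echo >> rt_tables"
# appends a duplicate every time the script is re-run; this checks first.
# Ids must be numeric and in 1..252 (rt_tables itself names 253 "default",
# 254 "main", 255 "local").
register_table() {
    id="$1"; name="$2"
    case "$id" in ''|*[!0-9]*) return 1;; esac
    [ "$id" -ge 1 ] && [ "$id" -le 252 ] || return 1
    if grep -Eq "^[[:space:]]*($id[[:space:]]|[0-9]+[[:space:]]+$name[[:space:]]*\$)" \
            "$RT_TABLES" 2>/dev/null; then
        return 0
    fi
    printf '%s\t%s\n' "$id" "$name" >> "$RT_TABLES"
}

# One routing table plus the RPDB rules that send packets arriving on either
# side of the pair to that table only. Args:
#   id name wan_if wan_net gateway lan_if lan_net
link_pair() {
    id="$1"; name="$2"; wan_if="$3"; wan_net="$4"; gw="$5"; lan_if="$6"; lan_net="$7"
    register_table "$id" "$name" || { echo "bad table id '$id'" >&2; return 1; }
    run ip route add table "$name" "$lan_net" dev "$lan_if"
    run ip route add table "$name" "$wan_net" dev "$wan_if"
    run ip route add table "$name" default via "$gw" dev "$wan_if"
    run ip rule add iif "$lan_if" table "$name"
    run ip rule add iif "$wan_if" table "$name"
}

# Run with the argument "apply" to emit (or, with DRY_RUN=0, execute) the two
# pairs from the thread; $GW_ON_ETH1 is the same placeholder as in the email.
if [ "${1:-}" = "apply" ]; then
    link_pair 4 public-link-0 eth0 66.92.114.32/28 66.92.114.33 eth2 192.168.119.0/24
    link_pair 5 public-link-1 eth1 209.141.2.192/27 "${GW_ON_ETH1:?set GW_ON_ETH1}" eth3 192.168.120.0/24
    run ip route flush cache
fi
```

Run it once with DRY_RUN=1 to review the generated commands, then with DRY_RUN=0 as root; the "ip route flush cache" at the end is the same final step as in the original.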