"double" firewall network
31 Jul 2001 04:08:51 GMT
iptables won't do that.
Look into iproute2
Sadin Nurkic wrote:
> I have the following situation and was wondering what was the best
> way to attack it:
> 1 machine (1st fw) connected via DSL (i.e. high-speed), 2 interfaces
> eth0=internal subnet, eth1=DSL
> 2 extra machines on the same subnet (web and mail server)
> 3rd machine is a "second" firewall with 3 interfaces,
> eth0=subnet with the other fw,
> eth1=subnet with office machines
> ppp0=slow connection
> then there is a bunch of office machines connected on this "office subnet",
> some of these machines
> need to go through the "high-speed" connection, while others need to go
> thru the ppp0 interface
> of the 2nd fw.
> Only the DSL interface on the 1st fw, and the ppp0 interface on the 2nd fw
> have real IP addresses,
> all other interfaces are internal addresses.
> I know that this is really complex, but it is definetely NOT my idea to
> organise it like this,
> lets just say that the boss has no idea about anything...
> If I setup masquarading on the middle fw, because its default route is to
> go thru the 2nd
> fw, and not the machine on the other end of the ppp link, everything ends
> up going through
> there without even considering the -o ppp0 that i put in the iptables
> command for a specific
> source IP address.
> I've tried about a million different combinations of routes, iptables using
> SNAT or MASQ
> but no success, so I was wondering if anyone would have an idea on how to
> do this from scratch
> i.e. which addresses to use first, whether or not to use different
> addresses for "high-speed allowed"
> so they're on a diff subnet, or just do a default MASQ to go to
> highspeed,then one-by-one set rules
> for low speed to go thru ppp0?
> Any help with this would be greatly appreciated.
¡° Origin: ·s¼ÒÀÀ¥@¬É ¡» Mail: email@example.com (Matt Hellman)