iptables: forwarding, masquerading, and high-availability

Jose Maria Lopez jkerouac at bgsec.com
Thu Sep 9 18:41:35 CEST 2004


On Wed, 08 Sep 2004 at 21:16, Bill Hayes wrote:
> I have a problem trying to create a high availability firewall/router setup. Multiple servers on the internal network should be masqueraded to appear as a single server on the external network.
> 
> The simplest case that fails for me looks like this...
> 
> 
> Configuration: SuSE 9.1 (linux 2.6.5, iptables 1.2.9, heartbeat 1.2.0)
> 
> firewall-1: eth0 = 192.168.1.1, eth1 = 10.1.1.1
> firewall-2: eth0 = 192.168.1.2, eth1 = 10.1.1.2
> 
>          +--------+
>          | server |
>          +----+---+
>               |
>     +---------+---------+
>     |        hub        |
>     +-+---------------+-+
>       |               |
> +-----+------+ +------+-----+
> | firewall-1 | | firewall-2 |
> +-----+------+ +------+-----+
>       |               |
>     +-+---------------+-+
>     |        hub        |
>     +---------+---------+
>               |
>           +---+----+
>           | router |
>           +---+----+
>               |
> 
> If I configure my servers to use 192.168.1.1 as their gateway, and tell all my clients that 10.1.1.1 is my server, then everything works as desired.
> 
> On to high availability, I configure my servers to use 192.168.1.3 as their gateway, and tell all my clients that 10.1.1.3 is my server. I start heartbeat and soon my firewalls now look like...
> 
> firewall-1: eth0 = 192.168.1.1, eth0:1 = 192.168.1.3, eth1 = 10.1.1.1, eth1:1 = 10.1.1.3
> firewall-2: eth0 = 192.168.1.2, eth1 = 10.1.1.2
> 
> Now, all my outgoing connections are established as before, but all the incoming connections fail with...
> 
> SFW2-INext-DROP-DEFLT
> 
> instead of succeeding with...
> 
> SFW2-FWDext-ACC-REVMASQ
> 
> I know that iptables treats virtual interfaces as if they are the underlying physical interface, thus eth1:1 should be eth1, and outgoing connections work, thus I have proof that eth0:1 is eth0, so what is happening? Why are the packets being dropped?
> 

What rules apply to each interface? Bear in mind that even though eth1:1 is
the same interface as eth1 (really it's just another IP on the machine),
rules that apply to eth1 don't apply to eth1:1, because for Linux
both are completely different interfaces.

> Thanks to anyone that can help,
> Bill
> 
> wjh [at] sympatico [dot] ca
> hayes [at] mail [dot] ru
-- 
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac at bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
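An added example, not from either poster, of a minimal NAT rule set for the floating addresses in the thread (192.168.1.3 inside, 10.1.1.3 outside). It matches on the physical device names and on the floating addresses themselves, so the same script can run on whichever firewall currently holds them; the internal server address 192.168.1.10 and TCP port 80 are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: the published
# internal server is 192.168.1.10 and the service is TCP port 80.
INT_IF=eth0            # physical device name; eth0:1 is only an alias
EXT_IF=eth1
EXT_VIP=10.1.1.3       # floating external address from the thread
SERVER=192.168.1.10    # constructed example address
PORT=80
DRY_RUN=${DRY_RUN:-1}  # 1 = print the rules, 0 = apply them with iptables

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

ha_nat_rules() {
    # Inbound: clients address 10.1.1.3; rewrite to the real server so the
    # packet is forwarded instead of delivered to the firewall's own INPUT chain.
    ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_VIP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$SERVER:$PORT"
    # Outbound: internal hosts leave with the floating source address, so
    # the same external identity is kept whichever firewall is active.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s 192.168.1.0/24 \
        -j SNAT --to-source "$EXT_VIP"
    # FORWARD: default drop, replies via connection tracking, new inbound
    # connections only to the published service, new outbound allowed.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$SERVER" -p tcp --dport "$PORT" \
        -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m state --state NEW -j ACCEPT
}

ha_nat_rules
```

Connection-tracking state is local to each firewall in this setup, so connections established through the active node do not survive a failover to the other one.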




More information about the netfilter mailing list