I've just ordered a Comcast business class connection with 5 static IP
addresses.

Reading over the aliased interfaces documentation, I'm not really clear on
what to do with /etc/shorewall/interfaces (if anything).

I'll be setting up eth0:0-eth0:4 all in the net zone. I won't be doing any
one-to-one NAT, just a few port forwards for ssh, mail, VoIP, webserver,
etc. (all on different external IPs).

The only thing I have gleaned from the docs is that I would use
/etc/shorewall/interfaces only if I had multiple subnets to deal with?
Given that is not the case in my scenario (I run a 10.6.1.0/24 subnet on
the LAN), would I just omit /etc/shorewall/interfaces altogether?

Thanks,
Stephen
On 11/19/10 3:32 AM, Stephen Brown wrote:
> I've just ordered a Comcast business class connection with 5 static IP
> addresses.
>
> Reading over the aliased interfaces documentation, I'm not really clear on
> what to do with /etc/shorewall/interfaces (if anything).

/etc/shorewall/interfaces is independent of the number of IP addresses on
the interface. I have Comcast business class with 5 static IPs, three of
which are configured on my external interface:

gateway:~# ip -4 addr ls dev eth1
4: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc tbf state UNKNOWN qlen 1000
    inet 70.90.191.121/29 brd 70.90.191.127 scope global eth1
    inet 10.1.10.11/24 brd 10.1.10.255 scope global eth1:3
    inet 70.90.191.122/29 brd 70.90.191.127 scope global secondary eth1:1
    inet 70.90.191.123/29 brd 70.90.191.127 scope global secondary eth1:2
    inet 70.90.191.124/29 brd 70.90.191.127 scope global secondary eth1
    inet 70.90.191.125/29 brd 70.90.191.127 scope global secondary eth1
gateway:~#

My Comcast business class router is configured with its LAN interface as
10.1.10.0/24 (the default), so 10.1.10.11 is the primary address. The top
three public IP addresses are statically configured while the last two are
added when their corresponding Linux-vservers are started.

This is the /etc/shorewall/interfaces entry for my external interface:

net    COM_IF    detect \
       dhcp,optional,routefilter=0,logmartians,proxyarp=0,physical=$COM_IF,nosmurfs,upnp

Where /etc/shorewall/params contains:

COM_IF=eth1

-Tom

-- 
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Thanks Tom... here's what I ended up doing:

/etc/network/interfaces:

# eth0
# Comcast
auto eth0
iface eth0 inet static
    address 70.90.228.197
    netmask 255.255.255.248
    gateway 70.90.228.198
    # the aliases live in the same /29 as the primary address
    # (70.90.228.192/29, broadcast 70.90.228.199), so they carry /29 too
    up ip addr add 70.90.228.193/29 brd 70.90.228.199 dev eth0 label eth0:0
    up ip addr add 70.90.228.194/29 brd 70.90.228.199 dev eth0 label eth0:1
    up ip addr add 70.90.228.195/29 brd 70.90.228.199 dev eth0 label eth0:2
    up ip addr add 70.90.228.196/29 brd 70.90.228.199 dev eth0 label eth0:3

This works as intended so far.

My next phase of this project will entail splitting all of my VoIP
services and devices into their own separate VLAN. What is the best way
to force outbound traffic over a particular IP based on the port?

For example, I will have a server that lives at 10.5.10.2, and I want to
push traffic originating from that server on UDP ports 4569, 5060, and
10000:20000 to appear to have originated from 70.90.228.196 on the net
side. I'll also have some other servers, VMs etc. in this subnet using
various TCP/UDP ports that I would like to restrict to this address as
well.

Thanks,
Stephen
On 11/21/10 8:13 AM, Stephen Brown wrote:
> My next phase of this project will entail splitting all of my VoIP
> services and devices into their own separate VLAN. What is the best way
> to force outbound traffic over a particular IP based on the port?
>
> For example, I will have a server that lives at 10.5.10.2, and I want to
> push traffic originating from that server on UDP ports 4569, 5060, and
> 10000:20000 to appear to have originated from 70.90.228.196 on the net
> side. I'll also have some other servers, VMs etc. in this subnet using
> various TCP/UDP ports that I would like to restrict to this address as
> well.

Simply add the appropriate entries in /etc/shorewall/masq.

-Tom
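One way to write the /etc/shorewall/masq entries Tom refers to, as an added example that is not part of his reply or of the Shorewall distribution; it assumes eth0 is the net interface, that 10.5.10.0/24 is the VoIP VLAN and 10.6.1.0/24 the existing LAN (addresses and ports taken from the thread), and the tcp 5061 line is a placeholder for whatever ports the other VoIP hosts actually use.

```text
#INTERFACE   SOURCE         ADDRESS         PROTO   PORT(S)
# VoIP server: IAX2 (4569), SIP (5060) and the RTP range leave from .196
eth0         10.5.10.2      70.90.228.196   udp     4569,5060,10000:20000
# other hosts on the VoIP VLAN pinned to .196 on the ports they need
# (tcp 5061 is a placeholder, not a port from the thread)
eth0         10.5.10.0/24   70.90.228.196   tcp     5061
# entries are matched top to bottom, so the port-specific lines above must
# precede this catch-all for the same SOURCE; everything else on the VoIP
# VLAN leaves from the primary address
eth0         10.5.10.0/24   70.90.228.197
# the existing LAN keeps using the primary address
eth0         10.6.1.0/24    70.90.228.197
```

These entries only rewrite the source address of outbound connections; the inbound port forwards Stephen mentioned earlier are separate DNAT entries in /etc/shorewall/rules and should name the same external address so replies and new inbound calls use one consistent IP.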