I'm sorry if this is to the wrong emailing list; if it is, please direct me where to post this question.

I'm going to start this email with saying I _think_ I've read everything I can get my hands on about this subject, I've tried every example I can find, with no luck. The second issue is that I can not upgrade to netfilter/iptables because one of the applications I need requires "loose udp routing". Either the examples in the mailing list do not apply or I must be doing something wrong.

Here is my problem: everything "works" but _all_ traffic goes out the 207.152.31.185 internet connection. Here is what I need to happen: when somebody connects to 216.254.12.42 port 80, all traffic for that "session" should be answered back as 216.254.12.42 and go out that internet connection. At this point in time I'm almost willing to do anything. Any suggestions (or commands) to try would be very helpful, or a how-to.

Here is my basic setup and config: I have 2 internet connections and 1 LAN private address space to place all my computers on.
This is my LAN connection:

    /sbin/ifconfig eth0 192.168.181.254 netmask 255.255.255.0

My first internet connection:

    /sbin/ifconfig eth1 207.152.31.185 netmask 255.255.255.0

And my SDSL connection:

    /sbin/ifconfig eth2 216.254.12.42 netmask 255.255.255.0

Then my gateway command (since I want traffic for right now to default out the first internet connection, since it's faster):

    /sbin/route add default gw 207.152.31.1 netmask 0.0.0.0 metric 1

Now I have a number of "static ip addresses" for each of my internet connections, so I add those:

    /sbin/ip addr add 207.152.31.128 dev eth1
    /sbin/ip addr add 207.152.31.127 dev eth1
    /sbin/ip addr add 216.254.12.41 dev eth2

Now I start to set up IPChains:

    /sbin/modprobe ip_masq_ftp
    /sbin/modprobe ip_masq_raudio
    /sbin/modprobe ip_masq_irc
    /sbin/modprobe ip_masq_quake 26000,27000,27910,27960
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/ip_always_defrag
    /sbin/ipchains -M -S 7200 10 160
    /sbin/ipchains -P forward DENY
    /sbin/ipfwadm -F -a masquerade -W eth1 -S 192.168.181.0/24 -D 0.0.0.0/0
    /sbin/ipfwadm -F -a masquerade -W eth2 -S 192.168.181.0/24 -D 0.0.0.0/0

Now, I have a number of services running on machines on the private address space, so I portfw those:

    /usr/sbin/ipmasqadm portfw -f
    /usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.185 1701 -R 192.168.181.245 1701
    /usr/sbin/ipmasqadm portfw -a -P tcp -L 216.254.12.42 1701 -R 192.168.181.245 1701
    /usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.185 1702 -R 192.168.181.251 1702
    /usr/sbin/ipmasqadm portfw -a -P tcp -L 216.254.12.42 1702 -R 192.168.181.251 1702
    /usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.128 80 -R 192.168.181.251 80
    /usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.127 80 -R 192.168.181.250 80
    /usr/sbin/ipmasqadm portfw -a -P tcp -L 216.254.12.42 80 -R 192.168.181.250 80
    /usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.127 22 -R 192.168.181.250 22
    /usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.128 22 -R 192.168.181.251 22
    /usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.128 53 -R 192.168.181.251 53
    /usr/sbin/ipmasqadm portfw -a -P udp -L 207.152.31.128 53 -R 192.168.181.251 53
    /usr/sbin/ipmasqadm portfw -a -P tcp -L 216.254.12.42 53 -R 192.168.181.251 53
    /usr/sbin/ipmasqadm portfw -a -P udp -L 216.254.12.42 53 -R 192.168.181.251 53
    /usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.128 25 -R 192.168.181.251 25
    /usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.127 25 -R 192.168.181.250 25

Then I block some annoying people who like to scan my boxes:

    /sbin/ipfwadm -I -a reject -S 209.15.4.251/32 -D 0.0.0.0/0 -o
    /sbin/ipfwadm -I -a reject -S 129.62.102.40/32 -D 0.0.0.0/0 -o
    /sbin/ipfwadm -I -a reject -S 24.64.188.99/32 -D 0.0.0.0/0 -o

Now that's my current setup.

-------------------
JayC Daniel
Senior Security Engineer
Security Integration
HCAHealthcare
615-344-6988
jay.daniel@hcahealthcare.com
Daniel Jay wrote:
>
> I'm sorry if this is to the wrong emailing list, if it is, please direct
> me where to post this question.
>
> I'm going to start this email with saying I _think_ I've read everything I
> can get my hands on about this subject, I've tried every example I can find,
> with no luck. The second issue is that I can not upgrade to
> netfilter/iptables because one of the applications I need requires "loose
> udp routing". Either the examples in the mailing list do not apply or I
> must be doing something wrong.
>
> Here is my problem, everything "works" but _all_ traffic goes out the
> 207.152.31.185 internet connection. Here is what I need to happen, when
> somebody connects to 216.254.12.42 port 80 that all traffic for that
> "session" be answered back as 216.254.12.42 plus go out that internet
> connection.
>

You will also notice, if you're using MASQ, that the responses will come back from 207.152.31.185 with connections, but not via tcp or udp.

You can choose to have entire computers using the sdsl to access the internet. Make another routing table (you need policy routing) and use `ip rule` to have the packets from those comps go to a different table with its default route set to come from 216.254.12.42.

If that isn't granular enough, you can route based on IP mark, and have some rules on your incoming chain (in 2.2) change the mark, and use `ip rule` to use a different table.

Another thing you can do is have a port forward daemon do all this for you. Though you won't get the masqing and your servers will think all connections are from the gateway. This can be a temporary measure.

> JayC Daniel
> Senior Security Engineer
> Security Integration

Hmm, nice title. What'd you have to do to get to that position?

Mike
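The two policy-routing approaches in Mike's reply (a second routing table selected per source host with `ip rule`, and a table selected by a packet mark set in the 2.2 `input` chain with `ipchains -m`) as an added worked example; this is not code from either poster. It reuses the interface names and addresses from Daniel's post, but the SDSL provider's gateway is never stated in the thread, so `SDSL_GW` is a labelled placeholder, and the table number 100, the mark value 2, and the choice of 192.168.181.245 as the host steered over SDSL are assumptions for illustration. Run with `DRY_RUN=1` to print the commands instead of executing them, which is also how the script can be checked on a machine that lacks the interfaces.

```shell
#!/bin/sh
# Added example (not from the thread): policy routing as Mike describes.
# Requires iproute2 (`ip`); the mark-based part also needs ipchains on a 2.2 kernel.
# DRY_RUN=1 prints each command instead of running it.

LAN_NET=192.168.181.0/24
SDSL_DEV=eth2
SDSL_IP=216.254.12.42
# Assumption: the SDSL gateway is not given in the thread; set SDSL_GW before a real run.
: "${SDSL_GW:=SDSL-GATEWAY-IP-PLACEHOLDER}"
SDSL_TABLE=100   # assumed free routing-table number (any unused 1..252 works)
SDSL_MARK=2      # assumed fwmark value used to steer marked packets

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# A second routing table whose default route leaves via the SDSL link, plus a
# rule so that packets already sourced from the SDSL address consult it.
setup_sdsl_table() {
    run ip route add default via "$SDSL_GW" dev "$SDSL_DEV" table "$SDSL_TABLE"
    run ip rule add from "$SDSL_IP" table "$SDSL_TABLE"
}

# Mike's first suggestion: an entire LAN host whose traffic should use SDSL.
route_host_via_sdsl() {
    run ip rule add from "$1" table "$SDSL_TABLE"
}

# Mike's second suggestion: mark selected packets in the 2.2 input chain and
# route by mark. Here: TCP from the LAN to port 80 anywhere gets the mark.
route_marked_via_sdsl() {
    run ipchains -A input -p tcp -s "$LAN_NET" -d 0.0.0.0/0 80 -m "$SDSL_MARK"
    run ip rule add fwmark "$SDSL_MARK" table "$SDSL_TABLE"
}

apply_all() {
    setup_sdsl_table
    route_host_via_sdsl 192.168.181.245   # assumed example host
    route_marked_via_sdsl
    run ip route flush cache              # make the new rules take effect now
}

# Usage: DRY_RUN=1 sh policy_route.sh apply   (prints the commands)
#        sh policy_route.sh apply             (as root, applies them)
if [ "${1:-}" = apply ]; then
    apply_all
fi
```

The ordering matters when reading `ip rule` output: rules are evaluated by priority, and a `from` or `fwmark` rule added this way lands ahead of the main table, so a host or marked flow matches the SDSL table before the default route via 207.152.31.1 is ever consulted.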