I had been writing my own iptables rules for a while, and then started
getting into some more complicated things (multiple zones with routing
between them, etc.) and a friend referred me to shorewall.
Anyway, it's been working great for me for a few weeks now, and I'm
starting to get into some more complicated things.
-
First of all, I'd like to activate a second IP on my eth0 device (net).
I can do this easily enough by adding it into
/etc/sysconfig/network-scripts (I basically copy ifcfg-eth0 to
ifcfg-eth0:0 and change the name and IP entries). However, when I do
so, something gets messed up in the routing tables to the point that I
can't get anywhere on the net with either interface - pings still sort
of work, and traceroutes become VERY slow, or nonresponsive. Everything
I've found in the FAQ and mailing lists suggests that the eth0:0 alias
notation is no longer valid with iptables, but I haven't found any info
on how to actually set this up. I've enabled "multi" on eth0 in my
interfaces config file, but I still have the nasty routing problems.
The other weird thing is that once the routing problems start, it seems
to take a full reboot to fix them (often requiring me to replace the
whole /etc/sysconfig tree with a backup - no idea what's going on
there).
-
My second question is somewhat unrelated, but is the cause for the first
question (I tried to activate my second IP after getting frustrated with
the stuff below).
I have an ftp server on my firewall box that I need to keep around, but
I now need to use the standard ftp ports to forward connections to
another machine on my network. The forwarding part is easy enough, but
when I tried to open up the new ports for the first ftp server, things
started getting weird in passive ftp mode. When things run over the
standard ftp port, I've never had any trouble connecting passively - I
assume that this is just iptables doing its nifty RELATED magic and
becoming aware of whatever high-numbered port the passive connection
chooses. I assumed that since that worked, I could just switch the
command port on the ftp server to another port, and the passive stuff
would continue working like it did before. Well, it doesn't. I've
gotten around this temporarily by limiting the port range that the
server uses for passive connections, and opening up that range to the
IPs that need to connect, but I'd rather not do that.
Is there something built into iptables that recognizes passive ftp
connections, but only when the command port is 21? Or am I missing
something else completely?
-
And thirdly, completely unrelated, I'd like to start using HTB traffic
shaping, but have no idea where to start (I use Red Hat 7.3 on the server
and would like to stick with RPMs as much as possible) - I've updated
to the openMosix 2.4.20 kernel to get HTB itself, but read somewhere
that I need to patch iproute2, too. Is this still the case? Are there
patched RPMs out there? (If not, and someone points me to the patch,
I'll write one up.)
-
Anyway, I'm kind of lost here, so any help is appreciated.
-Chris
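As an added illustration (not part of Chris's message or of shorewall), the Python sketch below mimics what the 2.4 kernel's ip_conntrack_ftp helper does for the passive-mode question above: it reads the server's `227` reply on the control connection and registers the announced data endpoint as an expected RELATED connection, but only for control connections on the ports the module was loaded with (its `ports` parameter, default 21), which is why moving the command port loses the RELATED treatment. The `227` reply and the port numbers are constructed sample data.

```python
import re

# Shape of the server's passive-mode reply on the FTP control channel:
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> data endpoint is
# h1.h2.h3.h4 on port p1*256 + p2.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Constructed sample reply, as the helper would see it on the control connection.
SAMPLE_REPLY = "227 Entering Passive Mode (192,168,1,10,195,80)\r\n"


def parse_pasv(reply):
    """Return (host, port) announced by a 227 reply, or None if the line is not one."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    octets = m.group(1, 2, 3, 4)
    p1, p2 = int(m.group(5)), int(m.group(6))
    # Each field is a single byte; reject anything out of range rather than guessing.
    if p1 > 255 or p2 > 255 or any(int(o) > 255 for o in octets):
        return None
    return (".".join(octets), p1 * 256 + p2)


def helper_tracks(control_dport, helper_ports=(21,)):
    """The FTP helper only parses control connections whose server port it was told about."""
    return control_dport in helper_ports


def expected_related(control_dport, reply, helper_ports=(21,)):
    """Data endpoint the helper would register as RELATED, or None when it never
    looks at this control connection (command port not in its port list)."""
    if not helper_tracks(control_dport, helper_ports):
        return None
    return parse_pasv(reply)


if __name__ == "__main__":
    print(expected_related(21, SAMPLE_REPLY))                        # tracked on port 21
    print(expected_related(2121, SAMPLE_REPLY))                      # None: helper never saw it
    print(expected_related(2121, SAMPLE_REPLY, helper_ports=(21, 2121)))  # tracked once listed
```

Running it shows the same `227` reply producing an expectation on port 21 and nothing on port 2121 until that port is added to the helper's list.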