I'd like to do a SNAT from an internet source to a DNAT'd service behind shorewall (I think).

Ultimately I want something like this:

                  My 2 firewall/gw's                  (mail.myhost.com)
-------|         |------------------------------------|
x.x.x.x|----T1-A---->| (66.x.x.x)  |DNAT| 192.168.1.1 |->mail.myhost.com(192.168.1.3)
inet   |----T1-B---->| (161.x.x.x) |DNAT| 192.168.1.2 |->mail.myhost.com(192.168.1.3)
-------|         |------------------------------------|

Where mail.myhost.com does NOT have to have the Default Gateway set to either 192.168.1.1 or 192.168.1.2, so that either fw can negotiate a DNAT'd connection to mail.myhost.com.

Is this possible?

Cheers,
Eric.
On Mon, 14 Apr 2003 redog@opelousas.org wrote:

> I'd like to do a SNAT from an internet source to a DNAT'd service behind shorewall (I think).
>
> Ultimately I want something like this:
>
>                   My 2 firewall/gw's                  (mail.myhost.com)
> -------|         |------------------------------------|
> x.x.x.x|----T1-A---->| (66.x.x.x)  |DNAT| 192.168.1.1 |->mail.myhost.com(192.168.1.3)
> inet   |----T1-B---->| (161.x.x.x) |DNAT| 192.168.1.2 |->mail.myhost.com(192.168.1.3)
> -------|         |------------------------------------|
>
> Where mail.myhost.com does NOT have to have the Default Gateway set to
> either 192.168.1.1 or 192.168.1.2 so that either fw can negotiate a DNAT'd
> connection to mail.myhost.com.
>
> Is this possible?

Look at section 4.2.1 of the Linux Advanced Routing and Traffic Control HOWTO (link on the "Useful Links" page at the Shorewall website). I think you would want to follow that strategy for setting up routing on mail.myhost.com.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
#Tom Eastep> Look at section 4.2.1 of the Linux Advanced Routing and Traffic Control
#Tom Eastep> HOWTO (link on "Useful Links" page at the Shorewall website). I think you
#Tom Eastep> would want to follow that strategy for setting up routing on
#Tom Eastep> mail.myhost.com.

That's close to what I'm trying to do, but I want to do it with 2 hosts. I have a solution, but it's more arcane than I'd like.

I added on the host that is not the default gw of 192.168.1.9:

iptables -t nat -A PREROUTING -d x.x.x.x -i eth1 -p tcp -m tcp --dport 143 -j DNAT --to-destination 192.168.1.9
iptables -t nat -A POSTROUTING -s ! 192.168.1.0/255.255.255.0 -d 192.168.1.9 -o eth0 -p tcp -m tcp --dport 143 -j SNAT --to-source 192.168.1.4

and left the DNAT rule alone in shorewall on the default gw host. So the DNS entry points to either host and each host can manage the connection.

Does this seem reasonable? It works, but I'm wondering if it might cause complications? I'd rather find a load-balancing solution, but I cannot find any docs on how to do it for my 2 gw setup. The scenario at section 4.2.1 of the Linux Advanced Routing and Traffic Control HOWTO is close to what I'd like, but that's for one host handling 2 possible routes, whereas I'm trying to add redundant paths with 2 hosts/routes.

Cheers,
Eric
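A small model of why the second rule in Eric's pair is needed, added here as an illustration rather than anything from the thread: a connection DNAT'd by the firewall that is not the mail host's default gateway gets its reply routed to the other firewall unless the source is rewritten as well. The addresses 203.0.113.10 (fw-B's public side, standing in for x.x.x.x) and 198.51.100.7 (the client) are constructed placeholders.

```python
from dataclasses import dataclass, replace

# Addresses from the thread: fw-A 192.168.1.1 is the mail host's default
# gateway, fw-B's inside address is 192.168.1.4, the mail host is 192.168.1.9.
# fw-B's public address and the client are constructed (RFC 5737 documentation
# ranges) and stand in for the thread's x.x.x.x.
MAIL_HOST = "192.168.1.9"
MAIL_DEFAULT_GW = "192.168.1.1"
FW_B_INTERNAL = "192.168.1.4"
FW_B_PUBLIC = "203.0.113.10"
LAN_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def fw_b_nat(pkt: Packet, snat: bool) -> Packet:
    """fw-B's nat table: PREROUTING DNAT to the mail host and, when snat is
    True, the POSTROUTING SNAT to fw-B's own inside address for non-LAN
    sources (the '-s ! 192.168.1.0/24' match in the posted rule)."""
    if pkt.dst == FW_B_PUBLIC and pkt.dport == 143:
        pkt = replace(pkt, dst=MAIL_HOST)
        if snat and not pkt.src.startswith(LAN_PREFIX):
            pkt = replace(pkt, src=FW_B_INTERNAL)
    return pkt


def mail_host_next_hop(dst: str) -> str:
    """The mail host has a single default route: on-LAN destinations are
    delivered directly, everything else goes to fw-A."""
    return dst if dst.startswith(LAN_PREFIX) else MAIL_DEFAULT_GW


def reply_returns_via_fw_b(client: str, snat: bool) -> bool:
    """True when the mail host's reply comes back to fw-B, where the conntrack
    entry for the DNAT lives; False means it leaves via fw-A, which holds no
    state for this connection, so the TCP handshake never completes."""
    seen_by_mail_host = fw_b_nat(Packet(client, FW_B_PUBLIC, 143), snat)
    return mail_host_next_hop(seen_by_mail_host.src) == FW_B_INTERNAL


if __name__ == "__main__":
    for snat in (False, True):
        ok = reply_returns_via_fw_b("198.51.100.7", snat)
        print(f"SNAT on fw-B: {snat!s:5}  reply returns via fw-B: {ok}")
```

The price of the SNAT is that the IMAP server only ever sees 192.168.1.4 as the client, so its own logs no longer identify the real source; fw-B's firewall log or conntrack table becomes the place to look when investigating a connection.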
Hi Tom,

Currently I'm using shorewall with Bering 1.1 and am very happy with it :)
I just wonder how I could set up Bering and shorewall for 2 ISPs (if it is possible).

My network is just like this:

ISP A Router ---- Bering A ----- DMZ --- Bering B ------ ISP B Router
                                             |
                                             |
                                         Local Net

Bering A connects to ISP A Router using eth0
Bering A connects to DMZ using eth1
Bering B connects to DMZ using eth0
Bering B connects to ISP B Router using eth1
Bering B connects to Local Net using eth2
Default Gateway for Bering A is the ISP A Router IP
Default Gateway for Bering B is the ISP B Router IP

My objective is: if ISP A goes down, Bering B will automatically route all traffic from the local net and DMZ to the internet through the ISP B Router, and if ISP B goes down, Bering A will automatically route all local net and DMZ traffic to the internet through the ISP A Router. The local net will be masqueraded to the internet using Bering B's public IP at eth1 for ISP B and the public IP at eth0 for ISP A.

Can you advise me on how I could achieve this?

Thank you, any pointers are really appreciated.

Zamri
On Wed, 16 Apr 2003, ijez wrote:

> Hi Tom,
>
> Currently I'm using shorewall with Bering 1.1 and am very happy with it
> :)
> I just wonder how I could set up Bering and shorewall for 2 ISPs (if it
> is possible).
>
> My network is just like this:
>
>
> ISP A Router ---- Bering A ----- DMZ --- Bering B ------ ISP B Router
>                                              |
>                                              |
>                                          Local Net
>
> Bering A connects to ISP A Router using eth0
> Bering A connects to DMZ using eth1
> Bering B connects to DMZ using eth0
> Bering B connects to ISP B Router using eth1
> Bering B connects to Local Net using eth2
> Default Gateway for Bering A is the ISP A Router IP
> Default Gateway for Bering B is the ISP B Router IP
>
> My objective is: if ISP A goes down, Bering B will automatically route
> all traffic from the local net and DMZ
> to the internet through the ISP B Router, and if ISP B goes down, Bering A will
> automatically route all local net and DMZ traffic
> to the internet through the ISP A Router. The local net will be masqueraded to the internet
> using Bering B's public IP at eth1 for ISP B and
> the public IP at eth0 for ISP A.
>
> Can you advise me on how I could achieve this?
> Thank you, any pointers are really appreciated.

I have no experience with such configurations. I have experienced less than an hour of downtime with my ISP in the last year; with that sort of reliability, it makes absolutely no sense for me to worry about failover. There are other people on the list who do seem to worry about such things -- hopefully one of them can help you...

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Have a look at: http://www.lartc.org/

Some good info on that subject there..

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of ijez
Sent: Wednesday 16 April 2003 5:27
To: Shorewall-users@lists.shorewall.net
Subject: [Shorewall-users] Shorewall With Multiple ISP

Hi Tom,

Currently I'm using shorewall with Bering 1.1 and am very happy with it :)
I just wonder how I could set up Bering and shorewall for 2 ISPs (if it is possible).

My network is just like this:

ISP A Router ---- Bering A ----- DMZ --- Bering B ------ ISP B Router
                                             |
                                             |
                                         Local Net

Bering A connects to ISP A Router using eth0
Bering A connects to DMZ using eth1
Bering B connects to DMZ using eth0
Bering B connects to ISP B Router using eth1
Bering B connects to Local Net using eth2
Default Gateway for Bering A is the ISP A Router IP
Default Gateway for Bering B is the ISP B Router IP

My objective is: if ISP A goes down, Bering B will automatically route all traffic from the local net and DMZ to the internet through the ISP B Router, and if ISP B goes down, Bering A will automatically route all local net and DMZ traffic to the internet through the ISP A Router. The local net will be masqueraded to the internet using Bering B's public IP at eth1 for ISP B and the public IP at eth0 for ISP A.

Can you advise me on how I could achieve this?

Thank you, any pointers are really appreciated.

Zamri