[ale] two connections to internet??
James Kinney
jkinney at localnetsolutions.com
Thu Aug 30 14:41:43 EDT 2001
Almost right Michael. If you are using a properly configured ISP to send
mail to, if they get mail from another access point other than one they
have authenticated you on, it will get bounced. Earthlink is very good at
that.
The best solution is the NAT/firewall/port routing solution. I have it up
and running. It works great. 2 DSL lines, one fast and cheap and dhcp, the
other slow, expensive and static IP. All incomming mail, http, ssh and ftp
connection requests are allowed on the static and denied on the dhcp. All
internal mail is grabbed by the routing firewall and marked to go out the
static line. All return http goes out the static line.
excerpts from the firewall setup script:
# load modules as needed
/sbin/modprobe ipt_mac
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_tos
/sbin/modprobe ipt_mark
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_MARK
/sbin/modprobe ipt_TOS
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_state
/sbin/modprobe ipt_unclean
# Turn on forwarding
#
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
/sbin/iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 1
# use mindspring
/sbin/iptables -t mangle -A OUTPUT -d 198.99.146.10 -j MARK --set-mark 1
# use mindspring news
/sbin/iptables -t mangle -A OUTPUT -d 207.69.200.57 -j MARK --set-mark 1
# use mindspring mail
/sbin/iptables -t mangle -A OUTPUT -d 207.69.188.185 -j MARK --set-mark 1
# use mindspring DNS
And from further down:
### setup routing to handle the marks
/sbin/ip ru del fwmark 1 table 1 pref 1010 #kills off running versions
/sbin/ip ro del default dev eth1 table 1 #kills off running versions
/sbin/ip ru del fwmark 2 table 2 pref 1020 #kills off running versions
/sbin/ip ro del default dev eth2 table 2 #kills off running versions
/sbin/ip ru del fwmark 5 table 10 pref 1000 #kills off running versions
/sbin/ip ro del default dev eth0 table 10 #kills off running versions
/sbin/ip ru add fwmark 0x1 table 1 pref 1010
/sbin/ip ro add 0/0 via 199.174.105.193 dev eth1 table 1
/sbin/ip ru add fwmark 0x2 table 2 pref 1020
/sbin/ip ro add 10.0.0.0/0 dev eth2 table 2
/sbin/ip ro add 0/0 dev eth2 table 2
/sbin/ip ru add fwmark 0x5 table 10 pref 1000
/sbin/ip ro add 192.168.0.0/24 via 192.168.0.2 dev eth0 table 10
/sbin/ip ro flush cache
/sbin/ip ro li
/sbin/ip ru li
/sbin/ip ro li table 1
/sbin/ip ro li table 10
/sbin/ip ro li table 2
eth0 in internal, eth1 is static, eth2 is dhcp.
Add other specific blocks and locks as needed.
On Thu, 30 Aug 2001 hirsch at zapmedia.com wrote:
> Gary MacKay writes:
> > Fantastic idea! My only problem is that I'm OK at routing, but far from
> > an expert. I'm not sure how to do it so that ONLY email goes in/out the
> > DSL card and everything else uses the cable modem. My goal is that all
> > the workstation traffic uses the cable modem. The _only_ reason I have
> > DSL is for the static IP for the email/web server.
>
> Why not send all outgoing traffic out the cable modem since the only
> point of the DSL is for incoming traffic. There is no rule that
> traffic has to go back the way it came in.
>
> So all you need to do is configure the DSL NIC to have the proper IP,
> then route everything out the cable NIC.
>
> --Michael
>
> >
> >
> > Leonard Thornton wrote:
> > >
> > > Wht not build a single firewall with 3 Ethernet cards? (2 external
> > > connection and 1 internal connection) Setup you DSL as a primary route
> > > and the cable as secondary in your routing entries. Use NAT and
> > > prtforwarding to route traffic to your mail / web / ftp servers on the
> > > internal network from the outside world.
> > >
> > > Gary MacKay wrote:
> > >
> > > > Ok, here's a weird question for you. I had RoadRunner service and
> > > > recently installed a DSL line so I could have a dedicated IP. (Yes, I'm
> > > > aware of dyndns.org, but choose not to for now.) Currenly my firewall
> > > > box is connected to the DSL and my cable modem is sitting here mocking
> > > > me with it's little blinking lights. It was way faster than this DSL,
> > > > and I just can't bring myself to shut if off. My question is, can I have
> > > > both? :) Something like this?
> > > >
> > > >
> > > > Internet Internet
> > > > | |
> > > > firewall 1 firewall 2
> > > > | |
> > > > +------- hub --------+
> > > > |
> > > > / \
> > > > mail workstation(s)
> > > > srvr
> > > >
> > > > I envision just setting the gateway address of my workstion(s) to
> > > > firewall-2 so I can enjoy the fast connection for every day browsing,
> > > > but the email/web server will use firewall-1 as it's gateway so the
> > > > fixed IP will work for it. Will it work? An added benefit would be if
> > > > one goes down, I could switch the gateway addr and keep browsing!
> > > >
> > > > I realize I could split them apart as two seperate networks, but then my
> > > > workstations would have to go out the cable modem and back in the DSL
> > > > line to check email. Seems kind of wierd when the boxes sit about four
> > > > inches apart!!
> > > >
> > > > - Gary
> > > > --
> > > > To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
> > > >
> > > >
> > >
> > > --
> > > The difficult while you wait...the impossible overnight.
> > >
> > > Leonard Thornton
> > > Intelis, Inc
> > > leonard at intelis-inc.net
>
>
>
> --
> To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
>
--
James P. Kinney III \Changing the mobile computing world/
President and COO \ one Linux user /
Local Net Solutions,LLC \ at a time. /
770-493-8244 \.___________________________./
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
More information about the Ale
mailing list