[ale] two connections to internet??

Bao C. Ha baoha at sensoria.com
Fri Aug 31 16:30:14 EDT 2001 


This is a good concrete example on how to do it using iproute2 and
iptables/netfilter.

Have anybody been successful with ipchains?  I have tried with
ipfwadm and it fails miserably.

Thanks.
Bao

> -----Original Message-----
> From: owner-ale at ale.org [mailto:owner-ale at ale.org]On Behalf Of James
> Kinney
> Sent: Thursday, August 30, 2001 11:42 AM
> To: hirsch at zapmedia.com
> Cc: Gary MacKay; ale at ale.org
> Subject: Re: [ale] two connections to internet??
> 
> 
> Almost right Michael. If you are using a properly configured 
> ISP to send
> mail to, if they get mail from another access point other 
> than one they
> have authenticated you on, it will get bounced. Earthlink is 
> very good at
> that.
> 
> The best solution is the NAT/firewall/port routing solution. 
> I have it up
> and running. It works great. 2 DSL lines, one fast and cheap 
> and dhcp, the
> other slow, expensive and static IP. All incomming mail, 
> http, ssh and ftp
> connection requests are allowed on the static and denied on 
> the dhcp. All
> internal mail is grabbed by the routing firewall and marked 
> to go out the
> static line. All return http goes out the static line.
> 
> excerpts from the firewall setup script:
> # load modules as needed
> /sbin/modprobe ipt_mac
> /sbin/modprobe ipt_limit
> /sbin/modprobe ipt_tos
> /sbin/modprobe ipt_mark
> /sbin/modprobe ipt_LOG
> /sbin/modprobe ipt_MARK
> /sbin/modprobe ipt_TOS
> /sbin/modprobe ipt_owner
> /sbin/modprobe ipt_state
> /sbin/modprobe ipt_unclean
> 
> # Turn on forwarding
> #
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
> 
> /sbin/iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK 
> --set-mark 1
> # use mindspring
> /sbin/iptables -t mangle -A OUTPUT -d 198.99.146.10 -j MARK 
> --set-mark 1
> # use mindspring news
> /sbin/iptables -t mangle -A OUTPUT -d 207.69.200.57 -j MARK 
> --set-mark 1
> # use mindspring mail
> /sbin/iptables -t mangle -A OUTPUT -d 207.69.188.185 -j MARK 
> --set-mark 1
> # use mindspring DNS
> 
> And from further down:
> 
> ### setup routing to handle the marks
> /sbin/ip ru del fwmark 1 table 1 pref 1010  #kills off 
> running versions
> /sbin/ip ro del default dev eth1 table 1     #kills off 
> running versions
> /sbin/ip ru del fwmark 2 table 2 pref 1020  #kills off 
> running versions
> /sbin/ip ro del default dev eth2 table 2     #kills off 
> running versions
> /sbin/ip ru del fwmark 5 table 10 pref 1000  #kills off 
> running versions
> /sbin/ip ro del default dev eth0 table 10     #kills off 
> running versions
> /sbin/ip ru add fwmark 0x1 table 1 pref 1010
> /sbin/ip ro add 0/0 via 199.174.105.193  dev eth1 table 1
> /sbin/ip ru add fwmark 0x2 table 2 pref 1020
> /sbin/ip ro add 10.0.0.0/0 dev eth2 table 2
> /sbin/ip ro add 0/0 dev eth2 table 2
> /sbin/ip ru add fwmark 0x5 table 10 pref 1000
> /sbin/ip ro add 192.168.0.0/24 via 192.168.0.2 dev eth0 table 10
> /sbin/ip ro flush cache
> 
> /sbin/ip ro li
> /sbin/ip ru li
> /sbin/ip ro li table 1
> /sbin/ip ro li table 10
> /sbin/ip ro li table 2
> 
> 
> eth0 in internal, eth1 is static, eth2 is dhcp.
> Add other specific blocks and locks as needed.
> 
> On Thu, 30 Aug 2001 hirsch at zapmedia.com wrote:
> 
> > Gary MacKay writes:
> >  > Fantastic idea! My only problem is that I'm OK at 
> routing, but far from
> >  > an expert. I'm not sure how to do it so that ONLY email 
> goes in/out the
> >  > DSL card and everything else uses the cable modem. My 
> goal is that all
> >  > the workstation traffic uses the cable modem. The _only_ 
> reason I have
> >  > DSL is for the static IP for the email/web server.
> >
> > Why not send all outgoing traffic out the cable modem since the only
> > point of the DSL is for incoming traffic.  There is no rule that
> > traffic has to go back the way it came in.
> >
> > So all you need to do is configure the DSL NIC to have the 
> proper IP,
> > then route everything out the cable NIC.
> >
> > --Michael
> >
> >  >
> >  >
> >  > Leonard Thornton wrote:
> >  > >
> >  > > Wht not build a single firewall with 3 Ethernet cards? 
> (2 external
> >  > > connection and 1 internal connection)  Setup you DSL 
> as a primary route
> >  > > and the cable as secondary in your routing entries.  
> Use NAT and
> >  > > prtforwarding to route traffic to your mail / web / 
> ftp servers on the
> >  > > internal network from the outside world.
> >  > >
> >  > > Gary MacKay wrote:
> >  > >
> >  > > > Ok, here's a weird question for you. I had 
> RoadRunner service and
> >  > > > recently installed a DSL line so I could have a 
> dedicated IP. (Yes, I'm
> >  > > > aware of dyndns.org, but choose not to for now.) 
> Currenly my firewall
> >  > > > box is connected to the DSL and my cable modem is 
> sitting here mocking
> >  > > > me with it's little blinking lights. It was way 
> faster than this DSL,
> >  > > > and I just can't bring myself to shut if off. My 
> question is, can I have
> >  > > > both? :) Something like this?
> >  > > >
> >  > > >
> >  > > >                      Internet             Internet
> >  > > >                          |                    |
> >  > > >                      firewall 1           firewall 2
> >  > > >                          |                    |
> >  > > >                          +------- hub --------+
> >  > > >                                    |
> >  > > >                                   / \
> >  > > >                               mail   workstation(s)
> >  > > >                               srvr
> >  > > >
> >  > > > I envision just setting the gateway address of my 
> workstion(s) to
> >  > > > firewall-2 so I can enjoy the fast connection for 
> every day browsing,
> >  > > > but the email/web server will use firewall-1 as it's 
> gateway so the
> >  > > > fixed IP will work for it. Will it work? An added 
> benefit would be if
> >  > > > one goes down, I could switch the gateway addr and 
> keep browsing!
> >  > > >
> >  > > > I realize I could split them apart as two seperate 
> networks, but then my
> >  > > > workstations would have to go out the cable modem 
> and back in the DSL
> >  > > > line to check email. Seems kind of wierd when the 
> boxes sit about four
> >  > > > inches apart!!
> >  > > >
> >  > > > - Gary
> >  > > > --
> >  > > > To unsubscribe: mail majordomo at ale.org with 
> "unsubscribe ale" in message body.
> >  > > >
> >  > > >
> >  > >
> >  > > --
> >  > > The difficult while you wait...the impossible overnight.
> >  > >
> >  > > Leonard Thornton
> >  > > Intelis, Inc
> >  > > leonard at intelis-inc.net
> >
> >
> >
> > --
> > To unsubscribe: mail majordomo at ale.org with "unsubscribe 
> ale" in message body.
> >
> 
> -- 
> James P. Kinney III   \Changing the mobile computing world/
> President and COO      \          one Linux user         /
> Local Net Solutions,LLC \           at a time.          /
> 770-493-8244             \.___________________________./
> 
> --
> To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" 
> in message body.
> 
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.

More information about the Ale mailing list