Hi, I have a suggestion for a new feature for the Dachstein/Eigerstein LRP configuration files. The feature lets the LRP gateway admin choose which public IP address is used as the masquerading source IP when internal workstations connect to external servers.
Someone else might have the same problem, so here is the trick we use. We have a masquerading LRP gateway between the internal and external net. However, certain remote servers allow connections only from certain fixed IP addresses. If all remote servers were configured to allow connections from the same IP address, we could set that public IP as the primary IP of the LRP gateway (the eth0_IPADDR parameter). The problem in our case is that the external servers have been configured to allow connections from different IP addresses, so the default eth0_IPADDR as the masq source doesn't work with all remote servers.

The solution was to add new route entries that use the default gateway _AND_ a specific src IP. Here is the route command that does the trick:

    ip route add 206.130.e.f via 230.b.c.1 dev eth0 src 230.b.c.91

This command makes the gateway use 230.b.c.91 as the source IP when internal workstations connect to the remote server 206.130.e.f through the masquerading LRP gateway. All other destinations continue to use the normal eth0_IPADDR as the masq source (230.b.c.94 in our case). Please note that we have more than one public IP address and all of them have been added as alias addresses to the eth0 interface (the eth0_IP_EXTRA_ADDRS parameter).

We added a new parameter to the network.conf file called _ALT_MASQIP. Each entry carries two values separated by an underscore: the first is the remote destination and the second is the alternative masquerading source IP. The source IP must be a valid IP of your address space and it should be aliased to the eth0 interface through the _IP_EXTRA_ADDRS parameter.

NETWORK.CONF

    ..etc..
    eth0_IPADDR=230.b.c.94
    eth0_MASKLEN=28
    eth0_BROADCAST=230.b.c.95
    eth0_IP_EXTRA_ADDRS=" 230.b.c.91 230.b.c.92 "
    # Alternative masq source IPs: targetIP_masqSrcIP
    # (keep the comments outside the quoted value: inside it they would be
    # split into bogus list entries by the for loop in if_up)
    # 206.130.e.f accepts connections from .91 only
    # 206.131.g.h accepts connections from .92 only
    eth0_ALT_MASQIP=" 206.130.e.f_230.b.c.91 206.131.g.h_230.b.c.92 "
    ..etc...

We added the handling of this _ALT_MASQIP parameter to the if_up() function in the network.conf file.
It is executed when the interface is started up in the normal way. We added the route command right after the link was brought up and the default IP was set on the interface (_IPADDR).

    if_up () {
        # Pick up e.g. $eth0_ALT_MASQIP for interface $1 (empty if unset)
        eval local ALT_MASQIP=\${"$1"_ALT_MASQIP:-""}
        ..etc..
        *)  # default interface startup
            ..etc...
            # One route per "targetIP_masqSrcIP" entry: the part before the
            # underscore is the destination, the part after it is the source
            # address the masqueraded traffic should carry (the original used
            # two small helper functions to split the pair; parameter
            # expansion does the same without them)
            for MASQIP in $ALT_MASQIP; do
                ip route add ${MASQIP%%_*} \
                    via $DEFAULT_GW dev $1 src ${MASQIP#*_}
            done
        ..etc..
    }

I hope someone else finds this useful as well. I saw that the Dachstein 1.0.2 release had new routing parameters, which "almost" did what we needed but not exactly. It was missing the src parameter of the route command, so we still have to use this trick even if we upgrade to the Dachstein 1.0.2 CD/floppy release.

I must say that the LRP and Dachstein/Eigerstein teams have done an outstanding job providing this extremely flexible gateway/firewall package. Thanks.

Best regards,
Mika
--
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
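As an added example (not Dachstein/LRP code and not the poster's script), the following POSIX sh functions parse a list in the eth0_ALT_MASQIP format described above and print the matching "ip route add ... src" commands instead of running them. Before emitting a route it checks that the requested source address really is the interface's primary address or one of its eth0_IP_EXTRA_ADDRS aliases, because a src that is not configured on the box gives a route the kernel accepts but traffic the remote side will still reject. All addresses are constructed sample values from the RFC 5737 documentation ranges; DEFAULT_GW is assumed to hold the default gateway as in the post.

```shell
#!/bin/sh
# Constructed sample values in the same format as network.conf.
eth0_IPADDR="203.0.113.94"
eth0_IP_EXTRA_ADDRS=" 203.0.113.91 203.0.113.92 "
# Third entry deliberately names a src that is NOT configured on eth0.
eth0_ALT_MASQIP=" 198.51.100.6_203.0.113.91 192.0.2.9_203.0.113.50 198.51.100.8_203.0.113.92 "
DEFAULT_GW="203.0.113.1"   # assumed: the gateway used by if_up

# is_local_addr ADDR IFACE: succeed if ADDR is IFACE's primary address
# or one of its aliases, fail otherwise.
is_local_addr() {
    addr=$1; dev=$2
    eval primary=\${"$dev"_IPADDR:-""}
    eval extra=\${"$dev"_IP_EXTRA_ADDRS:-""}
    [ "$addr" = "$primary" ] && return 0
    for a in $extra; do
        [ "$addr" = "$a" ] && return 0
    done
    return 1
}

# alt_masq_routes IFACE: print one "ip route add" command per valid
# targetIP_masqSrcIP entry; malformed entries and entries whose src is
# not configured on IFACE are reported on stderr and skipped.
alt_masq_routes() {
    dev=$1
    eval pairs=\${"$dev"_ALT_MASQIP:-""}
    for pair in $pairs; do
        case "$pair" in
            *_*) ;;
            *) echo "skip $pair: expected targetIP_masqSrcIP" >&2; continue ;;
        esac
        target=${pair%%_*}   # text before the first underscore
        src=${pair#*_}       # text after the first underscore
        if ! is_local_addr "$src" "$dev"; then
            echo "skip $pair: $src is not an address of $dev" >&2
            continue
        fi
        echo "ip route add $target via $DEFAULT_GW dev $dev src $src"
    done
}

alt_masq_routes eth0
```

Piping the output into sh (after reviewing it) applies the routes; `ip route get <target>` afterwards shows which src address the kernel picked for that destination.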