Hi,

I have a suggestion for a new feature for the Dachstein/Eigerstein
LRP configuration files. The new feature allows the LRP gateway
admin to choose which public IP number is used as the masquerading
source IP when internal workstations connect to external servers.

Someone else might have the same problem, so here is the trick we use.

We have a masquerading LRP gateway between the internal and external net.
However, certain remote servers allow connections only from certain
fixed IP numbers. If all remote servers were configured to allow
connections from the same IP number, then we could set this public IP
as the primary IP on the LRP gateway (eth0_IPADDR parameter).

The problem in our case is that the external servers have been configured
to allow connections from different IP numbers. Therefore the default
eth0_IPADDR as the masq source doesn't work with all remote servers.

The solution was to add new route entries using the default gateway
_AND_ a specific src IP. Here is the route command that does the trick.

   ip route add 206.130.e.f via 230.b.c.1 dev eth0 src 230.b.c.91 

This command uses 230.b.c.91 as the source IP when internal
workstations connect to the remote server 206.130.e.f through the masq LRP gw.
All other destinations continue to use the normal eth0_IPADDR as the
masq source (230.b.c.94 in our case). Please note that we have more than
one public IP number, and all of these have been added as alias
addresses on the eth0 interface (eth0_IP_EXTRA_ADDRS parameter).

We added a new parameter to the network.conf file called _ALT_MASQIP,
and it takes two values. The first one is the remote destination and
the second is the alternative masquerading source IP. This must be
a valid IP in your IP address space, and it should be aliased to the eth0
interface through the _IP_EXTRA_ADDRS parameter.

NETWORK.CONF
..etc..
eth0_IPADDR=230.b.c.94
eth0_MASKLEN=28
eth0_BROADCAST=230.b.c.95

eth0_IP_EXTRA_ADDRS="
230.b.c.91
230.b.c.92
"

# Alternative masq source IPs, one "targetIP_masqSrcIP" pair per line.
# Keep comments outside the quotes: anything inside the string is split
# into words by the for loop in if_up() and would be passed to "ip route add".
# 206.130.e.f accepts connections from .91 only;
# 206.131.g.h accepts connections from .92 only.
eth0_ALT_MASQIP="
206.130.e.f_230.b.c.91
206.131.g.h_230.b.c.92
"
..etc...


We added the handling of this _ALT_MASQIP parameter to the
if_up() function in the network.conf file. It is executed when the
interface is brought up in the normal way. We added the route
command right after the link was started and the default
IP was set on the interface (_IPADDR).

if_up () {
   # <if>_ALT_MASQIP: list of "targetIP_masqSrcIP" pairs for this interface
   eval local ALT_MASQIP=\${"$1"_ALT_MASQIP:-""}

    ..etc..

 *) #default interface startup
    ..etc...

    # One host route per pair, via the default gateway; the "src" of the
    # route becomes the masquerading source address for that destination.
    # ${MASQIP%_*} is the part before the "_", ${MASQIP#*_} the part after.
    for MASQIP in $ALT_MASQIP; do
       ip route add "${MASQIP%_*}" \
                via "$DEFAULT_GW" dev "$1" src "${MASQIP#*_}"
    done

    ..etc..
}


I hope someone else finds this useful too.
I saw that the Dachstein 1.0.2 release had
new routing parameters which "almost" did
what we needed, but not exactly. It was missing
the src parameter from the route command, so
we would still have to use this trick even if we
upgraded to the Dachstein 1.0.2 CD/floppy release.

I must say that the LRP and Dachstein/Eigerstein teams have done an outstanding
job providing this extremely flexible
gateway/firewall package. Thanks.

Best regards,
 Mika
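
An added example, not part of the post above and not LRP/Dachstein code: a
POSIX sh helper that parses an "<ifname>_ALT_MASQIP" list in the same
"destination_source" form, checks that each source is really the
interface's primary address or one of its _IP_EXTRA_ADDRS aliases (the
kernel refuses a route whose "src" is not a local address with "Invalid
argument"), reports malformed or unusable entries, and emits the matching
"ip route add ... src" commands instead of running them. The function
names, the RFC 5737 documentation addresses and the two bad entries are
constructed for this example and stand in for the post's placeholders.

```shell
#!/bin/sh
# Added example (not from the posting or from LRP/Dachstein): parse a
# "<ifname>_ALT_MASQIP" list of destination_source pairs, validate the
# source address against what is configured on the interface, and print
# the "ip route add ... src" commands.  Addresses are constructed
# RFC 5737 documentation addresses, not a real deployment.

eth0_IPADDR=198.51.100.94
eth0_MASKLEN=28
eth0_IP_EXTRA_ADDRS="
198.51.100.91
198.51.100.92
"
DEFAULT_GW=198.51.100.81

# Two usable pairs, one whose source is not on eth0, and one malformed entry.
eth0_ALT_MASQIP="
203.0.113.10_198.51.100.91
203.0.113.20_198.51.100.92
203.0.113.30_198.51.100.93
203.0.113.40
"

# Split a "dst_src" pair into its halves with POSIX parameter expansion.
alt_masq_dst() { printf '%s\n' "${1%_*}"; }
alt_masq_src() { printf '%s\n' "${1#*_}"; }

# Return 0 if address $2 is the primary address of interface $1 or one of
# its <if>_IP_EXTRA_ADDRS aliases, 1 otherwise.
is_local_addr() {
    local primary extras a
    eval primary=\${${1}_IPADDR:-}
    eval extras=\${${1}_IP_EXTRA_ADDRS:-}
    [ "$2" = "$primary" ] && return 0
    for a in $extras; do
        [ "$2" = "$a" ] && return 0
    done
    return 1
}

# Print one "ip route add" line per usable pair of <if>_ALT_MASQIP on
# stdout and a diagnostic per unusable pair on stderr.
# Exit status is the number of pairs skipped (0 means every pair was emitted).
alt_masq_routes() {
    local ifname=$1 gw=$2 pairs pair dst src skipped=0
    eval pairs=\${${ifname}_ALT_MASQIP:-}
    for pair in $pairs; do
        case $pair in
            *_*) ;;
            *)  echo "alt_masq: malformed entry '$pair' (want dst_src)" >&2
                skipped=$((skipped + 1)); continue ;;
        esac
        dst=$(alt_masq_dst "$pair")
        src=$(alt_masq_src "$pair")
        if ! is_local_addr "$ifname" "$src"; then
            echo "alt_masq: $src is not configured on $ifname, skipping $dst" >&2
            skipped=$((skipped + 1)); continue
        fi
        echo "ip route add $dst via $gw dev $ifname src $src"
    done
    return $skipped
}

# Dry run: show what would be added; pipe the output through sh to apply it.
alt_masq_routes eth0 "$DEFAULT_GW" || echo "# $? entries skipped" >&2
```

Run as written, the script prints two "ip route add" lines for the .91 and
.92 sources and reports the .93 entry (not an alias on eth0) and the entry
without an underscore on stderr, so a typo in network.conf is caught before
"ip" ever fails on it.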

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user