[LARTC] Goodbye!

2005-07-15 Thread Cameron Nikitiuk
I am unsubscribing from the list.

I asked for help at least twice for an issue and only one person even
offered to try and help if they could.  I sent them the details directly and
did not receive anything back.

I realize this is a community effort and that I am not guaranteed an answer
when I submit a question, but to not even receive an "RTFM" just doesn't
leave me feeling very positive about the value of the mailing list.

Regards,

Cameron

___
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


[LARTC] RE: Help - Firewall/Router Configuration

2005-07-05 Thread Cameron Nikitiuk
I sent my issue to the list twice and no one responded.

Thank you!



[LARTC] Help - Firewall/Router Configuration

2005-06-28 Thread Cameron Nikitiuk
Hi All,

I am hoping someone can help me with a project I am doing at work.  I warn
you in advance that this will be a long post, but I wanted to provide as
much information as I could to explain what was going on.  Any help would be
very much appreciated and welcomed as my boss would like to see this up and
running this week.  I have been scouring various 
documents on advanced routing for a couple weeks now and I am just not 100%
sure if I have everything right or not.  It seems for every question I
answer, two more pop up and I just want to try and clear up my confusion.  

One of those areas of confusion is how iproute2 and iptables play together.
I know that routing sits below the rules on the stack but can't seem to
shake the thought that you can do the routing as well as the rulesets within
the iproute2 stack.  So, I am seeing it as one thing handling both
functions, but my boss sees it as routes then tables.  Can anyone clear that
up a bit for me?

Following are some details on my environment and what I am hoping to
accomplish:

ENVIRONMENT:
* CentOS 4.0 with all relevant patches & updates.
* Dell PowerEdge 2500: Lots of power, lots of room.
* 4 NICs:
- eth0: LAN (192.198.0.2)
- eth0:1: Virtual interface (10.5.5.1)
- eth1: Public IP - Primary (1.1.1.1)
- eth2: Public IP - Secondary (2.2.2.2)
- eth3: DMZ (192.168.0.3); Public IP - Web/FTP Server (3.3.3.3)
* Software: iproute2; Snort (Possible future use); OpenSwan; Squid; BIND;
ProFTPD (Possible future use); Postfix; ClamAV; MailScanner; DoveCot;
SquirrelMail (Possible future use).

BACKGROUND:
I have been assigned to build a replacement firewall/router/gateway for my
company.  I have pretty much been given carte blanche to do what I want
here, but with a few suggestions on what my boss wants to see happen.  My
boss built the current set-up and it has worked well, and I am still
relatively new to the company and will humbly admit to being a relatively
inexperienced sysadmin.  I do however have a good grounding in networking,
troubleshooting, hardware, etc...just not a lot of the hands on with the
bigger stuff.

We have two WAN connections (as above) for redundancy/failover, as well as
an external IP for our web server/ftp server which should be mapped to the
internal DMZ address.  It is a separate box and we want to relocate it on
the DMZ so that it can take advantage of the failover.  The virtual
interface is an alias off of the eth0 interface that will connect to a Cisco
PIX firewall in our parent office.  My boss occasionally uses VNC/Remote
Desktop to remote in.  We also want to use squid as a transparent proxy with
the hopes of minimizing bandwidth as well as some monitoring and traffic
control.  We are looking at using some of the features in iproute2 to
explore traffic shaping in the future.

The current firewall setup is an iptables-based firewall with inflex running
as well.  This firewall sits behind an appliance that is supposed to be
handling the failover and the VPN connection but has not lived up to its
hype.  As I said before I have read numerous documents including the LARTC
HOW-TO and various supplementary materials from the net,
including mini-HOW-TOs, tutorials, etc.

CURRENT STAGE:
So far I have ip-up running a *.sh script from
/etc/sysconfig/networking-scripts that names the appropriate variables for
the four interfaces; sets up split access; defines a default interface and
attaches a weight to the default interface (I am assuming a higher weight
number means higher preference); all as per the examples in chapter 4 of the
LARTC HOW-TO.  This first script then runs a second script that runs the
rules for the two WAN interfaces.  The rules are based on my boss's previous
set-up so I trust them to work fine.  I have created the same set of rules
for both eth1 & eth2 in the same document.  I found some information from
the LARTC mailing list archives that talks about setting up the DMZ but I am
not sure I got it right.  I added two tables into rt_tables as per chapter 4
as well.

I definitely know I haven't got the DMZ routing right and nothing for squid
as I am not sure where to even start with that.  I am pretty sure I have the
OpenSwan set up right but a little iffy on the routing for the connection.
BIND, PostFix, ClamAV, MailScanner & DoveCot were all working fine before I
started to mess with the rules, so I just want to 
make sure I am accommodating them appropriately in the routing/rules as
well.  I pretty much used the defaults on most of the stuff installed as our
needs aren't overly complicated right now.

Below is some output from rt_tables and my firewall script to show what kind
of a mess I have made so far:

rt-tables:
[EMAIL PROTECTED] ~]# ip route list
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.2
10.5.5.0/24 dev eth0  proto kernel  scope link  src 10.5.5.1
default via 192.168.0.1 dev eth0
[EMAIL PROTECTED] ~]# ip route list table default
[EMAIL PROTECTED]
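A worked version of the split-access setup and of the iptables/iproute2 hand-off the post asks about, added here as an illustration; it is not code from the post or from the LARTC HOWTO. The interface names and public addresses are the post's; the gateway addresses (1.1.1.254, 2.2.2.254), the /24 prefixes and the table numbers 1 and 2 are assumptions, and by default it only prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: split access over eth1/eth2 in the LARTC chapter 4 style, plus one
# fwmark rule showing where iptables hands a routing decision to iproute2.
# Interface names and public IPs are from the post; the gateways (.254), the /24
# prefixes and the table numbers 1 and 2 are assumptions.
IF1=eth1; IP1=1.1.1.1; P1=1.1.1.254; P1_NET=1.1.1.0/24
IF2=eth2; IP2=2.2.2.2; P2=2.2.2.254; P2_NET=2.2.2.0/24
IF0=eth0; LAN_NET=192.168.0.0/24

# Dry run by default: RUN=echo prints each command; RUN="" executes it (needs root).
RUN=${RUN:-echo}

split_access() {
    # Table 1: packets sourced from the first uplink's address always leave via eth1.
    $RUN ip route add "$P1_NET" dev "$IF1" src "$IP1" table 1
    $RUN ip route add default via "$P1" table 1
    # Table 2: the same for the second uplink.
    $RUN ip route add "$P2_NET" dev "$IF2" src "$IP2" table 2
    $RUN ip route add default via "$P2" table 2
    # The main table also needs both link routes so the box can reach each gateway.
    $RUN ip route add "$P1_NET" dev "$IF1" src "$IP1"
    $RUN ip route add "$P2_NET" dev "$IF2" src "$IP2"
    # Policy rules: replies go back out the link the request arrived on.
    $RUN ip rule add from "$IP1" table 1
    $RUN ip rule add from "$IP2" table 2
    # Balanced default route for new outbound connections; weight is a relative share,
    # so a higher number sends more new connections over that link.
    $RUN ip route add default scope global \
        nexthop via "$P1" dev "$IF1" weight 1 \
        nexthop via "$P2" dev "$IF2" weight 1
}

# iptables and iproute2 meet at the fwmark: netfilter's mangle table marks a packet,
# and an ip rule keyed on that mark picks the routing table for it. Here LAN web
# traffic is pinned to the second uplink. SNAT for that path is still needed and
# is not shown.
mark_routing() {
    $RUN iptables -t mangle -A PREROUTING -i "$IF0" -s "$LAN_NET" \
        -p tcp --dport 80 -j MARK --set-mark 2
    $RUN ip rule add fwmark 2 table 2
}

split_access
mark_routing
```

Running it as root with RUN="" applies the commands; the routes in tables 1 and 2 can then be checked with `ip route list table 1` and `ip rule list`.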