Re: Fedora Firewall with multiple public IPs



As far as I'm concerned, it should follow these ‘basic’ rules:

· All traffic goes via my unlimited connection (with the exception of)

· Email goes via an SMTP relay for one of our providers, which has been added to our DNS

· SIP traffic goes via the same provider, as they provide a rock solid connection

If my A1 provider is absent for any reason, then use my B1 provider, until A1 comes back up. Any ideas and suggestions will be appreciated :)

Make the cheap unlimited ISP the default route, use the mangle table to MARK the
connections you want to go through the other ISP, then use a source route based
on the MARK to force the packets out the non-default interface. Use the nat
table to SNAT the marked packets to the correct source address.

I do that at several sites.


I recently did that for a VPN server, you could probably do something
like the following (after making the unlimited connection your default):

# Flush a route table (to make sure there is nothing in it).
# You can pick any number; I chose 300.
ip route flush table 300

# Delete the fwmark rule that we are going to use (0x50 here); this only
# produces a harmless error if the rule does not exist yet.
ip rule del fwmark 0x50

# Add a mangle rule to mark source packets (SMTP for example).
# --set-mark 80 corresponds to fwmark 0x50 (0x50 in hex is 80 in decimal).
iptables -t mangle -A OUTPUT -p tcp --sport 25 -j MARK --set-mark 80

# Do something similar for each of the SIP ports you want to open.

# Set the default route for table 300.
ip route add table 300 default via <your second connection gateway>

# Add the fwmark rule pointing at table 300.
ip rule add fwmark 0x50 table 300



You can easily MARK additional ports to send out the more stable
connection by adding more IPTABLES rules.

Also, make sure that the ports have been opened in iptables so they can
get through.

Good luck,

Tait
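Putting the whole recipe from this reply together (cheap ISP as the default route, MARK in the mangle table, a rule that sends marked packets to a second routing table, SNAT in the nat table), here is an added example script; it is not Tait's own commands. The interface name, the ISP-B gateway and address, the relay address, the mark 0x50 and table 300 are all assumed placeholders. It matches outbound mail by destination port 25 towards the relay (source port 25 would instead match replies to inbound SMTP), adds the SNAT step the reply describes but the snippet omits, flushes the route cache after changing rules, and loosens reverse-path filtering on the second interface so the asymmetric replies are not dropped. With DRY_RUN=1 (the default) it only prints the commands, so they can be reviewed before applying them as root with DRY_RUN=0.

```shell
#!/bin/sh
# Policy routing for "send selected traffic out ISP B": added example, not the
# reply's script. Every value below is an assumed placeholder (documentation
# address ranges), to be replaced with the real interface, gateway and relay.
ISP_B_IF="${ISP_B_IF:-eth1}"              # assumed: interface facing the stable ISP
ISP_B_GW="${ISP_B_GW:-203.0.113.1}"       # assumed: that ISP's gateway
ISP_B_ADDR="${ISP_B_ADDR:-203.0.113.10}"  # assumed: our public address on that ISP
SMTP_RELAY="${SMTP_RELAY:-198.51.100.25}" # assumed: the provider's SMTP relay
MARK=0x50                                 # fwmark used by ip(8); 80 in decimal
TABLE=300                                 # routing table number
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print commands, 0 = execute them

# Print the command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Convert the hex fwmark to decimal; iptables accepts either form, but the
# decimal value keeps the tie to 0x50 explicit (mark_dec 0x50 -> 80).
mark_dec() { echo $(( $1 )); }

setup_policy_routing() {
    dec=$(mark_dec "$MARK")

    # 1. Mark locally generated traffic that must leave via ISP B.
    #    Outbound mail: TCP to the relay's port 25. SIP signalling: UDP 5060.
    run iptables -t mangle -A OUTPUT -p tcp -d "$SMTP_RELAY" --dport 25 -j MARK --set-mark "$dec"
    run iptables -t mangle -A OUTPUT -p udp --dport 5060 -j MARK --set-mark "$dec"

    # 2. Rewrite the source address of marked packets leaving ISP B's
    #    interface, so replies come back over ISP B and not the default ISP.
    run iptables -t nat -A POSTROUTING -o "$ISP_B_IF" -m mark --mark "$dec" -j SNAT --to-source "$ISP_B_ADDR"

    # 3. Second routing table with ISP B as its default, selected by fwmark.
    #    The 'del' keeps re-runs idempotent (harmless error on the first run).
    run ip route flush table "$TABLE"
    run ip route add table "$TABLE" default via "$ISP_B_GW" dev "$ISP_B_IF"
    run ip rule del fwmark "$MARK" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route flush cache

    # 4. Strict reverse-path filtering (1) drops replies arriving on ISP B for
    #    flows the main table would route elsewhere; loose mode (2) allows them.
    run sysctl -w "net.ipv4.conf.$ISP_B_IF.rp_filter=2"
}

# Commands for checking the result once applied.
show_policy_routing() {
    run ip rule show
    run ip route show table "$TABLE"
    run iptables -t mangle -L OUTPUT -n -v
    run iptables -t nat -L POSTROUTING -n -v
}

setup_policy_routing
```

Each additional port that should leave via the stable ISP needs only another mangle OUTPUT rule with the same mark; the nat and routing parts stay unchanged. The filter table must still accept the traffic, as the reply notes, since marking and routing do not open anything.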


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
