Dual PVC connection
From: David Johnson (david_at_johnsondata.com.au)
Date: 12 Apr 2004 07:21:39 -0700
Fellow networking travellers
We are setting up a new internet connection and are missing some important
steps for the best security model. The ISP involved seems a bit green at
this as well.
What we have is a dual PVC coming into an ADSL router/modem. One PVC
(1) will be an internet connection. The second PVC (2) will be a
private GRE connection to a branch office. The router/modem brand has
been specified by the ISP as the only one supported (Open Networks). It
only has one WAN input (the dual PVC) and one LAN output.
The (1) connection is a standard public IP address.
The (2) connection is a private IP address 192.168.150.x
As this particular router/modem has only "OK" firewall capability, we
wish to add an additional firewall (Snapgear Linux appliance) between
it and the head office network.
These requirements of (1) NAT and (2) routing are configurable by
iptables -t nat -I POSTROUTING -o $INTERNET_IF -s 192.168.x.212 \
    -j SNAT --to-source 203.185.x.x
iptables -A ExtAcc -d 192.168.x.212 -j ACCEPT
iptables -t nat -A PREROUTING -i $INTERNET_IF -p tcp --dport 80 \
    -d 203.185.x.x -j DNAT --to-destination 192.168.x.212
etc., which is easy for (1): allowing public ports into internal servers, e.g.
web server access.
echo 1 > /proc/sys/net/ipv4/ip_forward   # enable forwarding between the interfaces
iptables -t nat -F
iptables -t mangle -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
to route the private branch office subnet into the head office subnet.
Is it possible to combine the 2 of them and still maintain a secure
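A combined rule set for the setup described above, as an added example that is not part of the original post or of SnapGear's own configuration: it keeps the NAT/DNAT of PVC (1) and the plain routing of PVC (2) on one firewall while replacing the ACCEPT default policies with default-drop and stateful rules. Interface names, the GRE router's address and all IP addresses are assumed placeholders.

```shell
#!/bin/sh
# Added example: prints (rather than applies) the rules, so they can be reviewed
# before being piped to sh on the firewall. Every value below is a placeholder.
WAN_IF="eth1"                    # single link towards the ADSL router (both PVCs)
LAN_IF="eth0"                    # head office LAN
PUBLIC_IP="203.0.113.10"         # placeholder public address of PVC (1)
WEB_SERVER="192.168.1.212"       # internal web server published via DNAT
HQ_NET="192.168.1.0/24"          # head office subnet
BRANCH_NET="192.168.150.0/24"    # private subnet reached through PVC (2)
ROUTER_IP="192.168.1.254"        # ADSL router's address on the firewall's WAN segment

gen_rules() {
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F; iptables -t nat -F; iptables -t mangle -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# PVC (1): head office out to the internet, hidden behind the public address;
# branch-bound traffic is excluded so it is routed, not NATed
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $HQ_NET ! -d $BRANCH_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $HQ_NET ! -d $BRANCH_NET -j SNAT --to-source $PUBLIC_IP
# PVC (1): only TCP/80 is published inbound, and only to the web server
iptables -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SERVER -p tcp --dport 80 -m state --state NEW -j ACCEPT
# PVC (2): branch subnet accepted only as branch <-> head office traffic
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -s $BRANCH_NET -d $HQ_NET -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $HQ_NET -d $BRANCH_NET -j ACCEPT
ip route replace $BRANCH_NET via $ROUTER_IP dev $WAN_IF
EOF
}

gen_rules
```

Because both PVCs arrive on the same WAN interface, the firewall can only tell them apart by address, so the ADSL router should also be configured to drop packets with private source addresses arriving on the internet PVC.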