
Re: routing based on source IP

On Sun, 4 Jan 2004, Mickey Mullin wrote:
> Leonardo Boselli wrote:
>  > eth0:2 is a virtual port with a 172.16 address for private hosts (DHCP
>  > supplies such addresses with our host as the gateway)
> It's not always a great idea to have your public and private networks on 
> the same ethernet port.  Depending on the card, you may have serious 
> performance issues, not to mention a potential security hole.
I tried using two different cards, and had more problems (incidentally: the
system used both cards for both addresses so, although it worked twice as
fast [using two ports on the switch], logging and monitoring was full
of warnings about an address change ..)
For security concerns: having them separate would be nice, but in some cases I
cannot avoid the possibility that someone plugs a machine that has to have
a private address into the "public" network. I have in effect some other ways
to avoid abuses.
>  > Requirements:
>  >  having a different routing for packets:
>  > 1.   sourcing from the host itself (that runs apache-ssl, squid and
>  > exim-4, and all these programs have no problem recognizing the source of
>  > the request ) except 5
> I don't understand exactly what you're saying here, but if you just want 
> to allow packets from the firewall/router, just create ACCEPT targets 
> for OUTPUTs on each of the interfaces (iptables):

I'll try to explain better: I need to have both separate firewall rules and
route tables depending on whether the packet is originated by the router itself
or by one of the assigned addresses (that is, the dial-in ports, which can be
considered as local users), in which case no firewall rule should be in effect
and routing is normal; or the packet enters from eth0/1/2 to be routed, in which
case the routing table and firewall table are different.
>  > 4.  coming from eth1 only packets to that address.
> iptables -A INPUT -i eth1 -d $eth1_ip -j ACCEPT
Should I add a deny rule to avoid someone on eth2 trying to talk to the
address at the other end of eth1?
> I believe you're going to want to take a look at iproute2 (and other 
> aspects of advanced routing):
> http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/index.html
> Specifically, there is an example for source policy routing (which 
> interface gets the masqueraded/forwarded packet happens outside of 
> iptables):
> http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.simple.html

I'll try to read it (tomorrow, now it is 22:56 ...)

Thanks for the help
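The setup the reply asks for (separate routing and filtering for traffic entering eth0/1/2, normal unfiltered routing for the router itself and the dial-in ports, eth1 restricted to its own address, and the "deny rule" for eth2 toward eth1's far end), as an added example that is not code from the original thread; the thread's only commands are the single iptables line quoted above and the LARTC links. Interface roles, the addresses, the table ids 100/101 and the use of ppp+ for the dial-in ports are assumptions. RUN is a dry-run switch: it defaults to echo so the script only prints the commands.

```shell
#!/bin/sh
# Added example, not code from the thread: policy routing with iproute2 plus
# the matching iptables rules, written as a dry-run script.  Every interface
# name, address and table id is an assumption.  RUN defaults to "echo" so the
# script only prints what it would do; run as root with RUN="" to apply it.
RUN="${RUN:-echo}"

# Assumed topology (constructed for this example):
#   eth0  public segment; default gateway 192.0.2.1, second router 203.0.113.1
#   eth1  point-to-point link, our side 198.51.100.2, far end 198.51.100.1
#   eth2  second LAN
#   ppp+  dial-in ports, treated as local users just like the router itself
ETH1_IP="198.51.100.2"
PRIVATE_NET="172.16.0.0/16"

# Policy routing: packets matching SELECTOR ("iif eth2", "from 172.16.0.0/16")
# are looked up in TABLE, whose default route points at GW via DEV.  Anything
# that matches no rule falls through to the main table (pref 32766), so the
# router's own traffic and the dial-in users keep their normal routing.
policy_route() {
    table="$1"; selector="$2"; gw="$3"; dev="$4"
    $RUN ip route replace default via "$gw" dev "$dev" table "$table"
    # $selector is deliberately unquoted: it is one or more ip-rule keywords
    $RUN ip rule add $selector table "$table"
}

# Filtering: local and dial-in traffic unfiltered, everything entering the
# ethernet ports restricted.  The INPUT accept for eth1 only means something
# because the chain policy is DROP; on an ACCEPT policy it would be a no-op.
firewall_rules() {
    $RUN iptables -P INPUT DROP
    $RUN iptables -P FORWARD DROP
    $RUN iptables -A INPUT -i lo -j ACCEPT
    $RUN iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the router itself and the dial-in users are not filtered
    $RUN iptables -A OUTPUT -j ACCEPT
    $RUN iptables -A FORWARD -i ppp+ -j ACCEPT
    # on eth1 accept only packets addressed to our own eth1 address
    $RUN iptables -A INPUT -i eth1 -d "$ETH1_IP" -j ACCEPT
    # the deny rule asked about: hosts on eth2 may not reach eth1's far end
    $RUN iptables -A FORWARD -i eth2 -o eth1 -j DROP
    # private hosts entering on eth0 are forwarded (NAT is set up elsewhere)
    $RUN iptables -A FORWARD -s "$PRIVATE_NET" -i eth0 -j ACCEPT
}

# Private hosts get their own default route; traffic entering eth2 is sent
# through the second router on the public segment.
policy_route 100 "from $PRIVATE_NET" 192.0.2.1 eth0
policy_route 101 "iif eth2" 203.0.113.1 eth0
firewall_rules
```

Rules in the policy database are evaluated by priority: the local table (pref 0) always answers first, which is why the router's own addresses stay reachable whatever the added tables say, and the main table (pref 32766) catches everything that no added rule selected. `ip rule add` is not idempotent, so a script that is re-run needs a matching `ip rule del` first. The explicit eth2-to-eth1 DROP is redundant while the FORWARD policy is DROP, but it records the intent and survives a later policy change.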
