Interface-1 is my primary Internet access and default gateway. It’s an
ADSL link at 5 Mbs with static IPs. I get a call from the Cable company
with an offer I can’t refuse. Now I have a second Internet connection at
25 Mbs with a single dynamic IP address. I have a spare nic in the
server so interface-2 now connects to the Cable company.
The idea was to use interface-2 for web surfing but I can’t see any way
to route only port 80 and 443 traffic. /etc/sysconfig/SuSEfirewall2
allows me to specify the subnets and ports to forward but it doesn’t
seem to allow me to specify a particular interface.
How do I direct traffic to a particular interface based on port number?
–
Kevin Boyle
If you find this post helpful, please click on the star below!
This may be tricky. You’re talking about doing routing at layer 3 (IP)
based on data at layer 4 (TCP) which is encapsulated in IP and,
therefore, not really cared-about by the layer 3 stuff. Your default
gateway would be the easiest thing to change to get things going over
the Cable-based connection and then you could do the few things that
need the other connection some other way. If it’s all inbound traffic
of some sort (SSH, VPN, whatever) that you want to do over the other
interface with the static IP then that may work easily. Knowing more
about those services may help. Most of the time layer 4 switches tend
to be dedicated devices that are doing switching based on the
destination port and they only do it for a couple of destinations (LDAP
servers for example). I’ve also heard of people in a situation like
yours that basically use one connection until it dies and then failover
to the other one.
Good luck.
I’ve worked with a dual interface router and had issues with traffic
incoming via ISP #1 and the response sent via ISP #2. It does get messy,
especially when the ISP #2 interface uses NAT. I had hoped to keep this
relatively simple by only using the Cable ISP for surfing.
I think this will require a bit more research.
–
Kevin Boyle
iptables -t nat -A PREROUTING -d 'IP of eth1' -p tcp -m multiport --dports 80,443 -j DNAT --to 'IP of eth2'

Regards,
Tom
Hi Tom,
So far, I have been able to use the SuSEfirewall2 config file to
configure my firewall. I’ve read a bit about iptables and suspected that
at some point I would need to understand it better. It looks like that
day has arrived…
I don’t understand the need for the duplicate MASQUERADE entries. I
would think a single entry for each of the subnets should do. I
suspect it is just the way that SuSEfirewall2 generated the rules…
The new entries to the PREROUTING chain have no effect. All
outbound packets are via 111.111.111.111.
I don’t understand what DNAT refers to.
After a few minutes the nat table reverts back to the original
version without the additional entries to the PREROUTING chain. Do you
know why this might happen?
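An added example (not code from this thread) of the approach that does what the original question asks: mark new TCP 80/443 flows in the mangle table, send marked packets through a second routing table whose default route is the cable gateway, and masquerade on the cable interface so replies return on the same link. The interface name, gateway, LAN subnet, fwmark and table id are assumed placeholders; DNAT alone only rewrites the destination address and never changes the egress interface.

```shell
#!/bin/sh
# Added example, not from the thread: route only new outbound TCP 80/443
# flows over the cable link with iptables marks plus a second routing
# table. Interface name, gateway, LAN subnet, mark and table id below are
# assumed placeholders; DNAT alone (as tried above) only rewrites the
# destination address and never changes the egress interface.
gen_policy_routing_rules() {
    wan2_if=$1    # cable interface, e.g. eth2 (assumed)
    wan2_gw=$2    # cable gateway address (assumed)
    lan_net=$3    # LAN subnet, e.g. 192.168.1.0/24 (assumed)
    mark=0x2      # arbitrary fwmark value
    table=200     # arbitrary routing table id
    cat <<EOF
# 1. Second routing table whose default route is the cable gateway
ip route replace default via $wan2_gw dev $wan2_if table $table
# 2. Packets carrying the mark consult that table before "main"
ip rule add fwmark $mark lookup $table priority 1000
# 3. Restore a mark saved on the connection (keeps every packet of a
#    flow on the same link), then mark NEW web flows and save the mark
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -s $lan_net -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j MARK --set-mark $mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
# 4. Same for flows that originate on the firewall itself (OUTPUT chain);
#    the kernel re-runs the routing decision when mangle OUTPUT sets a mark
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j MARK --set-mark $mark
iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j CONNMARK --save-mark
# 5. MASQUERADE on the cable interface: copes with its dynamic address and
#    makes replies come back on the link the request left on
iptables -t nat -A POSTROUTING -o $wan2_if -j MASQUERADE
# 6. Drop cached routing decisions so the new rule applies immediately
ip route flush cache
EOF
}

# Prints the commands; run them as root (e.g. pipe to sh) to apply them.
gen_policy_routing_rules eth2 203.0.113.1 192.168.1.0/24
```

SuSEfirewall2 rewrites the whole ruleset whenever it is restarted (an ifup or DHCP event on the cable interface can trigger that), which is why rules added by hand disappear after a while; the FW_CUSTOMRULES hook script (/etc/sysconfig/scripts/SuSEfirewall2-custom) is the place to put such rules so they are re-applied on every reload.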
Is running a squid proxy on the machine an option? Then you might want
to look at the tcp_outgoing_address option (and make sure your proxy will
only listen on an internal interface, like 127.0.0.1 if all requests
originate on the same machine - http_port option)…
Regards,
Jens
–
from the times when today’s “old school” was “new school” :eek:
Hi Jens,
This is a firewall machine. Most requests will originate from somewhere
on the LAN although some could/will originate from this server.
I’m relatively new to Linux with only a few years under my belt. I have
yet to play with a squid proxy or delve into iptables, both of which are
on my to do list.
I don’t think it is too unusual these days to have a second ISP for
backup or load balancing. I have configured a Netgear FVS336G dual WAN
router/firewall for a customer. It provides load balancing and fail-over
but creating rules is very time consuming and the device has throughput
limitations. In my area, the cable company is offering 100 megabit
service which can tax many small routers. I would think a SLES firewall
should be able to provide the capabilities I need and accommodate the
higher throughput. I’m surprised this issue hasn’t come up before…
I suspect iptables might be the solution. I’ll just have to make some
time to learn a bit more about it. If anyone is interested, I can
recommend a good book. It’s well organized and easy to read but there is
a lot of material to digest…