[TriLUG] OT: Router then Firewall

jonc jonc at nc.rr.com
Tue May 16 09:27:10 EDT 2006


Excellent info! A gem of a script too.
Certainly worthy of being repeated...

===<from Jason's original email>===
-----------------------------------------------------
#!/bin/sh
# Two uplinks, one routing table per uplink.  T1 and T2 must already be
# defined in /etc/iproute2/rt_tables (see the echo lines below), otherwise
# the "table T1" / "table T2" arguments are rejected.
IF1=eth0
IF2=eth1
IP1=66.45.113.214      # IP address of eth0
IP2=133.37.29.34       # IP address of eth1
P1=66.45.113.213       # gateway for eth0
P2=133.37.29.33        # gateway for eth1
P1_NET=66.45.113.209   # network of eth0 (as posted; without a /prefix, ip adds a single-host route)
P2_NET=133.37.29.30    # network of eth1 (same caveat)

# per-uplink tables: the local subnet plus that ISP's default gateway
ip route add $P1_NET dev $IF1 src $IP1 table T1
ip route add default via $P1 table T1
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip route add default via $P2 table T2

# main table: both subnets are directly reachable ...
ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2

# ... and outbound traffic defaults to the eth1 uplink
ip route add default via $P2

# source-based rules: traffic from IP1 uses T1, from IP2 uses T2,
# so replies leave through the interface the request arrived on
ip rule add from $IP1 table T1
ip rule add from $IP2 table T2
--------------------------------------------------
finally, add two routing table entries into /etc/iproute2/rt_tables:

echo "200 T1">>/etc/iproute2/rt_tables
echo "201 T2">>/etc/iproute2/rt_tables

once this was done the web server worked flawlessly, serving up pages to 
hosts regardless of whether they used the original IP address or the 
new one.  this way it didn't matter how long DNS changes took to 
propagate, both results worked equally well.

======

On Mon, 2006-05-15 at 16:25, Jason Tower wrote:
> you should be able to do this with either linux or openbsd, this might 
> point you in the right direction:
> 
> http://www.trilug.org/pipermail/trilug/Week-of-Mon-20031027/021269.html
> 
> not 100% identical to what you want to do but kinda sort of vaguely similar.
> 
> jason
> 
> Steve Hoffman wrote:
> > Can anyone suggest a decent router, that can also be used as a firewall with
> > NAT?  I was able to set a cisco 2500 series router to route between two
> > incoming connections by using route-maps.  I've recently purchased a Cisco
> > ASA 5510 to add a little more protection and was assured at the time of
> > purchase it could do what I needed..well, now I see that it can not.  If I
> > have to purchase a second one I will, but I'd rather have a good router that
> > can route between more than one inbound provider and restrict access to our
> > public interfaces.
> > 
> > Here's what I want...
> > 
> > All addresses are private IP's on the internal network (10.0.0.0/24)
> > 
> > A total of two incoming internet connections with three separate IP ranges
> > (2 /29's and 1 /28)
> > 
> > I'd prefer that all traffic go out via one default ip address UNLESS a NAT
> > rule is setup to translate to one of the 24 available IP addresses, at which
> > point the packet should go to the default gateway for that network....
> > 
> > I can't imagine I'm the first person to want this, but I guess I'm the first
> > to want to do it with an ASA?  On the surface the ASA can do everything
> > EXCEPT specify the next hop for an external internet connection.  It only
> > allows for one default route and doesn't allow for a "set default next-hop
> > xxx.xxx.xxx.xxx" as a router does...which shoots my whole plan to shit.
> > I've considered using RIP or OSPF, but unfortunately one of our internet
> > connections is a RR business class (hey..it's got great download speed)
> > connection that I can't alter the routing info so that's out.
> > 
> > As always, your words of wisdom are welcome.
> > 
> > Thanks,
> > Steve
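The policy-routing recipe from the thread, as an added example that is not part of any of the posts: this version registers the T1/T2 table names before they are used (ip rejects "table T1" until rt_tables knows the name), appends them only once instead of on every run, and prints the ip commands rather than executing them unless explicitly applied. The addresses are constructed from RFC 5737 documentation ranges, and the function names are my own.

```bash
#!/bin/sh
# Added example, not Jason's script: the same two-uplink policy routing,
# made idempotent (rt_tables entries are added once) and dry-runnable.
# Addresses are constructed from the RFC 5737 documentation ranges.
IF1=eth0;  IP1=198.51.100.10;  P1=198.51.100.9;  P1_NET=198.51.100.8/29
IF2=eth1;  IP2=203.0.113.34;   P2=203.0.113.33;  P2_NET=203.0.113.32/29
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the ip commands, 0 = execute them

# run CMD...: print the command, and execute it unless DRY_RUN=1
run() {
    echo "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# ensure_rt_table NUM NAME FILE: add "NUM NAME" to FILE only if absent.
# Returns 1 if NUM or NAME is already bound to something else.
ensure_rt_table() {
    num=$1 name=$2 file=$3
    [ -f "$file" ] || : > "$file"
    grep -Eq "^[[:space:]]*$num[[:space:]]+$name[[:space:]]*$" "$file" && return 0
    if grep -Eq "^[[:space:]]*($num[[:space:]]|[0-9]+[[:space:]]+$name[[:space:]]*$)" "$file"; then
        echo "rt_tables: $num/$name conflicts with an existing entry" >&2
        return 1
    fi
    echo "$num $name" >> "$file"
}

# uplink_cmds: the ip commands for both uplinks, in dependency order
uplink_cmds() {
    # per-uplink tables: local subnet plus that ISP's default gateway
    run ip route add "$P1_NET" dev "$IF1" src "$IP1" table T1
    run ip route add default via "$P1" table T1
    run ip route add "$P2_NET" dev "$IF2" src "$IP2" table T2
    run ip route add default via "$P2" table T2
    # main table: both subnets directly, default route via ISP 2
    run ip route add "$P1_NET" dev "$IF1" src "$IP1"
    run ip route add "$P2_NET" dev "$IF2" src "$IP2"
    run ip route add default via "$P2"
    # source rules: replies leave through the interface they arrived on
    run ip rule add from "$IP1" table T1
    run ip rule add from "$IP2" table T2
}

# setup_uplinks: register the table names first, then add routes and rules
setup_uplinks() {
    ensure_rt_table 200 T1 "$RT_TABLES" && ensure_rt_table 201 T2 "$RT_TABLES" && uplink_cmds
}
case "${1:-}" in apply) DRY_RUN=0; setup_uplinks ;; show) uplink_cmds ;; esac
```

Run `sh uplinks.sh show` to review the commands, or `sh uplinks.sh apply` as root to create the table entries and install the routes and rules.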
