3 internet links thru firewall to windows PC


3 internet links thru firewall to windows PC

wpc-2
I have 3 internet links.

2 coming through the same cisco router.

and one other coming through a separate router.

1 link is purely reserved for surfing the web.

while the other 2 links should be used to link to some
other organisation. The two links should be accessible
from one windows server inside the organisation.

my question is,

how do I tell my SuSEFirewall to separate the traffic
for the 3 links, I want the windows server to sit
behind the firewall, probably in a DMZ,
but its traffic should only pass through one of the
other 2 links.

Also the internet traffic from the workstations should
only pass through the internet link.

thanks

  "Who the heck is General Failure, and why is he reading my harddisk?"
 



--
Check the headers for your unsubscription address
For additional commands, e-mail: [hidden email]
Security-related bug reports go to [hidden email], not here


Re: 3 internet links thru firewall to windows PC

polarizer
> how do i tell my SuSEFirewall to separate the traffic
> for the 3 links

This is usually not the job of Susefirewall, since it does not support
source based routing.

Check out "iproute2" to send outbound traffic over multiple links.

An in depth howto is the "Linux Advanced Routing & Traffic
Control" [1][2]

polarizer's 2 cent

[1] http://lartc.org/
[2] http://lartc.org/howto/lartc.iproute2.html






Re: 3 internet links thru firewall to windows PC

Benji Weber-2
In reply to this post by wpc-2
> i have 3 internet links.
>
> 2 coming through the same cisco router.
>
> and one other coming through a separate router.
>
> 1 link is purely reserved for surfing the web.
>
> while the other 2 links should be used to link to some
> other organisation. The two links should be accessible
> from one windows server inside the organisation.
>
> my question is,
>
> how do I tell my SuSEFirewall to separate the traffic
> for the 3 links, I want the windows server to sit
> behind the firewall, probably in a DMZ,
> but its traffic should only pass through one of the
> other 2 links.

You can load additional custom rules into SuSEfirewall2 using the
/etc/sysconfig/scripts/SuSEfirewall2-custom file, after enabling it in
/etc/sysconfig/SuSEfirewall2. I'm not entirely sure if I understand your
question correctly, but we had 3 internet connections in our house last
year and did something like this (I tried to simplify the example, so I may
have introduced errors).

The methods for doing such things are described in full at lartc.org; I
suggest you read there.

------

INTERNALNIC=eth0
EXTERNALNICA=eth1
EXTERNALNICB=eth2

#gateway addresses of the two upstream routers (placeholders, fill in your own)
EXTERNALIPA=0.0.0.0
EXTERNALIPB=0.0.0.0

#clean up for restart (errors are ignored on the first run, when nothing exists yet)
ip rule del fwmark 1 table interfacea.out 2>/dev/null
ip rule del fwmark 2 table interfaceb.out 2>/dev/null

#add rules to route packets marked with 1 with interfacea routing table
#and packets marked with 2 with interfaceb routing table
#you will need to have created these routing tables
#(add "interfacea.out" and "interfaceb.out" to /etc/iproute2/rt_tables)
ip rule add fwmark 1 table interfacea.out
ip rule add fwmark 2 table interfaceb.out

#delete default route
ip route del default

#add default route through interfacea
ip route add default via $EXTERNALIPA dev $EXTERNALNICA table main

#set default route for interfacea routing table through interfacea
ip route del default table interfacea.out 2>/dev/null
ip route add default via $EXTERNALIPA dev $EXTERNALNICA table interfacea.out

#set default route for interfaceb routing table through interfaceb
ip route del default table interfaceb.out 2>/dev/null
ip route add default via $EXTERNALIPB dev $EXTERNALNICB table interfaceb.out

#mark everything for connection 1
iptables -t mangle -A PREROUTING -i $INTERNALNIC -d 0/0 -j MARK --set-mark 1

#now mark stuff we want to go over connection2
#(these rules come later in the chain, so their mark overwrites the 1 set above)

#ssh
iptables -A PREROUTING -i $INTERNALNIC -t mangle -p tcp --dport 22 -j MARK --set-mark 2

#http(s)
iptables -A PREROUTING -i $INTERNALNIC -t mangle -p tcp --dport 80 -j MARK --set-mark 2
iptables -A PREROUTING -i $INTERNALNIC -t mangle -p tcp --dport 443 -j MARK --set-mark 2

#irc
iptables -A PREROUTING -i $INTERNALNIC -t mangle -p tcp --dport 6667 -j MARK --set-mark 2
iptables -A PREROUTING -i $INTERNALNIC -t mangle -p tcp --dport 6669 -j MARK --set-mark 2 #ssl
iptables -A PREROUTING -i $INTERNALNIC -t mangle -p tcp --dport 7070 -j MARK --set-mark 2 #freenode alternative port

#put a specific machine on one connection
iptables -A PREROUTING -i $INTERNALNIC -t mangle -p udp -s 192.168.0.30 -j MARK --set-mark 2
iptables -A PREROUTING -i $INTERNALNIC -t mangle -p tcp -s 192.168.0.30 -j MARK --set-mark 2







Re: 3 internet links thru firewall to windows PC

Jon Clausen
On Wed, 27 Sep, 2006 at 07:53:01 +0100, [hidden email] wrote:

<snip>

> > my question is,
> >
> > how do i tell my SuSEFirewall to separate the traffic
> > for the 3 links, i want the windows server to sit
> > behind the firewall, probably in a DMZ,
> > but its traffic should only pass through one of the
> > other 2 links.
>
> You can load additional custom rules into SuSEfirewall2 using the
> /etc/sysconfig/scripts/SuSEfirewall2-custom file, after enabling it in
> /etc/sysconfig/SuSEfirewall2.

True.

> I'm not entirely sure if I understand your
> question correctly,

Me neither... :P

<snip>

> The methods for doing such things are described in full at lartc.org I
> suggest you read there.

Sound advice, but

> ------

<big snip>

In general...

If you want to do complicated routing/firewalling, but for some reason
aren't up to the task of understanding iptables...

Replace SuSEfirewall with Shorewall.

It's been a while since I last did anything serious with Shorewall (if you
don't count setting up proxyarping for use with my new ISP) and I'm not sure
where it's at these days, but:

Anything involving three WAN links, DMZ, server, LAN, and the rules to
control all that, *will* inherently become somewhat complicated.

What Shorewall does is substitute the horrors^H^H^H^H^H^H^H complexity of
iptables for a very comprehensive and supremely well documented set of
configuration files.

Basically Shorewall is vastly more capable than SuSEfirewall is, but still
manages to be human readable, which raw iptables (IMHO) is not.

HTH
/Jon
--
YMMV



Re: 3 internet links thru firewall to windows PC

John Andersen
On Wednesday 27 September 2006 08:37, Jon Clausen wrote:
> Basically Shorewall is vastly more capable than SuSEfirewall is, but still
> manages to be human readable, which raw iptables (IMHO) is not.


Full ACK!

Shorewall is the way to go.

--
_____________________________________
John Andersen
