Mailinglist Archive: opensuse-security (320 mails)

< Previous Next >
SuSEfirewall2, 3 nics, 2 ISPs, NAT, iproute2, dual routing tables... oh the humanity!
  • From: <nhoward@xxxxxxxxxxxxxxxxx>
  • Date: Mon, 19 May 2003 16:03:54 -0500 (CDT)
  • Message-id: <22052.207.64.152.20.1053378234.squirrel@xxxxxxxxxxxxxxxxxxxxxxxxx>
I am about to build a frankenstein monster out of my SuSE 8.1 Linux
internet server / NAT router-firewall machine.... at least I'm going to
try. Presently the machine has two nics in it, one is the external
internet nic and the other is an internal network nic, with an rfc1918
address, in the classic firewall/router/bastion-host setup.

I presently have a wireless ISP who gives me a static IP address, and the
bandwidth is good enough for hosting my vanity domain name web and email
servers but is not always so good (too much packet delay/latency) for my
online game playing from windows boxes on my interior network which is
NAT'ed by the Linux box as my internet router and firewall machine. Let's
call this one ISP "A".

I just signed up for a broadband cablemodem connection, which will only
give me a dynamic ip address that will change frequently. Let's call this
one ISP "B".

I wish to add a third nic into my Linux machine and have it connected to
both ISP's and have all my web/email/ssh server traffic running on that
Linux machine routed out to the internet via the nic connected to ISP "A"
and have my NAT'ed interior network traffic from the windows boxes routed
out via the nic connected to the cablemodem ISP "B".

Now if it weren't for my SuSEfirewall2 settings coming into play, I think
I can do this via setting up two different routing tables and taking
advantage of iproute2's abilities... I've found some config examples on
usenet and have read the howto at

http://lartc.org/howto/lartc.rpdb.multiple-links.html

to get the basic networking stuff supporting this abominable nightmare,
but I have grown too comfortable with my SuSEfirewall2 settings which make
me feel safer against keeping the booger-man out of my Linux machine and
the various other machines I have NAT'ed behind the Linux machine. From
what I've been able to see with my limited knowledge of SuSEfirewall2, it
seems that this wonderful iptables management tool is geared primarily for
the model of having one external nic, one internal nic, and perhaps also a
"dmz" third nic.

Can the SuSEfirewall2 in SuSE 8.1 (in present form as shipped) support
both my external nics and two ISP's and the multiple routing tables mess
that I desire to have the best of both worlds? If so, can anyone possibly
point me to some configuration examples showing me how to protect against
evil traffic coming inbound from both external interfaces while still
allowing desired traffic coming inbound from both nics, and allowing my
desired outbound traffic to go out the appropriate nic as specified in the
respective routing table?

Also, as if I'm not enough of a glutton for punishment... I may even wish
to add a fourth nic in the futire to be a NAT'ed "DMZ" of sorts on yet
another rfc1918 network address separate from my windows network, for the
purpose of placing a dedicated UT2003 server machine.

Am I asking for too much in expecting to be able to do this all with one
single Linux machine? I know it would probably be simpler to have dual
machines (or just get a cheap Linksys router), one for each ISP, but I'm a
cheap bastard who is out of money now after paying for two ISPs and would
like to try to make all this complicated mess work on a single Linux box.

Thanks for any help.
Neal



< Previous Next >
This Thread
  • No further messages