LinuxQuestions.org
Old 03-20-2004, 12:03 AM   #1
rioguia
Member
 
Registered: Jun 2002
Posts: 411

two public ips on one nic for home office dns servers


Here is what I am trying to accomplish conceptually. I have two ip addresses to correspond to two dns servers on my home office adsl like in the diagram below. I currently have one nic configured for these two ip addresses (eth0 and eth0:0). I can ping both of these public ip addresses from the internal network.

I have several questions. I would appreciate any references to how-to's.

1. Do I need a bridge?
2. Can my linux box act as a bridge and what would the firewall rules look like?

ADSL   ---------  Linux  ---------  DMZ segment
Modem             Server                 PUBLIC IPs (66.77.88.xx and 66.77.88.yy)
                                 |
                                +-------------  Internal net
                                                     private IPs
 
Old 03-20-2004, 06:54 AM   #2
AutOPSY
Member
 
Registered: Mar 2004
Location: US
Distribution: Redhat 9 - Linux 2.6.3
Posts: 836

Is something broken?
(nevermind, just read that you said conceptually)

What would you need a firewall for in that kind of setup?

Last edited by AutOPSY; 03-20-2004 at 06:56 AM.
 
Old 03-20-2004, 11:25 AM   #3
usernamenumber
Member
 
Registered: Sep 2003
Location: Somerville, MA
Distribution: Fedora/RHEL currently. Red Hat, Slackware, Debian, SuSe and Mandrake at other times
Posts: 104

I think it would be more accurate to call the Linux box a router in this case, but yes, your Linux box can facilitate communication between all three networks.

You'll first need to make sure that ip forwarding is on on your system. You can do this by executing:

echo 1 > /proc/sys/net/ipv4/ip_forward

This should cause your kernel to start relaying packets that arrive on one interface and are destined for a network attached to another interface. The default is for this behavior to be off. Be warned that this change will not survive a reboot. To make the change persistent, you will have to either put the above command in rc.local or on most distributions you should have a /etc/sysctl.conf file. The preferred method would be to add

net.ipv4.ip_forward = 1

to that file.

After doing this your DMZ network should be able to communicate with the rest of the world. But your internal network has private, nonroutable IPs so you will have to do some NAT (network address translation). The iptables command you want would be something like:

iptables -t nat -A POSTROUTING -s <internal net/mask> -o <ADSL interface> -j MASQUERADE

This will cause all packets that are from your internal net and destined for the internet to have their source IPs swapped for the Linux box's public IP. Incoming replies to those packets then have their destination IPs swapped for the appropriate internal IP and are forwarded to the original sender.

Hope this helps!

--Brad
 
Old 03-20-2004, 09:45 PM   #4
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

I had a bridge setup for a while and it works great.

I would probably use a bridge for the DMZ and masquerade the private LAN.

See the Bridge HOWTO or search the forums for some examples. I posted one quite a while back.
 
Old 03-25-2004, 12:27 AM   #5
rioguia
Member
 
Registered: Jun 2002
Posts: 411

Original Poster
thanks, this will take some thinking

Dave: you have some great posts on this subject. I'm not sure how I missed them with the search "two public IP address eth0". The second URL has a great discussion of the interworkings of ARP and TCP/IP protocol.

Anyway, I've collected some of them here for future reference.

http://www.linuxquestions.org/questi...ghlight=bridge

http://www.linuxquestions.org/questi...ghlight=bridge

I do have a couple of questions referencing my network layout.

1. Could I simplify things by making the "linux server" one of my DNS servers, giving it one of the two public IP addresses? That way, my wife won't complain about me running yet another PC.

2. Does it matter if the private network is attached via a hub, switch, or a router? I'm currently using a wireless router with a 4-Port Switch (that also handles my wife's need to have a wireless connection; I've had so many bad experiences with wireless that I was amazed that the Netgear WGR614 works like a charm.) In one of your postings, you kept emphasizing that the questioner was using a hub and I'm not sure of the difference between a hub and a switch in this context.

3. Is there a good text book for issues like this?
 
Old 03-27-2004, 03:05 PM   #6
DavidPhillips
LQ Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,163

The Linux server will handle all of the services without a problem. DNS is not going to cause any problem.


It should not matter how it is connected. However, it may of course depend on the settings of the switch or router. I use a separate interface for my wireless, mainly due to the firewall setup. I am using openvpn over the wireless so only port 5000 is open.


I have not seen any books on this specific issue.
 
Old 08-10-2004, 02:32 PM   #7
rioguia
Member
 
Registered: Jun 2002
Posts: 411

Original Poster
David: I am finally getting back to this long-delayed project. I have tried to make a script based on your posts that will allow a single network card to route two public IP addresses to two SOHO Apache/DNS/Mail Servers and masquerade PC's on a private SOHO network described above. I'm not a programmer so this probably needs extensive revision. Could you take a look at it?

#!/bin/sh
# A script called /etc/rc.d/rc.br0 to allow a single network card to route
# two public IP addresses to a pair of SOHO Apache/DNS/Mail servers
# based on a post by David Phillips at
# http://www.linuxquestions.org/questi...threadid=38890
#
# BEFORE RUNNING THIS SCRIPT, TAKE THE FOLLOWING FOUR STEPS
#
# STEP ONE: Back up network boot scripts and create replacements as follows:
# cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0.bak
#
# STEP TWO: Create new files for the interfaces and make the script run at boot:
#
# echo DEVICE=eth0 > /etc/sysconfig/network-scripts/ifcfg-eth0
# echo onBOOT=no >> /etc/sysconfig/network-scripts/ifcfg-eth0
# echo DEVICE=eth0:0 > /etc/sysconfig/network-scripts/ifcfg-eth0:0
# echo onBOOT=no >> /etc/sysconfig/network-scripts/ifcfg-eth0:0
# echo DEVICE=br0 > /etc/sysconfig/network-scripts/ifcfg-br0
# echo onBOOT=no >> /etc/sysconfig/network-scripts/ifcfg-br0
# echo "/etc/rc.d/rc.br0" >> /etc/rc.d/rc.local
#
# STEP THREE: Make this script executable, chmod 755 /etc/rc.d/rc.br0
#
# STEP FOUR: Take down the interface before running the script, ifconfig eth0 down
#
# Now the script starts:

echo "#!/bin/sh" > /etc/rc.d/rc.br0
echo "brctl addbr br0" >> /etc/rc.d/rc.br0
echo "brctl addif br0 eth0" >> /etc/rc.d/rc.br0
echo "brctl addif br0 eth0:0" >> /etc/rc.d/rc.br0

echo "ip link set br0 up" >> /etc/rc.d/rc.br0
echo "ip link set eth0 up" >> /etc/rc.d/rc.br0
echo "ip link set eth0:0 up" >> /etc/rc.d/rc.br0

echo "Starting up Interface br0" >> /etc/rc.d/rc.br0
echo "This will take 60 seconds" >> /etc/rc.d/rc.br0

# Now you have THREE OPTIONS.
# OPTION #1:
# Use this if there is dhcp on the network.
#
# echo "dhcpcd br0" >> /etc/rc.d/rc.br0
#
# OPTION #2:
# Use this if the network uses manually assigned ip
# addresses and routing where xxx=the ip of choice and yyy=the
# default gateway. Note: you will need nameservers in /etc/resolv.conf
# for dns to work on this machine.
#
echo "ifconfig br0 xxx.xxx.xxx.xxx" >> /etc/rc.d/rc.br0
echo "route add default gw yyy.yyy.yyy.yyy" >> /etc/rc.d/rc.br0
#
# OPTION #3:
# Don't set an ip, the computer will not have an ip and will be invisible.
#
# Now we are ready to run the script to set up the bridge. You can just
# issue the command, /etc/rc.d/rc.br0 &

Last edited by rioguia; 08-10-2004 at 03:34 PM.
 
Old 08-10-2004, 02:52 PM   #8
arno
Member
 
Registered: Jul 2004
Location: Netherlands
Distribution: fedora core 8, suse 10.3, ubuntu 7.10, kamikaze 7.09
Posts: 515

You can use iptables; I have posted an example in the following thread

http://www.linuxquestions.org/questi...hreadid=215175
 
Old 08-10-2004, 03:33 PM   #9
rioguia
Member
 
Registered: Jun 2002
Posts: 411

Original Poster
Is there a reference in your script to eth0:0?

Is there a reference in your script to eth0:0? I don't understand how the script routes the second IP address. Can you explain that?
 
Old 08-10-2004, 03:48 PM   #10
arno
Member
 
Registered: Jul 2004
Location: Netherlands
Distribution: fedora core 8, suse 10.3, ubuntu 7.10, kamikaze 7.09
Posts: 515

Change your script into something like this

# IPTABLES and INET_IFACE are set in the full script in the linked thread;
# values below are assumed placeholders so this fragment runs on its own.
IPTABLES=/sbin/iptables
INET_IFACE=eth0

NAT_DNS_IP_1="66.77.88.xx"
DMZ_DNS_IP_1="192.168.31.xx"
NAT_DNS_IP_2="66.77.88.yy"
DMZ_DNS_IP_2="192.168.31.yy"


$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $NAT_DNS_IP_1 --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP_1
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $NAT_DNS_IP_1 --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP_1
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $NAT_DNS_IP_2 --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP_2
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $NAT_DNS_IP_2 --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP_2
 
Old 08-10-2004, 03:52 PM   #11
arno
Member
 
Registered: Jul 2004
Location: Netherlands
Distribution: fedora core 8, suse 10.3, ubuntu 7.10, kamikaze 7.09
Posts: 515

Don't forget the following

# "allowed" and "icmp_packets" are user-defined chains from the full script
# in the linked thread; DMZ_IFACE is the interface facing the DMZ servers.
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP_1 \
--dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP_1 \
--dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP_1 \
-j icmp_packets
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP_2 \
--dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP_2 \
--dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP_2 \
-j icmp_packets
 
Old 08-10-2004, 04:27 PM   #12
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

I am currently reading the book "Firewalls and Internet Security: Repelling the Wily Hacker".
You might want to pick it up, or read the first edition online at http://www.wilyhacker.com/1e. I don't have it at hand, but as I remember the recommended configuration is for one DNS outside the gateway which knows nothing about the computers inside, and one DNS inside the gateway (local) which knows nothing about outside computers.
 
Old 08-19-2004, 03:59 PM   #13
rioguia
Member
 
Registered: Jun 2002
Posts: 411

Original Poster
shorewall

I got this set up to work using the shorewall.net firewall, using the install instructions for a firewall with more than one public IP address as modified by the IP aliasing how-to at that same site. Shorewall basically configures standard iptables using a text file interface. Until I learn how to edit iptables directly, I will stick with the product.

Unfortunately for me, the shorewall how-to assumed at least 3 public IP addresses (one to spare for the firewall) so that the DMZ can be handled through proxy ARP. I only had two IPs and had to use a more crude approach, essentially using DNAT for all external inquiries for my DMZ servers and SNAT for outgoing traffic, with the local network's outgoing traffic sharing the IP of my secondary server.

A further complication arises where all of my external http / dns / mail services are available on the internet but not internally. For the local machines to access the web, it will require a DNS split view on the DMZ servers or adding a third DNS server for local network PCs on the firewall to handle traffic from the local PCs. Since that seems like a separate issue, I will post a separate thread.

Last edited by rioguia; 09-20-2004 at 01:32 PM.
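The layout rioguia ends up with in post #13 (inbound DNAT to the DMZ servers, SNAT of each server's outbound traffic to its own public IP, the LAN sharing the secondary IP), combined with the ip_forward/MASQUERADE advice from post #3 and the per-port DNAT/FORWARD pattern from arno's posts #10 and #11, as one default-deny iptables policy. This is an added example, not a script from the thread or from shorewall; the addresses, the 192.168.1.0/24 LAN, the interface names and the service list are constructed placeholders, and it also adds hairpin NAT so LAN clients can reach the public names without the split DNS the last post mentions.

```shell
#!/bin/sh
# Added example (not from the thread): firewall for one NIC holding two public
# IPs, DMZ hosts on private addresses, and a masqueraded LAN. The addresses and
# interface names are constructed placeholders; edit them before use.
INET_IFACE=eth0                              # carries both public IPs (eth0, eth0:0)
DMZ_IFACE=eth1                               # DMZ segment, renumbered to private space
LAN_IFACE=eth2                               # internal net
PUB_IP_1=66.77.88.10; DMZ_IP_1=192.168.31.10 # first Apache/DNS/mail host
PUB_IP_2=66.77.88.11; DMZ_IP_2=192.168.31.11 # second host; the LAN shares this IP
LAN_NET=192.168.1.0/24
IPTABLES=${IPTABLES:-iptables}

# Emits the commands instead of running them, so the policy can be reviewed
# (or diffed) first; run with APPLY=1 to load it.
fw_rules() {
  echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
  echo "$IPTABLES -F; $IPTABLES -t nat -F"
  echo "$IPTABLES -P FORWARD DROP"            # default deny; open only what follows
  echo "$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
  for pair in "$PUB_IP_1 $DMZ_IP_1" "$PUB_IP_2 $DMZ_IP_2"; do
    set -- $pair; pub=$1; dmz=$2
    # Inbound: each published service on the public IP is DNATed to its DMZ host
    # and only that port is allowed through FORWARD (arno's pattern, posts #10/#11).
    for svc in "udp 53" "tcp 53" "tcp 80" "tcp 25"; do
      set -- $svc; proto=$1; port=$2
      echo "$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p $proto -d $pub --dport $port -j DNAT --to-destination $dmz"
      echo "$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -p $proto -d $dmz --dport $port -m state --state NEW -j ACCEPT"
    done
    # Outbound: the host's own traffic leaves under its own public IP (post #13).
    echo "$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $dmz -j SNAT --to-source $pub"
    echo "$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -s $dmz -m state --state NEW -j ACCEPT"
    # Hairpin: lets LAN clients use the public names without split DNS. The LAN
    # source is masqueraded so the DMZ host's reply returns via the router.
    echo "$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -d $pub -j DNAT --to-destination $dmz"
    echo "$IPTABLES -t nat -A POSTROUTING -o $DMZ_IFACE -s $LAN_NET -d $dmz -j MASQUERADE"
    echo "$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -s $LAN_NET -d $dmz -m state --state NEW -j ACCEPT"
  done
  # LAN: outbound only, sharing the secondary public IP (post #3's MASQUERADE
  # idea, but SNAT to a fixed address since the NIC holds two).
  echo "$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_NET -j SNAT --to-source $PUB_IP_2"
  echo "$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -s $LAN_NET -m state --state NEW -j ACCEPT"
}

if [ "${APPLY:-0}" = 1 ]; then fw_rules | sh -e; else fw_rules; fi
```

Review the printed rules first (`sh thisfile`), then load them with `APPLY=1 sh thisfile` as root; the eth0:0 alias still needs to exist so the box answers ARP for the second public IP.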
 