LinuxQuestions.org

Linux - Security: shorewall on centos (https://www.linuxquestions.org/questions/linux-security-4/shorewall-on-centos-435204/)

vbsaltydog 04-14-2006 04:14 PM

shorewall on centos
 
Task: setup shorewall with multiple public ips on a single external nic card to forward http and https requests to internal web server(s).

Proposed Solution: shorewall with 2 interfaces, external nic using aliases for multi-ip addressing and dnat rules for each public ip to each private ip for each secure domain.

Current problem: When I bind an alias to my external nic by copying the file /network-scripts/ifcfg-eth1 to /network-scripts/ifcfg-eth1:0 and then modifying the new file to suit new ip and card name and restarting the network service, all seems well. The results of ifconfig show both nics and I can ping both addresses, but I can't seem to get shorewall to recognize the eth1:0 nic.

Any advice is appreciated.

Also, is port forwarding for each alias the best solution or would 1 to 1 nat be better suited for this setup?

javaroast 04-14-2006 08:50 PM

From the Shorewall documentation http://www.shorewall.net/Shorewall_a...nterfaces.html

The ifconfig utility is being gradually phased out in favor of the ip utility which is part of the iproute package. The ip utility does not use the concept of aliases or virtual interfaces but rather treats additional addresses on an interface as objects in their own right.

ip addr add 206.124.146.178/24 dev eth0

I use this method on a corporate firewall that has over 30 IPs with no problems.

vbsaltydog 04-14-2006 08:53 PM

Quote:

Originally Posted by javaroast
ip addr add 206.124.146.178/24 dev eth0

where do you place this code and do you still need the ifcfg-ethX:X file under the network-scripts directory?

javaroast 04-15-2006 02:57 AM

I run mine in rc.local, because I have some other things running there and it's convenient for me. You won't need an ifcfg-ethX:X file as the ip address is assigned to the dev ethX that you use.
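The approach in the two replies above (extra public addresses added with `ip addr add` from rc.local, no ifcfg-ethX:N files, Shorewall told only about the base interface) as an added, self-contained example that is not code from the thread or from the Shorewall project. The interface name eth1, the /24 prefix length, and the public/private address pairs are assumptions; the public addresses are from the RFC 5737 documentation range and the internal ones are a made-up LAN. The script also emits the matching /etc/shorewall/rules DNAT lines, one per public address, which is the port-forwarding variant the original question asks about.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall itself).
# Assumptions: external NIC is eth1, public addresses are in a /24,
# internal web servers live on the assumed 10.0.0.0/8 LAN.

EXT_IF=eth1
PREFIX_LEN=24

# Constructed mapping, one "public_ip private_ip" pair per line.
# 203.0.113.0/24 is RFC 5737 documentation space; adjust for real use.
NAT_MAP="203.0.113.10 10.0.0.10
203.0.113.11 10.0.0.11
203.0.113.12 10.0.0.12"

# Print one ip(8) command per public address. "ip addr add" fails with
# "RTNETLINK answers: File exists" when the address is already present, so
# each command first checks for it; the script is therefore safe to re-run
# from rc.local or by hand. grep -F treats the dotted address literally.
gen_addr_cmds() {
    printf '%s\n' "$NAT_MAP" | while read -r pub priv; do
        [ -n "$pub" ] || continue
        printf 'ip addr show dev %s | grep -qF " %s/" || ip addr add %s/%s dev %s\n' \
            "$EXT_IF" "$pub" "$pub" "$PREFIX_LEN" "$EXT_IF"
    done
}

# Emit /etc/shorewall/rules lines: forward tcp 80 and 443 arriving from the
# net zone for each public address to the matching internal host. Column
# order is ACTION SOURCE DEST PROTO DEST_PORT SOURCE_PORT ORIGINAL_DEST.
# Shorewall only needs eth1 in /etc/shorewall/interfaces; the extra
# addresses are matched through ORIGINAL_DEST, not through an alias name.
gen_shorewall_rules() {
    printf '%s\n' "$NAT_MAP" | while read -r pub priv; do
        [ -n "$pub" ] || continue
        printf 'DNAT\tnet\tloc:%s\ttcp\t80,443\t-\t%s\n' "$priv" "$pub"
    done
}

# Run (or, with dry=1, only print) the generated address commands.
apply_addrs() {
    dry="${1:-1}"
    gen_addr_cmds | while read -r cmd; do
        if [ "$dry" = 1 ]; then
            echo "$cmd"
        else
            sh -c "$cmd"
        fi
    done
}

# Usage:  sh multi-ip.sh apply    (from rc.local, as root: adds the addresses)
#         sh multi-ip.sh rules    (prints lines to paste into /etc/shorewall/rules)
#         sh multi-ip.sh          (preview: prints the ip commands, runs nothing)
case "${1:-preview}" in
    apply) apply_addrs 0 ;;
    rules) gen_shorewall_rules ;;
    *)     apply_addrs 1 ;;
esac
```

The DNAT rules can be loaded before the addresses exist, because ORIGINAL_DEST is only a packet match; the host simply will not answer ARP for a public address until `ip addr add` has run. After editing the mapping, re-run the script for the addresses and restart Shorewall for the rules. Note that `ip addr add` without a `label` argument produces exactly the "no alias" situation the reply describes, so ifconfig will not show eth1:0 at all; use `ip addr show dev eth1` to verify.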

vbsaltydog 04-17-2006 12:19 AM

Thank you. I added the code to rc.local and it works great.

