First I would like to clear up some questions I found on the internet.
Will IProute2 work with 2 or more interfaces configured as DHCP clients?
Yes, I have it configured that way; you just have to re-run the network script when the IP addresses change (maybe a next lab). In the script you only have to define the interfaces; the GW and IP address do not need to be known.
Do I have to map the MAC addresses to make it work?
No. Although it is good security practice, it is not really needed.
If I have two gateways defined when I run netstat -nr, does routing go down?
Yes, unless you use IProute2; in that case both gateways are ignored, a feature needed for DHCP interfaces.
Now, let's start with the configuration. The network diagram I used to make this work is below, along with the interface names; I added the script variable names just for reference:
We need iproute and networking (installed by default); this is how to check they are installed:
ii iproute 20080725-2 networkis
ii net-tools 1.60-22 The NET-t
Once again, here is my initial configuration, including how the netstat -nr table looks with 2 GWs, before making it run.
All this work was done on a Soekris box! The interface ath0 was configured as a WAP wireless connection.
ath0 - DHCP configured (155.17.122.x)
eth0 - DHCP configured (192.168.1.x)
eth1 - 10.10.10.254/24
eth2 - 172.16.32.254/24

# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    ath0
22.214.171.124  0.0.0.0         255.255.255.0   U     0   0      0    eth0
172.16.0.0      0.0.0.0         255.255.0.0     U     0   0      0    eth2
10.0.0.0        0.0.0.0         255.0.0.0       U     0   0      0    eth1
0.0.0.0         126.96.36.199   0.0.0.0         UG    0   0      0    eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG    0   0      0    ath0
In SOAD-IProute-2.sh you only have to modify the interfaces with Internet access, the networks that will share the Internet, and the table names.
If more networks need to be added, you will have to create more variables and add the ip rules; remember to add the matching del rule so the stop function works!
Table1="Perot"
Dev1="eth0"
Table2="NocDell"
Dev2="ath0"
#LocalNetworks to Avoid NAT
Net11="10.10.10.0/24"
Net21="172.16.32.0/24"
In the second script, SOAD-Firewall_Start.sh, I reuse the variables already defined in SOAD-IProute-2.sh; this gives you the possibility of using the Linux box only as a router and defining the variables in just one script.
#Delete routes (errors are discarded so a missing rule does not abort the script)
ip rule del from $Net11 to $Net11 2> /dev/null
ip rule del from $Net21 to $Net21 2> /dev/null
ip rule del from $Net21 to $Net11 2> /dev/null
ip rule del from $Net11 to $Net21 2> /dev/null
#Add routes
ip rule add from $Net11 to $Net11 table main pref 3
ip rule add from $Net21 to $Net21 table main pref 4
ip rule add from $Net21 to $Net11 table main pref 5
ip rule add from $Net11 to $Net21 table main pref 6
You can use some other firewall to do the NAT, let's say Checkpoint for example. (Make sure to put the scripts in /etc/init.d.) The firewall script sources the routing script to pick up its variables:
. /etc/init.d/SOAD-IProute-2.sh
The firewall script will NAT using the external IP address of each Internet access. I have commented out the logging rules in the script; enable them when you need to debug the connections, and review your dmesg.
#iptables -t nat -A POSTROUTING -s $Net11 -o $Dev1 -j \
#    LOG --log-prefix "NAT Internet Perot"
iptables -t nat -A POSTROUTING -s $Net11 -o $Dev1 -j \
    SNAT --to-source $IP1
#iptables -t nat -A POSTROUTING -s $Net21 -o $Dev2 -j \
#    LOG --log-prefix "NAT Internet NocDell"
iptables -t nat -A POSTROUTING -s $Net21 -o $Dev2 -j \
    SNAT --to-source $IP2
Now the explanation of how IProute2 works. First we need the table names defined in /etc/iproute2/rt_tables (note that >> appends on every run, so check for an existing entry before adding it again):
echo 1 $Table1 >> /etc/iproute2/rt_tables
echo 2 $Table2 >> /etc/iproute2/rt_tables
We will have two routing tables on the Soekris box (Linux), each routing table with its own default GW. We do this by running:
ip route add default via $Gw1 dev $Dev1 table $Table1
ip route add default via $Gw2 dev $Dev2 table $Table2
Now we just have to use ip rules to define when a packet will go to a specific table. Adding a preference gives us the opportunity to redirect the local interfaces' traffic to the main table; otherwise a simple ssh to the GW interface won't work.
ip rule add from $Net11 table $Table1 pref 100
ip rule add from $Net21 table $Table2 pref 101
The local "No-Routing" rules are defined as:
ip rule add from $Net11 to $Net11 table main pref 3
ip rule add from $Net21 to $Net21 table main pref 4
ip rule add from $Net21 to $Net11 table main pref 5
ip rule add from $Net11 to $Net21 table main pref 6
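As an added example (not one of the SOAD scripts), here is how the routing script can avoid hard-coding the IP and GW of a DHCP interface: it derives them from captured "ip" output, prints the per-table route, rule and SNAT commands described above, and registers the rt_tables entry only once. The sample ip output is constructed from the status listing on this page; the functions only print commands and apply nothing.

```shell
#!/bin/sh
# Added example, not one of the SOAD scripts: derive the address and gateway of a
# DHCP interface from captured "ip" output (so only the device name is needed),
# build the per-table commands, and add the rt_tables entry only once.
# Everything here only prints; nothing is applied to the kernel.

# First IPv4 address (prefix stripped) from "ip -4 addr show dev <if>" output.
addr_from_ip_output() {
    printf '%s\n' "$1" | awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }'
}

# Gateway from "ip route show dev <if>" output ("default via <gw> ...").
gw_from_route_output() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Commands for one table: default route, source rule and the matching SNAT.
# "ip route replace" is used instead of "add" so a re-run after a DHCP change
# overwrites the old gateway instead of failing with "File exists".
table_commands() {
    table=$1 dev=$2 addr=$3 gw=$4 net=$5 pref=$6
    printf 'ip route replace default via %s dev %s table %s\n' "$gw" "$dev" "$table"
    printf 'ip rule add from %s table %s pref %s\n' "$net" "$table" "$pref"
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' "$net" "$dev" "$addr"
}

# Append "<id> <name>" to an rt_tables file unless the name is already present,
# so repeated starts do not pile up duplicate entries (a plain >> does).
ensure_rt_table() {
    grep -q "[[:space:]]$3\$" "$1" 2>/dev/null || printf '%s\t%s\n' "$2" "$3" >> "$1"
}

# Constructed sample output for ath0 (addresses taken from the status listing).
SAMPLE_ADDR='3: ath0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 192.168.1.231/24 brd 192.168.1.255 scope global dynamic ath0
       valid_lft 86125sec preferred_lft 86125sec'
SAMPLE_ROUTE='default via 192.168.1.254
192.168.1.0/24 proto kernel scope link src 192.168.1.231'

# Dry run: print what would be executed for the NocDell table.
table_commands NocDell ath0 "$(addr_from_ip_output "$SAMPLE_ADDR")" \
    "$(gw_from_route_output "$SAMPLE_ROUTE")" 172.16.32.0/24 101
```

On the real box you would feed the functions with `ip -4 addr show dev "$Dev2"` and `ip route show dev "$Dev2"` instead of the constructed samples, and pipe the printed commands to sh once they look right.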
Now that we understand IProute2 and have the variables in the script set up, we just need to run the start commands below. They start the routing and firewall scripts; I've added a status parameter so we can review the routing tables and the NAT rules, because without it reviewing iproute2 is a pain in the ass!!!
./SOAD-IProute-2.sh start
Advance Routing Starting ....:.
./SOAD-Firewall_Start.sh start
Starting Firewall and NAT Rules:.
-- Network routing Status
# ./SOAD-IProute-2.sh status
-------------------------------
Print Table --Perot ---
Interface eth0 - 188.8.131.52
Route for Perot
default via 184.108.40.206 dev eth0
Rules for Perot
100: from 10.10.10.0/24 lookup Perot
-------------------------------
Print Table --NocDell ---
Interface ath0 - 192.168.1.231
Route for NocDell
default via 192.168.1.254 dev ath0
Rules for NocDell
101: from 172.16.32.0/24 lookup NocDell
-------------------------------
Print Table -- Main ---
Route for Main
192.168.1.0/24 dev ath0 proto kernel scope link src 192.168.1.231
220.127.116.11/24 dev eth0 proto kernel scope link src 18.104.22.168
172.16.0.0/16 dev eth2 proto kernel scope link src 172.16.32.254
10.0.0.0/8 dev eth1 proto kernel scope link src 10.10.10.254
default via 22.214.171.124 dev eth0
default via 192.168.1.254 dev ath0
Rules for Main
3: from 10.10.10.0/24 to 10.10.10.0/24 lookup main
4: from 172.16.32.0/24 to 172.16.32.0/24 lookup main
5: from 172.16.32.0/24 to 10.10.10.0/24 lookup main
6: from 10.10.10.0/24 to 172.16.32.0/24 lookup main
32766: from all lookup main

-- NAT Status
# ./SOAD-Firewall_Start.sh status
-------------------------------
Print NAT Table For Perot and NocDell---
Chain POSTROUTING (policy ACCEPT)
target  prot opt source          destination
SNAT    all  --  10.10.10.0/24   anywhere      to:126.96.36.199
SNAT    all  --  172.16.32.0/24  anywhere      to:192.168.1.231
Now I give you the work of many weeks, the scripts.