11-03-2011, 01:34 AM
Fajar Priyanto

Centos Firewall - router with virtual IP

Hi all,
I haven't found anything in Google about this.

I'm creating a firewall router with CentOS with a few virtual IPs using iptables.

May I ask for your experience?
Is there any pitfall or bad side of using virtual IPs for this purpose?
I'm using a few virtual IPs to accommodate a few subnets that go through
this firewall/router.

Thank you.
Fajar.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
11-03-2011, 09:16 AM
News

On 03/11/2011 3.34, Fajar Priyanto wrote:
> Hi all,
> I haven't found anything in Google about this.
>
> I'm creating a firewall router with CentOS with a few virtual IPs using iptables.
>
> May I ask for your experience?
> Is there any pitfall or bad side of using virtual IPs for this purpose?
> I'm using a few virtual IPs to accommodate a few subnets that go through
> this firewall/router.
>
> Thank you.
> Fajar.

I use shorewall for this
http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html

Amedeo
 
11-03-2011, 01:21 PM
Ljubomir Ljubojevic

On 11/03/2011 11:16 AM, News wrote:
> On 03/11/2011 3.34, Fajar Priyanto wrote:
>> Hi all,
>> I haven't found anything in Google about this.
>>
>> I'm creating a firewall router with CentOS with a few virtual IPs using iptables.
>>
>> May I ask for your experience?
>> Is there any pitfall or bad side of using virtual IPs for this purpose?
>> I'm using a few virtual IPs to accommodate a few subnets that go through
>> this firewall/router.
>
> I use shorewall for this
> http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html
+1

You also need to be sure what you want to do exactly. If subnets need to
be behind that firewall, but routed and not NATed, then you are not to
use virtual IPs, but to implement pass-through/routing. Virtual IPs
are only used for NAT-ing, not for routing subnets.

--

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
 
11-03-2011, 09:14 PM
Tom

On Thu, 3 Nov 2011, Lorenzo Martínez Rodríguez wrote:

> On 03/11/11 11:16, News wrote:
>
>> Hi all,
>> I haven't found anything in Google about this.
>>
>> I'm creating a firewall router with CentOS with a few virtual IPs using iptables.
>>
>> May I ask for your experience?
>> Is there any pitfall or bad side of using virtual IPs for this purpose?
>> I'm using a few virtual IPs to accommodate a few subnets that go through
>> this firewall/router.
>
> I would not know why there would be a problem. My external interface on my iptables
> firewall has 30 ip addresses on it. Been running it that way for 8 or 10 years.
>
> I use Firewall Builder http://www.fwbuilder.org to manage the ruleset
> and I am very happy with it.

+1 for fwbuilder. I have been using it since it was version 1.x. It is now 5.x
and you would be hard pressed to pry it out of my cold dead hands. :-)

Besides the fact that the program does a very good job of managing iptables
firewalls, the devs are very responsive to bug fixes and feature enhancements.


Regards,

--
Tom me@tdiehl.org Spamtrap address me123@tdiehl.org
 
11-03-2011, 09:59 PM
John R Pierce

On 11/02/11 7:34 PM, Fajar Priyanto wrote:
> I'm creating a firewall router with CentOS with a few virtual IPs using iptables.
>
> May I ask for your experience?
> Is there any pitfall or bad side of using virtual IPs for this purpose?
> I'm using a few virtual IPs to accommodate a few subnets that go through
> this firewall/router.

now, when you say 'virtual IP', do you mean alias IPs on your WAN
(outside) interface(s), or multiple private subnets on the LAN (inside)
interface(s) ? none of those are 'virtual' in any sense I'd use that
adjective.


--
john r pierce N 37, W 122
santa cruz ca mid-left coast

 
11-03-2011, 11:43 PM
Fajar Priyanto

On Fri, Nov 4, 2011 at 6:59 AM, John R Pierce <pierce@hogranch.com> wrote:
> On 11/02/11 7:34 PM, Fajar Priyanto wrote:
>> I'm creating a firewall router with CentOS with a few virtual IPs using iptables.
>>
>> May I ask for your experience?
>> Is there any pitfall or bad side of using virtual IPs for this purpose?
>> I'm using a few virtual IPs to accommodate a few subnets that go through
>> this firewall/router.
>
> now, when you say 'virtual IP', do you mean alias IPs on your WAN
> (outside) interface(s), or multiple private subnets on the LAN (inside)
> interface(s) ? none of those are 'virtual' in any sense I'd use that
> adjective.

Hi John, thanks for asking.
My firewall setup is like this:
Physical NIC:
eth0 - to outside world
eth1 - to LAN
There is masquerading in eth0 so LAN can go to internet

Now, I'm adding some virtual interface eth1:0, eth1:1... so on to
accommodate new subnets created in the LAN.

My concern comes from this question: how is the MAC addressing
handled (by the switches and the OS)? Because wouldn't eth1:0, etc. be
sharing the same MAC address as eth1? Will there be any problem or
confusion in the network?
 
11-04-2011, 12:54 AM
John R Pierce

On 11/03/11 5:43 PM, Fajar Priyanto wrote:
> Now, I'm adding some virtual interface eth1:0, eth1:1... so on to
> accommodate new subnets created in the LAN.

what's the point of having multiple subnets on the same physical LAN
segment? if you want to isolate separate local networks, you really
should use separate physical adapters with separate switches... or VLAN
switching if you have a switch that supports VLAN trunking.

anyways, whatever, yes, you can do it with iptables, but not all off-the-shelf
firewall script generators will support multiple LAN subnets. I
usually write my own iptables rulesets.

--
john r pierce N 37, W 122
santa cruz ca mid-left coast

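The setup Fajar describes above (eth0 masqueraded to the outside, eth1 carrying several LAN subnets as eth1:0, eth1:1 ... aliases), written out as an added example; this is not code from any of the posters. It also shows the distinction Ljubomir draws earlier in the thread: only the WAN side is NATed, the LAN subnets are simply routed. Interface names, subnets and gateway addresses are assumptions. On the MAC question: secondary addresses added this way all share eth1's hardware address, and the kernel answers ARP for every one of them with that single MAC, so the switches see one MAC behind several IPs, which is the normal picture for any router. The script prints its commands unless DRY_RUN=0, so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example, not code from the thread: a CentOS firewall/router with
# eth0 facing the WAN and three LAN subnets carried as secondary addresses
# on eth1, in the eth1:0 / eth1:1 style the poster describes.
# Interface names, subnets and gateway addresses are assumptions.
#
# With DRY_RUN=1 (the default) every command is printed instead of run,
# so the ruleset can be reviewed without root; DRY_RUN=0 applies it.

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}

# One LAN subnet per line: "<network/prefix> <gateway address/prefix> <label>"
# The label keeps the legacy eth1:N name visible in ifconfig output.
LAN_NETS="192.168.10.0/24 192.168.10.1/24 eth1:0
192.168.20.0/24 192.168.20.1/24 eth1:1
192.168.30.0/24 192.168.30.1/24 eth1:2"

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Put every LAN gateway address on eth1. They all share eth1's MAC address;
# the kernel answers ARP for each of them with that one MAC, which is the
# normal behaviour for secondary addresses and nothing a switch objects to.
configure_addresses() {
    printf '%s\n' "$LAN_NETS" | while read -r net gw label; do
        run ip addr add "$gw" dev "$LAN_IF" label "$label"
    done
}

# Routing and NAT policy: only the WAN side is masqueraded, the LAN subnets
# are routed through the box with their addresses untouched.
build_ruleset() {
    run sysctl -w net.ipv4.ip_forward=1
    # Strict reverse-path filtering is safe here: every LAN subnet is behind
    # eth1, so a packet with a LAN source arriving on eth0 is dropped as spoofed.
    run sysctl -w net.ipv4.conf.all.rp_filter=1

    run iptables -F FORWARD
    run iptables -t nat -F POSTROUTING
    run iptables -P FORWARD DROP

    # Replies to connections the router has already seen.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    printf '%s\n' "$LAN_NETS" | while read -r net gw label; do
        # Outbound only from a listed subnet; anything entering eth1 with a
        # source outside those subnets stays under the DROP policy.
        run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$net" -j ACCEPT
        run iptables -t nat -A POSTROUTING -s "$net" -o "$WAN_IF" -j MASQUERADE
    done
    # Deliberately no eth1 -> eth1 rule: the router does not forward between
    # the LAN subnets. That is policy, not isolation (see the note below).
}

# What is actually bound: one MAC on eth1, several IPv4 addresses.
show_state() {
    run ip link show "$LAN_IF"
    run ip -o -4 addr show "$LAN_IF"
}

configure_addresses
build_ruleset
show_state
```

The missing eth1-to-eth1 FORWARD rule stops the router from passing traffic between the subnets, but, as John points out, hosts that share one physical segment can still reach each other directly: a host in 192.168.10.0/24 only needs to add itself an address in 192.168.20.0/24 and the router never sees the packets. The ruleset is policy for well-behaved hosts, not isolation; separate NICs or VLANs are needed for that.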
 
11-04-2011, 01:15 AM
KevinO

On 11/03/2011 06:54 PM, John R Pierce wrote:
> On 11/03/11 5:43 PM, Fajar Priyanto wrote:
>> Now, I'm adding some virtual interface eth1:0, eth1:1... so on to
>> accommodate new subnets created in the LAN.
>
> what's the point of having multiple subnets on the same physical LAN
> segment? if you want to isolate separate local networks, you really
> should use separate physical adapters with separate switches... or VLAN
> switching if you have a switch that supports VLAN trunking.
>
> anyways, whatever, yes, you can do it with iptables, but not all off-the-shelf
> firewall script generators will support multiple LAN subnets. I
> usually write my own iptables rulesets.
>
I can say first hand that fwbuilder easily handles managing scripts for multiple
subnets and aliased addressing on NICs. I use separate interface cards for each
subnet, however. (5 NICs, 4 internal subnets, 3 public IPs on the one external
facing NIC)

--
KevinO
 
11-04-2011, 02:03 AM
Fajar Priyanto

On Fri, Nov 4, 2011 at 10:15 AM, KevinO <kevin@kevino.org> wrote:
>> anyways, whatever, yes, you can do it with iptables, but not all off-the-shelf
>> firewall script generators will support multiple LAN subnets. I
>> usually write my own iptables rulesets.
>>
> I can say first hand that fwbuilder easily handles managing scripts for multiple
> subnets and aliased addressing on NICs. I use separate interface cards for each
> subnet, however. (5 NICs, 4 internal subnets, 3 public IPs on the one external
> facing NIC)

Hi Kevin,
Expanding my original question.
I have a need to open and close iptables rules based on a particular
time, say 1 week later, 1 month later, etc.
Currently I have a simple script to do that:
- Create the rules.
- Create an atd job to delete the rule based on the defined time.
- Log it.
It works, but it is not elegant.

Does fwbuilder have that function?
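An added example of the open-now, close-later procedure Fajar describes above (create the rule, schedule an atd job to delete it, log it); this is not his script. Two details make the deletion reliable: the rule carries an iptables comment tag, so the at job removes exactly that rule by its full specification and nothing else that happens to share the address and port, and the rule is inserted at the top of the chain rather than appended, because a rule appended after a final REJECT or DROP never matches. Chain name, state directory, addresses, ports and the tag format are assumptions; with DRY_RUN=1 (the default) the script only prints what it would do.

```shell
#!/bin/sh
# Added example, not the poster's own script: open one iptables rule for a
# fixed period and let atd remove exactly that rule when the period ends.
# The rule carries a comment tag so the removal job can delete it by its
# full specification, and both the open and the close are logged via syslog.
# Chain name, state directory, addresses, ports and the tag format are
# assumptions for illustration.
#
# Usage: DRY_RUN=0 sh tmprule.sh <src-cidr> <tcp-port> <at-timespec>
#   e.g. DRY_RUN=0 sh tmprule.sh 203.0.113.7/32 22 'now + 1 week'
# With DRY_RUN=1 (the default) nothing is applied; the commands and the
# generated at job are printed for review.

DRY_RUN=${DRY_RUN:-1}
CHAIN=${CHAIN:-INPUT}
STATE_DIR=${STATE_DIR:-/var/lib/tmprule}

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# The match specification, identical for -I and -D. The comment is the
# handle: deleting by full spec cannot touch a different rule that happens
# to share the same address and port.
rule_spec() {
    printf '%s' "-p tcp -s $1 --dport $2 -m comment --comment tmp-$3 -j ACCEPT"
}

# Script body that atd will run at the deadline. If the rule was already
# removed by hand, iptables -D fails and that is logged rather than ignored.
removal_job() {
    spec=$(rule_spec "$1" "$2" "$3")
    printf '#!/bin/sh\n'
    printf 'if iptables -D %s %s; then\n' "$CHAIN" "$spec"
    printf '  logger -t tmprule "closed %s: %s"\n' "$3" "$spec"
    printf 'else\n'
    printf '  logger -t tmprule "close %s: rule was not present"\n' "$3"
    printf 'fi\n'
}

open_rule() {
    src=$1; port=$2; when=$3
    # One tag per grant; $$ keeps two grants in the same second apart.
    id=$(date +%s)-$$
    spec=$(rule_spec "$src" "$port" "$id")

    # -I, not -A: a rule appended after a final REJECT/DROP never matches.
    # Word-splitting of $spec into separate arguments is intended.
    run iptables -I "$CHAIN" $spec
    run logger -t tmprule "opened $id until '$when': $spec"

    job=$STATE_DIR/$id.sh
    if [ "$DRY_RUN" = 1 ]; then
        printf '# at job %s, scheduled for: %s\n' "$job" "$when"
        removal_job "$src" "$port" "$id"
    else
        mkdir -p "$STATE_DIR"
        removal_job "$src" "$port" "$id" > "$job"
        # at reads the job from the file; the timespec is split into words.
        at -f "$job" $when
    fi
}

if [ $# -ge 3 ]; then
    open_rule "$1" "$2" "$3"
else
    # Constructed demo input, printed in dry-run mode.
    open_rule 203.0.113.7/32 22 'now + 1 week'
fi
```

Do not run `service iptables save` while one of these rules is open: the saved ruleset would bring the rule back on the next restart, after the at job has already removed it. iptables' time match (`-m time --datestop ...`) can also expire a rule without any scheduler, but the dead rule then stays in the chain and the timestamps are compared in UTC by default, so it is a poorer fit for "one week from now" grants than the at job above.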
 
11-04-2011, 03:17 AM
KevinO

On 11/03/2011 08:03 PM, Fajar Priyanto wrote:
> On Fri, Nov 4, 2011 at 10:15 AM, KevinO <kevin@kevino.org> wrote:
>>> anyways, whatever, yes, you can do it with iptables, but not all off-the-shelf
>>> firewall script generators will support multiple LAN subnets. I
>>> usually write my own iptables rulesets.
>>>
>> I can say first hand that fwbuilder easily handles managing scripts for multiple
>> subnets and aliased addressing on NICs. I use separate interface cards for each
>> subnet, however. (5 NICs, 4 internal subnets, 3 public IPs on the one external
>> facing NIC)
>
> Hi Kevin,
> Expanding my original question.
> I have a need to open and close iptables rules based on a particular
> time, say 1 week later, 1 month later, etc.
> Currently I have a simple script to do that:
> - Create the rules.
> - Create an atd job to delete the rule based on the defined time.
> - Log it.
> It works, but it is not elegant.
>
> Does fwbuilder have that function?
I'm not sure, and I don't have time to fire it up and check right now. I don't
have the latest version, anyway. I think there is an extensive manual on the
project's website and that will give you all of the details.


--
KevinO
 

Thread Tools




All times are GMT. The time now is 01:29 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org