Koozali.org: home of the SME Server

Third NIC (eth2)

Lloyd Keen

Third NIC (eth2)
« on: July 08, 2002, 07:44:46 PM »
I've just installed a third NIC in my SME 5.5 and was wondering if anyone knew how to configure the server to allow traffic through on this interface the same as eth1. I think something similar to Abe's 1 to 1 NAT stuff would do the trick but his notes say that you can't have multiple external IPs NATing to the same internal IP. I've set up the domain records to point to the IP at eth2. The interface is all configured but the firewall is blocking incoming traffic. Any help would be appreciated.
P.S. Why I've done this is because I have 2 broadband connections - one is 3GB cable (eth1) to be used for LAN browsing/downloading etc. and the other (eth2) is DSL with free uploads to be used for web serving/ftp upload sort of stuff.

guestHH

Re: Third NIC (eth2)
« Reply #1 on: July 08, 2002, 08:56:53 PM »
Hi,

Take a look at this:
http://www.star-support.com/downloads/mitel/contrib/Linux-HA/SME%20High%20Availability%20How-To.html

and examine step 3.

Maybe it helps.

Regards,
guestHH

Lloyd Keen

Re: Third NIC (eth2)
« Reply #2 on: July 08, 2002, 10:30:35 PM »
Yeah I did read that post before and I've pretty much done all up to the part where cp /etc/e-smith/events/actions/conf-ethernet to /etc/e-smith/events/actions/conf-ethernetx. My problem seems to be that the firewall is blocking all traffic coming through on eth2. Will this step 3 update the masq rules?

guestHH

Re: Third NIC (eth2)
« Reply #3 on: July 09, 2002, 11:26:13 AM »
nope...

Luciano Terra

Re: Third NIC (eth2)
« Reply #4 on: July 15, 2002, 07:15:20 AM »
Eth2 complement (Static templated)
Based on 192.168.3.X lan


First:
http://forums.contribs.org/index.php?topic=14394.msg54824#msg54824

Next:

MASQ Templates

/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/35transproxy

{
    my $transproxy = db_get_prop($confref, 'squid', 'Transparent') || "yes";
    my $status = db_get_prop($confref, 'squid', 'status') || "disabled";
    $OUT = '';
    return unless ($transproxy eq "yes" && $status eq "enabled");

    # Accept localhost apache access directly
    $OUT .= "    /sbin/ipchains --append input -p tcp " .
                    "--destination 127.0.0.1 80 -j ACCEPT\n";

    # Accept any accesses to the localIP directly
    $OUT .= "    /sbin/ipchains --append input -p tcp " .
                        "--destination $LocalIP 80 -j ACCEPT\n";

    if (defined $ExternalIP)
    {
        # Accept any accesses to the ExternalIP directly
        $OUT .= "    /sbin/ipchains --append input -p tcp " .
                        "--destination \$OUTERNET 80 -j ACCEPT\n";
    }

    #@locals contains all local networks, with the real local network first
    my $proxyport = db_get_prop($confref, 'squid', 'TransparentPort') || "3128";

    foreach my $network (@locals)
    {
        # Otherwise, divert port 80 traffic through our proxy
        $OUT .= "    /sbin/ipchains --append input" .
                        " -p tcp --source $network --destination 0.0.0.0/0 80" .
                        " -j REDIRECT $proxyport\n";
    }

}
    # Static addition: the 192.168.3.0/24 network is always sent to the proxy,
    # even when the block above returns early because the proxy is disabled
    /sbin/ipchains --append input -p tcp --source 192.168.3.0/255.255.255.0 --destination 0.0.0.0/0 80 -j REDIRECT 3128

/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40AllowICMPfromLAN

# Allow outgoing ICMP
{
    my $result = "";

    my ($network, $broadcast) = esmith::util::computeNetworkAndBroadcast ($LocalIP, $LocalNetmask);

    $result .= "    /sbin/ipchains --append output -p icmp --source $network/$LocalNetmask --destination 0.0.0.0/0 -j ACCEPT\n";

    my %networks;
    tie %networks, 'esmith::config', '/home/e-smith/networks';

    my $key;
    my $value;
    while (($key,$value) = each %networks)
    {
        my ($type, %properties) = split (/\|/, $value, -1);
        if ($type eq 'network')
        {
                $result .= "    /sbin/ipchains --append output -p icmp --source $key/$properties{'Mask'} --destination 0.0.0.0/0 -j ACCEPT\n";
        }
    }

    $result;
}
    # Static addition: outgoing ICMP for the 192.168.3.0/24 network
    /sbin/ipchains --append output -p icmp --source 192.168.3.0/255.255.255.0 --destination 0.0.0.0/0 -j ACCEPT

/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40AllowTCPAckBitSet

    # Static additions: treat 192.168.3.0/24 as a trusted local network
    # (forward both ways between the two LANs, accept everything it sends us)
    /sbin/ipchains --append forward -s 192.168.0.0/255.255.255.0 -d 192.168.3.0/255.255.255.0 -j ACCEPT
    /sbin/ipchains --append forward -s 192.168.3.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -j ACCEPT
    /sbin/ipchains --append input -s 192.168.3.0/255.255.255.0 -d 0/0 -j ACCEPT
    /sbin/ipchains --append output -d 192.168.3.0/255.255.255.0 -s 0/0 -j ACCEPT

    # Allow packets with ack bit set, they are from an established connection.
    /sbin/ipchains --append input ! -y -p tcp -s 0.0.0.0/0 -i $OUTERIF -j ACCEPT

/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/40masqLAN

{
        my $result = "";

        my ($network, $broadcast) = esmith::util::computeNetworkAndBroadcast ($LocalIP, $LocalNetmask);

        $result .= "/sbin/ipchains --append forward -j MASQ --source $network/$LocalNetmask --destination 0.0.0.0/0\n";

        my %networks;
        tie %networks, 'esmith::config', '/home/e-smith/networks';

        my $key;
        my $value;
        while (($key,$value) = each %networks)
        {
            my ($type, %properties) = split (/\|/, $value, -1);
            if ($type eq 'network')
            {
                $result .= "    /sbin/ipchains --append forward -j MASQ --source $key/$properties{'Mask'} --destination 0.0.0.0/0\n";
            }
        }

        $result;
}
    # Static addition: masquerade the 192.168.3.0/24 network as well
    /sbin/ipchains --append forward -j MASQ --source 192.168.3.0/255.255.255.0 --destination 0.0.0.0/0

/etc/e-smith/templates-custom/etc/rc.d/init.d/masq/98stop

{
#####STOP FIREWALL####
}
stop)
     echo ""
     echo -n "Shutting down IP masquerade and firewall rules:"
     /sbin/ipchains -P forward DENY
     /sbin/ipchains -P output ACCEPT
     /sbin/ipchains -P input {
     # Set "safe" default mode.
     ($SystemMode eq "serveronly") ? "ACCEPT" : "DENY"
}
     /sbin/ipchains -F input
     /sbin/ipchains -F output
     /sbin/ipchains -F forward
     /sbin/ipchains -F
{
    $OUT .= '';
    # Allow forwarding of local addresses, as we might be a VPN endpoint
    # in serveronly mode
    # @locals contains a list of local networks, with the real local
    # network first
    my @mylocals = @locals;
    my $local = shift @mylocals;
    $OUT .= "    /sbin/ipchains --append forward -s $local" .
                        " -d $local -j ACCEPT\n";
    foreach my $network (@mylocals)
    {
        $OUT .= "    /sbin/ipchains --append forward -s $network" .
                        " -d $local -j ACCEPT\n";
        $OUT .= "    /sbin/ipchains --append forward -s $local" .
                        " -d $network -j ACCEPT\n";
    }
}
    # Static additions: forwarding between the two LANs stays allowed
    # after the stop branch has flushed the rules
    /sbin/ipchains --append forward -s 192.168.3.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -j ACCEPT
    /sbin/ipchains --append forward -s 192.168.0.0/255.255.255.0 -d 192.168.3.0/255.255.255.0 -j ACCEPT
     /sbin/ipchains -X
     echo "             Done!"
     echo "" ;;

SQUID Template
SQUID Template

/etc/e-smith/templates-custom/etc/squid/squid.conf/20ACL10localhost
{
    use esmith::util;

    my %networks;
    tie %networks, 'esmith::config', '/home/e-smith/networks';

    my ($network, $broadcast) =
        esmith::util::computeNetworkAndBroadcast ($LocalIP, $LocalNetmask);
    my $localAccess = "127.0.0.1 $network/$LocalNetmask";

    foreach my $network
        (grep { db_get_type(\%networks, $_) eq "network" } db_get(\%networks))
    {
        my $mask = db_get_prop(\%networks, $network, 'Mask')
            || "255.255.255.0";
        $localAccess .= " " .
            esmith::util::computeLocalNetworkSpec ($network, $mask);
    }

    # Static addition: 192.168.3.0/24 is appended to the source ACL only
    $OUT .= "acl localsrc src $localAccess 192.168.3.0/255.255.255.0\n";
    $OUT .= "acl localdst dst $localAccess";
}
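
Added example (Python, not code from the thread or from SME Server): a stand-alone model of what the 40masqLAN and 40AllowICMPfromLAN fragments above generate from the networks db. It shows that once 192.168.3.0/24 is registered there as a type 'network' entry with a Mask property, the template already emits the MASQ rule that the post appends by hand, so the static line only matters for a network that is not in the db. The db line layout (key=type|prop|value|...) and the $LocalIP value are assumptions.

```python
# Constructed sample of /home/e-smith/networks; the key=type|prop|value|...
# layout is assumed from the template's split(/\|/, $value, -1).
NETWORKS_DB = "192.168.3.0=network|Mask|255.255.255.0\n"

LOCAL_IP = "192.168.0.1"          # $LocalIP, assumed eth0 address
LOCAL_NETMASK = "255.255.255.0"   # $LocalNetmask

# The line appended by hand after the 40masqLAN block above
STATIC_MASQ_LINE = ("/sbin/ipchains --append forward -j MASQ "
                    "--source 192.168.3.0/255.255.255.0 --destination 0.0.0.0/0")

def parse_networks(text):
    """Return {key: (type, {prop: value})} for each key=value db line."""
    db = {}
    for line in text.splitlines():
        if "=" not in line or line.startswith("#"):
            continue
        key, value = line.split("=", 1)
        typ, *rest = value.split("|")          # ($type, %properties)
        db[key] = (typ, dict(zip(rest[0::2], rest[1::2])))
    return db

def network_address(ip, mask):
    """Network part of esmith::util::computeNetworkAndBroadcast."""
    def to_int(dotted):
        return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")
    return ".".join(str(b) for b in (to_int(ip) & to_int(mask)).to_bytes(4, "big"))

def local_networks(db, local_ip, local_mask):
    """@locals as the templates build it: real LAN first, then each 'network' entry."""
    nets = [f"{network_address(local_ip, local_mask)}/{local_mask}"]
    for key, (typ, props) in db.items():
        if typ == "network":
            nets.append(f"{key}/{props.get('Mask', '255.255.255.0')}")
    return nets

def masq_rules(nets):
    """40masqLAN output: masquerade every local network to anywhere."""
    return [f"/sbin/ipchains --append forward -j MASQ --source {n} "
            f"--destination 0.0.0.0/0" for n in nets]

def icmp_rules(nets):
    """40AllowICMPfromLAN output: ICMP out from every local network."""
    return [f"/sbin/ipchains --append output -p icmp --source {n} "
            f"--destination 0.0.0.0/0 -j ACCEPT" for n in nets]

def static_masq_line_redundant(db_text=NETWORKS_DB):
    """True when the hand-appended MASQ rule is already generated from the db."""
    nets = local_networks(parse_networks(db_text), LOCAL_IP, LOCAL_NETMASK)
    return STATIC_MASQ_LINE in masq_rules(nets)
```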

guestHH

Re: Third NIC (eth2)
« Reply #5 on: July 17, 2002, 12:11:15 AM »
Now how's _THAT_ for an answer...!

Thanks Luciano.

Regards,
guestHH

krustykev

Re: Third NIC (eth2)
« Reply #6 on: November 22, 2002, 01:20:38 PM »
That was one hell of an answer alright. Wouldn't it be easier to create a subnet with a different workgroup? Or don't I have a clue what I am talking about?

Tony Howden

Re: Third NIC (eth2)
« Reply #8 on: February 14, 2003, 08:39:18 AM »
Hi All

Just trying to clarify Luciano's comprehensive response.

"Eth2 complement (Static templated)
Based on 192.168.3.X lan"

Does this mean that it's configured for two internal LANs rather than 2 external interfaces as per the original request?

I am attempting to configure the dual external interfaces: eth0 as external with DHCP from the cable provider, eth1 as the internal, and eth2 as a second external with an ADSL fixed IP address. This box is meant to act purely as a firewall/gateway to other SME boxes behind it.

I have started to implement from the suggested script templates for masq and squid, but the more I look at it the more I figure I am meant to swap the 192.168.3.x for my static IP allocation and hence probably modify the direction of some of these ipchains instructions so that the external interface is not 'trusted'.

Any help appreciated. Thanks.

cheers
Tony