All configurations are working fine in live/LAB environments.
Use more than 1 DSL modem without noticing disconnectivity, OR load balancing/sharing with 2 or more different ISPs' connections
Configuration details:
» OS: Fedora Core-2
» Kernel: 2.6.5-1.356
» Kernel patch (available from): http://www.ssi.bg/%7Eja/#routes-2.6
» 3 LAN cards (1 for the internal LAN, and 2 for the two DSL modems)
In this configuration we set up our Linux machine with 2 DSL modems and configure routes so that if one modem goes down, the traffic automatically shifts to the other modem (if it is connected :D) without anyone noticing. If you are the administrator of your company, this is good news for you:
** you don't have to change cables or the gateway of machines after this setup.
** there are no restrictions; you can configure more than 2 modems.
** both lines are used at the same time, etc.
Many, many thanks to Christoph Simon for writing "Nano-Howto to use more than one independent Internet connection"; this configuration was done with the help of his HOWTO. For a detailed view of this configuration, please visit his page.
First of all: preparing the kernel
From http://www.ssi.bg/%7Eja/#routes-2.6 choose the patches for your kernel, download them, and apply all of them. Nothing special is required to run this kernel (no boot options, etc.).
Abbreviation details used in this configuration:
IFI = eth3 (internal interface)
IPI = 192.168.10.5 (IP address of the internal interface)
NWI = 192.168.10.0 (network of the internal interface)
NMI = 255.255.255.0 OR /24 (netmask for the internal interface)
______________________
IFE1 = eth1 (external interface-1 / interface for modem-1)
IPE1 = 192.168.1.14 (external interface-1 IP)
NWE1 = 192.168.1.0 (external interface-1 network)
NME1 = 255.255.255.0 OR /24 (external interface-1 netmask)
BRD1 = 192.168.1.255 (external interface-1 broadcast address)
GWE1 = 192.168.1.2 (external interface-1 gateway IP)
______________________
IFE2 = eth2 (external interface-2 / interface for modem-2)
IPE2 = 10.16.10.5 (external interface-2 IP)
NWE2 = 10.16.10.0 (external interface-2 network)
NME2 = 255.255.255.0 OR /24 (external interface-2 netmask)
BRD2 = 10.16.10.255 (external interface-2 broadcast address)
GWE2 = 10.16.10.1 (external interface-2 gateway IP)
______________________
We want to give table main a priority of 50 to make sure it is looked at first.
# ip rule add prio 50 table main
Now we remove the default gateway. If no default gateway was set up earlier, the command below will give an error; otherwise it will execute fine.
# ip route del default
Source NAT the internal LAN to the address of whichever external interface the packet leaves through:
# iptables -t nat -A POSTROUTING -o eth1 -s 192.168.10.0/24 -j SNAT --to 192.168.1.14
# iptables -t nat -A POSTROUTING -o eth2 -s 192.168.10.0/24 -j SNAT --to 10.16.10.5
Set up a stateful firewall:
# iptables -t filter -N keep_state
# iptables -t filter -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -t filter -A keep_state -j RETURN
# iptables -t nat -N keep_state
# iptables -t nat -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -t nat -A keep_state -j RETURN
And call this at the beginning of the script:
# iptables -t nat -A PREROUTING -j keep_state
# iptables -t nat -A POSTROUTING -j keep_state
# iptables -t nat -A OUTPUT -j keep_state
# iptables -t filter -A INPUT -j keep_state
# iptables -t filter -A FORWARD -j keep_state
# iptables -t filter -A OUTPUT -j keep_state
Now we add default routes for each interface:
# ip rule add prio 201 from 192.168.1.0/24 table 201
# ip route add default via 192.168.1.2 dev eth1 src 192.168.1.14 proto static table 201
# ip route append prohibit default table 201 metric 1 proto static
# ip rule add prio 202 from 10.16.10.0/24 table 202
# ip route add default via 10.16.10.1 dev eth2 src 10.16.10.5 proto static table 202
# ip route append prohibit default table 202 metric 1 proto static
The third line of each block is similar to a REJECT target in iptables, for the case that the corresponding interface is not working: if a client on the local network sends a packet on an established connection but in the meantime the interface has stopped operating, we send this client an ICMP control message `PKT_FILTERED', hoping to cause it to stop sending packets; the user may then open a new connection, which will succeed if at least one other line is still working.
___________________________
Now adding multiple default routes.
# ip rule add prio 222 table 222
# ip route add default table 222 proto static nexthop via 192.168.1.2 dev eth1 nexthop via 10.16.10.1 dev eth2
This is a multipath default route, causing the kernel to pick a different alternative each time; there could be more than these two.
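The steps above, collected into one script that can be called from /etc/rc.local, as an added example (this is not code from the original page or from Christoph Simon's HOWTO). It uses the page's abbreviations as variables and the page's addresses. DRY_RUN=1 prints each command instead of executing it, so the script can be reviewed or tested without root. Two things are assumptions added here rather than taken from the page: the net.ipv4.ip_forward sysctl, and a DROP policy on FORWARD with an explicit allow for NEW connections from the internal LAN. The keep_state chains on the page only short-circuit RELATED/ESTABLISHED traffic; what happens to NEW connections is decided by the chain policy, which the page leaves at its default of ACCEPT.

```bash
#!/bin/bash
# Added example (not from the original page): the page's multi-ISP routing,
# SNAT and keep_state commands as one script. DRY_RUN=1 prints instead of
# executing. ip_forward and the FORWARD policy are assumptions added here.

IFI=eth3;  NWI=192.168.10.0/24
IFE1=eth1; IPE1=192.168.1.14; NWE1=192.168.1.0/24; GWE1=192.168.1.2
IFE2=eth2; IPE2=10.16.10.5;   NWE2=10.16.10.0/24;  GWE2=10.16.10.1

# run: execute a command, or print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Policy routing: table main first, per-source tables 201/202 with a
# 'prohibit' fallback, then the multipath default in table 222.
setup_routes() {
    run ip rule add prio 50 table main
    # Errors harmlessly if no default gateway existed (the page notes this).
    run ip route del default || true

    run ip rule add prio 201 from "$NWE1" table 201
    run ip route add default via "$GWE1" dev "$IFE1" src "$IPE1" proto static table 201
    run ip route append prohibit default table 201 metric 1 proto static

    run ip rule add prio 202 from "$NWE2" table 202
    run ip route add default via "$GWE2" dev "$IFE2" src "$IPE2" proto static table 202
    run ip route append prohibit default table 202 metric 1 proto static

    run ip rule add prio 222 table 222
    run ip route add default table 222 proto static \
        nexthop via "$GWE1" dev "$IFE1" nexthop via "$GWE2" dev "$IFE2"
}

# SNAT the internal LAN to the address of whichever modem the packet leaves by.
setup_nat() {
    run iptables -t nat -A POSTROUTING -o "$IFE1" -s "$NWI" -j SNAT --to "$IPE1"
    run iptables -t nat -A POSTROUTING -o "$IFE2" -s "$NWI" -j SNAT --to "$IPE2"
}

# keep_state chains as on the page, plus (assumption added here) a DROP
# policy on FORWARD and an allow for NEW connections from the internal LAN.
setup_firewall() {
    for table in filter nat; do
        run iptables -t "$table" -N keep_state
        run iptables -t "$table" -A keep_state -m state --state RELATED,ESTABLISHED -j ACCEPT
        run iptables -t "$table" -A keep_state -j RETURN
    done
    for chain in PREROUTING POSTROUTING OUTPUT; do
        run iptables -t nat -A "$chain" -j keep_state
    done
    for chain in INPUT FORWARD OUTPUT; do
        run iptables -t filter -A "$chain" -j keep_state
    done
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$IFI" -s "$NWI" -m state --state NEW -j ACCEPT
}

setup_all() {
    run sysctl -w net.ipv4.ip_forward=1    # assumption: forwarding not yet enabled
    setup_routes
    setup_nat
    setup_firewall
}

# Apply only when explicitly asked, e.g. from /etc/rc.local:  APPLY=1 /path/to/multi-isp.sh
if [ "${APPLY:-0}" = 1 ]; then
    setup_all
fi
```

Running it as `DRY_RUN=1 APPLY=1 ./multi-isp.sh` prints the full command list for review before anything touches the routing tables; the `|| true` on `ip route del default` keeps a first boot (no default route yet) from aborting the rest of the script.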
Note: I made a script of my above lines and added this script to /etc/rc.local, so every time my server boots these lines are added automatically.
Now test your configuration. Let's check it out:
# ip address
This should print on the terminal one entry for the local loopback, IFI, IFE1 and IFE2, and maybe some other things if we have them configured (like my GRE tunnels).
# ip rule
This should look like this:
0: from all lookup local
50: from all lookup main
201: from NWE1/NME1 lookup 201
202: from NWE2/NME2 lookup 202
222: from all lookup 222
32766: from all lookup main
32767: from all lookup default
Table local is used for the local loopback; table main has the network routes to the internal network and for the external interfaces, which only give access to our gateways. Tables 201 and 202 (which might also have the same priority) will provide a default route if the local source address is known (because it has to match NWE1 or NWE2). And table 222 will provide the multipath route. The tables with priority 32766 and 32767 will not be used.
# ip route list table main
Giving:
NWI/NMI dev IFI proto kernel scope link src IPI
NWE1/NME1 dev IFE1 proto kernel scope link src IPE1
NWE2/NME2 dev IFE2 proto kernel scope link src IPE2
These are only routes to the corresponding networks, without using a gateway.
# ip route list table 201
Giving:
default via GWE1 dev IFE1 proto static src IPE1
prohibit default proto static metric 1
And:
# ip route list table 202
Giving:
default via GWE2 dev IFE2 proto static src IPE2
prohibit default proto static metric 1
These are the default routes requiring the local source address to be known. And finally:
# ip route list table 222
Giving:
default proto static
nexthop via GWE1 dev IFE1 weight 1
nexthop via GWE2 dev IFE2 weight 1
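The manual checks above turned into a small audit, as an added example (not from the original page): it parses `ip rule` and `ip route list table 222` output and confirms the rules the page expects are present and in the right order, and that table 222 carries a nexthop for each gateway. The sample outputs inside the script are constructed from the page's values so the check runs offline; audit_live() is an assumption that iproute2 is installed and runs the same check on the real box (for instance after a reboot, to make sure the rc.local script actually ran).

```bash
#!/bin/sh
# Added example (not from the original page): audit the policy-routing
# state against what the page says 'ip rule' and table 222 should show.

# Constructed sample: what 'ip rule' prints on the configured box
GOOD_RULES='0: from all lookup local
50: from all lookup main
201: from 192.168.1.0/24 lookup 201
202: from 10.16.10.0/24 lookup 202
222: from all lookup 222
32766: from all lookup main
32767: from all lookup default'

# Constructed sample: the same box after a reboot where rc.local did not run
BAD_RULES='0: from all lookup local
32766: from all lookup main
32767: from all lookup default'

# Constructed sample: 'ip route list table 222' with both nexthops
GOOD_T222='default proto static
nexthop via 192.168.1.2 dev eth1 weight 1
nexthop via 10.16.10.1 dev eth2 weight 1'

# check_rules RULES NWE1 NWE2: rules 50, 201, 202 and 222 exist, 50 comes
# before 201/202, and both come before 222. (201 and 202 may share a
# priority, as the page says, so their mutual order is not checked.)
check_rules() {
    printf '%s\n' "$1" | awk -v nwe1="$2" -v nwe2="$3" '
        $1 == "50:"  && $3 == "all"  && $NF == "main" { r50  = NR }
        $1 == "201:" && $3 == nwe1   && $NF == "201"  { r201 = NR }
        $1 == "202:" && $3 == nwe2   && $NF == "202"  { r202 = NR }
        $1 == "222:" && $3 == "all"  && $NF == "222"  { r222 = NR }
        END {
            ok = r50 && r201 && r202 && r222 &&
                 r50 < r201 && r50 < r202 && r201 < r222 && r202 < r222
            exit ok ? 0 : 1
        }'
}

# check_multipath T222 GW1 GW2: the multipath route has a nexthop per gateway
check_multipath() {
    printf '%s\n' "$1" | awk -v gw1="$2" -v gw2="$3" '
        $1 == "nexthop" && $2 == "via" && $3 == gw1 { n1 = 1 }
        $1 == "nexthop" && $2 == "via" && $3 == gw2 { n2 = 1 }
        END { exit (n1 && n2) ? 0 : 1 }'
}

# audit_live: run both checks against the running system (assumes iproute2;
# reading the tables does not need root). Exit status 0 means all is in place.
audit_live() {
    check_rules "$(ip rule)" 192.168.1.0/24 10.16.10.0/24 &&
    check_multipath "$(ip route list table 222)" 192.168.1.2 10.16.10.1
}
```

A non-zero exit from audit_live is the quickest way to tell that the box fell back to plain single-gateway routing (for example because /etc/rc.local did not run), which otherwise only shows up as one modem carrying all the traffic.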
-------------Configuration Complete-------------