Adding a second internet connection + firewall

Otavio Exel, 02-26-2004, 06:33 PM
Hello All,

I have a 10.0.0.0/8 network with a firewall on 10.0.0.1 connected to the
internet through a fiber optics cable (subnet: 200.231.20.0/24);

this firewall has a rule to direct traffic coming to 200.231.20.38:80 to
a webserver on 10.0.0.5:80;

the webserver at 10.0.0.5 has 10.0.0.1 as its GATEWAY;

now I intend to add a second firewall on 10.0.0.2 that will be connected
to the internet through another connection on a DSL modem (subnet:
200.162.30.0/24);

this second firewall will direct traffic coming to 200.162.30.10:80 to
the same webserver on 10.0.0.5:80;

my question is:

if a connection is made from the internet to 200.162.30.10:80, can I be
sure that the outgoing packets of this connection will be sent through the
second firewall (10.0.0.2)?

TIA!

--
Otavio Exel /<\oo/>\ (E-Mail Removed)
joseph philip, 02-26-2004, 10:15 PM
On Thu, 26 Feb 2004 19:33:03 +0000, Otavio Exel wrote:

> Hello All,
>
> I have a 10.0.0.0/8 network with a firewall on 10.0.0.1 connected to the
> internet through a fiber optics cable (subnet: 200.231.20.0/24);
>
> this firewall has a rule to direct traffic coming to 200.231.20.38:80 to
> a webserver on 10.0.0.5:80;
>
> the webserver at 10.0.0.5 has 10.0.0.1 as its GATEWAY;
>
> now I intend to add a second firewall on 10.0.0.2 that will be connected
> to the internet through another connection on a DSL modem (subnet:
> 200.162.30.0/24);
>
> this second firewall will direct traffic coming to 200.162.30.10:80 to
> the same webserver on 10.0.0.5:80;
>
> my question is:
>
> if a connection is made from the internet to 200.162.30.10:80, can I be
> sure that the outgoing packets of this connection will be sent thru the
> second firewall (10.0.0.2) ?
>
> TIA!


No, it won't.

What you can do is SNAT incoming connections on the second firewall so
that it looks like 10.0.0.2 is connecting to the web server. Responses go
back to 10.0.0.2, and then onwards to the source. Rather like a NAT-ed
LAN, in reverse...

Otavio Exel, 02-27-2004, 07:59 PM
> On Thu, 26 Feb 2004 19:33:03 +0000, Otavio Exel wrote:
> >
> > if a connection is made from the internet to 200.162.30.10:80, can I be
> > sure that the outgoing packets of this connection will be sent thru the
> > second firewall (10.0.0.2) ?


joseph philip <(E-Mail Removed)> wrote:

hi Joseph,

> No, it won't.


rats! :-((

> What you can do is SNAT incoming connections on the second firewall so
> that it looks like 10.0.0.2 is connecting to the web server. Responses
> go back to 10.0.0.2, and then onwards to the source. Rather like a
> nat-ed lan, in reverse...


the said webserver has built-in statistics and access control based on
client IP :-(( I certainly can simulate all this in the firewall
(10.0.0.2), but it will definitely be a PITA!

<QUESTION TYPE="probably stupid">
I've read about an IP option called "source routing". Could this be used
to direct the outgoing packets back to 10.0.0.2?
Please just answer "yes" or "no"; in case it is "yes" I'll RTF to find
out what exactly "source routing" is.
</QUESTION>

many many thanks!

--
Otavio Exel /<\oo/>\ (E-Mail Removed)
joseph philip, 02-27-2004, 09:30 PM
On Fri, 27 Feb 2004 20:59:26 +0000, Otavio Exel wrote:

>> On Thu, 26 Feb 2004 19:33:03 +0000, Otavio Exel wrote:
>> >
>> > if a connection is made from the internet to 200.162.30.10:80, can I
>> > be sure that the outgoing packets of this connection will be sent
>> > thru the second firewall (10.0.0.2) ?

>
> joseph philip <(E-Mail Removed)> wrote:
>
> hi Joseph,
>
>> No, it won't.

>
> rats! :-((
>
>> What you can do is SNAT incoming connections on the second firewall so
>> that it looks like 10.0.0.2 is connecting to the web server. Responses
>> go back to 10.0.0.2, and then onwards to the source. Rather like a
>> nat-ed lan, in reverse...

>
> the said webserver has built in statistics and access control based on
> client IP :-(( I certainly can simulate all this in the firewall
> (10.0.0.2) but it will definitely be a PITA!
>
> <QUESTION TYPE="probably stupid">
> I've read about an IP option called "source routing". could this be used
> to direct the outgoing packages back to 10.0.0.2 ? Please just answer
> "yes" or "no"; in case it is "yes" I'll RTF to find out what exactly
> "source routing" is. </QUESTION>
>
> many many thanks!


Don't know about "source routing", but I have a suspicion that what's
outlined below is something close....

You will need that "ip" program for doing this. You might also need to use
iptables to mark packets.

On 10.0.0.5, you add a virtual interface: eth0 is 10.0.0.5, and
eth0:0 is 10.0.0.6, say, the new virtual interface (ip-aliasing is the
term, I think).

Start a second web server that listens on 10.0.0.6. Make 10.0.0.2 DNAT
connections to 10.0.0.6, so that it hits the other web server running on
the same machine.

The replies will go out with a source IP of 10.0.0.6. On the web server,
create a second routing table that uses 10.0.0.2 as the default gateway,
and if the source IP is 10.0.0.6, use it. All others will use the default
routing table, going via 10.0.0.1.

It's been too damn long since I messed with all this, or I would have
written the scripts and sent it out.

Hope this helps.

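The scheme joseph philip outlines, written out as iptables and iproute2 commands (an added example, not a script from the thread). The addresses are the thread's own; the routing table number 100, the rule priority, the interface name eth0 and the /8 prefix on the alias are assumptions. Starting the second web server instance bound to 10.0.0.6 is left to the web server's own configuration.

```shell
#!/bin/sh
# Added example of the DNAT + source-based policy routing setup described
# in the thread. DRY_RUN=1 (the default) only prints each command so the
# script can be reviewed first; run as root with DRY_RUN=0 to apply them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# On the second firewall (10.0.0.2): rewrite connections arriving on the
# DSL address 200.162.30.10:80 to the web server's alias 10.0.0.6:80, and
# forward only that traffic (a deliberately narrow ACCEPT, assumed policy).
firewall2_rules() {
    run iptables -t nat -A PREROUTING -d 200.162.30.10 -p tcp --dport 80 \
        -j DNAT --to-destination 10.0.0.6:80
    run iptables -A FORWARD -d 10.0.0.6 -p tcp --dport 80 -j ACCEPT
}

# On the web server (10.0.0.5): add the alias 10.0.0.6 (eth0:0), build a
# second routing table (100, assumed) whose default gateway is 10.0.0.2,
# and select that table for packets sourced from 10.0.0.6. Replies from
# 10.0.0.5 keep using the main table and leave via 10.0.0.1 as before.
webserver_rules() {
    run ip addr add 10.0.0.6/8 dev eth0 label eth0:0
    run ip route add default via 10.0.0.2 dev eth0 table 100
    run ip rule add from 10.0.0.6 lookup 100 priority 1000
    run ip route flush cache
}

firewall2_rules
webserver_rules
```

Because the client address is preserved (no SNAT), the web server's per-client statistics and access control keep seeing the real source IP; the alias address is what selects the return path.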