HELP! Multihomed & NAT

I've got an AlphaServer 1000A (Alpha processor) that I'm trying to use as
a host for a number of non-profits, and I'm having fits getting the
iptables firewalling and NAT set up on it.

I've installed RH7.2 (Debian3 was too much of a pain), and the system is
up and running, with all hardware configured/operating.

After beating my head against the wall (that's the hollow 'clonk' you've
been hearing) for the last few days, here's what I'm trying to
accomplish:

* "Tux" has 5 NICs: eth0-eth4.
* Wanting to host 3 websites, supporting ONLY http and SMTP/POP3 on eth0-
eth2 (IPs a.b.c.185/186/187).
* Want to use eth3 (a.b.c.189) as firewall for intranet on eth4 (static
IP 192.168.0.1). Would like to be able to use DHCP for IP addressing on
the intranet (eth4).

I've tried some of the build-your-own-firewall (NAT & multihomed) scripts
I've found on the net, but without success.

I'm not sure if it's my setup, or inherent with Redhat/Linux, but it
seems that if I leave the cable disconnected from one of the Internet-
designated NICs (eth0-eth3), I lose all Internet capability, even if the
others are connected. I have set the networking to assign the IPs to the
MACs of the NICs, versus aliases.

Any assistance and/or pointers would be *greatly* appreciated.

Dave Merriman

> * "Tux" has 5 NICs: eth0-eth4.
> * Wanting to host 3 websites, supporting ONLY http and SMTP/POP3 on eth0-
> eth2 (IPs a.b.c.185/186/187).
> * Want to use eth3 (a.b.c.189) as firewall for intranet on eth4 (static
> IP 192.168.0.1). Would like to be able to use DHCP for IP addressing on
> the intranet (eth4).
>
> I've tried some of the build-your-own-firewall (NAT & multihomed) scripts
> I've found on the net, but without success.
>
> I'm not sure if it's my setup, or inherent with Redhat/Linux, but it
> seems that if I leave the cable disconnected from one of the Internet-
> designated NICs (eth0-eth3), I lose all Internet capability, even if the
> others are connected. I have set the networking to assign the IPs to the
> MACs of the NICs, versus aliases.

This sounds like a routing problem. There shouldn't be anything inherent in
any flavor of Linux which would prevent you from making it work.

Send us the output of the 'route' command and maybe we can figure out what
your problem is.

--
To reply by email, change "deadspam.com" to "alumni.utexas.net"

David Merriman <(E-Mail Removed)> wrote in message news:<Xns943D5AE0A5E0Bdmerrimanbillingsvet@207.225 .159.7>...
> I've got an AlphaServer 1000A (Alpha processor) that I'm trying to use as
> a host for a number of non-profits, and I'm having fits getting the
> iptables firewalling and NAT set up on it.
>
> I've installed RH7.2 (Debian3 was too much of a pain), and the system is
> up and running, with all hardware configured/operating.
>
> After beating my head against the wall (that's the hollow 'clonk' you've
> been hearing) for the last few days, here's what I'm trying to
> accomplish:
>
> * "Tux" has 5 NICs: eth0-eth4.
> * Wanting to host 3 websites, supporting ONLY http and SMTP/POP3 on eth0-
> eth2 (IPs a.b.c.185/186/187).
> * Want to use eth3 (a.b.c.189) as firewall for intranet on eth4 (static
> IP 192.168.0.1). Would like to be able to use DHCP for IP addressing on
> the intranet (eth4).
>
> I've tried some of the build-your-own-firewall (NAT & multihomed) scripts
> I've found on the net, but without success.
>
> I'm not sure if it's my setup, or inherent with Redhat/Linux, but it
> seems that if I leave the cable disconnected from one of the Internet-
> designated NICs (eth0-eth3), I lose all Internet capability, even if the
> others are connected. I have set the networking to assign the IPs to the
> MACs of the NICs, versus aliases.
>
> Any assistance and/or pointers would be *greatly* appreciated.
>
> Dave Merriman

Not sure if this is what you want, but for the eth3-eth4 routing you
might want to use ipchains instead of iptables. Yes, I know that
sounds backwards, but I find ip masquerading (NAT) much simpler with
ipchains.

And the good part is: you should be able to run ipchains on your 2.4
kernel without any problem; it has backwards compatibility enabled.

As for a good resource, if you decide to take the big leap backwards
and use ipchains, there's a really good book that details how to get a
good firewall running on it: "Building Linux and OpenBSD Firewalls"
(http://www.amazon.com/exec/obidos/tg...2741?v=glance).
That book details about getting a standard firewall running (good for
eth0-3) and getting NAT/IPMASQ running (good for eth3-4). Just combine
them in a sensible manner, and off you go.

Hope this helped in some way

-icy.

> Not sure if this is what you want, but for the eth3-eth4 routing you
> might want to use ipchains instead of iptables. Yes, I know that
> sounds backwards, but I find ip masquerading (NAT) much simpler with
> ipchains.

iptables separates routing (the FORWARD table) from NAT (the NAT table).
Maybe this is more complicated. I don't have any experience with ipchains,
but I had no problem setting up a firewall and static router using
iptables.

> As for a good resource, if you decide to take the big leap backwards
> and use ipchains, there's a really good book that details how to get a
> good firewall running on it: "Building Linux and OpenBSD Firewalls"
> (http://www.amazon.com/exec/obidos/tg
detail/-/0471353663/104-4689293-9712741?v=glance).
> That book details about getting a standard firewall running (good for
> eth0-3) and getting NAT/IPMASQ running (good for eth3-4). Just combine
> them in a sensible manner, and off you go.

A similar book for iptables is "Linux Firewalls", 2nd ed., by Robert
Ziegler, from New Riders. It's a comprehensive description of firewalling
via iptables. Routing comes along for the ride. I started reading that
book with only a basic knowledge of IP, and came out the other side having
built my own firewall and static router by hand, using iptables. It takes
some time to get through, but the time is well-invested. I recommend it
highly.

I'm sure that David could solve his problem using either ipchains or
iptables, using the books that we've mentioned. ipchains will probably be
phased out relatively soon, but not so soon that David can't solve his
problem with it for now.

--
To reply by email, change "deadspam.com" to "alumni.utexas.net"

(E-Mail Removed) (icywind) wrote in
news:(E-Mail Removed) om:

.... <snip> ...

> As for a good resource, if you decide to take the big leap backwards
> and use ipchains, there's a really good book that details how to get a
> good firewall running on it: "Building Linux and OpenBSD Firewalls"
> (http://www.amazon.com/exec/obidos/tg.../104-4689293-9
> 712741?v=glance). That book details about getting a standard firewall
> running (good for eth0-3) and getting NAT/IPMASQ running (good for
> eth3-4). Just combine them in a sensible manner, and off you go.
>
> Hope this helped in some way
>
> -icy.

Many thanks - I'll try the books and (shudder!) go through the 'learning
experience' :-)

Dave