Routing Question

 
 
Jeff Smith
      06-30-2009, 11:45 PM
I have a reverse proxy in a DMZ; currently it's only being used for one
application, now we need to use it for another application. The proxy is
running Apache, currently all traffic is forced to 443, new
application does not support HTTPS, needs to head to traffic 80. So I
figured I would add a 2nd NIC, bind it to another IP, create a new host
in Apache, all would be good. Issue is the firewall guys want to restrict
what each IP can access.

So, 192.168.1.120 (eth0) can ONLY access 10.10.10.10, 10.10.10.11,
10.10.10.12. Traffic from 192.168.1.121 (eth1) can only access
10.10.10.13. Problem I'm having is all traffic going out as
192.168.1.120 (eth0). This seems so simple, but I can't seem to find an
answer. I have posted ifconfig and route.

ifconfig
eth0 Link encap:Ethernet HWaddr 00:22:15:77:07:B1
inet addr:192.168.1.120 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::222:15ff:fe77:7b1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:410 errors:0 dropped:0 overruns:0 frame:0
TX packets:30 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:55579 (54.2 KiB) TX bytes:9702 (9.4 KiB)

eth1 Link encap:Ethernet HWaddr 00:22:15:76:F0:0A
inet addr:192.168.1.121 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::222:15ff:fe76:f00a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:448 errors:0 dropped:0 overruns:0 frame:0
TX packets:104 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:45923 (44.8 KiB) TX bytes:18147 (17.7 KiB)
Interrupt:17

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
default 192.168.1.1 0.0.0.0 UG 0 0 eth1
 
 
Klaus Zerwes
      07-01-2009, 09:32 AM
Jeff Smith wrote:
[...]
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
> 192.168.1.0 * 255.255.255.0 U 0 0 0 eth0

This second route for 192.168.1.0/24 will never match.
You should think about using an IP from another net or splitting
192.168.1.0/24 into subnetworks (depends on your network topology).
Another thing would be some address-rewriting using iptables.

> 192.168.122.0 * 255.255.255.0 U 0 0 0 virbr0
> 169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
> default 192.168.1.1 0.0.0.0 UG 0 0 eth1


Klaus

--
Klaus Zerwes
http://www.zero-sys.net
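
The point about the duplicate 192.168.1.0/24 route, as an added example that is not part of the original posts: a simplified model of destination-based route lookup run over the table exactly as posted. The tie-break (earlier entry wins at equal prefix length and metric) and the source-address choice for an unbound socket are modelling assumptions; `lookup`, `egress` and `unused_entries` are hypothetical helper names.

```python
import ipaddress

# Routing table as posted in the thread (destination, genmask, gateway, iface),
# in the order `route` printed it. "*" means directly connected.
ROUTES = [
    ("192.168.1.0",   "255.255.255.0", "*",           "eth1"),
    ("192.168.1.0",   "255.255.255.0", "*",           "eth0"),
    ("192.168.122.0", "255.255.255.0", "*",           "virbr0"),
    ("169.254.0.0",   "255.255.0.0",   "*",           "eth0"),
    ("0.0.0.0",       "0.0.0.0",       "192.168.1.1", "eth1"),
]
# Interface addresses from the posted ifconfig output.
IFACE_ADDR = {"eth0": "192.168.1.120", "eth1": "192.168.1.121"}


def lookup(dest, routes=ROUTES):
    """Simplified model: longest prefix wins; on a tie the earlier entry wins.

    Returns (index of chosen entry, gateway, iface). Only the destination is
    consulted; the sending application or virtual host plays no part.
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for idx, (net, mask, gw, iface) in enumerate(routes):
        network = ipaddress.ip_network(f"{net}/{mask}")
        if addr in network and (best is None or network.prefixlen > best[0]):
            best = (network.prefixlen, idx, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return best[1:]


def egress(dest, routes=ROUTES):
    """Interface and source address an unbound socket would get (assumption:
    the source is the outgoing interface's only address)."""
    _, _, iface = lookup(dest, routes)
    return iface, IFACE_ADDR.get(iface)


def unused_entries(dests, routes=ROUTES):
    """Indexes of table entries that none of the given destinations select."""
    hit = {lookup(d, routes)[0] for d in dests}
    return [i for i in range(len(routes)) if i not in hit]


if __name__ == "__main__":
    for d in ("10.10.10.10", "10.10.10.13", "192.168.1.50"):
        print(d, "->", egress(d))
```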
 
 
Antoine EMERIT
      07-07-2009, 09:18 AM
Jeff Smith <(E-Mail Removed)> wrote
news:xsx2m.764847$yE1.702491@attbi_s21:

> I have a reverse proxy in a DMZ; currently it's only being used for one
> application, now we need to use it for another application. The proxy
> is
> running Apache, currently all traffic is forced to 443, new
> application does not support HTTPS, needs to head to traffic 80. So I
> figured I would add a 2nd NIC, bind it to another IP, create a new
> host in Apache, all would be good. Issue is the firewall guys want to
> restrict what each IP can access.


If Apache is the proxy you can listen on many ports at the same time; in
your Apache configuration file:

Listen 80
Listen 443

and add VirtualHost sections:

<VirtualHost *:80>
....
<VirtualHost *:443>


You can also use 2 IPs on the same NIC (in the same or different network).


Regards

 
 
Jeff Smith
      07-08-2009, 02:06 AM
Antoine EMERIT wrote:
> Jeff Smith <(E-Mail Removed)> wrote
> news:xsx2m.764847$yE1.702491@attbi_s21:
>
>> I have a reverse proxy in a DMZ; currently it's only being used for one
>> application, now we need to use it for another application. The proxy
>> is
>> running Apache, currently all traffic is forced to 443, new
>> application does not support HTTPS, needs to head to traffic 80. So I
>> figured I would add a 2nd NIC, bind it to another IP, create a new
>> host in Apache, all would be good. Issue is the firewall guys want to
>> restrict what each IP can access.
>
> If Apache is the proxy you can listen on many ports at the same time; in
> your Apache configuration file:
>
> Listen 80
> Listen 443
>
> and add VirtualHost sections:
>
> <VirtualHost *:80>
> ...
> <VirtualHost *:443>
>
>
> You can also use 2 IPs on the same NIC (in the same or different network).
>
>
> Regards
>


Yes, that part is OK. The problem I'm running into is the firewall guys
want to restrict access. So the server has two NICs, one (192.168.1.120
eth0), (192.168.1.121 eth1); they want to restrict what .120 is able to
access, and .121 is able to access. Problem is all traffic is leaving
out as eth0. So basically what I'm looking for is some way to route
traffic to 192.168.1.3, has to come out of eth1 (192.168.121)
 