Fedora Firewall with multiple public IPs

Tait Clarridge tait at clarridge.ca
Sat Oct 3 19:48:56 UTC 2009


> > As far as I'm concerned, it should follow these ‘basic’ rules
> > 
> > · All traffic goes via my unlimited connection (with the 
> > exception of)
> > 
> > · Email – Goes via an SMTP relay for one of our providers, which 
> > has been added to our DNS
> > 
> > · SIP traffic goes via the same provider, as they provide a rock 
> > solid connection
> > 
> > If my A1 provider is absent for any reason, then use my B1 provider, 
> > until A1 comes back up. Any ideas and suggestions will be appreciated :)
> > 
> Make the cheap unlimited ISP the default route, use the mangle table to MARK the 
> connections you want to go through the other ISP, then use a source route based 
> on the MARK to force the packets out the non-default interface. Use the nat 
> table to SNAT the marked packets to the correct source address.
> 
> I do that at several sites.
> 

I recently did that for a VPN server, you could probably do something
like the following (after making the unlimited connection your default):

# Flush a route table (to make sure there is nothing in it)
# You can pick any number, I chose 300

ip route flush table 300

# Delete the fwmark rule that we are going to use (0x50 is going to be used
# here); this fails harmlessly if no such rule exists yet

ip rule del fwmark 0x50

# Create the mangle rule to mark the packets (outbound SMTP for example;
# mail sent to the relay has destination port 25)
# The --set-mark 80 corresponds to the fwmark 0x50 (0x50 hex is 80 decimal)

iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 80

# Do something similar for each of the SIP ports you want to open

# Set the default route for table 300

ip route add table 300 default via <your second connection gateway>

# Add the FWMARK rule to the table

ip rule add fwmark 0x50 table 300



You can easily MARK additional ports to send out the more stable
connection by adding more IPTABLES rules. 

Also, make sure that the ports have been opened in iptables so they can
get through.

Good luck,

Tait
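Added example, not code from Tait's message or from the thread: a complete script that puts the steps above together, including the SNAT step the earlier reply mentions and a source-address rule so that replies to connections arriving on the second link also leave through it. The interface name eth1, the gateway 203.0.113.1, the public address 203.0.113.10, the chain name ISPB_MARK and the port list are placeholders I have assumed; replace them with your own. It prints the commands by default and only executes them when run as root with FW_APPLY=1.

```shell
#!/bin/sh
# Added example, not code from the original post: route marked traffic out a
# second ISP with fwmark-based policy routing, and SNAT it so the packets carry
# that ISP's address. Interface, gateway and addresses are placeholders
# (RFC 5737 documentation ranges); replace them with your own.
set -eu

ISP_B_IF=eth1             # interface on the reliable ISP (assumed name)
ISP_B_GW=203.0.113.1      # its gateway (placeholder)
ISP_B_IP=203.0.113.10     # our public address on that link (placeholder)
TABLE=300                 # routing table number, as in the post
CHAIN=ISPB_MARK           # dedicated mangle chain so re-runs do not pile up rules
MARK_HEX=0x50             # the value as ip(8) takes and shows it ...
MARK_DEC=$(printf '%d' "$MARK_HEX")   # ... and as iptables --set-mark takes it: 80

# Locally generated traffic that must leave via ISP B, as proto:dport pairs.
# Outbound mail to the relay is dport 25; SIP signalling is 5060 (RTP media
# port ranges would need their own entries).
MARKED_PORTS="tcp:25 udp:5060 tcp:5060"

# Dry run by default: print each command. FW_APPLY=1 executes it (needs root).
run() {
    if [ "${FW_APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Step 1: mark the selected outbound traffic in the mangle OUTPUT chain.
# Delete-then-insert keeps exactly one jump into our chain on every run.
mark_rules() {
    run iptables -t mangle -N "$CHAIN" 2>/dev/null || true
    run iptables -t mangle -F "$CHAIN"
    run iptables -t mangle -D OUTPUT -j "$CHAIN" 2>/dev/null || true
    run iptables -t mangle -I OUTPUT -j "$CHAIN"
    for spec in $MARKED_PORTS; do
        proto=${spec%%:*}; port=${spec##*:}
        run iptables -t mangle -A "$CHAIN" -p "$proto" --dport "$port" \
            -j MARK --set-mark "$MARK_DEC"
    done
}

# Step 2: policy routing. Table 300 holds only a default route via ISP B.
# Two selectors send packets to it: the fwmark (outbound traffic from step 1)
# and the source address (replies to connections that arrived on ISP B's IP,
# which the main table would otherwise push out the default ISP).
policy_rules() {
    run ip route flush table "$TABLE"
    run ip route add table "$TABLE" default via "$ISP_B_GW" dev "$ISP_B_IF"
    run ip rule del fwmark "$MARK_HEX" table "$TABLE" 2>/dev/null || true
    run ip rule del from "$ISP_B_IP" table "$TABLE" 2>/dev/null || true
    run ip rule add fwmark "$MARK_HEX" table "$TABLE"
    run ip rule add from "$ISP_B_IP" table "$TABLE"
    run ip route flush cache
}

# Step 3: marked packets were given the default ISP's source address before
# the reroute, so rewrite it on the way out; otherwise ISP B sees a foreign
# source address and the replies come back on the other link.
snat_rules() {
    run iptables -t nat -D POSTROUTING -o "$ISP_B_IF" -m mark --mark "$MARK_DEC" \
        -j SNAT --to-source "$ISP_B_IP" 2>/dev/null || true
    run iptables -t nat -A POSTROUTING -o "$ISP_B_IF" -m mark --mark "$MARK_DEC" \
        -j SNAT --to-source "$ISP_B_IP"
}

# Step 4: strict reverse-path filtering (1) drops packets arriving on ISP B
# whose source the main table would route back via ISP A. Use loose mode (2),
# or 0 on older kernels that only know 0 and 1.
sysctl_rules() {
    run sysctl -w "net.ipv4.conf.$ISP_B_IF.rp_filter=2"
}

apply_all() {
    mark_rules
    policy_rules
    snat_rules
    sysctl_rules
}

apply_all
```

Two things the script is careful about that are easy to get wrong by hand: ip(8) speaks hex for marks while iptables --set-mark and -m mark take decimal, so it derives 80 from 0x50 rather than typing both; and outbound mail to a relay is matched on destination port 25, whereas a --sport 25 rule in OUTPUT only catches a local mail server's replies to inbound connections, which the from-address rule already covers. Open the marked ports in the filter table as well, as Tait says.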