Hi all, I haven't found anything in Google about this.
I'm creating a firewall router with CentOS with a few virtual IPs using iptables.
May I ask for your experience? Is there any pitfall or downside to using virtual IPs for this purpose? I'm using a few virtual IPs to accommodate a few subnets that go through this firewall/router.
Thank you. Fajar.
On 03/11/2011 3:34, Fajar Priyanto wrote:
May I ask for your experience? Is there any pitfall or downside to using virtual IPs for this purpose? I'm using a few virtual IPs to accommodate a few subnets that go through this firewall/router.
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
I use shorewall for this http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html
Amedeo
On 03/11/11 11:16, News wrote:
I use shorewall for this http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html
I use Firewall Builder http://www.fwbuilder.org to manage the ruleset and I am very happy with it. For Spanish list subscribers, here you have a post I have written for my blog: http://www.securitybydefault.com/2011/09/firewall-builder-la-gui-para-tu.htm...
On Thu, 3 Nov 2011, Lorenzo Martínez Rodríguez wrote:
On 03/11/11 11:16, News wrote:
May I ask for your experience? Is there any pitfall or downside to using virtual IPs for this purpose? I'm using a few virtual IPs to accommodate a few subnets that go through this firewall/router.
I would not know why there would be a problem. My external interface on my iptables firewall has 30 IP addresses on it. Been running it that way for 8 or 10 years.
I use Firewall Builder http://www.fwbuilder.org to manage the ruleset and I am very happy with it.
+1 for fwbuilder. I have been using it since it was version 1.x. It is now 5.x and you would be hard pressed to pry it out of my cold dead hands. :-)
Besides the fact that the program does a very good job of managing iptables firewalls, the devs are very responsive to bug fixes and feature enhancements.
Regards,
On 11/03/2011 11:16 AM, News wrote:
I use shorewall for this http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html
+1
You also need to be sure what you want to do exactly. If subnets need to be behind that firewall, but routed and not NATed, then you are not to use virtual IPs, but to implement pass-through/routing. Virtual IPs are only used for NAT-ing, not for routing subnets.
On 11/02/11 7:34 PM, Fajar Priyanto wrote:
I'm creating a firewall router with CentOS with a few virtual IPs using iptables.
May I ask for your experience? Is there any pitfall or downside to using virtual IPs for this purpose? I'm using a few virtual IPs to accommodate a few subnets that go through this firewall/router.
now, when you say 'virtual IP', do you mean alias IPs on your WAN (outside) interface(s), or multiple private subnets on the LAN (inside) interface(s) ? none of those are 'virtual' in any sense I'd use that adjective.
On Fri, Nov 4, 2011 at 6:59 AM, John R Pierce pierce@hogranch.com wrote:
now, when you say 'virtual IP', do you mean alias IPs on your WAN (outside) interface(s), or multiple private subnets on the LAN (inside) interface(s) ? none of those are 'virtual' in any sense I'd use that adjective.
Hi John, thanks for asking. My firewall setup is like this:
Physical NICs:
eth0 - to the outside world
eth1 - to the LAN
There is masquerading on eth0 so the LAN can go to the internet.
Now, I'm adding some virtual interfaces eth1:0, eth1:1... and so on to accommodate new subnets created in the LAN.
My concern comes from this question: how is MAC addressing handled (by the switches and the OS)? Because wouldn't eth1:0, etc. be sharing the same MAC address as eth1? Will there be any problem or confusion in the network?
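The setup described in this mail, as an added example that is not from the thread: eth0 masqueraded to the outside, eth1 carrying several LAN subnets as aliases eth1:0, eth1:1 and so on. The interface names follow the mail; the three subnets, their gateway addresses and the script itself are assumptions. On the MAC question: every alias answers ARP with eth1's single MAC, and one MAC carrying many IP addresses is ordinary for switches and hosts, so nothing gets confused. The security caveat is a different one: the subnets share one broadcast domain, so a host can reach another subnet directly by adding a route or a second address, and the FORWARD rules below only govern traffic that hosts choose to send through the router. That is why aliases give reachability, not isolation.

```shell
#!/bin/sh
# Added example, not from the thread: eth0 masqueraded to the outside and
# eth1 carrying several LAN subnets as aliases eth1:0, eth1:1, ... (the
# interface names follow Fajar's mail; the subnets are assumed values).
# Prints the commands it would run; APPLY=1 executes them (run as root).
set -e

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
# label=gateway/prefix for each LAN subnet (assumed addresses)
SUBNETS=${SUBNETS:-"eth1:0=192.168.10.1/24 eth1:1=192.168.20.1/24 eth1:2=192.168.30.1/24"}

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# network_of a.b.c.d/prefix -> network/prefix, computed in shell arithmetic
network_of() {
  ip=${1%/*}; prefix=${1#*/}
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
  n=$(( n & mask ))
  echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))/$prefix"
}

# Secondary addresses on the one LAN NIC. All of them answer ARP with
# eth1's MAC; one MAC carrying many IPs is ordinary for switches and hosts.
add_aliases() {
  for entry in $SUBNETS; do
    label=${entry%%=*}; cidr=${entry#*=}
    run ip addr add "$cidr" dev "$LAN" label "$label"
  done
}

firewall() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -P FORWARD DROP
  run iptables -F FORWARD
  run iptables -t nat -F POSTROUTING
  run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  for entry in $SUBNETS; do
    net=$(network_of "${entry#*=}")
    # each subnet may go out through eth0, masqueraded behind its address
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$net" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN" -s "$net" -j MASQUERADE
  done
  # Subnet-to-subnet traffic that is sent via the router is logged and then
  # hits the DROP policy. Hosts on the shared segment can still bypass the
  # router entirely, which is why this is not isolation.
  run iptables -A FORWARD -i "$LAN" -o "$LAN" -m limit --limit 5/min -j LOG --log-prefix "lan-xsubnet: "
}

add_aliases
firewall
```

Run it once without APPLY to read the plan, then `APPLY=1 sh lan-subnets.sh` as root. INPUT rules for the router itself are out of scope here; the script only covers the forwarding and NAT side that the mail asks about.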
On 11/03/11 5:43 PM, Fajar Priyanto wrote:
Now, I'm adding some virtual interfaces eth1:0, eth1:1... and so on to accommodate new subnets created in the LAN.
what's the point of having multiple subnets on the same physical LAN segment? if you want to isolate separate local networks, you really should use separate physical adapters with separate switches... or VLAN switching if you have a switch that supports VLAN trunking.
anyways, whatever, yes, you can do it with iptables, but not all off-the-shelf firewall script generators will support multiple LAN subnets. I usually write my own iptables rulesets.
On 11/03/2011 06:54 PM, John R Pierce wrote:
anyways, whatever, yes, you can do it with iptables, but not all off-the-shelf firewall script generators will support multiple LAN subnets. I usually write my own iptables rulesets.
I can say first hand that fwbuilder easily handles managing scripts for multiple subnets and aliased addressing on NICs. I use separate interface cards for each subnet, however. (5 NICs, 4 internal subnets, 3 public IPs on the one external-facing NIC)
On Fri, Nov 4, 2011 at 10:15 AM, KevinO kevin@kevino.org wrote:
Hi Kevin, expanding my original question. I have a need to open and close iptables rules based on a particular time, say 1 week later, 1 month later, etc. Currently I have a simple script to do that:
- Create the rules.
- Create an atd job to delete the rule at the defined time.
- Log it.
It works, but it's not elegant :)
Does fwbuilder have that function?
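The add-rule / at-job / log procedure described in this mail, as an added example that is not from the thread and not fwbuilder's code. The rule carries an iptables comment tag so that the scheduled `-D` removes exactly the rule that was added, even if an identical-looking rule was inserted in the meantime; `expiring_rule` shows the kernel-side alternative with the iptables time match (xt_time, in mainline since 2.6.24, so present on a CentOS 6 kernel but not on a stock CentOS 5 one; `--datestop` is read as UTC, and the expired rule still sits in the table until something removes it). Paths, the subnets and the dates are assumptions; the script prints its commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the thread or from fwbuilder: a time-limited
# ACCEPT rule in the "add rule, schedule deletion with at, log it" style,
# and the kernel-side alternative using the iptables time match. Paths,
# subnets and dates are assumptions. Prints by default; APPLY=1 executes
# (run as root, with atd running).
set -e

IPT=${IPT:-/sbin/iptables}
LOGFILE=${LOGFILE:-/var/log/temp-rules.log}

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

log_line() {
  if [ "${APPLY:-0}" = 1 ]; then echo "$(date '+%F %T') $*" >> "$LOGFILE"; else echo "log: $*"; fi
}

# rule_body <tag> <match args...>
# The comment tag is what lets the scheduled -D remove exactly this rule,
# even if an identical-looking one has been added meanwhile. Match args
# must not contain spaces, since the body is word-split when it is used.
rule_body() {
  tag=$1; shift
  echo "FORWARD $* -m comment --comment $tag -j ACCEPT"
}

# add_temp_rule "<at(1) time spec>" <match args...>
# e.g. add_temp_rule "now + 1 week" -i eth1 -s 192.168.10.0/24 -o eth0 -p tcp --dport 22
add_temp_rule() {
  when=$1; shift
  TMPSEQ=$(( ${TMPSEQ:-0} + 1 ))                 # unique within one run
  tag="tmp-$(date +%Y%m%d%H%M%S)-$$-$TMPSEQ"
  body=$(rule_body "$tag" "$@")
  run $IPT -I $body
  if [ "${APPLY:-0}" = 1 ]; then
    echo "$IPT -D $body" | at "$when"            # at(1) spools the job on disk
  else
    echo "echo '$IPT -D $body' | at '$when'"
  fi
  log_line "added $tag, removal scheduled for '$when'"
}

# expiring_rule <YYYY-MM-DDThh:mm:ss> <match args...>
# Alternative without at: the kernel stops matching at the given time.
# Needs xt_time (mainline since 2.6.24: on a CentOS 6 kernel, not on a
# stock CentOS 5 one), and --datestop is read as UTC. The rule stays in
# the table after it expires, so a cleanup pass is still needed.
expiring_rule() {
  stop=$1; shift
  run $IPT -I FORWARD "$@" -m time --datestop "$stop" -j ACCEPT
}

# assumed sample: let one subnet reach SSH outside for a week, two ways
add_temp_rule "now + 1 week" -i eth1 -s 192.168.10.0/24 -o eth0 -p tcp --dport 22
expiring_rule 2011-12-03T00:00:00 -i eth1 -s 192.168.20.0/24 -o eth0 -p tcp --dport 22
```

Whichever variant is used, `service iptables save` must not be run while a temporary rule is in place, or the rule comes back at the next boot as a permanent one; the log line is what lets you audit which tagged rules were ever added.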
On 11/03/2011 08:03 PM, Fajar Priyanto wrote:
Does fwbuilder have that function?
I'm not sure, and I don't have time to fire it up and check right now. I don't have the latest version, anyway. I think there is an extensive manual on the project's website and that will give you all of the details.
On Fri, 4 Nov 2011, Fajar Priyanto wrote:
Does fwbuilder have that function?
Fwbuilder does indeed have time objects in it, although I have never used them.
The docs at http://fwbuilder.org are pretty extensive and the devs hang out on the mailing lists and regularly answer questions or provide pointers to the relevant docs.
Hope this helps.
On Sat, Nov 5, 2011 at 11:19 PM, me@tdiehl.org wrote:
Fwbuilder does indeed have time objects in it, although I have never used them.
Hi Tom! You're right. http://www.fwbuilder.org/4.0/docs/users_guide/time-interval-objects.html Perfect for me!! Thank you :)