I need to set up the following network architecture:
```
                       Internet
                          ^
+-----------------+       |        +------------------+
|    Centos6-1    |       |        |    Centos6-2     |
|                 |       |        |                  |
|    +---- eth0 +---------+        |                  |
|    | (br0)      |                |                  |
|    +---- eth1 +------------------+ eth0             |
|                 |                |                  |
+-----------------+                +------------------+
                  ( cable connection )
```
Two public IPs are to be configured as follows:
- **eth0** and **eth1** of **Centos6-1** are to be configured as a bridge with IP1
- **Centos6-1** can be accessed with IP1
- **eth0** of **Centos6-2** is configured with IP2
- any request destined to IP2 will flow through **Centos6-1**
How can I accomplish this feat?
There is a service running on the second server. This service will bind to IP2. What will happen if I do the following on box1:
```
brctl addbr br0
ifdown eth0
ifdown eth1
ifconfig eth0 0.0.0.0 up
ifconfig eth1 0.0.0.0 up
ifconfig br0 IP1
```
Would it do what I want?
Thanks in advance.
On 4/16/2012 8:04 AM, Arif Hossain wrote:
Not sure if I'm understanding this....
You're trying to present a service running on box 2 to the internet through box 1's public interface? (securely)
If so I might have a look at this software....
http://www.delegate.org/delegate/
You'll be able to create a reverse proxy on box 1 to box 2 or any services running on your internal network, etc.
I think I've failed to describe what I'm trying to do, so I'm describing it again.
The client will send requests to BOX2's IP. BOX1's IP is used only for management purposes. All requests destined to BOX2's IP will go through BOX1. BOX1's IP will not be available to clients. Another thing is that the service running on BOX2 is very sensitive to NAT-like things. Primary NATting for clients is managed externally, but no packet header modification (as with iptables -t nat) is desirable.
On Mon, Apr 16, 2012 at 9:16 PM, Ken godee ken@perfect-image.com wrote:
On Tue, 17 Apr 2012 16:07:36 +0600 Arif Hossain aftnix@gmail.com wrote:
I think I've failed to describe what I'm trying to do, so I'm describing it again.
The client will send requests to BOX2's IP. BOX1's IP is used only for management purposes.
You're looking for a bridging firewall; it should probably look like this:
```
+--------+    +---------- internet line
|  box1  |    |
|        |    |        +--------+
| eth2---bad--+        |  box2  |
|  |br|  |             |        |
| eth1---good----------eth1     |
|        |             |        |
| eth0------+----------eth0     |
|        |  |          |        |
+--------+  |          +--------+
            |
           lan
```
eth0 is the (optional) internal management network.
You'll need the following configurations on box1:
In /etc/sysconfig/network-scripts/ifcfg-br0:
```
DEVICE=br0
TYPE=Bridge
ONBOOT=yes
DELAY=0
BOOTPROTO=none
```
In /etc/sysconfig/network-scripts/ifcfg-eth1:
```
DEVICE=eth1
HWADDR=<MAC>
ONBOOT=yes
BRIDGE=br0
```
In /etc/sysconfig/network-scripts/ifcfg-eth2:
```
DEVICE=eth2
HWADDR=<MAC>
ONBOOT=yes
BRIDGE=br0
```
Restart your networking: `service network restart`
Verify the bridge is set up: `brctl show`
You probably want to netfilter your br0 device; I recommend shorewall:
Here is a short example. I'll put eth1 in zone good and eth2 in zone bad. eth0 will be in zone loc. I will allow all outgoing traffic from box2 to the internet and filter all incoming except for https and icmp ping. This example requires shorewall > 4.0. This example is for ipv4 only, ipv6 requires shorewall6.
In /etc/shorewall/interfaces:
```
#ZONE   INTERFACE   BROADCAST   OPTIONS
# Your isp
inet    br0         -           bridge,proxyarp,routefilter
bad     br0:eth2    -           physical=eth2
good    br0:eth1    -           physical=eth1
# local network
loc     eth0        detect      routeback
```
In /etc/shorewall/zones:
```
#ZONE       TYPE
fw          firewall
loc         ipv4
inet        ipv4
bad:inet    bport
good:inet   bport
#END
```
In /etc/shorewall/policy:
```
#SOURCE  DEST  POLICY  LOG
# allow local to firewall and vice versa
loc      fw    ACCEPT
fw       loc   ACCEPT
# the next line allows all outgoing (from good to bad) traffic.
# you can also reject outgoing traffic and set single allow rules in
# the file /etc/shorewall/rules (see below)
good     bad   ACCEPT
# drop all other
bad      all   DROP    info
all      all   DROP    info
#END
```
In /etc/shorewall/rules:
```
#ACTION  SOURCE  DEST          PROTO  DEST PORT
# e.g. allow ping and https only for public ip (1.2.3.4)
ACCEPT   bad     good:1.2.3.4  tcp    https
ACCEPT   bad     good:1.2.3.4  icmp   8
#END
```
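As an added illustration (not part of this thread and not shorewall's own tooling), the script below parses the four files quoted above and checks the cross-references that a typo usually breaks: every zone named in policy and rules is defined, each bport zone hangs off a zone whose interface carries the `bridge` option and is bound to a bridge port (br0:ethN), and a catch-all DROP/REJECT policy exists. It then lists what the internet side (zone bad) may reach on box2 (zone good), which is how you confirm the "only https and ping" claim before trusting it. The file contents are embedded as constructed strings copied from the example; the parser is simplified (whitespace-separated columns, `#` comments, no shorewall macros or actions).

```python
"""Cross-check the shorewall bridge-firewall example: zones, interfaces, policy, rules.
Added illustration, not code from the thread or from shorewall. Parsing is
simplified: whitespace columns, '#' comments, no macros. Inputs are the
example files above, embedded as constructed strings so this runs offline."""

ZONES = """\
#ZONE       TYPE
fw          firewall
loc         ipv4
inet        ipv4
bad:inet    bport
good:inet   bport
"""
INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
inet    br0         -           bridge,proxyarp,routefilter
bad     br0:eth2    -           physical=eth2
good    br0:eth1    -           physical=eth1
loc     eth0        detect      routeback
"""
POLICY = """\
#SOURCE  DEST  POLICY  LOG
loc      fw    ACCEPT
fw       loc   ACCEPT
good     bad   ACCEPT
bad      all   DROP    info
all      all   DROP    info
"""
RULES = """\
#ACTION  SOURCE  DEST          PROTO  DEST_PORT
ACCEPT   bad     good:1.2.3.4  tcp    https
ACCEPT   bad     good:1.2.3.4  icmp   8
"""


def rows(text):
    """Split a shorewall-style file into column lists, dropping comments and blank lines."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(line.split())
    return out


def parse_zones(text):
    """zone name -> (type, parent zone or None); 'bad:inet bport' has parent 'inet'."""
    zones = {}
    for name, ztype, *_ in rows(text):
        base, _, parent = name.partition(":")
        zones[base] = (ztype, parent or None)
    return zones


def parse_interfaces(text):
    """zone -> (interface spec, set of options); one interface per zone, as in the example."""
    ifaces = {}
    for zone, iface, _bcast, *opts in rows(text):
        ifaces[zone] = (iface, set(opts[0].split(",")) if opts else set())
    return ifaces


def check_config(zones, ifaces, policy, rules):
    """Return a list of problems; an empty list means the four files agree with each other."""
    problems = []
    known = set(zones) | {"all"}
    zone_of = lambda field: field.split(":", 1)[0]   # 'good:1.2.3.4' -> 'good'
    if sum(t == "firewall" for t, _ in zones.values()) != 1:
        problems.append("expected exactly one zone of type firewall")
    for z, (ztype, parent) in zones.items():
        if ztype == "bport":
            # A bridge-port zone must hang off the zone that owns the bridge itself
            # and be bound to one of its ports (br0:ethN), not to a plain interface.
            if parent not in zones or "bridge" not in ifaces.get(parent, ("", set()))[1]:
                problems.append("bport zone %s: parent %r is not a bridge interface zone" % (z, parent))
            if ":" not in ifaces.get(z, ("", set()))[0]:
                problems.append("bport zone %s must be bound to a bridge port (br0:ethN)" % z)
        elif ztype != "firewall" and z not in ifaces:
            problems.append("zone %s has no interface" % z)
    for src, dst, *_ in policy:
        problems += ["policy references unknown zone %s" % f for f in (src, dst) if zone_of(f) not in known]
    for _act, src, dst, *_ in rules:
        problems += ["rule references unknown zone %s" % f for f in (src, dst) if zone_of(f) not in known]
    if not any(s == "all" and d == "all" and p in ("DROP", "REJECT") for s, d, p, *_ in policy):
        problems.append("no catch-all 'all all DROP/REJECT' policy: unmatched traffic is not denied")
    return problems


def default_policy(policy, src, dst):
    """First matching policy line wins, as in shorewall's policy file."""
    for s, d, p, *_ in policy:
        if s in (src, "all") and d in (dst, "all"):
            return p
    return None


def exposed_from(rules, policy, src_zone, dst_zone):
    """What src_zone may send to dst_zone as (dest address, proto, port) tuples.
    Rules are evaluated before the policy, so an ACCEPT policy opens everything
    and a DROP policy leaves exactly the explicit ACCEPT rules."""
    if default_policy(policy, src_zone, dst_zone) == "ACCEPT":
        return [("any", "any", "any")]
    allowed = []
    for act, s, d, proto, port, *_ in rules:
        dzone, _, daddr = d.partition(":")
        if act == "ACCEPT" and s == src_zone and dzone == dst_zone:
            allowed.append((daddr or "any", proto, port))
    return allowed


if __name__ == "__main__":
    zones, ifaces, policy, rules = parse_zones(ZONES), parse_interfaces(INTERFACES), rows(POLICY), rows(RULES)
    print("problems:", check_config(zones, ifaces, policy, rules) or "none")
    print("internet -> box2:", exposed_from(rules, policy, "bad", "good"))
    print("box2 -> internet:", exposed_from(rules, policy, "good", "bad"))
```

Run it as-is to see the example pass, then point the strings at your own files: the first thing it catches in practice is a bport zone whose parent interface lost the `bridge` option, which silently turns the port zones into ordinary interface zones.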
On Tue, Apr 17, 2012 at 6:54 PM, Benjamin Hackl b.hackl@focusmr.com wrote:
Thanks for the reply. I will try your solution and post results.