[CentOS] Samba and iptables - woes

Wed Apr 1 19:48:20 UTC 2009
D Tucny <d at tucny.com>

2009/4/1 Rob Kampen <rkampen at kampensonline.com>

> Scott Silva wrote:
>
>> What are you attempting to achieve? Having both nics on the same subnet
>> doesn't make a lot of sense to me.
>>
>>
> Scott
> Good point, I guess I'm suffering from incremental additions over the last
> 4 years and no real look at the overall architecture. I'm not sure what
> would work best.
> I have a T1 to the big bad internet world via a Linksys RV016 router and
> this used to deal with everything. The main server provides DNS, apache,
> ssh, smtp, pop and imap - all needing internet accessibility and then samba
> for file server that is only required locally. Then along came asterisk
> server and a Netgear PoE vlan switch to run the snom VoIP / SIP phones, with
> the * needing internet access but only one NIC. Then along came a 1G
> ethernet switch to improve access speeds to samba, hence the two NICs on the
> same subnet - the 100Mb for the internet facing services (although all these
> services also need to be accessed locally) and the 1Gb NIC for file serving
> to the five windoze clients. Then I wanted to add firewall to the server to
> deal with things like tripping up the port 22 script kiddies and then
> tripped up on the samba...... Confused yet?  I guess some careful thought
> needed to design this appropriately.
> I was considering having the server do IP forwarding, but this may not be
> smart as it already does too much. Thanks for the questions - helps me focus
> on the real issues.
> Rob - p.s. suggestions welcome
>

So, is the gigabit switch connected to the RV016?

I'd guess so, so that your client machines can reach the internet... In
which case, there's no need to connect the server to the router's built-in
switch too... By the sounds of it, you don't need multiple NICs for what you
are trying to do... Perhaps the issue is that you are using the 'DMZ port'
on the router to make the server internet accessible? You can also use the
router's port forwarding functionality to forward each individual service to
the server and not use the DMZ port, then you can simplify your config
leaving your server with a single interface and a single IP address... If
you wanted to get cleverer with the config from there you could potentially
have a go with bonding your NICs and connecting the 100Mb NIC to the router's
switch such that the gigabit NIC would be the primary NIC, but, in the event
the gigabit switch, or the link to it, went down, the 100Mb NIC would become
active and your internet services at least would still be provided...

Alternatively, as you've said, you could get the server doing the
forwarding... as you're only dealing with a T1, it wouldn't be at all
resource intensive and as long as the server isn't struggling with its
existing workload, it'll likely do forwarding fine too... One thing that you
might want to consider though is that if you set the server up to do
routing, that's one more service that would be lost if the machine went down
for some reason... That might not be an issue though, as if it's already the
only DNS server within your network and it provides all externally
accessible services, if it goes down now, you'd lose all services except
for those outbound connections from client machines that are already up or
where the remote address is cached in the local DNS cache... On reasons for
doing that though, being able to get rid of NAT on your internet connected
services could prove handy, especially if you have any remote SIP
connections to/from your asterisk...

d