[CentOS] Not firewall, but what?
John R Pierce
pierce at hogranch.com
Mon May 10 18:15:50 UTC 2010
Jussi Hirvi wrote:
> On 10.5.2010 15.48, Les Mikesell wrote:
>
>> How do you handle the default route on the 'connect to both' guests? Normally
>> you only want one default gateway and it should be the same one where the
>> connections are coming in. Otherwise you have to do some very tricky things to
>> make return packets go back the same path they came in, although asymmetrical
>> routes are supposed to work if you don't have NAT or stateful firewalls in the way.
>>
>
> On that dual-network xen-guest, I don't handle the routing in any
> special way. Now only one nw connection works (because of these routing
> problems), but if they would both work, packets still might leave from
> only one interface (default route). I don't see why this would be a
> problem, though, even if it may not be very elegant.
>
A) it could saturate the outbound on one link while leaving the other empty
B) the ISP on link 1 might not forward outbound packets that are
'from' an IP on a different subnet
NAT'ing two different blocks is semi-ugly, and requires diving into `ip
rule add` and `ip route add`... something like...
[after setting up network 1 the 'normal' way, we add these rules for
network 2...]
NET2=xxx.yyy.zzz.www/26
NET2GWY=xxx.yyy.zzz.wwx
ip rule add from $NET2 table 200
ip route add default via $NET2GWY dev eth1 table 200
ip route flush cache
so... any packet that's 'from' the subnet $NET2 is tagged to use ip
routing table '200' (quite arbitrary), and in turn route table 200
specifies a different default gateway.
I dunno any better way to do this. Also, if you have DMZ hosts you
specifically want to bind to the $NET2, you can add source rules for
their NAT IP to force them to use the 2nd interface.
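The policy-routing recipe above, worked into a reusable script. This is an added example, not code from the original message or from the CentOS project; the addresses (RFC 5737 documentation ranges), the interface name eth1, the table number 200 and the DRY_RUN switch are assumptions for illustration. It goes slightly beyond the post: the rule and route commands are made idempotent (safe to re-run from a boot script), a per-host source rule covers the DMZ case mentioned at the end, and a verification step shows how to confirm which gateway the kernel actually picks for a given source address.

```shell
#!/bin/sh
# Policy routing for a second uplink on a multi-homed Linux host:
# packets sourced from NET2 leave via NET2's own gateway instead of the
# main table's default route. All values below are example assumptions.
# Set DRY_RUN=1 to print the ip(8) commands instead of executing them
# (no root or real interfaces needed).

NET2=${NET2:-198.51.100.64/26}      # second uplink's subnet (assumed)
NET2GWY=${NET2GWY:-198.51.100.65}   # its gateway (assumed)
NET2DEV=${NET2DEV:-eth1}            # interface facing that gateway (assumed)
NET2TABLE=${NET2TABLE:-200}         # arbitrary routing table id, as in the post
DRY_RUN=${DRY_RUN:-0}

run() {
    # Echo the command in dry-run mode, otherwise execute it.
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Tag anything sourced from $NET2 to use table $NET2TABLE, whose only
# entry is a default route out $NET2DEV via $NET2GWY.
setup_net2_routing() {
    # Remove a stale copy of the rule first: `ip rule add` happily stacks
    # duplicate rules, so a re-run would otherwise accumulate them.
    run ip rule del from "$NET2" table "$NET2TABLE" 2>/dev/null || true
    run ip rule add from "$NET2" table "$NET2TABLE"
    # `replace` rather than `add` so re-running does not fail with EEXIST.
    run ip route replace default via "$NET2GWY" dev "$NET2DEV" table "$NET2TABLE"
    run ip route flush cache
}

# Force one specific host address (e.g. a DMZ box's NAT/public IP) out the
# second uplink regardless of what the main table would do. A lower
# priority number wins, so this is evaluated before the subnet rule.
pin_host_to_net2() {
    host=$1
    run ip rule del from "$host" table "$NET2TABLE" 2>/dev/null || true
    run ip rule add from "$host" table "$NET2TABLE" priority 100
}

# Confirm the result. `ip route get DST from SRC` performs the same lookup
# the stack would for an outbound packet with that source, so it shows
# which gateway and device a NET2-sourced packet will really use.
# SRC must be one of this host's own addresses on $NET2.
verify_net2_routing() {
    src=$1
    run ip rule show
    run ip route show table "$NET2TABLE"
    run ip route get 203.0.113.1 from "$src"
    # If inbound traffic on $NET2DEV still disappears, check reverse-path
    # filtering: 1 = strict, 2 = loose, 0 = off.
    run sysctl "net.ipv4.conf.$NET2DEV.rp_filter"
}

# Usage:  DRY_RUN=1 sh net2-routing.sh apply [dmz-host-ip] [my-net2-ip]
# Without arguments the script only defines the functions above.
case "${1:-}" in
    apply)
        setup_net2_routing
        if [ -n "${2:-}" ]; then pin_host_to_net2 "$2"; fi
        if [ -n "${3:-}" ]; then verify_net2_routing "$3"; fi
        ;;
    *) : ;;
esac
```

Run it once with DRY_RUN=1 and read the printed commands before applying them for real; the `ip route get ... from` line is the quickest way to prove that return traffic for the second block is leaving by the second gateway and not by the main default route.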