[CentOS] Not firewall, but what?

Mon May 10 18:15:50 UTC 2010
John R Pierce <pierce at hogranch.com>

Jussi Hirvi wrote:
> On 10.5.2010 15.48, Les Mikesell wrote:
>   
>> How do you handle the default route on the 'connect to both' guests?  Normally
>> you only want one default gateway and it should be the same one where the
>> connections are coming in.  Otherwise you have to do some very tricky things to
>> make return packets go back the same path they came in, although asymmetrical
>> routes are supposed to work if you don't have NAT or stateful firewalls in the way.
>>     
>
> On that dual-network xen-guest, I don't handle the routing in any 
> special way. Now only one nw connection works (because of these routing 
> problems), but if they would both work, packets still might leave from 
> only one interface (default route). I don't see why this would be a 
> problem, though, even if it may not be very elegant.
>   

A) it could saturate the outbound on one link while leaving the other empty

B) the ISP on link 1 might not forward outbound packets that are 
'from' an IP on a different subnet


NAT'ing two different blocks is semi-ugly, and requires diving into `ip 
rule add` and `ip route add`... something like...

[after setting up network 1 the 'normal' way, we add these rules for 
network 2...]

    NET2=xxx.yyy.zzz.www/26      # second subnet (CIDR)
    NET2GWY=xxx.yyy.zzz.wwx      # gateway on that subnet

    ip rule add from $NET2 table 200                       # source selector -> table 200
    ip route add default via $NET2GWY dev eth1 table 200   # table 200's own default gateway
    ip route flush cache

so... any packet that's 'from' the subnet $NET2 is tagged to use ip 
routing table '200' (quite arbitrary), and in turn route table 200 
specifies a different default gateway.


I dunno any better way to do this.   Also, if you have DMZ hosts you 
specifically want to bind to the $NET2, you can add source rules for 
their NAT IP to force them to use the 2nd interface.
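The `ip rule` / `ip route` steps from the post, as an added example that is not code from the thread: a setup function that only adds the rule and route when they are missing (a bare `ip rule add` appends a duplicate on every run), plus checkers over `ip rule show` / `ip route show table N` output. It assumes device eth1, table 200, and the constructed addresses 198.51.100.0/26 via 198.51.100.1 (RFC 5737 documentation space).

```shell
#!/bin/sh
# Added example, not the thread's own code. Assumed: eth1, table 200, and
# constructed RFC 5737 addresses. Set IP=echo to dry-run without root.
IP="${IP:-ip}"

# has_source_rule RULES NET TABLE: succeeds if RULES (output of `ip rule show`)
# already contains a "from NET lookup TABLE" selector.
has_source_rule() {
    printf '%s\n' "$1" | awk -v net="$2" -v tbl="$3" \
        '$2 == "from" && $3 == net && $4 == "lookup" && $5 == tbl { found = 1 }
         END { exit !found }'
}

# has_default_route ROUTES GW DEV: succeeds if ROUTES (output of
# `ip route show table N`) already has "default via GW dev DEV".
has_default_route() {
    printf '%s\n' "$1" | awk -v gw="$2" -v dev="$3" \
        '$1 == "default" && $2 == "via" && $3 == gw && $4 == "dev" && $5 == dev { found = 1 }
         END { exit !found }'
}

# apply_policy_routing NET GW DEV TABLE: add the source rule and the
# per-table default route only when missing, then flush the route cache
# (a harmless no-op on kernels that no longer keep one).
apply_policy_routing() {
    net=$1 gw=$2 dev=$3 tbl=$4
    if ! has_source_rule "$($IP rule show)" "$net" "$tbl"; then
        $IP rule add from "$net" table "$tbl"
    fi
    if ! has_default_route "$($IP route show table "$tbl")" "$gw" "$dev"; then
        $IP route add default via "$gw" dev "$dev" table "$tbl"
    fi
    $IP route flush cache
}

# Constructed sample of `ip rule show` after one successful run, for checking.
SAMPLE_RULES='0:      from all lookup local
32765:  from 198.51.100.0/26 lookup 200
32766:  from all lookup main
32767:  from all lookup default'
```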