The two internet connections are maintained by two Netgear DG834G routers, which, considering they're aimed at the home market, are brilliant little boxes and excellent value for money. I've never had to reboot one (because it crashed or whatever); they just keep going. Netgear even issued firmware which allows the creation of up to five IPsec VPNs, and all for just shy of £60! How good is that?
The router is always addressed .2, so on the admin network it's 192.168.2.2, on the repro network it's 192.168.1.2, and so on. For internet access the routers are 192.168.4.1 (connection A) and 192.168.5.1 (connection B).
So on the router I installed Fedora Core 5. Now I know there are better Linux distros out there for doing work like routing, but I'm still learning Linux and like the comfort factor of having a pretty GUI I can fall back on should I get annoyed using vi all the time! Also, it comes with most of the stuff needed pre-installed. Anything that isn't can normally be installed with
yum -y install <application name>
which (IMHO) makes things infinitely easier.
In order to get Openswan working with KLIPS I had to recompile the kernel, but I won't cover that here. It's more part of setting up Openswan, which is (or will be) covered in another article.
So broadly, how does it all work? Well, basically, using a combination of iptables (not only to act as the firewall, but also to mark certain packets), multiple routing tables, and ip routing rules, we can achieve a wide variety of "effects". For this configuration, the following occurs when an outbound request is made:
- the request is received by the router
- iptables either lets it through or doesn't; if it does, it checks to see what type of traffic it is
- if the traffic type is something we want going out via internet connection B, we tag (mark) it
- the ip rules are processed, which include a rule saying that any tagged traffic should use routing table B
- routing table B sends the packet out through internet connection B
Keep in mind that we must still conform to the "one default gateway" rule: any traffic that needs to be routed over the other internet connection needs to be explicitly tagged to do so. Or, put another way, unless it's specified otherwise, the traffic will always use the default connection. With this in mind, we set up the router to have a default gateway (in my case I set it to internet connection A).
So, let's get started. Set up the router with a default gateway of INTERNET CONNECTION A, and the relevant DNS servers. I'd try getting a web page up (you see, that GUI does come in useful) or wget-ing a page to verify you have a connection.
Next, we need to configure iptables to act as a simple router. For that I set up a simple sh script:
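The tag-and-route steps listed above, as an added example that is not part of the original article: a small sh script that prints (or, with "apply", runs) the iptables and ip commands which mark one class of traffic and send it out via connection B while the main table keeps its single default gateway via connection A. The interface name, the box's own address on connection B's subnet, the routing table number and the mark value are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): the ip/iptables commands that
# implement the tag-and-route steps for one class of traffic.
# Interface, own address, table number and mark value are assumptions.
INTERNETIFB="eth1"                 # internet connection b
GWB="192.168.5.1"                  # Netgear on connection b (from the addressing above)
IPB="192.168.5.2"                  # assumed address of this box on connection b's subnet
INTERNALRANGES="192.168.1.0/24 192.168.2.0/24"   # repro and admin networks
TABLEB="200"                       # assumed routing table number for connection b
MARKB="0x2"                        # assumed fwmark meaning "leave via connection b"

# Print (rather than run) the commands for routing traffic that matches the
# iptables match expression in $1 (e.g. "-p tcp --dport 443") via connection b.
policy_route_b() {
    match="$1"
    # 1. Tag the chosen outbound traffic from each internal range as it arrives.
    for net in $INTERNALRANGES; do
        echo "iptables -t mangle -A PREROUTING -s $net $match -j MARK --set-mark $MARKB"
    done
    # 2. Tagged packets consult routing table b instead of the main table.
    echo "ip rule add fwmark $MARKB lookup $TABLEB"
    # 3. Table b needs only a default route via connection b; the main table
    #    keeps its one default gateway via connection a.
    echo "ip route add default via $GWB dev $INTERNETIFB table $TABLEB"
    # 4. Anything sourced from our connection-b address (replies to inbound
    #    connections on b) must also leave via b, or it would go out via a.
    echo "ip rule add from $IPB lookup $TABLEB"
    # 5. Traffic leaving via b needs its own masquerade, like the one for a.
    echo "iptables -t nat -A POSTROUTING -o $INTERNETIFB -j MASQUERADE"
    echo "ip route flush cache"
}

# Print the commands by default; run them only when invoked as "./script apply".
if [ "${1:-}" = "apply" ]; then
    policy_route_b "-p tcp --dport 443" | sh
else
    policy_route_b "-p tcp --dport 443"
fi
```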
#!/bin/sh
IPTABLES="/sbin/iptables"
INTERNETIFA="eth2" # internet connection a
INTERNETIFB="eth1" # internet connection b
ADMINIF="eth3" # internal (admin) network
REPROIF="eth0" # internal (repro) network
ADMINRANGE="192.168.2.0/24" # admin subnet (assumed from the addressing above; the variable is used below)
# the box must have forwarding switched on before it will route between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# start from a clean slate
$IPTABLES --flush
$IPTABLES --table nat --flush
$IPTABLES --delete-chain
$IPTABLES --table nat --delete-chain
# masquerade everything leaving via connection a, except traffic for the admin range
$IPTABLES --table nat --append POSTROUTING --out-interface $INTERNETIFA -d ! $ADMINRANGE -j MASQUERADE
$IPTABLES -A INPUT -i lo -p all -j ACCEPT
$IPTABLES -A OUTPUT -o lo -p all -j ACCEPT
# accept replies to connections that are already established, per interface
$IPTABLES -A INPUT -i $INTERNETIFA -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $INTERNETIFB -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $ADMINIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $REPROIF -m state --state ESTABLISHED,RELATED -j ACCEPT
Obviously if you're just dealing with one internal subnet range, you don't need the last line. Also, if you copy this script, make sure you change the values of the ADMINIF and/or REPROIF variables accordingly.
I'd suggest putting that into a file called router.sh (don't forget you need to chmod 755 router.sh, and run it by typing ./router.sh). If we keep the various aspects of the routing separate, we can tweak bits of it without interfering with what's working already. In the end I combined all of the commands needed into one script, which we can look at later.
Comments
As I am new to Linux and want to set up just what you explained here (w/o load balancing tho), it comes in handy!
I was wondering if the 3rd line from the bottom up is correct (-i $ INTERNETIFA). Shouldn't it be -i $INTERNETIFB?
I know I'm new, but since your script helped me, I just wanna help out too :)
Mihai,
Welcome to lunarhotel.co.uk. You are quite right! I've made the change. Well done for spotting it. And well done for having a go at Linux.
The script in its current state doesn't actually support load balancing, however. It was something I was looking at doing, but sadly with the world-wide recession in full swing, my IT department has had to make cutbacks (like only one internet connection!).
If you have any more thoughts / ideas for the script, please let me know.