How do I use Linux as a multihomed router/firewall?
Posted on 2005-05-08
I have a situation where I have two independent ADSL connections from the same supplier. Each connection has a different IP address, and there is a block of IP addresses that is routed over both connections. For example assume:
22.214.171.124 is the 1st ADSL connection with a gateway of 126.96.36.199
188.8.131.52 is the 2nd ADSL connection with a gateway of 184.108.40.206
220.127.116.11 mask 255.255.255.240 is a routed block
10.1.1.0 mask 255.255.255.0 is used for the internal network.
I want to achieve:
1) traffic from the Internet to the 18.104.22.168 address block will be received over either ADSL connection and routed on (firewalled).
2) traffic from the 22.214.171.124 address block to the Internet will be routed out over either of the two ADSL lines, ideally load balanced.
3) traffic from any of the 10.1.1.0 addresses to the Internet will be passed to the Internet using NAT (and the replies sent to the correct place, obviously) over either of the two ADSL lines, ideally load balanced.
4) everything will continue to work if one of the ADSL lines fails
If load balancing isn't easy/possible/practical my next preference would be to use one connection (primarily) for the 10 network & the other for the 81 network. The 81 network does not have to actually exist - it would be done using NAT mappings if that's easier.
What I had in mind was something like:
eth0 connected to the first ADSL line
eth1 connected to the second ADSL line
eth2 connected to the internal network, which will use this as a gateway.
eth3 connected to the 126.96.36.199 network, which will use this as a gateway
or eth2 multi-homed to the 188.8.131.52 network, which will use this as a gateway.
or NAT translation for inbound services from the 184.108.40.206 block to the 10.1.1.1 block
Will this work? I know I'll have to set up iptables to provide the firewall & NAT (though I don't know how to do that yet), but what else will I need to do? If there are two default routes to the Internet (from within the machine) – i.e.
0.0.0.0 mask 0.0.0.0 interface eth0 gateway 220.127.116.11
0.0.0.0 mask 0.0.0.0 interface eth1 gateway 18.104.22.168
will this cause a problem?
I plan to use CentOS 4 (AKA RHEL 4).
Are there any other things to watch out for?
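As an added example (not part of the original post, and not an answer anyone gave on this page), here is one way to set up the layout the question describes with the tools CentOS 4 ships: iproute2 for policy routing and iptables for the firewall and NAT. The addresses are assumed placeholders from the RFC 5737 documentation ranges (192.0.2.10 and 198.51.100.10 for the two lines, 203.0.113.0/28 for the routed block, 10.1.1.0/24 for the LAN), the interface layout is the eth0..eth3 plan from the post, and the single public web server in the routed block is an assumption added to show an inbound rule. The point it demonstrates is the answer to the "two default routes" question: rather than two conflicting default routes in the main table, each uplink gets its own routing table selected by source address, and outbound traffic uses one multipath default route.

```bash
#!/bin/bash
# Added example, not from the original post: one way to configure a Linux box
# (iproute2 + iptables, both present on CentOS 4) as a two-uplink router.
# All addresses are assumed placeholders from the RFC 5737 documentation ranges.
set -eu

WAN1_IF=eth0; WAN1_IP=192.0.2.10;    WAN1_GW=192.0.2.1       # assumed: 1st ADSL line
WAN2_IF=eth1; WAN2_IP=198.51.100.10; WAN2_GW=198.51.100.1    # assumed: 2nd ADSL line
LAN_IF=eth2;  LAN_NET=10.1.1.0/24                             # internal network, NATed
DMZ_IF=eth3;  DMZ_NET=203.0.113.0/28                          # assumed: the routed block
WEB_SRV=203.0.113.5                                           # assumed: a public server in it

# DRY_RUN=1 prints each command instead of running it, so the plan can be
# reviewed (and tested) without root or the real interfaces.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Two plain default routes in the main table would not do what the question
# wants: the kernel would simply use the first one. Instead each uplink gets
# its own table, selected by source address, so a reply to something that
# arrived on line 1 leaves on line 1, and likewise for line 2. Outbound traffic
# from the LAN and the routed block uses a single multipath default route.
policy_routing() {
    run sysctl -w net.ipv4.ip_forward=1
    run ip route replace default via "$WAN1_GW" dev "$WAN1_IF" table 1
    run ip route replace default via "$WAN2_GW" dev "$WAN2_IF" table 2
    # 'ip rule add' is not idempotent; remove any earlier copy first.
    run ip rule del from "$WAN1_IP" table 1 2>/dev/null || true
    run ip rule del from "$WAN2_IP" table 2 2>/dev/null || true
    run ip rule add from "$WAN1_IP" table 1 priority 100
    run ip rule add from "$WAN2_IP" table 2 priority 101
    run ip route replace default scope global \
        nexthop via "$WAN1_GW" dev "$WAN1_IF" weight 1 \
        nexthop via "$WAN2_GW" dev "$WAN2_IF" weight 1
    # Packets for the routed block may arrive on one line and be answered on
    # the other; strict reverse-path filtering would silently drop them.
    for i in "$WAN1_IF" "$WAN2_IF"; do
        run sysctl -w "net.ipv4.conf.$i.rp_filter=0"
    done
}

# Stateful firewall plus NAT. The LAN is SNATed to the address of whichever
# uplink the packet actually leaves on, so the return traffic comes back on
# the right line and is matched by the source-address rules above.
firewall_nat() {
    run iptables -F; run iptables -t nat -F
    run iptables -P INPUT DROP; run iptables -P FORWARD DROP; run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN_IF" -p tcp --dport 22 -j ACCEPT          # admin from LAN only
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT            # LAN -> anywhere
    run iptables -A FORWARD -i "$DMZ_IF" -s "$DMZ_NET" -j ACCEPT            # routed block -> anywhere
    run iptables -A FORWARD -d "$WEB_SRV" -p tcp --dport 80 -j ACCEPT       # inbound, either line
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN1_IF" -j SNAT --to-source "$WAN1_IP"
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN2_IF" -j SNAT --to-source "$WAN2_IP"
}

case "${1:-}" in
    apply) policy_routing; firewall_nat ;;            # as root, on the router
    show)  DRY_RUN=1; policy_routing; firewall_nat ;; # print the plan only
esac
```

Run it with `show` first to read the generated commands, then `apply` as root on the router. Three caveats a practitioner would want before relying on this for the "keep working if a line fails" requirement: the multipath route balances per destination (the kernel of that era caches the chosen nexthop per destination), so "load balanced" is coarse rather than per packet; the kernel only stops using a nexthop when its interface goes down, so a line whose modem is up but whose upstream is dead needs an external check (for example a cron job that pings through each line and rewrites the default route with `ip route replace`); and whether inbound traffic to the routed block survives a line failure is decided by the ISP's routing, not by anything on this box.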