[Firehol-support] 4 NIC 2 NAT with firehol

Carlos Rodrigues carlos.efr at mail.telepac.pt
Sat Jan 26 16:51:04 CET 2008


On Jan 26, 2008 11:39 AM, Redeeman <redeeman at metanurb.dk> wrote:
> i can manage to setup routing for this(i think, but any pointers are
> welcomed), but will firehol pick this up and work if i use snat or
> masquerade?

For the NAT part, you only have to specify that all traffic going out
from each outside interface gets that interface's address:

snat to "${world1_nat_address}" outface "${world1_iface}"
snat to "${world2_nat_address}" outface "${world2_iface}"

Then you allow traffic to flow between the two pairs of interfaces by
specifying router blocks for them ("lan1 to world1" and "lan2 to
world2" and back). Not specifying "router" blocks from "lan1 to
world2" or "lan2 to world1" means there is no risk of traffic
accidentally going out from the wrong interface.

Now, to create the two routing domains I guess there's two ways to do
it (haven't tested any of them):

1) using netfilter to alter the routing decision made by the kernel:
in FireHOL you specify some "iptables" commands that match if the
traffic comes from lanX and isn't meant for the firewall itself.
These rules should use the POSTROUTING/mangle table and the ROUTE
target to target the traffic at worldX's default gateway.

2) You use the "ip route" command to set up source/policy based
routing. I don't know if Linux supports multiple routing domains (two
completely independent routing tables, each with its own default
gateway and physical interfaces), but if it does it should be simple
and elegant.

-- 
Carlos Rodrigues
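
As an added example (not code from the original thread or from the FireHOL project), here is option 2 above written out with iproute2 policy routing, together with the matching FireHOL fragment (the two snat lines and the two router blocks). Linux does support this: each "ip rule" sends traffic from one LAN (and from that side's outside address) to its own routing table, and each table holds only that side's default gateway, so lan1 traffic can never be routed out of world2. All interface names, addresses, table numbers and the services allowed on the LAN interfaces are assumptions. DRY_RUN=1 (the default) prints the ip commands instead of running them, so the plan can be inspected without root.

```shell
#!/bin/sh
# Two independent routing domains: lan1 <-> world1 and lan2 <-> world2.
# Added example; interface names, addresses and table numbers are assumptions.
LAN1_IFACE=eth0;   LAN1_NET=192.168.1.0/24
WORLD1_IFACE=eth1; WORLD1_ADDR=198.51.100.10; WORLD1_GW=198.51.100.1; WORLD1_TABLE=101
LAN2_IFACE=eth2;   LAN2_NET=192.168.2.0/24
WORLD2_IFACE=eth3; WORLD2_ADDR=203.0.113.10;  WORLD2_GW=203.0.113.1;  WORLD2_TABLE=102

# DRY_RUN=1 prints the commands; DRY_RUN=0 executes them (needs root).
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# routing_domain LAN_NET WORLD_IFACE WORLD_ADDR WORLD_GW TABLE
# Packets sourced from LAN_NET, and packets the firewall itself sends from
# WORLD_ADDR, are looked up in TABLE, whose only default route is that
# world's gateway. Replies coming back in are de-NATed in PREROUTING and
# then use the main table's connected route to reach the LAN.
routing_domain() {
    lan_net=$1; world_iface=$2; world_addr=$3; world_gw=$4; table=$5
    run ip route replace default via "$world_gw" dev "$world_iface" table "$table"
    run ip rule add from "$lan_net"    lookup "$table" priority "$table"
    run ip rule add from "$world_addr" lookup "$table" priority "$table"
}

setup_policy_routing() {
    routing_domain "$LAN1_NET" "$WORLD1_IFACE" "$WORLD1_ADDR" "$WORLD1_GW" "$WORLD1_TABLE"
    routing_domain "$LAN2_NET" "$WORLD2_IFACE" "$WORLD2_ADDR" "$WORLD2_GW" "$WORLD2_TABLE"
    run ip route flush cache
}

# The FireHOL side of the same setup, using the same variables: SNAT to each
# outside address, and router blocks only for the two allowed pairs.
firehol_config() {
    cat <<EOF
version 5

# NAT: everything leaving an outside interface gets that interface's address
snat to "$WORLD1_ADDR" outface "$WORLD1_IFACE"
snat to "$WORLD2_ADDR" outface "$WORLD2_IFACE"

# Services the firewall offers to each LAN (assumed: ssh and dns)
interface "$LAN1_IFACE" lan1 src "$LAN1_NET"
    policy reject
    server "ssh dns" accept
    client all accept

interface "$LAN2_IFACE" lan2 src "$LAN2_NET"
    policy reject
    server "ssh dns" accept
    client all accept

interface "$WORLD1_IFACE" world1
    policy drop
    client all accept

interface "$WORLD2_IFACE" world2
    policy drop
    client all accept

# Only these two pairs may exchange traffic; with no router block for
# lan1<->world2 or lan2<->world1 such traffic is never forwarded.
router lan1_to_world1 inface "$LAN1_IFACE" outface "$WORLD1_IFACE"
    route all accept

router lan2_to_world2 inface "$LAN2_IFACE" outface "$WORLD2_IFACE"
    route all accept
EOF
}

# Print the routing plan and the config; run with DRY_RUN=0 to apply the routes.
setup_policy_routing
firehol_config
```

The "ip rule add" lines are appended every time they run, so on a production box delete the old rules first (or put this in the distribution's per-interface up script) to avoid duplicates; the routes themselves use "replace" and are idempotent.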
