Hello. I don't understand routing as well anymore as I used to several years ago. My goal is to configure everything through YaST, so that the settings are preserved after rebooting.

Two physical NICs. Both static IP, default gw, 2 nameservers.

eth0: connection to database, ssh, internal network
eth1: accepting connection from internet, http server, this is connected to the DMZ

How do I do this with YaST? You can only specify one default gateway. If I add two defaults, it doesn't add them to the routing table. I guess this is not good practice. Does this mean I have to use eth0's IP as default gateway and play around with routing? Like here? Do I have to use masquerading, IP forwarding?

Hey hcvv. Thanks for the help. I have absolutely no clue about the whole infrastructure. No bird's eye view.

I was given the task of configuring a static IP on eth0 and eth1. The eth0 one is finished; this is the internal network, something like 129.181.x.x. It has two nameservers, a subnet mask, a default gateway and a proxy server configured. Through this internal network I can access a webapp on 129.181.x.x:8080/ ... and configure the machine. Now I have to add the configuration of eth1, which should give access to this webapp from the internet. That's the only purpose of eth1: taking the requests from the internet on 62.x.x.x:8080. It also comes with nameservers and a default gateway, and I don't really know how to blend this configuration into YaST. So basically what I want is to have all traffic that comes to eth1 blocked, except the webapp, and to use eth0 as it is already working now, without eth1 being active.

Isn't this what I need: Configuring Multiple Default Routes in Linux « Darien Kindlund’s Blog
But this will not use YaST anymore.

I do not think you should have two default gateways. That would be in defiance of the word default.

It is not a network that has a default gateway. A network can have many gateways. It is a system (not a NIC) that can have routes to these gateways. And one of these gateways (of all the networks directly connected to all the NICs of that system) can be defined as the default gateway of that system. All traffic not directed by any of the other routes will be directed to the default router. It is like a handpost. When none of the arms seem to fulfill your needs, you end up following the handpost "exit".

I hate expressions like "something like". This is about computers and everything should be EXACT and PRECISE. When you are not the network manager, you must get the precise information from the network manager(s).

You have two NICs, both connected to a different network. As far as I can detect from your story:

eth0
network: 129.181.0.0/16 (a B class network, not a private one)
address: not provided by you
gateway(s): there seems to be one (this is NOT the default gateway of that network, it is just a gateway, there may be more, that leads to somewhere outside this network, but you do not tell where to) and again no address given by you.

eth1
network: 62.0.0.0/8 (are you sure that you have this class A non private network in your LAN?)
address: not provided by you
gateway(s): you mention one gateway (again no address) that seems to lead to the Internet (ISP).

I would be very happy if you give real life addresses, so we can talk about real things instead of long vague sentences like: "the address of the network connected to eth6 where I have a DNS server... blablabla". I hope you understand that I try to help you, but that I need exact information. That would lead to something like:

Internet (ISP) ?.?.?.? <=> router/gateway <=> 68.0.0.0/8 <=> eth1-system-eth0 <=> 128.181.0.0.16 <=> some-gateway <=> ?.?.?.?

There are a lot of ? still. I also have doubts about those two address ranges. As they are not private address ranges, they seem to be real Internet addresses.
Are you really connected directly to the Internet with both NICs, without ISP?
__________________
Henk van Velden

I browsed through the article. It uses iproute2 and even changes the kernel. That is definitely not done using YaST. Also the openSUSE kernel might already have this compiled in. I do not know.
You can use iproute2 for a search on these forums. I remember a thread about it not long ago. In any case, you should try to learn some basics about networking, else you will make mistakes that could be avoided, and you will also understand better the meaning of the language you speak to others on this subject. The article e.g. states in the first paragraph that there can only be one default gateway on a system.
__________________
Henk van Velden

Hello again,
Today I found out a little bit more about the other network components. Someone came up with another approach. We will only use the interface towards the DMZ, and then we will configure on the Cisco firewall how access to the machine happens from the internal/external network. So the Linux setup will remain with one interface. This will simplify it to some routing rules. I think I can handle it from here.

Quote:
Code:
zgrep -E 'ADVANCED_ROUTER|IP_FIB_HASH' /proc/config.gz
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_ASK_IP_FIB_HASH=y
CONFIG_IP_FIB_HASH=y
__________________
“Never attribute to malice that which can be adequately explained by stupidity.” (R.J. Hanlon)

I guess that when there are three =y there, this means it is compiled in.
But the OP refrains from using it. Again a lot of time for a lot of people to attain nothing. Edit: Do not worry, I also learned from it.
__________________
Henk van Velden
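
The thread refers to the iproute2 approach and to the kernel options it needs without showing either. The following is an added example, not code from any poster or from the linked article: it prints the commands for source-based policy routing on the two-NIC host described above and checks a kernel config file for the required options. Every address is a constructed placeholder from the documentation ranges, and table id 100 and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: prints (does not run) iproute2
# commands for source-based policy routing on a dual-homed host.
# eth0/eth1 follow the thread; all addresses are constructed placeholders
# from the RFC 5737 documentation ranges; table id 100 is an assumption.

# is_ipv4 STRING: succeed only for a dotted quad with octets 0-255.
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# uplink_cmds IFACE ADDR NET_CIDR GATEWAY TABLE_ID
# Emits a private routing table for one uplink plus the rule that selects
# it for packets sourced from ADDR, so replies leave via the NIC they came in on.
uplink_cmds() {
    iface=$1 addr=$2 net=$3 gw=$4 table=$5
    is_ipv4 "$addr" && is_ipv4 "$gw" && is_ipv4 "${net%/*}" || return 1
    # 0 is unspec; 253-255 are the built-in default, main and local tables.
    case $table in ''|*[!0-9]*) return 1 ;; esac
    [ "$table" -ge 1 ] && [ "$table" -le 252 ] || return 1
    echo "ip route add $net dev $iface src $addr table $table"
    echo "ip route add default via $gw dev $iface table $table"
    echo "ip rule add from $addr/32 lookup $table"
}

# policy_routing_plan: the one system-wide default route stays in the main
# table (via eth0); eth1 gets its own table with its own default.
policy_routing_plan() {
    echo "ip route replace default via 192.0.2.1 dev eth0"
    uplink_cmds eth1 198.51.100.10 198.51.100.0/24 198.51.100.1 100
}

# kernel_has_policy_routing CONFIG_FILE (plain or gzip, e.g. /proc/config.gz)
# "ip rule" needs CONFIG_IP_MULTIPLE_TABLES on top of the advanced router
# option that the zgrep in the thread looks for.
kernel_has_policy_routing() {
    for opt in CONFIG_IP_ADVANCED_ROUTER CONFIG_IP_MULTIPLE_TABLES; do
        gzip -cdfq -- "$1" | grep -q "^$opt=y" || return 1
    done
}

policy_routing_plan   # print the plan; review it, then run the lines as root
```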