Multi-homing Linux

I’m running multi-homed while I exercise FiOS and make sure everything works. It took a few tricks to get everything working. My Linux box actually has three Ethernet NICs:

  • eth0, the onboard 100M NIC, for FiOS
  • eth1, a 10M NIC, for RCN
  • eth2, a 1G NIC, for the internal LAN

The first thing to do is adjust your firewall. I run iptables, with very few dependencies on the external IP address. I did have to add some rules to the FORWARD and INPUT chains for the FiOS NIC, but only for network 192.168.0.0/16, because of the D-Link firewalling. Things will get more interesting if/when the D-Link comes out of the network, because I’ve seen VZ allocate IP addresses from both net 70 and net 71. I’ll probably change things around so the network-specific rules get updated dynamically as the IP address changes.

The next thing you have to do is set up per-interface route tables. If you don’t, only one external IP will actually work, because a packet may be received on NIC A but have its reply routed out NIC B. This especially doesn’t work in a NATted environment! A good reference to get you started is an article in Linux Journal.
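The per-interface tables described above, as an added example that is not code from the original post: a small sh script that builds one routing table and one policy rule per uplink, so a reply to a packet that arrived on eth0 leaves via eth0 and one that arrived on eth1 leaves via eth1. The interface names follow the post; the addresses, gateways and table ids (100, 200) are constructed placeholders from the RFC 5737 TEST-NET ranges, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): give each uplink its own routing
# table so replies go back out the NIC the request came in on. Addresses,
# gateways and table ids below are constructed placeholders.
set -eu

# Print, one per line, the ip(8) commands that give one uplink its own table:
#   1. the on-link network, with the uplink address as preferred source
#   2. a default route via that uplink's gateway, in the same table
#   3. a policy rule: packets sourced *from* the uplink address use that table
# Arguments: iface addr network/prefix gateway table-id. Nothing is executed,
# so the plan can be reviewed (or tested) before it touches the kernel.
policy_route_cmds() {
    iface=$1 addr=$2 net=$3 gw=$4 table=$5
    printf 'ip route replace %s dev %s src %s table %s\n' "$net" "$iface" "$addr" "$table"
    printf 'ip route replace default via %s dev %s table %s\n' "$gw" "$iface" "$table"
    # delete first so re-running the script does not stack duplicate rules
    printf 'ip rule del from %s lookup %s 2>/dev/null || true\n' "$addr" "$table"
    printf 'ip rule add from %s lookup %s\n' "$addr" "$table"
}

# Run the generated commands, or only echo them when DRY_RUN=1.
apply_policy_routing() {
    policy_route_cmds "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else sh -c "$cmd"; fi
    done
}

# Show what the kernel will do for traffic sourced from one uplink address:
# the matching rule, the table contents, and a route lookup towards a
# constructed remote host (198.51.100.1) constrained to that source.
show_uplink_route() {  # args: addr table-id
    ip rule show | grep "from $1 " || true
    ip route show table "$2"
    ip route get 198.51.100.1 from "$1"
}

if [ "${1:-}" = apply ]; then
    # FiOS on eth0 -> table 100, RCN on eth1 -> table 200 (constructed addresses).
    # The main table keeps the single default route used for locally
    # generated traffic; eth2 (the LAN) needs no table of its own.
    apply_policy_routing eth0 192.0.2.10   192.0.2.0/24   192.0.2.1   100
    apply_policy_routing eth1 203.0.113.20 203.0.113.0/24 203.0.113.1 200
    # With strict reverse-path filtering (rp_filter=1) the non-default uplink
    # can still drop packets; loose mode (rp_filter=2) is the usual companion.
    show_uplink_route 192.0.2.10 100
    show_uplink_route 203.0.113.20 200
fi
```

Run it as `DRY_RUN=1 sh policy-routes.sh apply` first to read the plan, then without DRY_RUN as root; `ip route get <remote> from <uplink addr>` is the check that tells you the reply path really follows the source address rather than the main table's default route.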

The third thing is to make sure that your various services don’t rely on specific IP addresses. DNS (BIND) and Apache configuration are good places for this dependency to sneak in. I’ve been around this block before, so I didn’t have those problems. I did get bitten by my CUPS configuration, because it “knew” that eth1 was the LAN interface: when the LAN moved to eth2, cupsd was broadcasting its notifications on the wrong network.

Email is another challenge. I’m running my outbound email server (postfix) bound to the RCN IP address for the time being. (The dynamic Verizon IP addresses are running into SPAM filters around the network.) I have worked out how to feed email from my domain into Verizon’s servers. You need to a) turn on SMTP AUTH, and b) pass your Verizon username & password in the SMTP AUTH transaction. In postfix this looks like:

  1. /etc/postfix/main.cf

    # client-side SASL towards the relay; the empty security_options value
    # lifts the default "noplaintext" restriction so PLAIN/LOGIN can be used
    smtp_sasl_auth_enable = yes
    smtp_sasl_security_options =
    smtp_sasl_password_maps = hash:/etc/postfix/saslpass

  2. /etc/postfix/saslpass

    # remote user:password
    outgoing.verizon.net user@verizon.net:password

  3. create /etc/postfix/saslpass.db with:

    % sudo postmap /etc/postfix/saslpass

  4. Last thing: I noted above that my outgoing email is all coming off the RCN IP address. This broke the connection to amavis, the Virus/Spam scanner. Previously amavis was set up to only accept connections from the loopback (127.0.0.1) IP address, now it needs to accept the RCN IP address as well:

    in /etc/amavisd.conf

    @inet_acl = qw(207.172.210.134 127.0.0.1 [::1]);
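Because steps 1 through 4 above leave a clear-text relay password on disk and open amavis to a second address, here is an added preflight check, not code from the original post, that verifies the pieces before postfix is restarted: main.cf enables client SASL, the password map has an entry for the relay host and is readable by its owner only, the hashed map exists, and the amavis ACL lists the address postfix now connects from. The file paths default to the ones in the post; the function names are mine, and the check assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added example, not from the original post: preflight checks for the
# Postfix -> Verizon relay and amavis ACL changes described above.

# 0 when FILE exists and only its owner can read it (mode 600 or 400);
# the map holds the relay password in clear text. Assumes GNU stat.
saslpass_private() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1
    case $mode in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# 0 when main.cf enables client-side SASL and points at a hash: password map.
main_cf_has_sasl() {
    f=$1
    grep -Eq '^[[:space:]]*smtp_sasl_auth_enable[[:space:]]*=[[:space:]]*yes' "$f" &&
    grep -Eq '^[[:space:]]*smtp_sasl_password_maps[[:space:]]*=[[:space:]]*hash:' "$f"
}

# 0 when the password map has a "host user:password" line for HOST.
saslpass_has_entry() {
    f=$1
    host_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # literal dots
    grep -Eq "^[[:space:]]*${host_re}[[:space:]]+[^[:space:]]+:[^[:space:]]+" "$f"
}

# 0 when amavisd.conf's @inet_acl line contains ADDR, so amavis accepts SMTP
# from the address postfix now sends from (the RCN-side one in the post).
amavis_acl_allows() {
    f=$1 addr=$2
    grep -E '^[[:space:]]*@inet_acl[[:space:]]*=' "$f" | grep -Fq "$addr"
}

# Run every check; returns the number of failures (0 = safe to restart).
# Arguments: main.cf saslpass relayhost amavisd.conf relay-source-address
preflight() {
    main_cf=$1 saslpass=$2 relayhost=$3 amavis_cf=$4 relay_src=$5
    fails=0
    main_cf_has_sasl "$main_cf"   || { echo "$main_cf: client SASL not enabled"; fails=$((fails+1)); }
    saslpass_private "$saslpass"  || { echo "$saslpass: must be mode 600"; fails=$((fails+1)); }
    saslpass_has_entry "$saslpass" "$relayhost" \
                                  || { echo "$saslpass: no entry for $relayhost"; fails=$((fails+1)); }
    [ -f "$saslpass.db" ]         || { echo "$saslpass.db missing: run postmap"; fails=$((fails+1)); }
    saslpass_private "$saslpass.db" 2>/dev/null \
                                  || { echo "$saslpass.db: must be mode 600"; fails=$((fails+1)); }
    amavis_acl_allows "$amavis_cf" "$relay_src" \
                                  || { echo "$amavis_cf: $relay_src not in @inet_acl"; fails=$((fails+1)); }
    return $fails
}

# Usage: sh preflight.sh run <address postfix sends from>
if [ "${1:-}" = run ]; then
    preflight /etc/postfix/main.cf /etc/postfix/saslpass outgoing.verizon.net \
              /etc/amavisd.conf "${2:?relay source address}"
fi
```

If the permission check fails, `chmod 600 /etc/postfix/saslpass /etc/postfix/saslpass.db` before running `postmap` again; the script deliberately checks the `.db` file too, since that copy is the one postfix actually reads.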
