Greetings experts,
I've configured a nice little Linux firewall machine here. It's got eth1 for the internal network (10.0.0.*), and eth2 for the external network (65.130.27.69/27). eth0 is not currently being used. (I'm using fake IP addresses, by the way. I don't know who has these.)
I've got all the iptables stuff done and set properly with DNAT; it all works just fine, and I've updated /etc/sysconfig/iptables. All good.
Here's where it gets fun. We've got a bunch of IPs here, and another server wants to receive port 80 traffic, but on a different IP. I added the rule to iptables, then added the secondary IP to eth2 like so:
# ip addr add 65.130.27.70/27 dev eth2 broadcast 65.130.27.79
And that works:
# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ether 08:00:09:dc:f4:c1 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:c9:03:ac:9b brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.0/8 brd 10.255.255.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:c9:73:7f:97 brd ff:ff:ff:ff:ff:ff
    inet 65.130.27.69/28 brd 65.130.27.79 scope global eth2
    inet 65.130.27.70/28 brd 65.130.27.79 scope global secondary eth2
Now device eth2 listens to two IP addresses, .69 and .70. All good, works just fine. The firewall routes traffic as it should, the internal server receives traffic as it should.
Then, one day, for unknown reasons, the firewall machine was rebooted. It had been a few years since I originally set it up, so I had completely forgotten about this secondary IP address. Later, people started complaining that such-and-such service wasn't working. It wasn't working because the firewall machine came back up without the secondary IP address, the .70 one above. So I, once again, manually added it with the above magic command.
Here's the question: How do I set this machine to automatically add the secondary IP address upon boot-up?
Some solutions I've already come up with:
I've already added this magic command to /etc/rc.d/rc.local:
# ip addr add 65.130.27.70/27 dev eth2 broadcast 65.130.27.79
and I'm pretty sure that it'll work if (or when) it's ever rebooted again. However, I ran across these docs:
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-networkscripts-interfaces.html
By following the example near the bottom with a clone interface, I could make another file, /etc/sysconfig/network-scripts/ifcfg-eth2-secondary, and put one line in it:
IPADDR=65.130.27.70
Would this replace the existing IP address on this device, or add another one? Is this method recommended over the one above?
Why don't I try these myself? Until I get another firewall machine set up to play with, I'm not going to mess around with the production machine.
Best Answer
Normally what you would do is create an alias, so you would have one IP bound to eth2 and one bound to eth2:1.
You would configure your startup scripts as such:
/etc/sysconfig/network-scripts/ifcfg-eth2
DEVICE=eth2
IPADDR=65.130.27.69
ONBOOT=yes
BOOTPROTO=static
BROADCAST= ... etc, etc.
/etc/sysconfig/network-scripts/ifcfg-eth2:1
DEVICE=eth2:1
IPADDR=65.130.27.70
ONBOOT=yes
BOOTPROTO=static
BROADCAST= ... etc, etc.
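As an added example (not part of the question or the answer), a small POSIX sh check a defender can run after a reboot: it reads an alias file in the layout the answer describes, confirms it is marked to come up at boot, and verifies the address is actually bound by parsing `ip addr` output. All sample data below is constructed and the helper names are hypothetical.

```shell
# Added example (not from the question or answer): post-boot check that the
# alias declared in an ifcfg-eth2:1 style file is persistent and actually bound.
# All sample data below is constructed; helper names are hypothetical.

# Constructed ifcfg content, following the alias layout in the answer.
SAMPLE_IFCFG="DEVICE=eth2:1
IPADDR=65.130.27.70
ONBOOT=yes
BOOTPROTO=static"

# Constructed 'ip addr' output for the failure mode in the question:
# after the reboot only the primary .69 address is present on eth2.
SAMPLE_IP_ADDR_AFTER_REBOOT="4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:c9:73:7f:97 brd ff:ff:ff:ff:ff:ff
    inet 65.130.27.69/28 brd 65.130.27.79 scope global eth2"

# ifcfg_value CONTENT KEY: print the value assigned to KEY (last assignment wins)
ifcfg_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | tail -n 1
}

# ifcfg_is_persistent CONTENT: succeed if the file will bring the alias up at boot
ifcfg_is_persistent() {
    [ "$(ifcfg_value "$1" ONBOOT)" = "yes" ] &&
    [ "$(ifcfg_value "$1" BOOTPROTO)" = "static" ] &&
    [ -n "$(ifcfg_value "$1" IPADDR)" ]
}

# addr_is_bound IP_ADDR_OUTPUT DEV IP: succeed if "inet IP/..." is listed under DEV.
# An alias such as eth2:1 is shown under its parent interface eth2.
addr_is_bound() {
    parent=${2%%:*}
    printf '%s\n' "$1" | awk -v dev="$parent" -v ip="$3" '
        /^[0-9]+: / { cur = $2; sub(/:$/, "", cur) }
        cur == dev && $1 == "inet" && index($2, ip "/") == 1 { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# check_alias IFCFG_CONTENT IP_ADDR_OUTPUT: report on one alias, succeed only if bound
check_alias() {
    dev=$(ifcfg_value "$1" DEVICE)
    addr=$(ifcfg_value "$1" IPADDR)
    ifcfg_is_persistent "$1" ||
        echo "WARN: $dev is missing ONBOOT=yes/BOOTPROTO=static and will not survive a reboot"
    if addr_is_bound "$2" "$dev" "$addr"; then
        echo "OK: $addr is bound on $dev"
        return 0
    fi
    echo "MISSING: $addr is not bound on $dev"
    return 1
}
```

On a real host, call it as `check_alias "$(cat /etc/sysconfig/network-scripts/ifcfg-eth2:1)" "$(ip addr)"`; a non-zero exit is the condition the question describes (configured alias absent after boot).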