SNAT/MASQUERADE with two uplink connections
From: Marek Zachara (marek-no_at_sp-am-telperion.pl)
Date: 12/27/04
- Next message: Moe Trin: "Re: trace routing question"
- Previous message: Robert: "Re: iptables -L"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Mon, 27 Dec 2004 21:01:40 +0100
Hi all,
I've been messing around with different configs to get it working, but to no
avail.
I have a linux box (let's call it RTR) with 3 interfaces:
eth0 (192.168.x.x) is the internal LAN
eth1 and eth2 are connected each to a dsl modem
I want to direct all traffic to specified ports (21,22,25,80, etc.) through
the eth1 interface, while feeding the rest of the traffic through the link
at eth2.
From the machine itself, I can use any of the interfaces to make a
connection e.g:
ssh -b 1.1.1.2 somehost
and
ssh -b 2.2.2.2 somehost
both work; on the remote host I can see the traffic goes through the
specific interface.
Unfortunately, that does not work for machines in the local LAN connected to
eth0 masqueraded by the RTR. Actually all the traffic that leaves by the
interface with the default gateway configured works ok, but the packets that
are routed to the other interface, when they return, are not de-masqueraded(?)
properly.
In other words:
assume eth1 has IPs: 1.1.1.0/29 with 1.1.1.1 being the DSL modem address
and 1.1.1.2 being ip assigned to eth1
assume eth2 has IPs: 2.2.2.0/29 with 2.2.2.1 being its DSL modem address
and 2.2.2.2 being ip assigned to eth1
assume 1.1.1.1 (eth1) is configured as default gateway
packet that goes from 192.168.10.1 to the 5.0.0.0 gets source address
translated at RTR to 1.1.1.2 and when a reply arrives at RTR eth1
interface, its destination is changed to 192.168.10.1 - so everything works
fine.
Now, if I direct a packet (by using the mark target in an iptables chain and ip
rules) to send all traffic to port 2222 by eth2, suddenly the de-masquing
only half-works (which means it doesn't):
packet that goes from 192.168.10.1 to the 5.0.0.0 gets source address
translated at RTR to 2.2.2.2 (which is ok) a reply arrives at RTR eth2 with
the destination 2.2.2.2 - but then it's somewhere lost in the kernel. I have
iptables logging the fate of this reply packet, and it is logged at table
mangle/PREROUTING (obvious) but then it does not arrive at the
filter/FORWARD, filter/INPUT or even nat/PREROUTING chains.
Here is a part of the setup:
cerber:~/net/config_scripts# ip rule show
0: from all lookup local
4: from all to 192.168.0.0/16 lookup main
198: from all fwmark 0x100 lookup secondaryDSL
241: from 80.55.122.232/29 lookup primaryDSL
242: from 83.17.113.216/29 lookup secondaryDSL
32766: from all lookup main
32767: from all lookup default
cerber:~/net/config_scripts# ip route show table primaryDSL
1.1.1.0/29 dev eth1 proto kernel scope link src 1.1.1.2
default via 1.1.1.1 dev eth1
cerber:~/net/config_scripts# ip route show table secondaryDSL
2.2.2.0/29 dev eth2 proto kernel scope link src 2.2.2.2
default via 2.2.2.1 dev eth2
cerber:~/net/config_scripts# ip route show table main
1.1.1.0/29 dev eth1 proto kernel scope link src 1.1.1.2
2.2.2.0/29 dev eth2 proto kernel scope link src 2.2.2.2
192.168.0.0/16 dev eth0 proto kernel scope link src 192.168.192.1
default via 1.1.1.1 dev eth1 proto static src 1.1.1.2
kernel 2.4.28 with a few P-O-M addons and routing patches of Julian
Anastasov (rtmasq-2.4.20-2.diff and routes-2.4.27-9.diff)
Any help would be greatly appreciated :-)
Marek
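The setup above combines fwmark-based policy routing with SNAT, and the order in which the kernel walks the `ip rule` list decides both where a marked LAN packet leaves and how the reply is handled. The following is an added example (not part of the original post) that parses `ip rule show` / `ip route show` listings in the format shown and simulates the rule walk: longest-prefix match inside the selected table, falling through to the next rule when a table has no matching route. The rule list is the one from the post, with the real prefixes in rules 241/242 replaced by the 1.1.1.0/29 and 2.2.2.0/29 placeholders the post itself uses; the `local` table is constructed, since it was not posted. It also models the strict reverse-path check the kernel performs when `net.ipv4.conf.<if>.rp_filter` is enabled on an interface (a route lookup for the packet's *source* address, ignoring the fwmark, compared against the ingress interface), because that check is interface-dependent and is one thing worth verifying whenever replies arrive on the non-default uplink.

```python
"""Simulate Linux policy routing from ip-rule / ip-route listings (added example)."""
import ipaddress

# Constructed from the listings in the post (rules 241/242 use the post's
# 1.1.1.0/29 and 2.2.2.0/29 placeholders); the 'local' table is constructed.
IP_RULE_SHOW = """\
0: from all lookup local
4: from all to 192.168.0.0/16 lookup main
198: from all fwmark 0x100 lookup secondaryDSL
241: from 1.1.1.0/29 lookup primaryDSL
242: from 2.2.2.0/29 lookup secondaryDSL
32766: from all lookup main
32767: from all lookup default
"""
IP_ROUTE_TABLES = {
    "local": """\
local 1.1.1.2 dev eth1 proto kernel scope host src 1.1.1.2
local 2.2.2.2 dev eth2 proto kernel scope host src 2.2.2.2
local 192.168.192.1 dev eth0 proto kernel scope host src 192.168.192.1
""",
    "primaryDSL": """\
1.1.1.0/29 dev eth1 proto kernel scope link src 1.1.1.2
default via 1.1.1.1 dev eth1
""",
    "secondaryDSL": """\
2.2.2.0/29 dev eth2 proto kernel scope link src 2.2.2.2
default via 2.2.2.1 dev eth2
""",
    "main": """\
1.1.1.0/29 dev eth1 proto kernel scope link src 1.1.1.2
2.2.2.0/29 dev eth2 proto kernel scope link src 2.2.2.2
192.168.0.0/16 dev eth0 proto kernel scope link src 192.168.192.1
default via 1.1.1.1 dev eth1 proto static src 1.1.1.2
""",
    "default": "",
}


def parse_rules(text):
    """Parse 'prio: from X [to Y] [fwmark M] lookup T' lines, sorted by priority."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        prio, rest = line.split(":", 1)
        rule = {"prio": int(prio), "src": None, "dst": None, "fwmark": None, "table": None}
        toks = rest.split()
        for key, val in zip(toks[0::2], toks[1::2]):
            if key == "from":
                rule["src"] = None if val == "all" else ipaddress.ip_network(val, strict=False)
            elif key == "to":
                rule["dst"] = ipaddress.ip_network(val, strict=False)
            elif key == "fwmark":
                rule["fwmark"] = int(val, 0)   # accepts 0x100 or decimal
            elif key == "lookup":
                rule["table"] = val
        rules.append(rule)
    return sorted(rules, key=lambda r: r["prio"])


def parse_routes(text):
    """Parse 'prefix|default [via GW] dev IF ...' lines; 'local' entries are flagged."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        is_local = toks[0] == "local"
        if is_local:
            toks = toks[1:]
        prefix = "0.0.0.0/0" if toks[0] == "default" else toks[0]
        route = {"prefix": ipaddress.ip_network(prefix, strict=False), "via": None,
                 "dev": None, "local": is_local}
        for key, val in zip(toks[1::2], toks[2::2]):
            if key in ("via", "dev"):
                route[key] = val
        routes.append(route)
    return routes


def lookup_table(routes, dst):
    """Longest-prefix match within one table; None when the table has no route."""
    best = None
    for r in routes:
        if dst in r["prefix"] and (best is None or r["prefix"].prefixlen > best["prefix"].prefixlen):
            best = r
    return best


def route_packet(rules, tables, src, dst, fwmark=0):
    """Walk the rules in priority order; the first table with a matching route wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule["src"] is not None and src not in rule["src"]:
            continue
        if rule["dst"] is not None and dst not in rule["dst"]:
            continue
        if rule["fwmark"] is not None and fwmark != rule["fwmark"]:
            continue
        hit = lookup_table(tables.get(rule["table"], []), dst)
        if hit is not None:
            return {"rule": rule["prio"], "table": rule["table"], "dev": hit["dev"],
                    "via": hit["via"], "local": hit["local"]}
    return None


def strict_reverse_path_ok(rules, tables, src, in_dev):
    """Strict rp_filter semantics: the route back to src must leave via in_dev (no fwmark)."""
    back = route_packet(rules, tables, "0.0.0.0", src, fwmark=0)
    return back is not None and back["dev"] == in_dev


if __name__ == "__main__":
    rules = parse_rules(IP_RULE_SHOW)
    tables = {name: parse_routes(txt) for name, txt in IP_ROUTE_TABLES.items()}
    for src, dst, mark in [("192.168.10.1", "5.0.0.1", 0x100), ("192.168.10.1", "5.0.0.1", 0),
                           ("5.0.0.1", "2.2.2.2", 0), ("5.0.0.1", "192.168.10.1", 0)]:
        print(f"{src} -> {dst} mark={mark:#x}: {route_packet(rules, tables, src, dst, mark)}")
    for dev in ("eth1", "eth2"):
        print(f"reply from 5.0.0.1 arriving on {dev} passes strict reverse-path check:",
              strict_reverse_path_ok(rules, tables, "5.0.0.1", dev))
```

Running it shows the marked LAN packet selecting `secondaryDSL` (eth2 via 2.2.2.1) at rule 198, the unmarked one falling through to `main` (eth1), the raw reply to 2.2.2.2 being claimed by the `local` table at rule 0, and the de-SNATed reply to 192.168.10.1 going out eth0 via rule 4. The last two lines show that a reply from 5.0.0.1 arriving on eth2 fails a strict reverse-path check under this rule set (the route back to 5.0.0.1 is eth1), while the same reply on eth1 passes; the simulator only models the rule walk, so it says nothing about which kernel hook actually dropped the post's packet.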