From: Sandro Dentella <sandro@e-den.it>
To: lartc@vger.kernel.org
Subject: [LARTC] 2 DSL link, DNAT & SNAT
Date: Thu, 30 Sep 2004 09:54:36 +0000 [thread overview]
Message-ID: <20040930095436.GA29221@bluff> (raw)
Sorry for the long description of the problem. I'd like to know if I
misunderstand something or if I meet an intrinsic limit of my setup.
217.58.51.162 HDSL eth1 - SRV_XP: 192.168.254.10
eth0: 192.168.254.1 -----+------------------+-------
81.121.243.250 ADSL eth3 -
I want to allow incoming PPTP requests (port 1723) to be forwarded to
srv_xp (.10), coming from both ADSL & HDSL. From HDSL everything works
(note the rule with prio 38); ADSL does not. From ADSL I can reach SRV_XP only
if I eliminate rule 38, but at that moment I cannot enter from HDSL...
My setup:
+ ip tables hdsl & adsl for the 2 DSL lines:
0: from all lookup local
30: from all fwmark 3 lookup hdsl
38: from 192.168.254.10 lookup hdsl <<= NOTE this
40: from 217.58.51.160/27 lookup hdsl
41: from 81.121.243.248/30 lookup adsl
52: from all iif eth0 lookup adsl
53: from all iif eth2 lookup adsl
32766: from all lookup main
32767: from all lookup default
+ hdsl table has default gw to HDSL line
+ adsl table has default gw to ADSL line
+ DNAT & SNAT occurring from both dsl lines
Chain PREROUTING
DNAT tcp 0.0.0.0/0 81.121.243.250 tcp dpt:1723 to:192.168.254.10
DNAT tcp 0.0.0.0/0 217.58.51.162 tcp dpt:1723 to:192.168.254.10
Chain POSTROUTING
SNAT all -- * eth1 0.0.0.0/0 0.0.0.0/0 to:217.58.51.162
SNAT all -- * eth3 0.0.0.0/0 0.0.0.0/0 to:81.121.243.250
SNAT tcp -- * eth0 0.0.0.0/0 192.168.254.10 tcp dpt:1723 to:192.168.254.1
[Mangling occurs only on ports 3085, 5405, 5421, so that rule 30 (fwmark) does nothing here.]
I guess the problem is the routing table of the packet coming back from
SRV_XP: the ACK packet takes a routing table different from the first
incoming packet.
I added SNAT thinking it would avoid asymmetric routing (in via ADSL, out
via HDSL), but I'm not sure it works this way. What happens to an ACK
packet? Does the kernel use the routing table it arrived with, or
recompute it after it realizes it is RELATED to a connection already open?
Is this a question for this list or for netfilter list? ;-)
Thanks for any hint for a clean solution.
sandro
*:-)
--
Sandro Dentella *:-)
e-mail: sandro@e-den.it
http://www.tksql.org TkSQL Home page - My GPL work
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
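As an added illustration (not part of the post or of any reply), here is a small Python model of how the rule list quoted above is walked for the reply packet leaving SRV_XP. Routing is decided per packet, so the reply is matched against the rules afresh; the client address, the mark value 4 and the priority 29 are assumptions, and the mark restored from conntrack is one standard way of keeping a reply on the link its connection arrived on.

```python
# Added example, not the kernel's code: a minimal model of `ip rule` evaluation.
# Semantics modelled: rules are tried in ascending priority, the first rule whose
# selector matches AND whose table actually has a route for the destination wins.
import ipaddress

# Rule list copied from the post: (prio, selector, table).
RULES = [
    (0, {}, "local"),
    (30, {"fwmark": 3}, "hdsl"),
    (38, {"src": "192.168.254.10/32"}, "hdsl"),
    (40, {"src": "217.58.51.160/27"}, "hdsl"),
    (41, {"src": "81.121.243.248/30"}, "adsl"),
    (52, {"iif": "eth0"}, "adsl"),
    (53, {"iif": "eth2"}, "adsl"),
    (32766, {}, "main"),
    (32767, {}, "default"),
]

# Tables that hold a default gateway for Internet destinations (from the post:
# hdsl -> HDSL line on eth1, adsl -> ADSL line on eth3). Constructed assumption:
# local/main/default have no route for the client address used below.
TABLES_WITH_DEFAULT = {"hdsl": "eth1", "adsl": "eth3"}

def matches(sel, pkt):
    """Does the rule selector (src / fwmark / iif) match this packet?"""
    if "src" in sel and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(sel["src"]):
        return False
    if "fwmark" in sel and pkt.get("fwmark") != sel["fwmark"]:
        return False
    if "iif" in sel and pkt.get("iif") != sel["iif"]:
        return False
    return True

def lookup(pkt, rules=RULES):
    """Return (prio, table, out_if) of the first rule that matches and routes."""
    for prio, sel, table in sorted(rules, key=lambda r: r[0]):
        if matches(sel, pkt) and table in TABLES_WITH_DEFAULT:
            return prio, table, TABLES_WITH_DEFAULT[table]
    return None

# Constructed reply from SRV_XP to a PPTP client whose SYN came in over ADSL.
REPLY = {"src": "192.168.254.10", "dst": "198.51.100.7", "iif": "eth0"}

def reply_path_as_posted():
    return lookup(REPLY)  # rule 38 matches first -> hdsl, never reaching iif eth0 -> adsl

def reply_path_with_restored_mark(mark=4, prio=29):
    """Assumption: mark 4 was saved in conntrack when the SYN arrived on eth3 and
    restored onto the reply; a rule below prio 38 sends that mark to table adsl."""
    return lookup(dict(REPLY, fwmark=mark), RULES + [(prio, {"fwmark": mark}, "adsl")])
```

Removing rule 38 from RULES in the model sends the reply via rule 52 to adsl, which matches the behaviour described in the post when that rule is eliminated.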