2 ISPs again

2 ISPs again

[Andreas Grabner]

Hi,
i try to get the following work for days now and realy need some hints.
My situaution:
I have 2 independent links to the internet. I would like to get
connections from the internet to an internal host work, regardless to
which of my external IP.
I tried it by marking packets coming in EXTIF1 and set up a own routing
table for marked packets. But it seems the routing does not work bacause
teh packets disappear between PREROUTING and FORWARD.
Please help!

Some config lines:
# ip rule ls
0:      from all lookup local
32765:  from all fwmark        1 lookup post.out
32766:  from all lookup main
32767:  from all lookup default

# ip ro sh tab post.out
192.168.100.0/24 dev eth0  scope link  src 192.168.100.3
default via EXTIP2 dev eth2

# iptables -L -nv -t mangle
1624  113K MARK       all  --  eth2   *       0.0.0.0/0           
0.0.0.0/0           MARK set 0x1
Thanks for any Tips, Documentation links ...

Andreas Grabner

2 ISPs again

[Andreas Grabner]

Hi,
i try to get the following work for days now and realy need some hints.
My situaution:
I have 2 independent links to the internet. I would like to get
connections from the internet to an internal host work, regardless to
which of my external IP.
I tried it by marking packets coming in EXTIF1 and set up a own routing
table for marked packets. But it seems the routing does not work bacause
teh packets disappear between PREROUTING and FORWARD.
Please help!

Some config lines:
# ip rule ls
0:      from all lookup local
32765:  from all fwmark        1 lookup post.out
32766:  from all lookup main
32767:  from all lookup default

# ip ro sh tab post.out
192.168.100.0/24 dev eth0  scope link  src 192.168.100.3
default via EXTIP2 dev eth2

# iptables -L -nv -t mangle
1624  113K MARK       all  --  eth2   *       0.0.0.0/0
0.0.0.0/0           MARK set 0x1
Thanks for any Tips, Documentation links ...

Andreas Grabner

RE: 2 ISPs again

[Daniel Chemko]

Andreas Grabner wrote:
> Hi,
> i try to get the following work for days now and realy need some
> hints. My situaution:
> I have 2 independent links to the internet. I would like to get
> connections from the internet to an internal host work, regardless to
> which of my external IP.
> I tried it by marking packets coming in EXTIF1 and set up a own
> routing table for marked packets. But it seems the routing does not
> work bacause teh packets disappear between PREROUTING and FORWARD.
> Please help!

If your own IP's on the firewall aren't bound to the network, you'll
have to disable rp_filtering. echo "0" >
/proc/sys/net/ipv4/eth_whatever/rp_filter

You'll also want to make sure outgoing packets are getting natted
correctly (if you're natting). Routing the reply usually requires
connmark to work properly.

RE: 2 ISPs again

[Andreas Grabner]

Thanks a lot for your reply!!!

> If your own IP's on the firewall aren't bound to the network, you'll
What does                                 ^^^^^^^^^^^^^^^^^^^^^ this mean?
> have to disable rp_filtering. echo "0" >
> /proc/sys/net/ipv4/eth_whatever/rp_filter
no i will try


> You'll also want to make sure outgoing packets are getting natted
> correctly (if you're natting).
Yes i am natting


Andreas grabner

Re: 2 ISPs again

[Jason Opperisano]

On Fri, 2004-12-10 at 14:03, Andreas Grabner wrote:
> Hi,
> i try to get the following work for days now and realy need some hints.
> My situaution:
> I have 2 independent links to the internet. I would like to get
> connections from the internet to an internal host work, regardless to
> which of my external IP.
> I tried it by marking packets coming in EXTIF1 and set up a own routing
> table for marked packets. But it seems the routing does not work bacause
> teh packets disappear between PREROUTING and FORWARD.
> Please help!
> 
> Some config lines:
> # ip rule ls
> 0:      from all lookup local
> 32765:  from all fwmark        1 lookup post.out
> 32766:  from all lookup main
> 32767:  from all lookup default
> 
> # ip ro sh tab post.out
> 192.168.100.0/24 dev eth0  scope link  src 192.168.100.3
> default via EXTIP2 dev eth2
> 
> # iptables -L -nv -t mangle
> 1624  113K MARK       all  --  eth2   *       0.0.0.0/0
> 0.0.0.0/0           MARK set 0x1
> Thanks for any Tips, Documentation links ...
> 
> Andreas Grabner

the trick is to make sure that replies to requests that come in from
ISP1 go back out ISP1.  dchemko@ seems to be the "connmark master" when
it comes to this stuff--have a look at:

  http://marc.theaimsgroup.com/?l=netfilter&m=108094979204392&w=2

for a very thorough example.

-j 

--
"My cat's breath smells like cat food."
	--The Simpsons

RE: 2 ISPs again

[Daniel Chemko]

Andreas Grabner wrote:
> Thanks a lot for your reply!!!
> 
>> If your own IP's on the firewall aren't bound to the network, you'll
> What does                                 ^^^^^^^^^^^^^^^^^^^^^ this
> mean? 

Think about in the terms of promisc vs. non-promisc modes in tcpdump.

If the kernel doesn't know what IP addresses to properly receive data
on, the kernel will either let everything in or silently throw them
away. RP_filter is the mechanism used to protect routing integrity.
Since there is no IP, or an incorrect IP associated with the incoming
packet, it gets tossed. If you turn off the rp_filter, you're saying
that you want to receive all data incoming to the interface even if it
shouldn't be there.

EG: 

INET - eth1 - FW - eth0 -INTERNAL (192.168.1.0/24)

If you receive an inbound connection request from the internet from the
source address 192.168.1.2, the rp_filter will drop the packet flat.
There may be issues with having your two internet interfaces. Maybe
they're expecting traffic on one another.  

Question:

1. Are either inbound connections working, or do they both die? 
2. Do you see your DNAT counter increment when the packet comes in?
3. Can you confirm that the destination in the DNAT is correct from the
firewall? Make sure that the route on the firewall can properly get to
the target machine.

Re: 2 ISPs again

[Andreas Grabner]

Hi

On Fri, Dec 10, 2004 at 02:20:08PM -0500, Jason Opperisano wrote:
> the trick is to make sure that replies to requests that come in from
> ISP1 go back out ISP1.  dchemko@ seems to be the "connmark master"
> when
> it comes to this stuff--have a look at:
>
>   http://marc.theaimsgroup.com/?l=netfilter&m=108094979204392&w=2

At 23:12 i got it to work with this excelent answer. And it's work for
houres now.

Thanks a lot to Daniel and Jason.

One more thing would be interesting for me:
I have turned of rp_filter is this realy needed? I have not seen (with
wine-red Eyes) any packest comming in the "wrong" interface.

best regards
Andreas Grabner

Re: 2 ISPs again

[Jason Opperisano]

On Sat, 2004-12-11 at 08:06, Andreas Grabner wrote:
> Hi
> 
> On Fri, Dec 10, 2004 at 02:20:08PM -0500, Jason Opperisano wrote:
> > the trick is to make sure that replies to requests that come in from
> > ISP1 go back out ISP1.  dchemko@ seems to be the "connmark master"
> > when
> > it comes to this stuff--have a look at:
> >
> >   http://marc.theaimsgroup.com/?l=netfilter&m=108094979204392&w=2
> 
> At 23:12 i got it to work with this excelent answer. And it's work for
> houres now.
> 
> Thanks a lot to Daniel and Jason.
> 
> One more thing would be interesting for me:
> I have turned of rp_filter is this realy needed? I have not seen (with
> wine-red Eyes) any packest comming in the "wrong" interface.

you should be OK turning rp_filter back on.  to be safe--also turn on
"log_martians" so that you'll have some indication that rp_filter is
dropping packets in your system log.

-j

--
"Beer. Now there's a temporary solution."
	--The Simpsons