From: Jason Opperisano <opie@817west.com>
To: netfilter@lists.netfilter.org
Subject: Re: Routing and DNAT redux
Date: Fri, 10 Jun 2005 13:55:54 -0400
Message-ID: <20050610175554.GA6127@bender.817west.com>
In-Reply-To: <200506091000.21220.jsimmons@goblin.punk.net>
On Thu, Jun 09, 2005 at 10:00:21AM -0700, Jeff Simmons wrote:
> The actual challenge is to have two external interfaces, IF_1 and IF_2, each
> with their own address and both DNATed to an internal server. Packets coming
> into IF_1 should have their replies routed out IF_1 while packets coming in
> on IF_2 should have their replies routed out IF_2.
>
> The ONLY place this information (which interface a particular packet stream
> came in on) is available is in the NAT state table. Pre NAT, all routing has
> to go on is the source server destination remote. Post NAT routing now sees
> source IF_ (1 or 2) destination remote, and the packet can now be properly
> routed out the correct interface.
>
> Which is why it's important whether NAT takes place pre or post routing on the
> reply packets from a DNATed destination.
the way i attack this problem (ensuring a DNAT-ed connection gets routed
back out the same link it came in on) is with CONNMARK:
# mangle: restore the conntrack mark onto every packet, mark still-unmarked
# (new) connections by the interface/public IP they arrived on, then save
# the mark back to the connection so reply packets inherit it
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i $EXT_IF_A -d $PUB_IP_A \
    -m mark --mark 0 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i $EXT_IF_B -d $PUB_IP_B \
    -m mark --mark 0 -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark

# nat: both public addresses DNAT to the same internal server
iptables -t nat -A PREROUTING -i $EXT_IF_A -d $PUB_IP_A \
    -j DNAT --to-destination $PRIV_SRV
iptables -t nat -A PREROUTING -i $EXT_IF_B -d $PUB_IP_B \
    -j DNAT --to-destination $PRIV_SRV

# policy routing: one table per ISP (the names ISPA/ISPB must be
# registered in /etc/iproute2/rt_tables), selected by the firewall mark
ip route add default via $ISP_A_GW dev $EXT_IF_A table ISPA
ip route add default via $ISP_B_GW dev $EXT_IF_B table ISPB
ip rule add fwmark 1 table ISPA
ip rule add fwmark 2 table ISPB
this isn't 100% step-by-step, but should give you the foundation.
i have posted truly step-by-step examples of this in the past--search
the archives.
hope this gets you on the right track.
-j
--
"Lois: I'm sorry that Stewie ruined your books. Here, I brought
you some of Peter's.
Brian: "Mr. T" by Mr. T. "T and Me" by George Poppard. "For The Last
Time, I'm Not Mr. T" by Ving Rhames."
--Family Guy
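The message above gives the foundation but is, as its author says, not step-by-step. The script below is an added example (not the poster's own script and not from the list archives) that turns those rules into a complete, dry-run-by-default procedure: it registers the named routing tables, installs the CONNMARK/MARK rules, the DNAT rules and the fwmark policy rules, relaxes reverse-path filtering so the second link is not dropped by the main-table check, and finishes with a check that asks the kernel which interface a marked reply would leave through. Interface names, addresses (RFC 5737 test networks), table IDs 100/200 and the rt_tables path are constructed placeholders.

```shell
#!/bin/sh
# Added example: CONNMARK + policy routing for a server DNATed behind two
# uplinks.  All names, addresses and table IDs are constructed placeholders.
EXT_IF_A=eth1;  PUB_IP_A=203.0.113.10;  ISP_A_GW=203.0.113.1
EXT_IF_B=eth2;  PUB_IP_B=198.51.100.10; ISP_B_GW=198.51.100.1
PRIV_SRV=192.168.1.10
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them (root)

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Register a named routing table so "table ISPA" resolves (the original
# rules assume this was already done).  Args: NAME ID.
ensure_rt_table() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'append "%s %s" to %s\n' "$2" "$1" "$RT_TABLES"
    elif ! grep -q "[[:space:]]$1\$" "$RT_TABLES"; then
        printf '%s %s\n' "$2" "$1" >> "$RT_TABLES"
    fi
}

# Run once; re-running appends duplicate iptables rules and ip rules.
setup_dnat_policy_routing() {
    ensure_rt_table ISPA 100
    ensure_rt_table ISPB 200

    # 1. mangle: restore the connection mark onto every packet; only packets
    #    still unmarked (the first packet of a new connection to a public IP)
    #    get marked; the mark is then saved to conntrack.  Replies from
    #    $PRIV_SRV pick the same mark up via --restore-mark, which is what
    #    steers them back out the link the connection came in on.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i "$EXT_IF_A" -d "$PUB_IP_A" \
        -m mark --mark 0 -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i "$EXT_IF_B" -d "$PUB_IP_B" \
        -m mark --mark 0 -j MARK --set-mark 2
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark

    # 2. nat: both public addresses map to the same internal server.
    run iptables -t nat -A PREROUTING -i "$EXT_IF_A" -d "$PUB_IP_A" \
        -j DNAT --to-destination "$PRIV_SRV"
    run iptables -t nat -A PREROUTING -i "$EXT_IF_B" -d "$PUB_IP_B" \
        -j DNAT --to-destination "$PRIV_SRV"

    # 3. policy routing: one table per ISP, selected by the firewall mark.
    run ip route add default via "$ISP_A_GW" dev "$EXT_IF_A" table ISPA
    run ip route add default via "$ISP_B_GW" dev "$EXT_IF_B" table ISPB
    run ip rule add fwmark 1 table ISPA
    run ip rule add fwmark 2 table ISPB
    run ip route flush cache

    # 4. Strict rp_filter validates the source against the main table (the
    #    mark is not consulted by default), so packets for $PUB_IP_B arriving
    #    on $EXT_IF_B would be dropped when the main default route points at
    #    ISP A.  Loose mode (2, kernels 2.6.31+) keeps the check without that.
    run sysctl -w "net.ipv4.conf.$EXT_IF_A.rp_filter=2"
    run sysctl -w "net.ipv4.conf.$EXT_IF_B.rp_filter=2"
}

# Check: which interface would a reply carrying each mark leave through?
# Arg: a remote address (constructed default from RFC 5737).
verify_routing() {
    remote=${1:-192.0.2.1}
    run ip route get "$remote" mark 1     # expect "dev $EXT_IF_A"
    run ip route get "$remote" mark 2     # expect "dev $EXT_IF_B"
    run conntrack -L --mark 1             # live connections steered via ISP A
}

setup_dnat_policy_routing
verify_routing
```

Review the printed commands first, then run with `DRY_RUN=0` as root to apply them. The two `ip route get ... mark N` lines are the practitioner's check: if either reports the wrong `dev`, the fwmark rule or the per-ISP table is not what you expect, and replies for that link will follow the main table instead.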
Thread overview:
2005-06-09 0:54 Routing and DNAT redux Jeff Simmons
2005-06-09 16:22 ` Matin Tamizi
2005-06-09 17:00 ` Jeff Simmons
2005-06-10 17:55 ` Jason Opperisano [this message]
2005-06-10 18:05 ` Jeff Simmons