* [LARTC] multipath route inbound port forward
@ 2004-03-10 10:15 Ming-Ching Tiew
  2004-03-10 15:34 ` Raphael Benedet
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Ming-Ching Tiew @ 2004-03-10 10:15 UTC (permalink / raw)
  To: lartc


I have two external IPs ( OUTSIDE_IP and OUTSIDE_IP2 ) and
I have already set them up using multipath routing and the outbound
NAT traffic seems to be working fine; there is a certain amount
of traffic split between the two external links.

But when checking the inbound port forwarding, only the port forwarding
on the first link is working; the inbound to the second is not working.

These are the port forwarding rules I make :-

For the first link :-

iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 80 -j DNAT --to ${SERVER}:80
iptables -A FORWARD -p tcp -d ${SERVER} --dport 801  -o ${INSIDE_DEVICE} -j ACCEPT

For the second link, it is identical :-

iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP2} --dport 80 -j DNAT --to ${SERVER}:80
iptables -A FORWARD -p tcp -d ${SERVER} --dport 801  -o ${INSIDE_DEVICE} -j ACCEPT

The second 'iptables -A FORWARD ...... ' is a repeat but it is done anyway
( which I believe should be no harm ).

A check on 'iptables -n -L' and 'iptables -t nat -n -L' revealed that
the settings did indeed exist.

Anything which I missed out which causes the inbound port forward to work
only on the first link but not on the second link ?





_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] multipath route inbound port forward
  2004-03-10 10:15 [LARTC] multipath route inbound port forward Ming-Ching Tiew
@ 2004-03-10 15:34 ` Raphael Benedet
  2004-03-11  1:54 ` Ming-Ching Tiew
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Raphael Benedet @ 2004-03-10 15:34 UTC (permalink / raw)
  To: lartc

Hi,

I had the same problem some time ago, I couldn't have DNAT working on my
second interface. Could you please post all your routing tables?
And also, what are your connections? Both PPP? PPPoE? ...

Best Regards,

Raphael Benedet
3D Artists - raph.com
"bringing art into the third dimension"

Ming-Ching Tiew wrote:
> I have two external IPs ( OUTSIDE_IP and OUTSIDE_IP2 ) and
> I have already set them up using multipath routing and the outbound
> NAT traffic seems to be working fine; there is a certain amount
> of traffic split between the two external links.
> 
> But when checking the inbound port forwarding, only the port forwarding
> on the first link is working; the inbound to the second is not working.
> 
> These are the port forwarding rules I make :-
> 
> For the first link :-
> 
> iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 80 -j DNAT --to ${SERVER}:80
> iptables -A FORWARD -p tcp -d ${SERVER} --dport 801  -o ${INSIDE_DEVICE} -j ACCEPT
> 
> For the second link, it is identical :-
> 
> iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP2} --dport 80 -j DNAT --to ${SERVER}:80
> iptables -A FORWARD -p tcp -d ${SERVER} --dport 801  -o ${INSIDE_DEVICE} -j ACCEPT
> 
> The second 'iptables -A FORWARD ...... ' is a repeat but it is done anyway
> ( which I believe should be no harm ).
> 
> A check on 'iptables -n -L' and 'iptables -t nat -n -L' revealed that
> the settings did indeed exist.
> 
> Anything which I missed out which causes the inbound port forward to work
> only on the first link but not on the second link ?
> 



* Re: [LARTC] multipath route inbound port forward
  2004-03-10 10:15 [LARTC] multipath route inbound port forward Ming-Ching Tiew
  2004-03-10 15:34 ` Raphael Benedet
@ 2004-03-11  1:54 ` Ming-Ching Tiew
  2004-03-12  1:34 ` Ming-Ching Tiew
  2004-03-12  1:52 ` Daniel Chemko
  3 siblings, 0 replies; 5+ messages in thread
From: Ming-Ching Tiew @ 2004-03-11  1:54 UTC (permalink / raw)
  To: lartc



> Hi,
> 
> I had the same problem some time ago, I couldn't have DNAT working on my
> second interface. Could you please post all your routing tables?
> And also, what are your connections? Both PPP? PPPoE? ...
> 

OK, I am using static IP for both links. Here is my routing table :-
( I use symbolic names here for easier reading .... )

# ip rule add from ${FIRST_LINK_IP}  table first
# ip rule add from ${SECOND_LINK_IP} table second

# ip route list table first
FIRST_LINK_NET dev eth1  scope link 
LAN_LINK_NET dev eth0  scope link 
SECOND_LINK_NET dev eth2  scope link 
127.0.0.0/8 dev lo  scope link 
default via FIRST_LINK_GATEWAY dev eth1 

# ip route list table second
FIRST_LINK_NET dev eth1  scope link 
LAN_LINK_NET dev eth0  scope link 
SECOND_LINK_NET dev eth2  scope link 
127.0.0.0/8 dev lo  scope link 
default via SECOND_LINK_GATEWAY dev eth2

# ip route list
FIRST_LINK_NET dev eth1  scope link  src FIRST_LINK_IP 
SECOND_LINK_NET dev eth2  scope link  src SECOND_LINK_IP 
LAN_LINK_NET dev eth0  proto kernel  scope link  src LAN_LINK_IP 
FIRST_LINK_NET/24 dev eth1  proto kernel  scope link  src FIRST_LINK_IP 
SECOND_LINK_NET/24 dev eth2  proto kernel  scope link  src SECOND_LINK_IP 
default 
 nexthop via FIRST_LINK_GATEWAY  dev eth1 weight 4
 nexthop via SECOND_LINK_GATEWAY  dev eth2 weight 1









* Re: [LARTC] multipath route inbound port forward
  2004-03-10 10:15 [LARTC] multipath route inbound port forward Ming-Ching Tiew
  2004-03-10 15:34 ` Raphael Benedet
  2004-03-11  1:54 ` Ming-Ching Tiew
@ 2004-03-12  1:34 ` Ming-Ching Tiew
  2004-03-12  1:52 ` Daniel Chemko
  3 siblings, 0 replies; 5+ messages in thread
From: Ming-Ching Tiew @ 2004-03-12  1:34 UTC (permalink / raw)
  To: lartc


> > Hi,
> >
> > I had the same problem some time ago, I couldn't have DNAT working on my
> > second interface. Could you please post all your routing tables?
> > And also, what are your connections? Both PPP? PPPoE? ...
> >
>
> OK, I am using Static IP for both links. Here is my routing table :-
> ( I use symbolic name here for easier reading .... )

[ snip ]

I am beginning to think multipath inbound port forwarding
is not as simple as constructing these iptables rules :-

> iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP} --dport 80 -j DNAT --to ${SERVER}:80
> iptables -A FORWARD -p tcp -d ${SERVER} --dport 801  -o ${INSIDE_DEVICE} -j ACCEPT
>
> iptables -A PREROUTING -t nat -p tcp -d ${OUTSIDE_IP2} --dport 80 -j DNAT --to ${SERVER}:80
> iptables -A FORWARD -p tcp -d ${SERVER} --dport 801  -o ${INSIDE_DEVICE} -j ACCEPT
>

Maybe I should ask: has anybody gotten this to work before ?

The reason I am suspecting this is not working is this :-

The inbound port forwarding rules are fine as far as receiving the
connection, but when it replies, it will still take whatever routing path
is defined by the system. If the system is doing load balancing, chances
are that it will be going via some other interface, thereby causing
connection problems. So my question is: is there a way to ask the
firewall to reply via the interface where it came in from ?











* RE: [LARTC] multipath route inbound port forward
  2004-03-10 10:15 [LARTC] multipath route inbound port forward Ming-Ching Tiew
                   ` (2 preceding siblings ...)
  2004-03-12  1:34 ` Ming-Ching Tiew
@ 2004-03-12  1:52 ` Daniel Chemko
  3 siblings, 0 replies; 5+ messages in thread
From: Daniel Chemko @ 2004-03-12  1:52 UTC (permalink / raw)
  To: lartc


> The inbound port forwarding rules are fine as far as receiving the 
> connection, but when it replies, it will still take whatever routing 
> path is defined by the system. If the system is doing load balancing, 
> chances are that it will be going via some other interface, thereby 
> causing connection problems. So my question is: is there a way to ask
> the firewall to reply via the interface where it came in
> from ?

YES! I figured this out a couple of weeks ago. You need the netfilter
patch-o-matic extensions and a recent iptables added to your kernel
though.

# This says if the connection registered in IP_CONNTRACK has a mark on
# it, pass that mark to the regular linux MARK
${IPTABLES} -t mangle -A PREROUTING -j CONNMARK --restore-mark

# This is what I use to set the inbound marks.
# Default policies for incoming traffic
${IPTABLES} -t mangle -A PREROUTING -m state --state NEW -i ${IF_INET3} -j MARK --set-mark ${RTABLE_INET3}
${IPTABLES} -t mangle -A PREROUTING -m state --state NEW -i ${IF_INET4} -j MARK --set-mark ${RTABLE_INET4}

# This places the linux MARK fields that I've just set into that
# connection's IP_CONNTRACK so that the next time I see a packet from this
# session, it will also be MARKed to whatever value the SYN was (because
# of --restore-mark).
${IPTABLES} -t mangle -A PREROUTING -j CONNMARK --save-mark


This is just for inbound connections. The same can be performed for
outgoing connections. This makes it quite easy to implement layer 4
policy routing (done), and WAN failover (soon). Plus, this even handles
sessions where ESTABLISHED connections are made. Both original and
established connections get MARKed back to the same interface. This
may not work with TC since I have never tried it. Good luck!
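The CONNMARK scheme described above, written out together with the fwmark policy-routing rules it depends on, as an added example that is not from this thread or from any poster. Interface names (IF_INET3/IF_INET4), gateway addresses and the table numbers 3 and 4 are constructed placeholders, and with DRY_RUN left at its default of 1 the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread): emit the mangle and policy-routing
# rules that make a connection's replies leave via the link it arrived on.
# IF_INET3/IF_INET4, the gateways and the table ids are constructed
# placeholders; DRY_RUN=1 (the default) prints commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One routing table per link; its number doubles as the connection mark.
# Args: interface, gateway, table/mark id.
link_rules() {
    run ip route add default via "$2" dev "$1" table "$3"
    # Packets carrying this fwmark are routed with this link's table.
    run ip rule add fwmark "$3" table "$3"
    # Mark only the first packet of a connection, by the interface it entered.
    run iptables -t mangle -A PREROUTING -m state --state NEW -i "$1" \
        -j MARK --set-mark "$3"
}

gen_rules() {
    # Restore any mark stored on the connection before the routing decision,
    # so reply packets coming back from the LAN server carry the inbound
    # link's mark and are routed out of that link instead of the multipath
    # default.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    link_rules "${IF_INET3:-eth1}" "${GW_INET3:-198.51.100.1}" 3
    link_rules "${IF_INET4:-eth2}" "${GW_INET4:-203.0.113.1}" 4
    # Save the packet mark into the connection so every later packet of the
    # session inherits it through --restore-mark.
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
}

gen_rules
```

Run with DRY_RUN=0 as root to apply the rules; the restore rule must stay first and the save rule last in the mangle PREROUTING chain for the marks to propagate.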

