Dual ISPs - controlled path for certain ports - ip route 2 balancing for others

Dual ISPs - controlled path for certain ports - ip route 2 balancing for others

[Alistair Tonner]

	
	
	Okay folks, I've been poking at iptables for a while and I suspect that I've 
got the basics down.  However I've stumped myself and see that I'll have to 
fiddle this on the fly.

	(yes the isp's are in the same class A address range. *sigh*)

	ISP1 (AA.bb.0.0)      ISP2 (AA.abc.0.0)
                     |                                  |
          DSL link                       cable link
                    |                                    |
                    Linux firewall/gateway
     (gulp) -- and a few other services (YES  I KNOW ITS BAD!!!)
                                     |
                                     | 
                        Internal LAN (10.0.0.0)	


	I've managed to get both links working as individual default gateways
	however ISP2 suppresses ports to minimize the traffic (i.e. 80/25/110/etc)
	When I try to setup dual routing at all using LARTC, I have problems, and I
	realize that this is not the place to ask those questions.  I'm wondering if 
	there are rules I can use (consider that the webserver/mailserver and FTP 
	server are sadly on the firewall at the moment) to force the servers to reply
	via the DSL or internal lan only, even if the default route points at the
	cable link? (this would be a quick and dirty solution for me) -- the cable
	link will have to shortly support a VPN tunnel back to work.

	(Fyi -- This is all part of a promotion I just got at work ... *grin* since 
I'm now a unix admin I'm gonna look pretty silly if I barf on this)


	Alistair 

	(p.s. -- Antony ?? ?? anyone seen Antony lately??? hope he's doing well)

Re: Dual ISPs - controlled path for certain ports - ip route 2 balancing for others

[Primero]

[-- Attachment #1: Type: text/plain, Size: 1250 bytes --]

Alistair Tonner wrote:

>	
>	 I'm wondering if 
>	there are rules I can use (consider that the webserver/mailserver and FTP 
>	server are sadly on the firewall at the moment) to force the servers to reply
>	via the DSL or internal lan only, even if the default route points at the
>	cable link? (this would be a quick and dirty solution for me) -- the cablelink will have to shortly support a VPN tunnel back to work.
>  
>
i was using Iproute2 like u until a day i decided to "man iptables" ....

i've found in EXTENSIONS TARGET section:

....
ROUTE

       This is used to explicitly override the core network stack's 
routing decision.  mangle table.

       --oif ifname
              Route the packet through `ifname' network interface

       --iif ifname
              Change the packet's incoming interface to `ifname'

       --gw IP_address
              Route the packet via this gateway

       --continue
              Behave like a non-terminating target and continue 
traversing the rules.  Not valid in combination with `--iif'
....

this way u can use a normal matching syntax of iptables and change the 
routing decision about the "interesting traffic".
I hope it works since i had no time yet to try it out ... let us know :)

bye

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 256 bytes --]

Re: Dual ISPs - controlled path for certain ports - ip route 2 balancing for others

[Alistair Tonner]

On September 23, 2004 05:33 am, Primero wrote:
> Alistair Tonner wrote:
> >	 I'm wondering if
> >	there are rules I can use (consider that the webserver/mailserver and FTP
> >	server are sadly on the firewall at the moment) to force the servers to
> > reply via the DSL or internal lan only, even if the default route points
> > at the cable link? (this would be a quick and dirty solution for me) --
> > the cablelink will have to shortly support a VPN tunnel back to work.
>
> i was using Iproute2 like u until a day i decided to "man iptables" ....
>
> i've found in EXTENSIONS TARGET section:
>
> ....
> ROUTE
>
>        --continue
>               Behave like a non-terminating target and continue
> traversing the rules.  Not valid in combination with `--iif'
> ....
>
> this way u can use a normal matching syntax of iptables and change the
> routing decision about the "interesting traffic".
> I hope it works since i had no time yet to try it out ... let us know :)
>
	
	*thwacks* self in head -- yes .. I've noted this in the past myself.. .but it 
had just wandered off into space ... thanks ... I've just recompiled the 
kernel ... the reason it wandered was that ROUTE is NOT in most default 
kernel configs, its in patch-o-matic.  I'm running gentoo which does NOT have 
any consistent method of pulling in patch-o-matic.  POM on gentoo takes some 
more work than normal, but I've got patched in and up and runnng.  

	Further question to the list.  Consider that I'm using iproute2 to share the 
connection to two different ISP's, and I want specific traffic from my 
internal network to only go out one interface.  Where in mangle would I put 
these rules?

	For the moment I'm trying this by putting them in PREROUTING since I'd want 
the oif to OVERRIDE routing decisions -- I have my SNAT rules in place based 
on output interface, but perhaps my logic is wrong ...   Has anyone done this 
yet or am I headed for experimental territory??

	*grins*


	Alistair Tonner	
	Rogers Shared Operations, 
	Senior Operational Analyst, 
	(soon to be junior HP/UX os support)