* [LARTC] source policy routing going to wrong path
@ 2004-11-15  1:23 ro0ot
From: ro0ot @ 2004-11-15  1:23 UTC
  To: lartc

Hi,

Below is my Linux firewall network configuration:

eth0 - isp 1, IP: 1.1.1.10, Netmask: 255.255.255.252
eth1 - isp 2, IP: 2.2.2.10, Netmask: 255.255.255.252
eth2 - lan, IP: 172.16.0.254, Netmask: 255.255.255.0
eth3 - dmz, IP: 192.168.0.254, Netmask: 255.255.255.0

isp 1 gateway: 1.1.1.9
isp 2 gateway: 2.2.2.9


Below are my iptables rules:

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -d 1.1.1.10 -j DNAT --to-destination 172.16.0.1
iptables -t nat -A PREROUTING -d 2.2.2.10 -j DNAT --to-destination 192.168.0.1

iptables -t nat -A POSTROUTING -s 172.16.0.1 -j SNAT --to-source 1.1.1.10
iptables -t nat -A POSTROUTING -s 192.168.0.1 -j SNAT --to-source 2.2.2.10


Below is my split-access routing for multiple providers:

# First ISP
ip route add 1.1.1.8/30 dev eth0 src 1.1.1.10 table 1
ip route add default via 1.1.1.9 table 1

# Second ISP
ip route add 2.2.2.8/30 dev eth1 src 2.2.2.10 table 2
ip route add default via 2.2.2.9 table 2

# Select the routing table by source address
ip rule add from 1.1.1.8/30 lookup 1
ip rule add from 2.2.2.8/30 lookup 2

# My default choice of gateway (main table)
ip route add default via 1.1.1.9

# Directly connected networks must also be reachable from table 1
ip route add 2.2.2.8/30 dev eth1 table 1
ip route add 172.16.0.0/24 dev eth2 table 1
ip route add 192.168.0.0/24 dev eth3 table 1
ip route add 127.0.0.0/8 dev lo table 1

# ... and from table 2
ip route add 1.1.1.8/30 dev eth0 table 2
ip route add 172.16.0.0/24 dev eth2 table 2
ip route add 192.168.0.0/24 dev eth3 table 2
ip route add 127.0.0.0/8 dev lo table 2

When I perform a traceroute from a workstation with the IP address 
192.168.0.1 and gateway 192.168.0.254, I can see the traceroute going 
through the 1.1.1.9 gateway. Why? It is supposed to be SNATed to 
2.2.2.10 via the 2.2.2.9 gateway.

Regards,
ro0ot




_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] source policy routing going to wrong path
From: Paul Zirnik @ 2004-11-15  9:41 UTC
  To: lartc

On Mon, 15 Nov 2004, ro0ot wrote:

> Hi,
> 
> Below is my Linux firewall network configuration: -
> 
> eth0 - isp 1, IP: 1.1.1.10, Netmask: 255.255.255.252
> eth1 - isp 2, IP: 2.2.2.10, Netmask: 255.255.255.252
> eth2 - lan, IP: 172.16.0.254, Netmask: 255.255.255.0
> eth3 - dmz, 192.168.0.254, Netmask: 255.255.255.0
> 
> isp 1 gateway: 1.1.1.9
> isp 2 gateway: 2.2.2.9
> 
> 
> Below is my iptables rules: -
> 
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> iptables -t nat -A PREROUTING -d 1.1.1.10 -j DNAT --to-destination 172.16.0.1
> iptables -t nat -A PREROUTING -d 2.2.2.10 -j DNAT --to-destination 192.168.0.1
> 
> iptables -t nat -A POSTROUTING -s 172.16.0.1 -j SNAT --to-source 1.1.1.10
> iptables -t nat -A POSTROUTING -s 192.168.0.1 -j SNAT --to-source 2.2.2.10

POSTROUTING (as the name says) happens after all routing decisions
are made, just before the packet reaches the line.
So you need some more ip rules to push the packets the right way.
 
> When I perform a traceroute from a workstation with the IP address of
> 192.168.0.1 and gateway 192.168.0.254, I can see the result of the traceroute
> going through the 1.1.1.9 gateway, why?  It suppose to SNAT to 2.2.2.10 via
> 2.2.2.9 gateway.

greets,
    Tami

* Re: [LARTC] source policy routing going to wrong path
From: ro0ot @ 2004-11-15 17:26 UTC
  To: lartc

Hi Tami,

I added the following and it helps...

ip rule add nat 1.1.1.10 from 172.16.0.1 table 1
ip rule add nat 2.2.2.10 from 192.168.0.1 table 2

Are the above two lines correct?

Regards,
ro0ot


* Re: [LARTC] source policy routing going to wrong path
From: Chris Bennett @ 2004-11-15 17:30 UTC
  To: lartc

Hi ro0ot,

You may be running into the same problem that I was dealing with this 
weekend.

I tried to follow the LARTC FAQ on multiple internet connections (in my case 
two ADSL connections) and I found that the information got me most of the 
way but not the whole way.

Specifically, the thing that I discovered was that in a situation like ours, 
the routing rules need to apply to the *internal* IP addresses, not the 
public ones.  I know this seems bizarre since the actual routing tables 
reference the public IPs, but apparently the routing rule is triggered 
*before* the preroute.

So given what worked for me, I'd suggest changing from this:

ip rule add from 1.1.1.8/30 lookup 1
ip rule add from 2.2.2.8/30 lookup 2

to this:

ip rule add from 172.16.0.0/24 lookup 1
ip rule add from 192.168.0.0/24 lookup 2

Maybe the LARTC FAQ on this subject needs to be updated a little bit.

Chris
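The packet path that Paul's reply (POSTROUTING happens after the routing decision) and Chris's fix (select the table by the internal, pre-SNAT source address) both rest on, as an added model that is not code from the thread or from the LARTC HOWTO. It pushes one packet through PREROUTING DNAT, then the ip rule / ip route lookup, then POSTROUTING SNAT, using the addresses, tables and NAT rules from ro0ot's post. Assumptions: the external host 203.0.113.5 is constructed, and each default route is taken to leave via the interface its gateway sits on.

```python
"""Constructed model of the Linux forwarding path for the split-access setup in
this thread: PREROUTING (DNAT) -> routing decision -> POSTROUTING (SNAT).
Not code from the thread; addresses are ro0ot's, 203.0.113.5 is a made-up
external host."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    dev: str
    via: Optional[str] = None  # None means directly connected


@dataclass(frozen=True)
class Rule:
    src: Net      # the 'from' selector of 'ip rule add from ... lookup ...'
    table: str


def route_table(*specs):
    """Build a table from (prefix, dev, via) tuples, mirroring 'ip route add'."""
    return [Route(Net(p), d, v) for p, d, v in specs]


# The connected networks appear in every table, as in the original post.
CONNECTED = (("1.1.1.8/30", "eth0", None), ("2.2.2.8/30", "eth1", None),
             ("172.16.0.0/24", "eth2", None), ("192.168.0.0/24", "eth3", None),
             ("127.0.0.0/8", "lo", None))

TABLES = {
    "1": route_table(*CONNECTED, ("0.0.0.0/0", "eth0", "1.1.1.9")),
    "2": route_table(*CONNECTED, ("0.0.0.0/0", "eth1", "2.2.2.9")),
    "main": route_table(*CONNECTED, ("0.0.0.0/0", "eth0", "1.1.1.9")),
}

# ro0ot's original rules key on the public /30s ...
RULES_PUBLIC = [Rule(Net("1.1.1.8/30"), "1"), Rule(Net("2.2.2.8/30"), "2"),
                Rule(Net("0.0.0.0/0"), "main")]
# ... Chris Bennett's fix keys on the internal networks instead.
RULES_INTERNAL = [Rule(Net("172.16.0.0/24"), "1"), Rule(Net("192.168.0.0/24"), "2"),
                  Rule(Net("0.0.0.0/0"), "main")]

# nat PREROUTING (DNAT) and POSTROUTING (SNAT), keyed on addresses only, as posted.
DNAT = {IPv4("1.1.1.10"): IPv4("172.16.0.1"), IPv4("2.2.2.10"): IPv4("192.168.0.1")}
SNAT = {IPv4("172.16.0.1"): IPv4("1.1.1.10"), IPv4("192.168.0.1"): IPv4("2.2.2.10")}


def lookup(table, dst: IPv4) -> Optional[Route]:
    """Longest-prefix match within one routing table."""
    hits = [r for r in table if dst in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def routing_decision(rules, src: IPv4, dst: IPv4):
    """First rule whose selector matches and whose table holds a route wins;
    a table without a matching route falls through to the next rule."""
    for rule in rules:
        if src in rule.src:
            route = lookup(TABLES[rule.table], dst)
            if route is not None:
                return rule.table, route
    raise LookupError(f"no route to {dst} from {src}")


def forward(rules, src: str, dst: str) -> dict:
    """Push one packet through PREROUTING -> routing -> POSTROUTING and report
    the table that chose the path, the gateway/device, and the final addresses."""
    s, d = IPv4(src), IPv4(dst)
    d = DNAT.get(d, d)                               # PREROUTING: DNAT rewrites dst first
    table, route = routing_decision(rules, s, d)     # rules see the *pre-SNAT* source
    s_out = SNAT.get(s, s)                           # POSTROUTING: SNAT only after routing
    # A 2.2.2.x source leaving via ISP 1 (or 1.1.1.x via ISP 2) is the
    # symptom ro0ot observed; flag it.
    asymmetric = (s_out in Net("2.2.2.8/30") and route.dev == "eth0"
                  or s_out in Net("1.1.1.8/30") and route.dev == "eth1")
    return {"table": table, "dev": route.dev, "via": route.via,
            "src": str(s_out), "dst": str(d), "asymmetric": asymmetric}


if __name__ == "__main__":
    for name, rules in (("public /30 rules", RULES_PUBLIC), ("internal rules", RULES_INTERNAL)):
        print(name, forward(rules, "192.168.0.1", "203.0.113.5"))
```

With the public /30 rules a packet from 192.168.0.1 matches no rule (its source is still 192.168.0.1 when the rules are evaluated), falls through to the main table, leaves via 1.1.1.9 and is only then SNATed to 2.2.2.10, which is the traceroute ro0ot saw. With the internal rules the same packet takes table 2 and 2.2.2.9. On a real box the equivalent check is `ip route get 203.0.113.5 from 192.168.0.1 iif eth3`, which should report `via 2.2.2.9 dev eth1` after Chris's change. The model also shows why table 1 and table 2 must carry the LAN and DMZ routes (ro0ot's post does this): with the internal rules, LAN-to-DMZ traffic is routed from table 1, and a table holding only a default route would send it to the ISP. One more caveat from the posted rules: the SNAT rules have no `-o` match, so POSTROUTING rewrites the source of LAN-to-DMZ traffic as well (172.16.0.1 becomes 1.1.1.10 on eth3); pin them with `-o eth0` and `-o eth1` respectively.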


