* Re: [LARTC] NAT over 2 providers (not load balance)
2005-02-14 20:27 [LARTC] NAT over 2 providers (not load balance) Mihai Vlad
@ 2005-02-14 20:35 ` Ben
2005-02-14 20:47 ` /dev/rob0
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Ben @ 2005-02-14 20:35 UTC (permalink / raw)
To: lartc
I did this once upon a time, and have of course since lost the specific
commands. But, as I recall, you mark the the packets you want to send out
eth2, and then add a second route table with a second default GW for
packets with the appropriate mark.
Perhaps there is a more elegant solution out there.
On Mon, 14 Feb 2005, Mihai Vlad wrote:
> Hi guys,
>
> Can you take a look at this? :)
>
>
> +-----------+
> | |
> eth1-|- |
> | -|-eth0---LAN---
> | |
> eth2-|- |
> | |
> +-----------+
> -
>
> eth0 is connected to the LAN having the IP=LAN_IP
>
> eth1 is connected to the first ISP having IP=ISP_IP_1 and GW=ISP_GW_1
> eth2 is connected to the second ISP having IP=ISP_IP_2 and GW=ISP_GW_2
>
> I need to selectively SNAT clients in the LAN to ISP_IP_1 or ISP_IP_2.
>
> That would be something like:
> $IPTABLES -t nat -A POSTROUTING -s 172.17.31.5 -j SNAT --to-source $ISP_IP_1
> $IPTABLES -t nat -A POSTROUTING -s 172.17.31.7 -j SNAT --to-source $ISP_IP_2
>
>
> This does not work since all the packets are forwarded to the default GW
> which is ISP_GW_1.
>
> How can I change this?
>
> As far as I remember, the routing decisions and policy are before the
> POSTROUTING chain in which the SNAT occurs...
>
> Please help!
>
> Mihai Vlad
>
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [LARTC] NAT over 2 providers (not load balance)
2005-02-14 20:27 [LARTC] NAT over 2 providers (not load balance) Mihai Vlad
2005-02-14 20:35 ` Ben
@ 2005-02-14 20:47 ` /dev/rob0
2005-02-14 20:47 ` Tóth Nándor
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: /dev/rob0 @ 2005-02-14 20:47 UTC (permalink / raw)
To: lartc
On Monday 14 February 2005 14:27, Mihai Vlad wrote:
> Hi guys,
>
> Can you take a look at this? :)
>
> I need to selectively SNAT clients in the LAN to ISP_IP_1 or
> ISP_IP_2.
>
> That would be something like:
> $IPTABLES -t nat -A POSTROUTING -s 172.17.31.5 -j SNAT --to-source
> $ISP_IP_1
> $IPTABLES -t nat -A POSTROUTING -s 172.17.31.7 -j SNAT --to-source
> $ISP_IP_2
>
> This does not work since all the packets are forwarded to the default
> GW which is ISP_GW_1.
I think you still need the patches and routing commands as described in
the nano.txt file. You'd just plug in your customised SNAT rules in
place of the load-balancing ones.
I have a nano.txt'ed site with some special SNAT like this. I think
some of my $ISP2_IP_2 (2nd and subsequent IP's on ISP2) packets are
going out over ISP1's physical interface. I have not bothered to check
because it's working fine. :)
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [LARTC] NAT over 2 providers (not load balance)
2005-02-14 20:27 [LARTC] NAT over 2 providers (not load balance) Mihai Vlad
2005-02-14 20:35 ` Ben
2005-02-14 20:47 ` /dev/rob0
@ 2005-02-14 20:47 ` Tóth Nándor
2005-02-14 21:58 ` Peter Surda
2005-02-14 22:19 ` Nguyen Dinh Nam
4 siblings, 0 replies; 6+ messages in thread
From: Tóth Nándor @ 2005-02-14 20:47 UTC (permalink / raw)
To: lartc
Hi!
Mihai Vlad wrote:
> Hi guys,
>
> Can you take a look at this? :)
>
>
> +-----------+
> | |
> eth1-|- |
> | -|-eth0---LAN---
> | |
> eth2-|- |
> | |
> +-----------+
> -
>
> eth0 is connected to the LAN having the IP=LAN_IP
>
> eth1 is connected to the first ISP having IP=ISP_IP_1 and GW=ISP_GW_1
> eth2 is connected to the second ISP having IP=ISP_IP_2 and GW=ISP_GW_2
>
> I need to selectively SNAT clients in the LAN to ISP_IP_1 or ISP_IP_2.
>
> That would be something like:
> $IPTABLES -t nat -A POSTROUTING -s 172.17.31.5 -j SNAT --to-source $ISP_IP_1
> $IPTABLES -t nat -A POSTROUTING -s 172.17.31.7 -j SNAT --to-source $ISP_IP_2
>
>
> This does not work since all the packets are forwarded to the default GW
> which is ISP_GW_1.
>
> How can I change this?
>
> As far as I remember, the routing decisions and policy are before the
> POSTROUTING chain in which the SNAT occurs...
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -j SNAT
--to-source $EXTERNAL_IP_ADDR
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE2 -j SNAT
--to-source $EXTERNAL_IP_ADDR2
And add some rules based on client's source ip address. (policy routing)
http://www.linux.com/howtos/Adv-Routing-HOWTO/lartc.rpdb.simple.shtml
--
Udv,
Nandor
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [LARTC] NAT over 2 providers (not load balance)
2005-02-14 20:27 [LARTC] NAT over 2 providers (not load balance) Mihai Vlad
` (2 preceding siblings ...)
2005-02-14 20:47 ` Tóth Nándor
@ 2005-02-14 21:58 ` Peter Surda
2005-02-14 22:19 ` Nguyen Dinh Nam
4 siblings, 0 replies; 6+ messages in thread
From: Peter Surda @ 2005-02-14 21:58 UTC (permalink / raw)
To: lartc
On Mon, Feb 14, 2005 at 02:47:18PM -0600, /dev/rob0 wrote:
> > This does not work since all the packets are forwarded to the default
> > GW which is ISP_GW_1.
> I think you still need the patches and routing commands as described in
> the nano.txt file. You'd just plug in your customised SNAT rules in
> place of the load-balancing ones.
Actually, you only need them if you want to loadbalance. If you don't, you
just play a little with policy based routing (which works with "normal"
kernels too), like
ip route add via $ISP_GW_1 src $ISP_IP_1 dev eth1 table 101
# technically, if you keep iptables the way you have, you can leav out "src
# $ISP_1"
ip route add via $ISP_GW_2 src $ISP_IP_2 dev eth2 table 102
ip rule add from 172.17.31.5 table 101
ip rule add from 172.17.31.7 table 102
(in reality you may need a couple more rules to avoid problems with
communicating with other subnets if you have them, see LARTC HOWTO
"loadbalacing multiple providers").
In order to avoid having duplicate ip lists, I suggest you use -j MASQUERADE
(without -s) in iptables. In order to optimise for speed you could use
sub-subnets or hashes (if you have like dozens of computers, it shouldn't
matter, but with hundreds or thousands it might be necessary).
Bye,
Peter Surda (Shurdeek) <shurdeek@routehat.org>, ICQ 10236103, +436505122023
--
NT, now approaching 23x6 availability.
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [LARTC] NAT over 2 providers (not load balance)
2005-02-14 20:27 [LARTC] NAT over 2 providers (not load balance) Mihai Vlad
` (3 preceding siblings ...)
2005-02-14 21:58 ` Peter Surda
@ 2005-02-14 22:19 ` Nguyen Dinh Nam
4 siblings, 0 replies; 6+ messages in thread
From: Nguyen Dinh Nam @ 2005-02-14 22:19 UTC (permalink / raw)
To: lartc
> This does not work since all the packets are forwarded to the default GW
> which is ISP_GW_1.
in routing tables, you must have two rules to route packets with
different sources to different gateways first:
ip rule add from 172.17.31.5 lookup 1
ip route add table 1 default via $GW=ISP_GW_1
ip rule add from 172.17.31.7 lookup 2
ip route add table 2 default via $GW=ISP_GW_2
then
$IPTABLES -t nat -A POSTROUTING -s 172.17.31.5 -j SNAT --to-source $ISP_IP_1
$IPTABLES -t nat -A POSTROUTING -s 172.17.31.7 -j SNAT --to-source $ISP_IP_2
> As far as I remember, the routing decisions and policy are before the
> POSTROUTING chain in which the SNAT occurs...
Kernel Packet Traveling Diagram http://www.docum.org/docum.org/kptd/
might be helpful for you
in case you want load balacing your internet connections, you can
consult
http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
^ permalink raw reply [flat|nested] 6+ messages in thread