[LARTC] NAT over 2 providers (not load balance)

[LARTC] NAT over 2 providers (not load balance)

[Mihai Vlad]

Hi guys,

Can you take a look at this? :)


		+-----------+
		|           |
	 eth1-|-          |
		|          -|-eth0---LAN---
		|           |
	 eth2-|-          |
		|           |
		+-----------+
-

eth0 is connected to the LAN having the IP=LAN_IP

eth1 is connected to the first  ISP having IP=ISP_IP_1 and GW=ISP_GW_1
eth2 is connected to the second ISP having IP=ISP_IP_2 and GW=ISP_GW_2

I need to selectively SNAT clients in the LAN to ISP_IP_1 or ISP_IP_2.

That would be something like:
$IPTABLES -t nat -A POSTROUTING -s 172.17.31.5 -j SNAT --to-source $ISP_IP_1
$IPTABLES -t nat -A POSTROUTING -s 172.17.31.7 -j SNAT --to-source $ISP_IP_2


This does not work since all the packets are forwarded to the default GW
which is ISP_GW_1.

How can I change this?

As far as I remember, the routing decisions and policy are before the
POSTROUTING chain in which the SNAT occurs...

Please help!

Mihai Vlad  


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] NAT over 2 providers (not load balance)

[Ben]

I did this once upon a time, and have of course since lost the specific 
commands. But, as I recall, you mark the the packets you want to send out 
eth2, and then add a second route table with a second default GW for 
packets with the appropriate mark.

Perhaps there is a more elegant solution out there.

On Mon, 14 Feb 2005, Mihai Vlad wrote:

> Hi guys,
> 
> Can you take a look at this? :)
> 
> 
> 		+-----------+
> 		|           |
> 	 eth1-|-          |
> 		|          -|-eth0---LAN---
> 		|           |
> 	 eth2-|-          |
> 		|           |
> 		+-----------+
> -
> 
> eth0 is connected to the LAN having the IP=LAN_IP
> 
> eth1 is connected to the first  ISP having IP=ISP_IP_1 and GW=ISP_GW_1
> eth2 is connected to the second ISP having IP=ISP_IP_2 and GW=ISP_GW_2
> 
> I need to selectively SNAT clients in the LAN to ISP_IP_1 or ISP_IP_2.
> 
> That would be something like:
> $IPTABLES -t nat -A POSTROUTING -s 172.17.31.5 -j SNAT --to-source $ISP_IP_1
> $IPTABLES -t nat -A POSTROUTING -s 172.17.31.7 -j SNAT --to-source $ISP_IP_2
> 
> 
> This does not work since all the packets are forwarded to the default GW
> which is ISP_GW_1.
> 
> How can I change this?
> 
> As far as I remember, the routing decisions and policy are before the
> POSTROUTING chain in which the SNAT occurs...
> 
> Please help!
> 
> Mihai Vlad  
> 
> 
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
> 


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] NAT over 2 providers (not load balance)

[/dev/rob0]

On Monday 14 February 2005 14:27, Mihai Vlad wrote:
> Hi guys,
>
> Can you take a look at this? :)
>
> I need to selectively SNAT clients in the LAN to ISP_IP_1 or
> ISP_IP_2.
>
> That would be something like:
> $IPTABLES -t nat -A POSTROUTING -s 172.17.31.5 -j SNAT --to-source
> $ISP_IP_1
> $IPTABLES -t nat -A POSTROUTING -s 172.17.31.7 -j SNAT --to-source
> $ISP_IP_2 
>
> This does not work since all the packets are forwarded to the default
> GW which is ISP_GW_1.

I think you still need the patches and routing commands as described in 
the nano.txt file. You'd just plug in your customised SNAT rules in 
place of the load-balancing ones.

I have a nano.txt'ed site with some special SNAT like this. I think  
some of my $ISP2_IP_2 (2nd and subsequent IP's on ISP2) packets are 
going out over ISP1's physical interface. I have not bothered to check 
because it's working fine. :)
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] NAT over 2 providers (not load balance)

[Tóth Nándor]

Hi!

Mihai Vlad wrote:
> Hi guys,
> 
> Can you take a look at this? :)
> 
> 
> 		+-----------+
> 		|           |
> 	 eth1-|-          |
> 		|          -|-eth0---LAN---
> 		|           |
> 	 eth2-|-          |
> 		|           |
> 		+-----------+
> -
> 
> eth0 is connected to the LAN having the IP=LAN_IP
> 
> eth1 is connected to the first  ISP having IP=ISP_IP_1 and GW=ISP_GW_1
> eth2 is connected to the second ISP having IP=ISP_IP_2 and GW=ISP_GW_2
> 
> I need to selectively SNAT clients in the LAN to ISP_IP_1 or ISP_IP_2.
> 
> That would be something like:
> $IPTABLES -t nat -A POSTROUTING -s 172.17.31.5 -j SNAT --to-source $ISP_IP_1
> $IPTABLES -t nat -A POSTROUTING -s 172.17.31.7 -j SNAT --to-source $ISP_IP_2
> 
> 
> This does not work since all the packets are forwarded to the default GW
> which is ISP_GW_1.
> 
> How can I change this?
> 
> As far as I remember, the routing decisions and policy are before the
> POSTROUTING chain in which the SNAT occurs...

$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE  -j SNAT 
--to-source $EXTERNAL_IP_ADDR
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE2  -j SNAT 
--to-source $EXTERNAL_IP_ADDR2

And add some rules based on client's source ip address. (policy routing)
http://www.linux.com/howtos/Adv-Routing-HOWTO/lartc.rpdb.simple.shtml


-- 
Udv,
   Nandor
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] NAT over 2 providers (not load balance)

[Peter Surda]

On Mon, Feb 14, 2005 at 02:47:18PM -0600, /dev/rob0 wrote:
> > This does not work since all the packets are forwarded to the default
> > GW which is ISP_GW_1.
> I think you still need the patches and routing commands as described in 
> the nano.txt file. You'd just plug in your customised SNAT rules in 
> place of the load-balancing ones.
Actually, you only need them if you want to loadbalance. If you don't, you
just play a little with policy based routing (which works with "normal"
kernels too), like

ip route add via $ISP_GW_1 src $ISP_IP_1 dev eth1 table 101
# technically, if you keep iptables the way you have, you can leav out "src
# $ISP_1"
ip route add via $ISP_GW_2 src $ISP_IP_2 dev eth2 table 102
ip rule add from 172.17.31.5 table 101
ip rule add from 172.17.31.7 table 102

(in reality you may need a couple more rules to avoid problems with
communicating with other subnets if you have them, see LARTC HOWTO
"loadbalacing multiple providers").

In order to avoid having duplicate ip lists, I suggest you use -j MASQUERADE
(without -s) in iptables. In order to optimise for speed you could use
sub-subnets or hashes (if you have like dozens of computers, it shouldn't
matter, but with hundreds or thousands it might be necessary).

Bye,

Peter Surda (Shurdeek) <shurdeek@routehat.org>, ICQ 10236103, +436505122023

-- 
                NT, now approaching 23x6 availability.
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] NAT over 2 providers (not load balance)

[Nguyen Dinh Nam]

> This does not work since all the packets are forwarded to the default GW
> which is ISP_GW_1.

in routing tables, you must have two rules to route packets with 
different sources to different gateways first:
ip rule add from 172.17.31.5 lookup 1
ip route add table 1 default via $GW=ISP_GW_1
ip rule add from 172.17.31.7 lookup 2
ip route add table 2 default via $GW=ISP_GW_2
then
$IPTABLES -t nat -A POSTROUTING -s 172.17.31.5 -j SNAT --to-source $ISP_IP_1
$IPTABLES -t nat -A POSTROUTING -s 172.17.31.7 -j SNAT --to-source $ISP_IP_2

> As far as I remember, the routing decisions and policy are before the
> POSTROUTING chain in which the SNAT occurs...

Kernel Packet Traveling Diagram http://www.docum.org/docum.org/kptd/ 
might be helpful for you

in case you want load balacing your internet connections, you can 
consult 
http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/