From: Colin Tree <coltree@tpg.com.au>
To: netfilter@lists.netfilter.org
Subject: dual/triple adsl router natting problem
Date: Thu, 23 Jun 2005 22:44:31 +1000
Message-ID: <42BAAEAF.7060908@tpg.com.au>

Hi,
I'm new to the list and a babe with iptables.
I've tried various routing and filtering combinations
as described on different sites around the net and
for the moment am trying multihomed host as described on
routeskeeper.sourceforge

Sorry, it's a bit long.

My setup -
Debian Sarge (stable) no udev, etc, clean and simple
kernel 2.6.11 (from unstable)
iptables 1.2.11 (stable) should I go to 1.3.1 ?? (from unstable)
fiaif firewall disabled till we get the routing correct
at present testing with one internal pc

2x100M network cards eth0-2 each connected to an adsl bridged modem
each adsl line is layer 3 bridged with separate IP, GW, NET, BCAST /30
subnets.
1x1000M network card to internal switch and numerous pcs


ip rule add prio 1 from $IPE1 lookup 1
ip rule add prio 1 from $IPE2 lookup 2

### I couldn't get anything until I included the gateway
today I tried again with no gateway, now I can't get in from home.
ip route add table 1 to default dev $IFE1 via $GWE1
ip route add table 2 to default dev $IFE2 via $GWE2

ip route add to default \
    nexthop dev $IFE1 via $GWE1 weight 1 \
    nexthop dev $IFE2 via $GWE2 weight 1

iptables -A POSTROUTING -t mangle -j MARK --set-mark 1 \
    -m state --state NEW -o  $IFE1
iptables -A POSTROUTING -t mangle -j MARK --set-mark 2 \
    -m state --state NEW -o  $IFE2

iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark \
    -m state --state NEW

iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark

ip rule add fwmark 1 lookup 1
ip rule add fwmark 2 lookup 2

iptables -A POSTROUTING -t nat -m mark --mark 1 \
    -j SNAT --to-source $IPE1
iptables -A POSTROUTING -t nat -m mark --mark 2 \
    -j SNAT --to-source $IPE2

###I can access the net and internal network from the gateway

I can ssh and vnc into the gateway from home


the dual path is nicely load sharing ??
root@mantrix:~# ping -I 58.6.33.214 google.com
PING google.com (216.239.39.99) from 58.6.33.214 : 56(84) bytes of data.
64 bytes from 216.239.39.99: icmp_seq=1 ttl=239 time=256 ms

root@mantrix:~# ping -I 58.6.33.210 google.com
PING google.com (216.239.37.99) from 58.6.33.210 : 56(84) bytes of data.
64 bytes from 216.239.37.99: icmp_seq=1 ttl=238 time=265 ms

root@mantrix:~# ping google.com
PING google.com (216.239.57.99) 56(84) bytes of data.
64 bytes from 216.239.57.99: icmp_seq=1 ttl=240 time=180 ms


Can access the gateway from the internal network.

We can't SNAT from the network out to the real world


Cheers,
Colin
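
Added example, not part of Colin's message: a small Python model of the `ip rule` / `ip route` lookup order that the commands above set up, showing which table each kind of packet resolves in. Which address is $IPE1, the LAN subnet 192.168.1.0/24, the gateway's LAN address, the device labels and the TABLES_WITH_LAN variant are assumptions made for the model.

```python
import ipaddress

# Assumed values: the post gives only the two WAN addresses. Which one is
# $IPE1, the LAN subnet, the gateway's LAN address and the device labels
# are constructed for this model.
IPE1, IPE2 = "58.6.33.214", "58.6.33.210"
LAN, GW_LAN = "192.168.1.0/24", "192.168.1.1"

# Routing tables as (prefix, device) pairs, mirroring the posted commands.
TABLES = {
    "local": [(IPE1 + "/32", "local"), (IPE2 + "/32", "local"),
              (GW_LAN + "/32", "local")],
    "1": [("0.0.0.0/0", "IFE1")],
    "2": [("0.0.0.0/0", "IFE2")],
    "main": [(LAN, "LAN"), ("0.0.0.0/0", "IFE1 or IFE2")],
}
# Hypothetical variant: tables 1 and 2 also carry the LAN route.
TABLES_WITH_LAN = {**TABLES,
                   **{t: [(LAN, "LAN")] + TABLES[t] for t in ("1", "2")}}

# Rules in lookup order: (packet field, value, table); None matches all.
RULES = [(None, None, "local"),
         ("src", IPE1, "1"), ("src", IPE2, "2"),
         ("mark", 1, "1"), ("mark", 2, "2"),
         (None, None, "main")]

def lookup(tables, table, dst):
    """Longest-prefix match inside one table; None if nothing covers dst."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), dev) for p, dev in tables[table]]
    hits = [(n.prefixlen, dev) for n, dev in nets if addr in n]
    return max(hits)[1] if hits else None

def route(src, dst, mark=0, tables=TABLES):
    """Walk the rules in order; the first table with a route decides."""
    pkt = {"src": src, "mark": mark}
    for field, value, table in RULES:
        if field is None or pkt[field] == value:
            dev = lookup(tables, table, dst)
            if dev is not None:
                return table, dev
    return None, None

if __name__ == "__main__":
    web, host = "216.239.39.99", "192.168.1.50"  # host is a constructed LAN pc
    print("reply to the gateway itself:", route(web, IPE1, mark=1))
    print("new connection from LAN pc: ", route(host, web))
    print("reply to LAN pc, mark 1:    ", route(web, host, mark=1))
    print("same, LAN route in table 1: ",
          route(web, host, mark=1, tables=TABLES_WITH_LAN))
```

In this model a reply addressed to a LAN host that carries a restored mark resolves in table 1 or 2, which hold only a default route, while the gateway's own replies resolve in the local table first. `ip rule show` and `ip route show table 1` on the gateway print the real rules and table to compare against.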
