[LARTC] Ip route cache problem

[LARTC] Ip route cache problem

[Luca Maragnani]

Hello,
I need some help about a routing problem on a complex configuration.

The problem is that I can't reach from services outside from my DMZ.

The scenario is a gateway linked to three internet connections, so that 
I used three distinct iproute2 tables for routing. The gw is running 
ipvs for balancing over the dmz's servers.

DMZ servers are on 192.168.1.0/24 network, .

Every table has the route to reach :
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1

I'm using iptables to NAT a server on my DMZ to reach DNS services outsides:
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 151.99.0.100 
--dport 53 -j SNAT --to-source 81.77.88.99

Looking inside the cache I find only the route to reach the dns server, 
but not the one that the dns needs to reach my server:
151.99.0.100 from 192.168.1.2 via 81.77.88.100 dev eth2  src 192.168.1.249
    cache <src-direct>  mtu 1500 advmss 1460 metric10 64 iif eth0

I experieced in the past that reentering the iptables nat command 
worked, but it seems a random effect and not always works.

Thank's in advance,
Luca Maragnani

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

RE: [LARTC] Ip route cache problem

[Ionut Popovici]

[-- Attachment #1: Type: text/plain, Size: 1307 bytes --]

>Hello,
>I need some help about a routing problem on a complex configuration.

>The problem is that I can't reach from services outside from my DMZ.

>The scenario is a gateway linked to three internet connections, so that 
>I used three distinct iproute2 tables for routing. The gw is running 
>ipvs for balancing over the dmz's servers.

>DMZ servers are on 192.168.1.0/24 network, .

>Every table has the route to reach :
>192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1

>I'm using iptables to NAT a server on my DMZ to reach DNS services outsides:
>iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 151.99.0.100 
>--dport 53 -j SNAT --to-source 81.77.88.99
Have u try to use DNAT from iptables because dnat is in PREROTING , and if u have a dns service u need to make the outside service connection to connect 2 your dns server !

>Looking inside the cache I find only the route to reach the dns server, 
>but not the one that the dns needs to reach my server:
>151.99.0.100 from 192.168.1.2 via 81.77.88.100 dev eth2  src 192.168.1.249
>    cache <src-direct>  mtu 1500 advmss 1460 metric10 64 iif eth0
>
>I experieced in the past that reentering the iptables nat command 
>worked, but it seems a random effect and not always works.
>
>Thank's in advance,
>Luca Maragnani


[-- Attachment #2: ionut.vcf --]
[-- Type: text/x-vcard, Size: 836 bytes --]

begin:vcard
fn:Popovici Ionut
n:Ionut;Popovici
org:ISP TOPALL SRL;IT & Network Administrator
adr:Bl.13;;Stefan cel Mare ;Roman;Neamt;5550;Romania
email;internet:ionut@topall.ro
title:Administrator
tel;work:+40-233-742419
tel;fax:+40-233-744881
tel;home:+40-233-720881
tel;cell:+40-746-251059
note;quoted-printable:.........................................................................=
	=0D=0A=
	Privileged/Confidential Information may be contained in this message. If=0D=0A=
	you are not the addressee indicated in this message (or responsible for=0D=0A=
	delivery of the message to such person), you may not copy or deliver this=
	=0D=0A=
	message to anyone. In such a case, you should destroy this message and=0D=0A=
	kindly notify the sender by reply e-mail. 
x-mozilla-html:FALSE
url:http://www.topall.ro
version:2.1
end:vcard


[-- Attachment #3: Type: text/plain, Size: 143 bytes --]

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] Ip route cache problem

[Luca Maragnani]

Sorry, surely I did'nt explained well the problem.

I don't have DNS services. I need to access dns server at 151.99.0.100 
from my servers which have private ip addresses. I think the only thing 
I need is to SNAT the connection.

Thank's all the same
Luca


Ionut Popovici wrote:

>> Hello,
>> I need some help about a routing problem on a complex configuration.
>
>
>> The problem is that I can't reach from services outside from my DMZ.
>
>
>> The scenario is a gateway linked to three internet connections, so 
>> that I used three distinct iproute2 tables for routing. The gw is 
>> running ipvs for balancing over the dmz's servers.
>
>
>> DMZ servers are on 192.168.1.0/24 network, .
>
>
>> Every table has the route to reach :
>> 192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
>
>
>> I'm using iptables to NAT a server on my DMZ to reach DNS services 
>> outsides:
>> iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 
>> 151.99.0.100 --dport 53 -j SNAT --to-source 81.77.88.99
>
> Have u try to use DNAT from iptables because dnat is in PREROTING , 
> and if u have a dns service u need to make the outside service 
> connection to connect 2 your dns server !
>
>> Looking inside the cache I find only the route to reach the dns 
>> server, but not the one that the dns needs to reach my server:
>> 151.99.0.100 from 192.168.1.2 via 81.77.88.100 dev eth2  src 
>> 192.168.1.249
>>    cache <src-direct>  mtu 1500 advmss 1460 metric10 64 iif eth0
>>
>> I experieced in the past that reentering the iptables nat command 
>> worked, but it seems a random effect and not always works.
>>
>> Thank's in advance,
>> Luca Maragnani
>
>
>_______________________________________________
>LARTC mailing list
>LARTC@mailman.ds9a.nl
>http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>  
>
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc