From: Daniel Frederiksen
Date: Wed, 26 Oct 2005 01:20:30 +0000
Subject: Re: [LARTC] Ip Src rewrite.
Message-Id: <435ED9DE.9020805@cyberdoc.dk>
References: <435E26E3.2080204@cyberdoc.dk>
In-Reply-To: <435E26E3.2080204@cyberdoc.dk>
To: lartc@vger.kernel.org

/dev/rob0 wrote:
> On Tuesday 2005-October-25 17:03, Daniel Frederiksen wrote:
>
>> Well, yes my ISP has assigned me the two "classes", however the
>> a.b.c.d/30 is a single IP through which the e.f.g.h/26 are routed
>> through. The ISP is not routing the e.f.g.h/26 directly to the line,
>> but through the single WAN IP a.b.c.e/30..
>> This is why all traffic going through is touched and marked as coming
>> from the WAN instead of the External IP address.
>
> What you describe sounds like NAT. Your gateway should be forwarding
> that traffic with the source IP unchanged. Can you show us tcpdump or
> iptables -j LOG of some of these packets' source IP being changed?

I would like to supply some tcpdump data, but at the moment the amount of
data flowing through is massive and extends to 118 systems. I was actually
trying to simplify the scenario a little bit. The thing is I also have
multiple lines with the same config running through the gateway/firewall
as a multipath routed setup.
Ok here goes, I'll try to define the complete setup:

eth0 (WAN 1)                IP: 80.16x.xxx.70/30
eth1 (WAN 2)                IP: 80.16y.yyy.174/30
eth2 (Routed WAN 2 Class)   IP: 80.16z.zzz.65/26
eth3 (Routed WAN 1 Class)   IP: 62.24w.www.1/26
eth4                        IP: 192.168.1.1/24

:~# ip ru
0:      from all lookup local
32761:  from 80.16x.xxx.70 lookup WAN1
32762:  from 62.24w.www.0/26 lookup WAN1
32763:  from 80.16z.zzz.64/26 lookup WAN2
32764:  from 80.16y.yyy.174 lookup WAN2
32766:  from all lookup main
32767:  from all lookup default

:~# ip r
80.16y.yyy.172/30 dev eth1 proto kernel scope link src 80.16y.yyy.174
80.16x.xxx.68/30 dev eth0 proto kernel scope link src 80.16x.xxx.70
80.16z.zzz.64/26 dev eth2 proto kernel scope link src 80.16z.zzz.65
62.24w.www.0/26 dev eth3 proto kernel scope link src 62.24w.www.1
192.168.1.0/24 dev eth4 proto kernel scope link src 192.168.1.1
default via 80.16x.xxx.69 dev eth0

The only other settings are:

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 80.16x.xxx.70

D'ooohhhh (Slaps his forehead).. Just found the problem..
Missing a "-s 192.168.1.0/24" in the above statement, to exclude
everything except the LAN.. No wonder everything got nat'ed..

Well, I guess I'm buying the next round..

Anyway, thanks a lot guys. You made my day and night..

/Daniel.

> I think we are missing part of the picture here. iptables-save; ip r l;
> ip ru l; ip a l # all those might help. Munge consistently if you feel
> compelled to munge.
>
>>>>>> NB: Small diagram of the setup.
>>>>>>
>>>>>>        DMZ                GW/FW                    ISP/Internet
>>>>>> -----------------------------------------------------------------
>>>>>> ------ Server #1 --|
>>>>>>        e.f.g.h3/26  |
>>>>>>
>>>>>>                     |---- Gateway/Firewall --- ISP WAN IP: a.b.c.d/30
>>>>>>
>>>>>>        Server #2 --|        a.b.c.d1/30        Ext. IP: e.f.g.h/26
>>>>>>        e.f.g.h4/26          e.f.g.h1/26
>
> "DMZ" implies there is a separate subnet, and perhaps a SNAT'ed LAN,
> correct? You have 3 interfaces: internal, DMZ and external?
> Whether or not there is an internal doesn't directly affect this, but
> anyway, that is how I would set it up.
>
> Your DMZ machines should have e.f.g.h1 as their default gateway. Your
> router machine should have whatever the ISP told you to use as its
> default gateway (probably a.b.c.d2, I bet.)

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
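The root cause Daniel found, modelled as an added example that is not code from the thread: a small Python model of the POSTROUTING SNAT match, comparing the rule as posted with the same rule carrying the missing "-s 192.168.1.0/24" selector, so you can see which sources each version rewrites before touching a live gateway. The WAN and routed-block addresses are constructed RFC 5737 stand-ins for the munged prefixes in the mail; only the LAN prefix is the one the mail shows, and the assumption that the routed block exits via eth0 follows from its WAN1 rule and the eth0 default route.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins (RFC 5737 documentation ranges) for the munged
# prefixes in the mail; only the LAN prefix is the one the mail actually shows.
WAN1_IP = ipaddress.ip_address("198.51.100.70")        # for 80.16x.xxx.70 on eth0
ROUTED_WAN1 = ipaddress.ip_network("203.0.113.0/26")   # for 62.24w.www.0/26 on eth3
LAN = ipaddress.ip_network("192.168.1.0/24")           # eth4, the only net to SNAT


@dataclass
class SnatRule:
    """One 'iptables -t nat -A POSTROUTING ... -j SNAT --to' rule."""
    out_iface: str                                       # -o
    to_source: ipaddress.IPv4Address                     # --to
    src_match: Optional[ipaddress.IPv4Network] = None    # -s (None = any source)

    def matches(self, src: ipaddress.IPv4Address, out_iface: str) -> bool:
        if out_iface != self.out_iface:
            return False
        return self.src_match is None or src in self.src_match


def postrouting(rules, src: str, out_iface: str) -> ipaddress.IPv4Address:
    """Source address a forwarded packet leaves with: first matching SNAT rule wins."""
    addr = ipaddress.ip_address(src)
    for rule in rules:
        if rule.matches(addr, out_iface):
            return rule.to_source
    return addr


# The rule from the mail, and the same rule with the missing "-s" selector.
ORIGINAL = [SnatRule("eth0", WAN1_IP)]       # -o eth0 -j SNAT --to 80.16x.xxx.70
FIXED = [SnatRule("eth0", WAN1_IP, LAN)]     # -s 192.168.1.0/24 -o eth0 -j SNAT --to ...


def rewritten_routed_hosts(rules, routed=ROUTED_WAN1, out_iface="eth0"):
    """Hosts of a routed public block whose source would wrongly be rewritten.
    Assumes traffic from that block exits eth0 (WAN1 table), so it hits the rule."""
    return [str(h) for h in routed.hosts()
            if postrouting(rules, str(h), out_iface) != h]


if __name__ == "__main__":
    print("original rule rewrites", len(rewritten_routed_hosts(ORIGINAL)), "routed hosts")
    print("fixed rule rewrites", len(rewritten_routed_hosts(FIXED)), "routed hosts")
    print("LAN host leaves as", postrouting(FIXED, "192.168.1.10", "eth0"))
```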