* dual/triple adsl router natting problem
@ 2005-06-23 12:44 Colin Tree
2005-06-23 13:08 ` /dev/rob0
0 siblings, 1 reply; 5+ messages in thread
From: Colin Tree @ 2005-06-23 12:44 UTC (permalink / raw)
To: netfilter
Hi,
I'm new to the list and a babe with iptables.
I've tried various routing and filtering combinations
as described on different sites around the net and
for the moment am trying multihomed host as described on
routeskeeper.sourceforge
sorry it's a bit long
My setup -
Debian Sarge (stable) no udev, etc, clean and simple
kernel 2.6.11 (from unstable)
iptables 1.2.11 (stable) should I go to 1.3.1 ?? (from unstable)
fiaif firewall disabled till we get the routing correct
at present testing with one internal pc
2x100M network cards eth0-2 each connected to an adsl bridged modem
each adsl line is layer 3 bridged with separate IP, GW, NET, BCAST /30
subnets.
1x1000M network card to internal switch and numerous pcs
ip rule add prio 1 from $IPE1 lookup 1
ip rule add prio 1 from $IPE2 lookup 2
### I couldn't get anything until I included the gateway
today I tried again with no gateway, now I can't get in from home.
ip route add table 1 to default dev $IFE1 via $GWE1
ip route add table 2 to default dev $IFE2 via $GWE2
ip route add to default \
nexthop dev $IFE1 via $GWE1 weight 1 \
nexthop dev $IFE2 via $GWE2 weight 1
iptables -A POSTROUTING -t mangle -j MARK --set-mark 1 \
-m state --state NEW -o $IFE1
iptables -A POSTROUTING -t mangle -j MARK --set-mark 2 \
-m state --state NEW -o $IFE2
iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark \
-m state --state NEW
iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
ip rule add fwmark 1 lookup 1
ip rule add fwmark 2 lookup 2
iptables -A POSTROUTING -t nat -m mark --mark 1 \
-j SNAT --to-source $IPE1
iptables -A POSTROUTING -t nat -m mark --mark 2 \
-j SNAT --to-source $IPE2
### I can access the net and internal network from the gateway
I can ssh and vnc into the gateway from home
the dual path is nicely load sharing ??
root@mantrix:~# ping -I 58.6.33.214 google.com
PING google.com (216.239.39.99) from 58.6.33.214 : 56(84) bytes of data.
64 bytes from 216.239.39.99: icmp_seq=1 ttl=239 time=256 ms
root@mantrix:~# ping -I 58.6.33.210 google.com
PING google.com (216.239.37.99) from 58.6.33.210 : 56(84) bytes of data.
64 bytes from 216.239.37.99: icmp_seq=1 ttl=238 time=265 ms
root@mantrix:~# ping google.com
PING google.com (216.239.57.99) 56(84) bytes of data.
64 bytes from 216.239.57.99: icmp_seq=1 ttl=240 time=180 ms
Can access the gateway from the internal network.
We can't SNAT from the network out to the real world
Cheers,
Colin
* Re: dual/triple adsl router natting problem
2005-06-23 12:44 Colin Tree
@ 2005-06-23 13:08 ` /dev/rob0
2005-06-23 15:02 ` Jan Engelhardt
0 siblings, 1 reply; 5+ messages in thread
From: /dev/rob0 @ 2005-06-23 13:08 UTC (permalink / raw)
To: netfilter
On Thursday 23 June 2005 07:44, Colin Tree wrote:
> I've tried various routing and filtering combinations
> as described on different sites around the net and
I've used the patches here: http://www.ssi.bg/~ja/
and the HOWTO here: http://www.ssi.bg/~ja/nano.txt
to do multiple gateway routing.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
* Re: dual/triple adsl router natting problem
2005-06-23 13:08 ` /dev/rob0
@ 2005-06-23 15:02 ` Jan Engelhardt
0 siblings, 0 replies; 5+ messages in thread
From: Jan Engelhardt @ 2005-06-23 15:02 UTC (permalink / raw)
To: /dev/rob0; +Cc: netfilter
>> I've tried various routing and filtering combinations
>> as described on different sites around the net and
>
>I've used the patches here: http://www.ssi.bg/~ja/
>and the HOWTO here: http://www.ssi.bg/~ja/nano.txt
>to do multiple gateway routing.
well, a simple approach I once read worked something like (given that you have
ppp0 and ppp1) to distribute connections (not packets):
`route -n` goes like:
Destination Gateway Genmask Flags Metric Ref Use Iface
212.185.254.105 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
212.185.99.88 0.0.0.0 255.255.255.255 UH 0 0 0 ppp1
0.0.0.0 212.185.254.105 0.0.0.0 UG 0 0 0 ppp0
0.0.0.0 212.185.99.88 0.0.0.0 UG 0 0 0 ppp1
-A PREROUTING -o ppp0 -p tcp -m state --state NEW -m nth --every 2 -j ROUTE --oif ppp1
-A POSTROUTING -j MASQUERADE -o ppp0
-A POSTROUTING -j MASQUERADE -o ppp1
i.e. that netfilter's nat was intelligent enough to get the idea of the
ROUTE target.
Jan Engelhardt
--
| Gesellschaft fuer Wissenschaftliche Datenverarbeitung Goettingen,
| Am Fassberg, 37077 Goettingen, www.gwdg.de
* dual/triple adsl router natting problem
@ 2005-11-26 0:58 PassWord Sistemas
2005-11-27 11:58 ` Rob Sterenborg
0 siblings, 1 reply; 5+ messages in thread
From: PassWord Sistemas @ 2005-11-26 0:58 UTC (permalink / raw)
To: netfilter
Hi, sorry for my bad English. I'm trying to share 2 ADSL lines in a LAN
connected to one AP with 15 clients, but I can't. I'm using Fedora Core 3
with a script of a few lines with one ADSL line:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --flush
iptables --table nat --flush
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT
service named start
I need to include the other ADSL line in this script because the clients are
browsing the web very slowly.
Many thanks...
Federico.
Rawson - Argentina
* RE: dual/triple adsl router natting problem
2005-11-26 0:58 dual/triple adsl router natting problem PassWord Sistemas
@ 2005-11-27 11:58 ` Rob Sterenborg
0 siblings, 0 replies; 5+ messages in thread
From: Rob Sterenborg @ 2005-11-27 11:58 UTC (permalink / raw)
To: netfilter
netfilter-bounces@lists.netfilter.org scribbled on :
> Hi, sorry for my bad English. I'm trying to share 2 ADSL lines in a LAN
> connected to one AP with 15 clients, but I can't. I'm using
> Fedora Core 3 with a script of a few lines with one ADSL line:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables --flush
> iptables --table nat --flush
> iptables --table nat --append POSTROUTING --out-interface
> ppp0 -j MASQUERADE
> iptables --append FORWARD --in-interface eth0 -j ACCEPT
>
> service named start
So you're starting the DNS server. What about the firewall script?
> I need to include the other ADSL line in this script because the
> clients are browsing the web very slowly.
It's not quite as simple as what you have above (having never done it
before I can't tell you exactly how difficult it will be).
Please look here (Google is your friend):
http://www.ssi.bg/~ja/nano.txt
http://lartc.org/howto/lartc.rpdb.multiple-links.html
http://linux-ip.net/html/adv-multi-internet.html
http://lists.suse.com/archive/suse-linux-e/2003-Jul/1136.html
It seems you need to patch the kernel for some solutions:
http://www.ssi.bg/~ja/#routes
Gr,
Rob
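The three posts above all circle the same construction: a per-uplink routing table selected by fwmark, CONNMARK to keep an established flow on the uplink it started on, and a source NAT whose address agrees with the uplink. The script below is an added example written for this thread, not code from any of the posters or from the netfilter project. It is a dry-run generator: with DRY_RUN=1 (the default) it prints the commands so they can be inspected or diffed; as root with DRY_RUN=0 it executes them. Interface names, addresses and gateways are placeholders from the RFC 5737 documentation ranges. Two choices go beyond what the thread had available and are assumptions about the reader's kernel: the in-tree `-m statistic --mode nth` match (iptables with xt_statistic) replaces the patch-o-matic nth match in Jan's rule, and `rp_filter=2` (loose reverse-path filtering, kernels 2.6.31 and later) replaces switching rp_filter off on the uplinks.

```shell
#!/bin/sh
# Added example, not code from the thread: build the rule set for a router
# with two uplinks so that each LAN connection is pinned to one uplink and
# SNATed with that uplink's address. All names and addresses are placeholders
# (RFC 5737 documentation ranges); override them in the environment.
DRY_RUN="${DRY_RUN:-1}"        # 1 = print the commands, 0 = execute them (as root)
LAN_IF="${LAN_IF:-eth2}"
IFE1="${IFE1:-eth0}"; IPE1="${IPE1:-192.0.2.10}";    GWE1="${GWE1:-192.0.2.9}"
IFE2="${IFE2:-eth1}"; IPE2="${IPE2:-198.51.100.10}"; GWE2="${GWE2:-198.51.100.9}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

gen_multiwan_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Loose reverse-path filtering (mode 2, assumed available) on the uplinks:
    # replies to IPE1 arrive on IFE1 while the main table may route that
    # source via either link, which strict mode would drop.
    run sysctl -w "net.ipv4.conf.$IFE1.rp_filter=2"
    run sysctl -w "net.ipv4.conf.$IFE2.rp_filter=2"

    # One routing table per uplink; the fwmark rules use them for forwarded
    # traffic, the from-rules for traffic the router itself sends from IPEn.
    run ip route add default via "$GWE1" dev "$IFE1" table 1
    run ip route add default via "$GWE2" dev "$IFE2" table 2
    run ip rule add prio 100 from "$IPE1" lookup 1
    run ip rule add prio 101 from "$IPE2" lookup 2
    run ip rule add prio 102 fwmark 1 lookup 1
    run ip rule add prio 103 fwmark 2 lookup 2
    # Main-table default: only reached by router-originated traffic with no mark.
    run ip route add default nexthop via "$GWE1" dev "$IFE1" weight 1 \
                             nexthop via "$GWE2" dev "$IFE2" weight 1

    # Marking happens in mangle PREROUTING, before the routing decision, so the
    # fwmark rules actually see it; a mark set in POSTROUTING comes after the
    # route has already been chosen for that packet.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    # New, still-unmarked connections alternate between the uplinks; the
    # statistic match is the in-tree equivalent of the patch-o-matic nth match.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m state --state NEW \
        -m mark --mark 0 -m statistic --mode nth --every 2 --packet 0 \
        -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m state --state NEW \
        -m mark --mark 0 -j MARK --set-mark 2
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m state --state NEW \
        -j CONNMARK --save-mark

    # SNAT keyed on the output interface the routing decision picked, so the
    # source address always matches the link the packet leaves on.
    run iptables -t nat -A POSTROUTING -o "$IFE1" -j SNAT --to-source "$IPE1"
    run iptables -t nat -A POSTROUTING -o "$IFE2" -j SNAT --to-source "$IPE2"
    run iptables -A FORWARD -i "$LAN_IF" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Returns 0 when the generated rule set has its pieces in a workable order:
# restore before save, both fwmark rules present, and no marking left in
# POSTROUTING where it could no longer steer the packet.
check_multiwan_rules() {
    rules=$(DRY_RUN=1 gen_multiwan_rules)
    restore=$(printf '%s\n' "$rules" | grep -n 'CONNMARK --restore-mark' | head -n1 | cut -d: -f1)
    save=$(printf '%s\n' "$rules" | grep -n 'CONNMARK --save-mark' | head -n1 | cut -d: -f1)
    [ -n "$restore" ] && [ -n "$save" ] && [ "$restore" -lt "$save" ] || return 1
    printf '%s\n' "$rules" | grep -q 'fwmark 1 lookup 1' || return 1
    printf '%s\n' "$rules" | grep -q 'fwmark 2 lookup 2' || return 1
    ! printf '%s\n' "$rules" | grep -q 'POSTROUTING.*MARK --set-mark'
}

gen_multiwan_rules
```

Run it once without arguments to read the generated commands, then `DRY_RUN=0 sh multiwan.sh` as root to apply them; `check_multiwan_rules` is there so the ordering invariants can be asserted before anything touches the kernel. SNAT is keyed on `-o` rather than on the mark: once the fwmark rule has routed the packet out IFE1, the output interface is the authoritative record of which address the reply must come back to.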