* [LARTC] Fwd: Inbound and outbound traffic problem
From: Janis Daniel Bistevins @ 2005-12-20 13:15 UTC
  To: lartc



Sorry if I can't explain correctly what my problem is.
What I need is to route traffic originated inside my LAN by one ISP,
and traffic coming from another ISP (mostly requests to machines
inside the LAN) back by the same ISP.
The way I've found is by creating two different networks inside my LAN.
Those machines running services have two IPs on their NICs. That way I
can route depending on the source of the packets.
I have a snapshot of my drawing, so you can figure this out.

http://www.iglobal.com.ar/~janis/snap0000.xpm


---------- Forwarded message ----------
From: Janis Daniel Bistevins <bistevins@gmail.com>
Date: Dec 19, 2005 12:05 PM
Subject: Inbound and outbound traffic problem
To: lartc@mailman.ds9a.nl


                                  +---------------+
   +----+   ISP A                 |               |
   |    |-------------------------|               |  NET C   +-------+
   +----+                         |    ROUTER     |----------|       |
                                  |    LINUX      |          |  www  |
   +----+   ISP B                 |               |----------|       |
   |    |-------------------------|               |  NET D   +-------+
   +----+                         +---------------+


Hi!
I need that requests to www arriving from net ISP A return by the
same route, but connections initiated from www go out by net ISP B.

The only way I have discovered so far is creating two different
networks (NET C and NET D).
So, www has a route to ISP A by NET C and a default route by NET D.
On the Linux Router everything coming from NET D is routed by NET B
and everything coming from NET C is routed by NET A.
This is accomplished by creating logical interfaces on www and on the
Linux Router.

Is there another way to do this?

Thanks in advance.
Regards.

--
            Janis Bistevins
>Belief is 9/10 of YOUR reality<




_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] Fwd: Inbound and outbound traffic problem
From: Michael Davidson @ 2005-12-20 18:37 UTC
  To: lartc

Hi,
    There is another way to do this, but I doubt that it is any more
elegant than what you have right now. I have just completed this same
task and I can say that if I could have used your method - overlaying
another subnet - I would have done so since it's a cleaner solution in my
view.

I used iptables to "mark" the packets of the flows that were generated
by the server (WWW).
I created a second routing table with its own default route.
I created an "ip rule" which looks for a "mark" on the packets and
directs those packets to the new routing table.

Keep in mind, for this to work correctly you need to be using NAT or
Masquerade on at least one of your ISP ports.

Regards Mike







-- 

 Regards Mike.

 Michael Davidson
 Barone Budge & Dominick
 Email: michael@bbd.co.za
 Office: +27 11 532 8380
 BB&D :  +27 11 532 8300
 Fax:    +27 11 532 8400
 Mobile: +27 82 650 5707
 Home:   +27 11 452 4423	

 This e-mail is confidential and subject to the disclaimer published at
 http://www.bbd.co.za
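The mark-based setup Mike outlines (fwmark, a second routing table with its own default route, an ip rule keyed on the mark, and NAT on the ISP B side), written out as an added example that is not code from the thread or from Mike. Interface names, addresses, the table number and the mark value are constructed placeholders; the rp_filter line reflects the detail Janis reports later in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: Mike's approach (fwmark, a second
# routing table with its own default, an ip rule that keys on the mark, and
# NAT) applied to the Linux router in Janis's diagram. Interface names,
# addresses, the table number and the mark value are constructed placeholders.
WWW_IP=192.168.1.10         # server whose own connections must leave via ISP B
ISP_A_IF=eth1; ISP_A_GW=203.0.113.1    # requests to www arrive from ISP A
ISP_B_IF=eth2; ISP_B_GW=198.51.100.1   # www-originated traffic goes out here
TABLE=200                   # second routing table
MARK=0x2                    # fwmark that selects it
APPLY=${APPLY:-0}           # APPLY=1 executes; by default the commands are printed

run() { if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

setup_fwmark_routing() {
  # Main table: default via ISP A, so unmarked packets (replies to requests
  # that came in from ISP A) return the way they came.
  run ip route replace default via "$ISP_A_GW" dev "$ISP_A_IF"

  # Second table with its own default route via ISP B.
  run ip route replace default via "$ISP_B_GW" dev "$ISP_B_IF" table "$TABLE"

  # Mark flows that www initiates. The mark is stored in conntrack and
  # restored on later packets from www, so every packet of the flow uses the
  # same table; packets of connections opened from ISP A carry mark 0 and
  # stay on the main table. Restoring only for packets from www keeps the
  # rule away from the return traffic destined to the LAN.
  run iptables -t mangle -A PREROUTING -s "$WWW_IP" -j CONNMARK --restore-mark
  run iptables -t mangle -A PREROUTING -s "$WWW_IP" -m conntrack --ctstate NEW \
      -j MARK --set-mark "$MARK"
  run iptables -t mangle -A PREROUTING -s "$WWW_IP" -m mark --mark "$MARK" \
      -j CONNMARK --save-mark

  # The ip rule: marked packets consult the second table before main.
  run ip rule add fwmark "$MARK" table "$TABLE" priority 100

  # NAT on the ISP B side, the requirement Mike mentions: the private source
  # must become ISP B's address or replies would be sent to ISP A.
  run iptables -t nat -A POSTROUTING -o "$ISP_B_IF" -j MASQUERADE

  # Replies to those flows arrive on ISP B although the main table routes
  # their source via ISP A; the strict reverse-path filter drops them unless
  # it is switched off on that interface (the detail Janis reports below).
  run sysctl -w net.ipv4.conf."$ISP_B_IF".rp_filter=0
  run ip route flush cache
}

setup_fwmark_routing
```

Run with `APPLY=1` on the router to execute the commands instead of printing them.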



* Re: [LARTC] Fwd: Inbound and outbound traffic problem
From: Janis Daniel Bistevins @ 2005-12-21 11:56 UTC
  To: lartc



Thanks Michael for your answer!
I finally did it in a way similar to what you described. Marking packets and
using NAT. BUT everything started working great when I found a little detail:

echo "0" > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/eth2/rp_filter

Without this, things were confused.

Where does this come from? I found this trick in a HowTo from a Spanish site:

http://bulma.net/body.phtml?nIdNoticia=1615

Nowhere else!
So, what I did, is it a common mistake? Is this assumed by default in every
configuration and because of this, there are no comments about this in any
other tutorial or howto?

Anyway, once again Mike, thank you!!

Best regards

J.D.Bistevins




* Re: [LARTC] Fwd: Inbound and outbound traffic problem
From: Michael Davidson @ 2005-12-21 15:22 UTC
  To: lartc

hi,
    Damn!!! Yes, I forgot to mention this. This is to do with "anti
spoofing". In Redhat distros it is switched on by default.

A brief simplistic explanation:

A packet is routed to your machine based on the destination address
(obvious); the source address isn't checked along the route, and
you could put anything in there. The final delivery to a computer is
based on the MAC of the interface card; the interface card doesn't even
understand IP, let alone do any address checking. This means that someone
could send you malicious packet(s) with a source IP address that is in
the range used on your internal LAN, in other words a friendly address.
This then is the "spoof".

The anti-spoofing mechanism checks the source address of the packets and
the interface it arrived on and reconciles that against the IP subnet
that is associated with that interface. If there is a mismatch
the packet is discarded. For example: if your internal LAN is using
10.7.1.0/24 on eth1 then a packet arriving on eth0 with a source
address in that range will be discarded.

This next bit is a guess because I have not read it anywhere: The
anti-spoofing mechanism also does not allow you to transmit packets out
of an interface with destination addresses that are not appropriate for
that LAN. The exception of course is the interface which is seen as the
route to the "default gateway" as listed in the "main" routing table.

You can now see why you need to remove the anti-spoofing mechanism from
the second Internet interface. Just declaring a second "default gateway"
in another routing table does not change things.

Now that that automatic protection has been removed from the second
Internet interface you should put some rules in your iptables to compensate.

Finally, if you think that by hiding behind a FW doing NAT no one out
there on the internet can see your internal addresses then you would be
wrong. Apart from other applications, your Internet browser tells the
world what IP address your PC is using.

Regards Mike.
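As an added illustration (not from the thread), a plain-shell model of the strict reverse-path check Mike describes, run against a small constructed routing table that uses his 10.7.1.0/24-on-eth1 example, together with the explicit iptables rules that compensate once rp_filter is switched off on an ISP interface. All addresses and interface names are constructed; eth0 carries the default route and eth2 is the second ISP link.

```shell
#!/bin/sh
# Added example, not from the thread: a plain-shell model of the strict
# reverse-path check Mike describes (accept a packet only if the route back
# to its source leaves by the interface it arrived on), run against a small
# constructed routing table, plus the explicit iptables anti-spoofing rules
# that compensate once rp_filter is switched off on an ISP interface.
# Constructed data: 10.7.1.0/24 on eth1 is the LAN from Mike's example, eth0
# carries the default route (first ISP) and eth2 is the second ISP link.
ROUTES='10.7.1.0/24 eth1
203.0.113.0/24 eth0
198.51.100.0/24 eth2
0.0.0.0/0 eth0'
LAN_NET=10.7.1.0/24

ip2int() {  # dotted quad -> 32-bit integer
  a=${1%%.*}; r=${1#*.}; b=${r%%.*}; r=${r#*.}; c=${r%%.*}; d=${r#*.}
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

route_lookup() {  # longest-prefix match: interface a packet *to* $1 would use
  dst=$(ip2int "$1"); best_len=-1; best_if=""
  while read -r prefix iface; do
    net=${prefix%/*}; len=${prefix#*/}
    if [ "$len" -eq 0 ]; then mask=0; else mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF )); fi
    if [ $(( dst & mask )) -eq $(( $(ip2int "$net") & mask )) ] && [ "$len" -gt "$best_len" ]; then
      best_len=$len; best_if=$iface
    fi
  done <<EOF
$ROUTES
EOF
  echo "$best_if"
}

rpf_verdict() {  # usage: rpf_verdict <ingress interface> <source address>
  if [ "$(route_lookup "$2")" = "$1" ]; then echo ACCEPT; else echo DROP; fi
}

antispoof_rules() {  # usage: antispoof_rules <isp interface>...
  # With rp_filter off on the ISP links, refuse Internet packets that claim
  # a LAN or loopback source address explicitly, as Mike recommends.
  for iface in "$@"; do
    echo "sysctl -w net.ipv4.conf.$iface.rp_filter=0"
    echo "iptables -A INPUT   -i $iface -s $LAN_NET -j DROP"
    echo "iptables -A FORWARD -i $iface -s $LAN_NET -j DROP"
    echo "iptables -A INPUT   -i $iface -s 127.0.0.0/8 -j DROP"
  done
}

# Mike's example (LAN source arriving on the wrong interface), a legitimate
# LAN packet, and the multi-ISP case: a reply arriving on eth2 from an
# Internet host whose return route is eth0 is dropped by the strict check.
for c in "eth0 10.7.1.5" "eth1 10.7.1.5" "eth2 192.0.2.7"; do
  set -- $c; echo "in=$1 src=$2 -> $(rpf_verdict "$1" "$2")"
done
antispoof_rules eth2
```

The third case is exactly why the second ISP interface needed rp_filter=0 in Janis's setup: the kernel's own routing table says the reply's source belongs behind the other link.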







* Re: [LARTC] Fwd: Inbound and outbound traffic problem
From: Jody Shumaker @ 2005-12-21 18:34 UTC
  To: lartc



Both solutions mentioned in here seem to be overly complicated.  All of this
should be doable with just a proper routing setup. I recently set up
multi-link routing and used mostly the info in
http://www.ssi.bg/~ja/nano.txt and the mpath2.sh script linked at
http://www.ssi.bg/~ja/

The one change I did was to only have a default gateway for the one ISP I
wanted, i.e. instead of

ip route add default table 222 proto static \
        nexthop via GWE1 dev IFE1 weight 1 \
        nexthop via GWE2 dev IFE2 weight 1

mentioned in the docs I only use:

ip route add default table 222 proto static \
        nexthop via GWE1 dev IFE1 weight 1

With this setup, all traffic originating from my network goes out through
the one default route I specified.  However, incoming connections from
either ISP always go back out the same ISP they came in from.  I don't have
any connection marking or separate internal networks set up. Basically tables
201 and 202 select the route based on the src address, and this works with
NAT as well because it tracks a connection and will remember which src
address to translate it back to.

- Jody
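The source-address policy routing Jody describes, as an added example that is neither his script nor the nano.txt/mpath2.sh code. Addresses and interface names are constructed placeholders; tables 201 and 202 follow his description, and the single default route is his change to the two-nexthop default from the docs.

```shell
#!/bin/sh
# Added example, not Jody's script and not the nano.txt/mpath2.sh code: the
# source-address policy routing Jody describes, with one default route via a
# single ISP instead of the two-nexthop default from the docs. Interface
# names and addresses are constructed placeholders; tables 201 and 202 are
# the numbers Jody mentions.
IF1=eth1; IP1=203.0.113.10;  GW1=203.0.113.1;  NET1=203.0.113.0/24    # ISP A
IF2=eth2; IP2=198.51.100.10; GW2=198.51.100.1; NET2=198.51.100.0/24   # ISP B
APPLY=${APPLY:-0}     # APPLY=1 executes; by default the commands are printed

run() { if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

setup_source_routing() {
  # One table per ISP: its own link and a default via its own gateway.
  run ip route add "$NET1" dev "$IF1" src "$IP1" table 201
  run ip route add default via "$GW1" dev "$IF1" table 201
  run ip route add "$NET2" dev "$IF2" src "$IP2" table 202
  run ip route add default via "$GW2" dev "$IF2" table 202

  # Source-based selection: a packet carrying ISP A's address consults
  # table 201, one carrying ISP B's address table 202, so an incoming
  # connection is answered on the link it arrived on.
  run ip rule add from "$IP1" table 201 priority 201
  run ip rule add from "$IP2" table 202 priority 202

  # Main table: both links reachable, but a single default (Jody's change to
  # the docs), so traffic originating inside the network always uses ISP B.
  run ip route add "$NET1" dev "$IF1" src "$IP1"
  run ip route add "$NET2" dev "$IF2" src "$IP2"
  run ip route replace default via "$GW2" dev "$IF2"

  # NAT per link. Conntrack remembers which public address a connection was
  # translated to and undoes it for the replies, which is why, as Jody notes,
  # the scheme works with NAT for outbound connections.
  run iptables -t nat -A POSTROUTING -o "$IF1" -j SNAT --to-source "$IP1"
  run iptables -t nat -A POSTROUTING -o "$IF2" -j SNAT --to-source "$IP2"
  run ip route flush cache
}

# Caveat (netfilter hook order, not from the thread): for a connection DNATed
# to a host behind the router, the reply is routed before its source is
# translated back, so the "from" rules never see the public address and
# that case still needs the connection-mark approach from Mike's reply.
setup_source_routing
```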


