* How to make portforwarding work properly with two ISPs
@ 2006-02-28 21:33 Tommy W
From: Tommy W @ 2006-02-28 21:33 UTC (permalink / raw)
  To: netfilter

Hi
I'm having some trouble getting my port forwarding to work.
Basically what I do is check the destination IP and port; if they match my
server's, I DNAT to the correct box.
This works perfectly, unless the request comes in on the "wrong" interface,
meaning my secondary interface.
I take it that everything sent to the GATEWAY will be redirected to the correct BOX
BEHIND, but it's when the BOX BEHIND starts talking back that it goes out on the
standard interface instead of the secondary.
I use --set-mark 0x2 in the mangle table for getting traffic out on the
secondary interface.

TELIA is my main line and BOSTREAM is my secondary line.
And this is the code used for port forwarding. Only the first two
commands work; the last two will fail (silently):

# Requests to the TELIA address: rewrite the destination to the internal host
# ($2:$3), then let the translated packet through FORWARD. DNAT has already
# happened when FORWARD sees the packet, hence -d $2 and --dport $3 there.
iptables -I PREROUTING -t nat -d $TELIAIP -p $PROTO -m $PROTO --dport $1 \
    -j DNAT --to-destination $2:$3
iptables -I FORWARD -d $2 -i $TELIAIF -o $SRCIF -p $PROTO -m $PROTO --dport $3 \
    -j ACCEPT

# Same pair of rules for requests to the BOSTREAM (secondary) address.
iptables -I PREROUTING -t nat -d $BOSTREAMIP -p $PROTO -m $PROTO --dport $1 \
    -j DNAT --to-destination $2:$3
iptables -I FORWARD -d $2 -i $BOSTREAMIF -o $SRCIF -p $PROTO -m $PROTO --dport $3 \
    -j ACCEPT

Do I need to put the connection into some kind of connection tracking?
I'm quite lost about this, to be honest.
All help is appreciated.

http://svearike.sytes.net/~ws/rc.firewall_

There's the firewall script in its entirety.
If you find anything that looks stupid, or if you have any other suggestions
about the script, feel free to harass me :)

Tommy W



* Re: How to make portforwarding work properly with two ISPs
From: Philip Craig @ 2006-03-01  0:16 UTC (permalink / raw)
  To: Tommy W; +Cc: netfilter

On 03/01/2006 07:33 AM, Tommy W wrote:
> Hi
> I'm having some trouble getting my port forwarding to work.
> Basically what I do is check the destination IP and port; if they match my
> server's, I DNAT to the correct box.
> This works perfectly, unless the request comes in on the "wrong" interface,
> meaning my secondary interface.
> I take it that everything sent to the GATEWAY will be redirected to the correct BOX
> BEHIND, but it's when the BOX BEHIND starts talking back that it goes out on the
> standard interface instead of the secondary.
> I use --set-mark 0x2 in the mangle table for getting traffic out on the
> secondary interface.

The solution here is to remember that a connection was initiated on the
secondary, and set the mark on replies so that they go out the secondary.
I've had success doing this with something like this:

# Tag every connection whose first packet arrives on the secondary ISP.
iptables -t mangle -A PREROUTING -i $BOSTREAMIF -m conntrack --ctstate NEW \
    -j CONNMARK --set-mark 0x2
# Copy that saved connection mark onto the reply packets coming from the LAN,
# so the fwmark 0x2 routing rule sends them back out the secondary interface.
iptables -t mangle -A PREROUTING -i $INTIF -m conntrack --ctstate ESTABLISHED,RELATED \
    -j CONNMARK --restore-mark



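The following script is an added, self-contained example of the whole mechanism the reply describes (DNAT on both ISP addresses, CONNMARK on the secondary, mark restored on LAN replies, and the policy-routing rule that actually acts on the mark). It is not Tommy's rc.firewall and not Philip's exact rules; the interface names eth0/eth1/eth2, the documentation-range addresses, routing table 200 and the forwarded host 10.0.0.5 are all placeholders chosen for the example. Commands are printed unless APPLY=1 is set, so the rule set can be reviewed before it touches a live gateway.

```sh
#!/bin/sh
# Added example (not from the original thread): dual-ISP port forwarding with
# DNAT plus CONNMARK-based reply routing. Every name and address below is a
# placeholder, not something taken from the original firewall script.
set -eu

TELIAIF=eth0;    TELIAIP=192.0.2.10;       TELIAGW=192.0.2.1        # primary ISP (default route)
BOSTREAMIF=eth1; BOSTREAMIP=198.51.100.10; BOSTREAMGW=198.51.100.1  # secondary ISP
INTIF=eth2                                                          # LAN side
MARK=0x2     # firewall mark meaning "send via the secondary ISP"
TABLE=200    # routing table whose only default route is the secondary ISP

# Print the command, or execute it when APPLY=1 (review first, apply second).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Policy routing: marked packets are looked up in $TABLE, which routes them
# through the secondary gateway instead of the main default route.
setup_policy_routing() {
    run ip route add default via "$BOSTREAMGW" dev "$BOSTREAMIF" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
    # Loose reverse-path filtering on both WAN sides (kernels that support
    # value 2): strict mode drops packets arriving on the secondary whenever
    # the main table would route the source address back out the primary.
    run sysctl -q -w "net.ipv4.conf.$TELIAIF.rp_filter=2"
    run sysctl -q -w "net.ipv4.conf.$BOSTREAMIF.rp_filter=2"
}

# Connection marking. mangle PREROUTING runs before nat PREROUTING and before
# the routing decision, so the mark is in place when the reply is routed.
setup_connmark() {
    # Remember which connections were opened through the secondary ISP.
    run iptables -t mangle -A PREROUTING -i "$BOSTREAMIF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK"
    # Put that connection mark back onto reply packets from the LAN so the
    # fwmark rule above routes them out the secondary.
    run iptables -t mangle -A PREROUTING -i "$INTIF" -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
    # One rule for all reply traffic; the per-port rules then only need NEW.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# forward_port PROTO EXTPORT HOST INTPORT: DNAT + FORWARD rule for each ISP.
forward_port() {
    proto=$1; extport=$2; host=$3; intport=$4
    for wan in "$TELIAIF $TELIAIP" "$BOSTREAMIF $BOSTREAMIP"; do
        wanif=${wan% *}; wanip=${wan#* }
        run iptables -t nat -A PREROUTING -d "$wanip" -p "$proto" --dport "$extport" \
            -j DNAT --to-destination "$host:$intport"
        # FORWARD sees the packet after DNAT, so match the internal host/port.
        run iptables -A FORWARD -i "$wanif" -o "$INTIF" -d "$host" -p "$proto" --dport "$intport" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
}

main() {
    setup_policy_routing
    setup_connmark
    forward_port tcp 80 10.0.0.5 8080   # constructed example: web server behind the gateway
}

main
```

Two practical notes. The fwmark rule is what turns the restored mark into a different outgoing interface; without an `ip rule`/`ip route ... table` pair the CONNMARK rules change nothing. And the restore-mark rule is deliberately broad: for connections that came in via the primary it restores a mark of 0, which falls through to the main table, so no separate rule is needed for the primary path.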
