From: Mart Frauenlob
Date: Mon, 06 Mar 2006 17:23:27 +0000
Subject: Re: [LARTC] Dual ISP routing and NAT problem
Message-Id: <440C700F.1040000@chello.at>
References: <44071C23.7040206@chello.at>
In-Reply-To: <44071C23.7040206@chello.at>
To: lartc@vger.kernel.org

Hello,

nobody even commented on this post?
What's wrong with it?

Thank you
Mart

Mart Frauenlob wrote:
> Hello newsgroup,
>
> I hope somebody with more routing experience than me can help me with
> the problem I have.
>
> The setup is as described below. A dual internet provider routing,
> multiple local area networks, and a dmz network with one public and one
> private ip range.
> I followed the instructions at lartc.org, and so far everything is working.
> The default route is via 'PROV_STATIC', only packets coming from LAN
> 192.168.111.0/24 are routed via 'PROV_DSL'.
> Now if I want to do network address translation via iptables for certain
> traffic coming into the dsl interface ppp0,
> packets never reach their destination.
> DNAT into DMZ or any of the LANs over the eth0 interface works as expected.
> So for example applying a DNAT rule like:
> 'iptables -t nat -A PREROUTING -i ppp0 -d 217.92.8.242 -p tcp --dport 80
> -j DNAT --to-destination 62.155.170.254'
> fails.
>
> Same for NAT attempts into the LANs 192.168.112.0/24 and 192.168.113.0/24.
> While DNAT into LAN 192.168.111.0/24 works perfectly.
>
> So I think the problem is that traffic from the DMZ and those two LANs
> have the ip rules applied to end up in the table 'PROV_STATIC'.
> Which usually is what I want, but not in this case, where I want port or
> protocol specific traffic to be routed differently.
> Is there a way to 'override' the default routing behaviour for i.e. http
> traffic?
> I tried the iptables ROUTE target, but did not get it working, but could
> of course be my error.
> Is there anything wrong with my current routing tables?
>
> Thank you for any help you can give.
>
> Best regards,
>
> Mart
>
> <------------------------------------------------->
> Setup:
>
> Firewall / Router:
> 2 external interfaces
> 3 lan interfaces
> 1 dmz interface
>
> External interfaces:
> 1 - PROV_STATIC:
>     IP: 62.155.170.250
>     Network: 62.155.170.248/30
>     Interface: static interface eth0
>     global default route via: 62.155.170.249
> 2 - PROV_DSL:
>     IP: 217.92.8.242
>     Peer: 217.6.98.186
>     Interface: DSL interface ppp0 (pppoe over eth1)
>
> DMZ interface:
>     IP_1: 62.155.170.253
>     Network_1: 62.155.170.252/30
>     IP_2: 192.168.0.1
>     Network_2: 192.168.0.0/24
>     Interface: eth4
>
> LAN interfaces:
> 1:  IP: 192.168.111.1
>     Network: 192.168.111.0/24
>     Interface: eth5
> 2:  IP: 192.168.112.1
>     Network: 192.168.112.0/24
>     Interface: eth2
> 3:  IP: 192.168.113.1
>     Network: 192.168.113.0/24
>     Interface: eth3
>
> igor:/# ip route list table PROV_DSL
> 217.6.98.186 dev ppp0 proto kernel scope link src 217.92.8.242
> 62.155.170.248/30 dev eth0 scope link src 62.155.170.250
> 62.155.170.252/30 dev eth4 proto kernel scope link src 62.155.170.253
> 192.168.112.0/24 dev eth2 proto kernel scope link src 192.168.112.1
> 192.168.113.0/24 dev eth3 proto kernel scope link src 192.168.113.1
> 192.168.0.0/24 dev eth4 proto kernel scope link src 192.168.0.1
> 192.168.111.0/24 dev eth5 proto kernel scope link src 192.168.111.1
> 10.0.0.0/8 via 192.168.111.3 dev eth5 proto kernel src 192.168.111.1
> 127.0.0.0/8 dev lo scope link
> default via 217.6.98.186 dev ppp0
>
>
> igor:/# ip route list table PROV_STATIC
> 217.6.98.186 dev ppp0 proto kernel scope link src 217.92.8.242
> 62.155.170.248/30 dev eth0 scope link src 62.155.170.250
> 62.155.170.252/30 dev eth4 proto kernel scope link src 62.155.170.253
> 192.168.112.0/24 dev eth2 proto kernel scope link src 192.168.112.1
> 192.168.113.0/24 dev eth3 proto kernel scope link src 192.168.113.1
> 192.168.0.0/24 dev eth4 proto kernel scope link src 192.168.0.1
> 192.168.111.0/24 dev eth5 proto kernel scope link src 192.168.111.1
> 10.0.0.0/8 via 192.168.111.3 dev eth5 proto kernel src 192.168.111.1
> 127.0.0.0/8 dev lo scope link
> default via 62.155.170.249 dev eth0
>
>
> igor:/# ip route list
> 217.6.98.186 dev ppp0 proto kernel scope link src 217.92.8.242
> 62.155.170.248/30 dev eth0 proto kernel scope link src 62.155.170.250
> 62.155.170.252/30 dev eth4 proto kernel scope link src 62.155.170.253
> 192.168.112.0/24 dev eth2 proto kernel scope link src 192.168.112.1
> 192.168.113.0/24 dev eth3 proto kernel scope link src 192.168.113.1
> 192.168.0.0/24 dev eth4 proto kernel scope link src 192.168.0.1
> 192.168.111.0/24 dev eth5 proto kernel scope link src 192.168.111.1
> 10.0.0.0/8 via 192.168.111.3 dev eth5 proto kernel
> default via 62.155.170.249 dev eth0
>
>
> igor:/# ip rule list
> 0:      from all lookup local
> 32759:  from 192.168.0.0/24 lookup PROV_STATIC
> 32760:  from 62.155.170.252/30 lookup PROV_STATIC
> 32761:  from 192.168.113.0/24 lookup PROV_STATIC
> 32762:  from 192.168.112.0/24 lookup PROV_STATIC
> 32763:  from 192.168.111.0/24 lookup PROV_DSL
> 32764:  from 217.92.8.242 lookup PROV_DSL
> 32765:  from 62.155.170.250 lookup PROV_STATIC
> 32766:  from all lookup main
> 32767:  from all lookup default
> <------------------------------------------------->
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
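As an added illustration (not part of the thread), the following model replays the poster's `ip rule` list and route tables through the policy routing database to show which interface the DNAT'd server's reply leaves on: the reply is routed on the server's real source address before the DNAT is reversed, so DMZ and 192.168.112/113 replies hit the `from ... lookup PROV_STATIC` rules and exit eth0 instead of ppp0. The client address and the fwmark-based override at the end are constructed assumptions, not the poster's configuration.

```python
import ipaddress

# Route tables transcribed from the post, reduced to prefix -> egress device
# (what matters for the reply path); "0.0.0.0/0" stands for the default route.
PROV_STATIC = {
    "217.6.98.186/32": "ppp0", "62.155.170.248/30": "eth0",
    "62.155.170.252/30": "eth4", "192.168.0.0/24": "eth4",
    "192.168.111.0/24": "eth5", "192.168.112.0/24": "eth2",
    "192.168.113.0/24": "eth3", "0.0.0.0/0": "eth0",
}
PROV_DSL = {**PROV_STATIC, "0.0.0.0/0": "ppp0"}   # differs only in default
TABLES = {"PROV_STATIC": PROV_STATIC, "PROV_DSL": PROV_DSL, "main": PROV_STATIC}

# 'ip rule list' from the post in priority order; a rule may select on source
# prefix and/or fwmark (absent = wildcard) and names the table to consult.
RULES = [
    {"src": "192.168.0.0/24", "table": "PROV_STATIC"},
    {"src": "62.155.170.252/30", "table": "PROV_STATIC"},
    {"src": "192.168.113.0/24", "table": "PROV_STATIC"},
    {"src": "192.168.112.0/24", "table": "PROV_STATIC"},
    {"src": "192.168.111.0/24", "table": "PROV_DSL"},
    {"src": "217.92.8.242/32", "table": "PROV_DSL"},
    {"src": "62.155.170.250/32", "table": "PROV_STATIC"},
    {"table": "main"},
]

def lookup(table, dst):
    """Longest-prefix match of dst within one table; returns the egress device."""
    dst = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in table]
    best = max((n for n in nets if dst in n), key=lambda n: n.prefixlen)
    return table[str(best)]

def route(src, dst, fwmark=0, rules=RULES):
    """Walk the RPDB rules in priority order and resolve dst in the first matching table."""
    src = ipaddress.ip_address(src)
    for r in rules:
        if "src" in r and src not in ipaddress.ip_network(r["src"]):
            continue
        if "fwmark" in r and r["fwmark"] != fwmark:
            continue
        return lookup(TABLES[r["table"]], dst)
    raise LookupError("no rule matched")

def reply_device(server, client="198.51.100.7", fwmark=0, rules=RULES):
    """Egress device for the reply of a DNAT'd server to a client that came in
    via ppp0 (client address is a constructed TEST-NET-2 value)."""
    return route(server, client, fwmark, rules)

# Hypothetical remedy: mark connections that arrived on ppp0 (e.g. with
# CONNMARK in the mangle table) and let a fwmark rule outrank the 'from' rules.
MARKED_RULES = [{"fwmark": 1, "table": "PROV_DSL"}] + RULES
```

With the poster's rules, `reply_device("62.155.170.254")` and `reply_device("192.168.112.5")` return `eth0` while `reply_device("192.168.111.5")` returns `ppp0`, matching the reported behaviour; with `MARKED_RULES` and `fwmark=1` every reply returns via `ppp0`.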