* DNAT for two external NIC
From: Mikhail @ 2006-08-29 21:42 UTC (permalink / raw)
  To: netfilter

  I have a Linux gateway/firewall with 3 NICs: eth0 – LAN, eth1 – ISP1, eth2 – ISP2.
I've got separate static IPs from each of the ISPs (IP1 & IP2), which I
statically assigned to eth1 and eth2.
My default route points to the ISP1 gateway via eth1. I need to provide external
access to a few computers on the LAN using different IPs and port numbers
(no load balancing, and the target machines are IP-specific).
  Everything works fine if I use the IP1 address, but I was unable to get to the
corresponding LAN machine through IP2. Ping requests are also not responded to
if they're made to IP2. They do reach eth2 and I can see them using tcpdump,
but then nothing goes out on any NIC. The same goes for TCP/IP requests –
I've managed to trace them to the nat table's PREROUTING chain, but they could
not be found in either the INPUT or FORWARD chain of the mangle table. If I make
the default route go through eth2, everything starts working through that NIC and
stops through eth1. I seem to be missing something simple. Any help is
greatly appreciated.

Mikhail.

* Re: DNAT for two external NIC
From: Pascal Hambourg @ 2006-08-29 22:00 UTC (permalink / raw)
  To: netfilter

Hello,

Mikhail wrote:
>   Everything works fine if I use IP1 address but I was unable to get to the
> corresponding LAN machine through IP2. Ping requests are also not responded
> if they're made to IP2. They do reach eth2 and I can see them using tcpdump
> but then nothing goes out on any NIC. The same goes for TCP/IP requests -
> I've managed to trace them to the nat table PREROUTING chain but they could
> not be found in either INPUT or FORWARD chain of the mangle table. If I make
> default route through eth2 - everything starts working through that NIC and
> stops through eth1.

Maybe you need to disable rp_filter (reverse path filtering) on the
interface that does not have the default route.

sysctl -w net/ipv4/conf/eth2/rp_filter=0

* Re: DNAT for two external NIC
From: Florent Guiliani @ 2006-08-30  7:15 UTC (permalink / raw)
  To: netfilter

$> echo "2 ISP2" >> /etc/iproute2/rt_tables
$> ip route add default via gatewayISP2 dev devISP2 table ISP2
$> ip rule  add from IPISP2 lookup ISP2 prio 1000
$> ip route flush table cache

so ping will be OK on ISP2, and you will be able to connect to any services on
your router through ISP2, but DNAT will only work with ISP1. I'm working
on this problem. I think I will use Shorewall to do that automatically.

-- 
Florent GUILIANI - Systems Development
41, avenue Jean Jaurès - 67100 STRASBOURG
Tel: 03.88.44.96.00 - Fax: 03.88.44.96.29
E-mail: fguiliani@perinfo.com
Web site: http://www.perinfo.com

* DNAT for two external NIC
From: Mikhail @ 2006-09-01  1:01 UTC (permalink / raw)
  To: netfilter

Pascal Hambourg wrote:
> Maybe you need to disable rp_filter (reverse path filtering) on the
> interface that has not the default route.
>
> sysctl -w net/ipv4/conf/eth2/rp_filter=0

You're absolutely right; it requires that the non-default interface have it set
to 0 if I want to do source-based routing. It is working like a charm now,
thank you.

Mikhail.

* DNAT for two external NIC
From: Ming-Ching Tiew @ 2006-09-01  6:32 UTC (permalink / raw)
  To: netfilter

Pascal Hambourg wrote:

>Hello,
>
>Mikhail wrote:
>>   Everything works fine if I use IP1 address but I was unable to get to the
>> corresponding LAN machine through IP2. Ping requests are also not responded
>> if they're made to IP2. They do reach eth2 and I can see them using tcpdump
>> but then nothing goes out on any NIC. The same goes for TCP/IP requests -
>> I've managed to trace them to the nat table PREROUTING chain but they could
>> not be found in either INPUT or FORWARD chain of the mangle table. If I make
>> default route through eth2 - everything starts working through that NIC and
>> stops through eth1.
>
>Maybe you need to disable rp_filter (reverse path filtering) on the
>interface that has not the default route.
>
>sysctl -w net/ipv4/conf/eth2/rp_filter=0

Isn't this a bug in rp_filter? In multipath routing, the system will often
have multiple routing tables. rp_filter seems to only look at
the main routing table.

Regards.

* Re: DNAT for two external NIC
From: longraider @ 2006-09-01  8:35 UTC (permalink / raw)
  To: netfilter

Ming-Ching Tiew wrote:

>>Maybe you need to disable rp_filter (reverse path filtering) on the
>>interface that has not the default route.
>>
>>sysctl -w net/ipv4/conf/eth2/rp_filter=0
> 
> Isn't this a bug in rp_filter ? In multipath routing, it's often the system
> will have multiple routing tables. The rp_filter seems to only look at
> the main routing table.
> 

It looks at different tables (according to ip rule). I've recently
posted a problem with the same solution. The problem was with the fwmark
in the ip rules.

http://lists.netfilter.org/pipermail/netfilter/2006-August/066553.html

-- 
mati

* Re: DNAT for two external NIC
From: Ming-Ching Tiew @ 2006-09-01  9:32 UTC (permalink / raw)
  To: netfilter


From: "longraider" <longraider@gazeta.pl>

> Ming-Ching Tiew wrote:
> 
> >>Maybe you need to disable rp_filter (reverse path filtering) on the
> >>interface that has not the default route.
> >>
> >>sysctl -w net/ipv4/conf/eth2/rp_filter=0
> > 
> > Isn't this a bug in rp_filter ? In multipath routing, it's often the system
> > will have multiple routing tables. The rp_filter seems to only look at
> > the main routing table.
> > 
> 
> It looks at different tables (according to ip rule). I've recently
> posted a problem with the same solution. The problem was with the fwmark
> in the ip rules.
> 
> http://lists.netfilter.org/pipermail/netfilter/2006-August/066553.html
> 

I did not go through your post carefully enough to know what you are talking
about. But my question was: why do we have to turn off reverse path
filtering to get multipath routing to work? The original idea of reverse
path filtering is to improve security by doing a reverse path check,
i.e. by checking the source IP address of all packets coming in via an interface
against the networks known to be behind that interface, so the firewall/router
can simply drop packets that aren't supposed to come from there. In the
multipath routing case, the packets are INDEED supposed to come from the
interface they are arriving on, so why are they dropped?

Regards.
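To make the behaviour discussed in this thread concrete (Florent's `ip rule ... from IPISP2 lookup ISP2` setup and Ming-Ching's question about why strict reverse-path checking drops the DNATed packets on eth2), here is an added toy model, not code from the thread or from the kernel: a simplified policy-routing lookup plus the rp_filter decision, run over constructed sample addresses. It assumes, as a model of the kernel check, that the reverse lookup swaps source and destination, so a `from` rule is matched against the packet's destination, which DNAT has already rewritten to the LAN address; the loose mode (rp_filter=2) is a later-kernel setting that did not exist when this thread was written.

```python
import ipaddress
# Constructed sample addressing (not from the thread): LAN on eth0, ISP1 on eth1,
# ISP2 on eth2, a remote client in 192.0.2.0/24; IP1/IP2 are the two public addresses.
IP1, IP2, LAN_HOST, CLIENT = "198.51.100.10", "203.0.113.10", "192.168.1.20", "192.0.2.50"
TABLES = {
    "main": [("192.168.1.0/24", "eth0"), ("198.51.100.0/24", "eth1"),
             ("203.0.113.0/24", "eth2"), ("0.0.0.0/0", "eth1")],   # default via ISP1
    "ISP2": [("0.0.0.0/0", "eth2")],                              # default via ISP2
}
MAIN_ONLY = [(None, "main")]                 # Mikhail's original setup: one table
WITH_ISP2 = [(IP2, "ISP2"), (None, "main")]  # plus "ip rule add from IP2 lookup ISP2"

def lookup(dst, src, rules):
    """Policy-routing lookup: the first rule whose 'from' matches src selects a
    table; the longest matching prefix in that table gives the output interface."""
    for rule_src, table in rules:
        if rule_src is not None and rule_src != src:
            continue
        best = None
        for prefix, dev in TABLES[table]:
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, dev)
        if best is not None:
            return best[1]
    return None

def rp_filter_accepts(iif, src, dst, rules, mode=1):
    """Model of net.ipv4.conf.<iif>.rp_filter: 0 = off, 1 = strict (reverse route
    to src must leave via iif), 2 = loose (any route to src; later kernels). Assumed
    model: the reverse lookup swaps addresses, so 'from' rules see the (DNATed) dst."""
    if mode == 0:
        return True
    oif = lookup(dst=src, src=dst, rules=rules)
    return oif is not None if mode == 2 else oif == iif

def scenarios():
    """Packets from CLIENT arriving on eth2; DNAT to LAN_HOST happened in PREROUTING."""
    return {
        "ping IP2, main table only":  rp_filter_accepts("eth2", CLIENT, IP2, MAIN_ONLY),
        "ping IP2, with ISP2 rule":   rp_filter_accepts("eth2", CLIENT, IP2, WITH_ISP2),
        "DNAT IP2->LAN, strict":      rp_filter_accepts("eth2", CLIENT, LAN_HOST, WITH_ISP2),
        "DNAT IP2->LAN, loose":       rp_filter_accepts("eth2", CLIENT, LAN_HOST, WITH_ISP2, 2),
        "DNAT IP2->LAN, rp_filter=0": rp_filter_accepts("eth2", CLIENT, LAN_HOST, WITH_ISP2, 0),
        "DNAT IP1->LAN on eth1":      rp_filter_accepts("eth1", CLIENT, LAN_HOST, WITH_ISP2),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:30s} {'ACCEPT' if ok else 'DROP'}")
```

The model reproduces the thread: the `from IP2` rule is enough for pings to IP2, but once DNAT has rewritten the destination the reverse lookup falls back to the main table, the reverse route points at eth1, and strict rp_filter on eth2 drops the packet unless it is turned off (or, on later kernels, set to loose).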

* Re: DNAT for two external NIC
From: Ming-Ching Tiew @ 2006-09-05  2:29 UTC (permalink / raw)
  To: netfilter


From: "Ming-Ching Tiew" <mingching.tiew@redtone.com>
> 
> I did not go through your post carefully enough to know what you are talking
> about. But my question was why do we have to turn off reverse filter path
> checking to get multipath routing to work ? The original idea of reverse
> filter path checking is to improve security by doing reverse path checking,
> ie by checking the source IP address of all packets coming in via an interface 
> against the networks known to be behind that interface, the firewall/router 
> can simply drop packets that aren't supposed to come from there. In the
> multipath routing case, the packets are INDEED supposed to be from the
> interface where it is coming from, why they are dropped ?
> 

Perhaps this is what this patch is all about?

http://www.ssi.bg/~ja/#rp_filter_mask

I have noticed that Julian Anastasov's patch has existed for a long, long time,
but it has never been included in the standard kernel. I really wonder why.

Cheers.
