From mboxrd@z Thu Jan 1 00:00:00 1970
From: Zoilo Gomez
Date: Sun, 08 Oct 2006 10:14:11 +0000
Subject: Re: [LARTC] Two outbound internet links, using one network interface
Message-Id: <4528CF73.7010706@xs4all.nl>
List-Id:
References: <45266C57.4010106@ma-isp.com>
In-Reply-To: <45266C57.4010106@ma-isp.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

Dashamir Hoxha wrote:
> Hi,
>
> I am trying to categorize the network traffic and to send it out
> across two different providers.
> For this I mark the packets in the firewall (in the PREROUTING chain
> of table mangle), and then use another routing table for the marked
> packets, which has a different gateway from the main routing table.
> Basically I am following the cookbook example in this page:
> http://linux-ip.net/html/adv-multi-internet.html
> with some small changes and modifications.
>
> The most important difference is that I am trying to use just one
> external network interface, which is connected through a hub/switch
> to both of the ISP links. I add two different IPs to this interface,
> corresponding to each provider's network. Then the masquerading is
> done with a rule like this:
>
> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> instead of:
>
> # iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 67.17.28.12
> # iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 205.254.211.179

How about using iproute2 (instead of MASQ / SNAT rule):

=> ip route add 192.168.10.0/24 dev eth0 src 192.168.10.1
=> ip route add 192.168.100.0/24 dev eth0 src 192.168.100.1

> For the traffic that is generated in the LAN behind the box, it works,
> but for the traffic that is generated in the localhost (routing box),
> it does not work.
> Indeed, it cannot possibly work for the localhost with a setup like
> this (with only one external interface).
> As it can be seen in this document:
> http://www.faqs.org/docs/iptables/traversingoftables.html
> (Table 3-2. Source local host)
> the routing decision happens before the packet enters the chains of
> iptables (the chain PREROUTING is not traversed in this case).
>
> This is not a big problem (it is not so important that the traffic of
> the routing box be categorized as well), but trying to solve it, I
> came up with another solution, which seems simpler. The idea is to
> use something like this:
>
> ---------------------------------------------------------------------------------
>
> IPT=/sbin/iptables
> PORT_LIST="22 53"
> GATEWAY1=192.168.10.1
> GATEWAY2=192.168.100.1
>
> for PORT in $PORT_LIST
> do
>     $IPT -t nat -A POSTROUTING -o eth0 \
>         -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2
> done
>
> $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
> -----------------------------------------------------------------------------
>
> I have not tested it yet but I don't see why it should not work.
>
> Also, I have seen somewhere that using two IPs on the same interface
> may be risky (may have security implications), but I don't see what
> they can be. If somebody has any idea of them and how to avoid them,
> please let me know. E.g. I have heard about "IP spoofing" but I don't
> understand what it is.

Using VLANs, you can separate the networks on the link level instead.
This is the same (in software) as using 2 different LAN ports (in hardware).

Regards,

Z.

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
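The thread's pieces put together as one setup script. This is an added example, not code posted by either participant: it takes Zoilo's suggestion of splitting the two provider networks with VLANs on the single NIC, keeps Dashamir's fwmark classification for forwarded traffic, and additionally marks in the mangle OUTPUT chain so the router's own traffic is classified too (the kernel re-routes a locally generated packet when mangle/OUTPUT changes its mark, so the "routing decision happens first" limitation only applies to PREROUTING). SNAT is then done per VLAN interface rather than with one MASQUERADE on eth0. The interface names, VLAN IDs, addresses, routing table numbers and the DRY_RUN wrapper are all assumptions made for the example.

```sh
#!/bin/sh
# Added example (not from the thread). Two ISP links on one physical NIC,
# split at link level with 802.1Q VLANs, fwmark policy routing for forwarded
# and locally generated traffic, and per-provider SNAT.
# All interface names, VLAN IDs, addresses and table numbers are assumptions.

PHYS=eth0                      # the single external NIC
LAN=eth1                       # internal LAN interface (assumed)

# Provider 1 on VLAN 10, provider 2 on VLAN 100 (assumed addressing).
V1=${PHYS}.10;  IP1=192.168.10.2;  GW1=192.168.10.1;  T1=10
V2=${PHYS}.100; IP2=192.168.100.2; GW2=192.168.100.1; T2=100

# Destination ports that should leave via provider 2 (as in the thread).
PORT_LIST="22 53"

# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

setup_vlans() {
    # One 802.1Q sub-interface per provider; the switch port must carry both tags.
    run ip link add link "$PHYS" name "$V1" type vlan id 10
    run ip link add link "$PHYS" name "$V2" type vlan id 100
    run ip addr add "$IP1/24" dev "$V1"
    run ip addr add "$IP2/24" dev "$V2"
    run ip link set "$V1" up
    run ip link set "$V2" up
}

setup_routing() {
    # The first lookup for the router's own packets happens before mangle/OUTPUT
    # can mark them, so the main table still needs a default route.
    run ip route add default via "$GW1" dev "$V1"
    # One table per provider; 'src' pins the preferred source address.
    run ip route add default via "$GW1" dev "$V1" src "$IP1" table "$T1"
    run ip route add default via "$GW2" dev "$V2" src "$IP2" table "$T2"
    # Replies sourced from a provider address go back out the same link.
    run ip rule add from "$IP1" table "$T1" priority 100
    run ip rule add from "$IP2" table "$T2" priority 101
    # Marked packets follow the matching provider table.
    run ip rule add fwmark 1 table "$T1" priority 200
    run ip rule add fwmark 2 table "$T2" priority 201
    run ip route flush cache
}

setup_firewall() {
    # PREROUTING classifies forwarded LAN traffic, OUTPUT the router's own.
    for chain in PREROUTING OUTPUT; do
        for port in $PORT_LIST; do
            run iptables -t mangle -A "$chain" -p tcp --dport "$port" -j MARK --set-mark 2
        done
        run iptables -t mangle -A "$chain" -m mark --mark 0 -j MARK --set-mark 1
    done
    # SNAT per VLAN interface. This also rewrites the router's own packets when
    # the re-route after OUTPUT sends them out the other provider than the one
    # whose address the initial lookup picked.
    run iptables -t nat -A POSTROUTING -o "$V1" -j SNAT --to-source "$IP1"
    run iptables -t nat -A POSTROUTING -o "$V2" -j SNAT --to-source "$IP2"
    # Loose reverse-path filtering: drops sources with no route at all but
    # tolerates the asymmetric paths a multi-homed box sees; strict mode (1)
    # would need per-interface tuning with two uplinks.
    run sysctl -w net.ipv4.conf.all.rp_filter=2
    run sysctl -w net.ipv4.conf.default.rp_filter=2
    run sysctl -w net.ipv4.ip_forward=1
}

setup_all() { setup_vlans; setup_routing; setup_firewall; }

# Print (DRY_RUN=1) or apply (DRY_RUN=0, as root) the whole setup.
setup_all
```

Run it once as `sh twoisp.sh` to review the generated commands, then `DRY_RUN=0 sh twoisp.sh` as root to apply them. Because each provider now has its own logical interface, the SNAT rules can match on `-o` exactly as in the two-NIC cookbook setup the original poster started from.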