From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dashamir Hoxha
Date: Wed, 11 Oct 2006 06:37:11 +0000
Subject: Re: [LARTC] Two outbound internet links, using one network interface
Message-Id: <452C9117.4010508@ma-isp.com>
List-Id:
References: <45266C57.4010106@ma-isp.com>
In-Reply-To: <45266C57.4010106@ma-isp.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

Dashamir Hoxha wrote:
> Hi,
>
> I am trying to categorize the network traffic and to send it out
> across two different providers.
> For this I mark the packets in the firewall (in the PREROUTING chain
> of table mangle), and then use another routing table for the marked
> packets, which has a different gateway from the main routing table.
> Basically I am following the cookbook example in this page:
> http://linux-ip.net/html/adv-multi-internet.html
> with some small changes and modifications.
>
> The most important difference is that I am trying to use just one
> external network interface, which is connected through a hub/switch
> to both of the ISP links. I add two different IPs to this interface,
> corresponding to each provider's network. Then the masquerading is
> done with a rule like this:
>
> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> instead of:
>
> # iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 67.17.28.12
> # iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 205.254.211.179
>
> For the traffic that is generated in the LAN behind the box, it works,
> but for the traffic that is generated in the localhost (routing box),
> it does not work. Indeed, it cannot possibly work for the localhost
> with a setup like this (with only one external interface). As can be
> seen in this document:
> http://www.faqs.org/docs/iptables/traversingoftables.html
> (Table 3-2. Source local host)
> the routing decision happens before the packet enters the chains of
> iptables (the chain PREROUTING is not traversed in this case).
>
> This is not a big problem (it is not so important that the traffic of
> the routing box be categorized as well), but trying to solve it, I
> came up with another solution, which seems simpler. The idea is to use
> something like this:
>
> ---------------------------------------------------------------------------------
>
> IPT=/sbin/iptables
> PORT_LIST="22 53"
> # the two addresses below are as they survive in the archived message;
> # the assignment operator was lost in transit and is restored here
> GATEWAY1=2.168.10.1
> GATEWAY2=2.168.100.1
>
> # SNAT the listed destination ports from the second address
> for PORT in $PORT_LIST
> do
> $IPT -t nat -A POSTROUTING -o eth0 \
> -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2
> done
>
> # everything else leaves from the first address
> $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
> -----------------------------------------------------------------------------
>
> I have not tested it yet but I don't see why it should not work.

From the testing and meditation that I have done up to now, I have
arrived at the conclusion that this is not a solution for the problem
of traffic categorization. The reason is that POSTROUTING happens after
the routing decision is taken, so the route that is chosen is not
affected by the source IP of the packet. Am I right?

> Also, I have seen somewhere that using two IPs on the same interface
> may be risky (may have security implications), but I don't see what
> they can be. If somebody has any idea of them and how to avoid them,
> please let me know. E.g. I have heard about "IP spoofing" but I don't
> understand what it is.
>
> Regards,
> Dashamir
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
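The setup the thread is circling, written out as an added example (not code from the original post or from the linux-ip.net cookbook): the mark is set in the mangle table before the routing decision, a policy rule sends marked packets to a second table, and SNAT in POSTROUTING only picks the source address that matches the gateway already chosen. Interface names, the mark value, table number and all addresses are assumed placeholders; with DRY_RUN=1 (the default) the script prints the commands instead of applying them.

```shell
#!/bin/sh
# Assumed layout: eth1 faces the LAN, eth0 is the single external interface
# carrying both provider networks. Addresses are constructed placeholders.
LAN_IF=eth1; WAN_IF=eth0
IP1=192.0.2.10;    GW1=192.0.2.1       # provider 1: default route in table main
IP2=198.51.100.10; GW2=198.51.100.1    # provider 2: default route in table 200
PORT_LIST="22 53"
MARK=2; TABLE=200
: "${DRY_RUN:=1}"   # DRY_RUN=1 prints each command; DRY_RUN=0 executes it

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

gen_rules() {
    # 1. Second routing table: default via GW2, sourced from the matching address.
    run ip route replace default via "$GW2" dev "$WAN_IF" src "$IP2" table "$TABLE"
    # 2. Policy rule: packets carrying the mark consult that table instead of main.
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    # 3. Set the mark in mangle, i.e. BEFORE the route is chosen, so the mark
    #    drives the routing decision (the SNAT rule below cannot do that).
    for PORT in $PORT_LIST; do
        # forwarded traffic from the LAN: mangle PREROUTING
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport "$PORT" \
            -j MARK --set-mark "$MARK"
        # locally generated traffic: mangle OUTPUT is traversed, and the kernel
        # re-runs the routing decision when the mark has changed there
        run iptables -t mangle -A OUTPUT -p tcp --dport "$PORT" \
            -j MARK --set-mark "$MARK"
    done
    # 4. SNAT follows the route already taken: match on the mark so the source
    #    address is the one belonging to the gateway the mark selected.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -m mark --mark "$MARK" \
        -j SNAT --to-source "$IP2"
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$IP1"
    # 5. Drop cached routes so existing flows see the new rules (2.6 kernels).
    run ip route flush cache
}

gen_rules
```

With DRY_RUN=0 the same script applies the rules on the router; the order of the two POSTROUTING rules matters, since the catch-all SNAT must come last.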