From mboxrd@z Thu Jan 1 00:00:00 1970
From: Radu Oprisan
Date: Wed, 11 Oct 2006 11:05:12 +0000
Subject: Re: [LARTC] Two outbound internet links, using one network interface
Message-Id: <452CCFE8.4030602@securesystems.ro>
List-Id:
References: <45266C57.4010106@ma-isp.com>
In-Reply-To: <45266C57.4010106@ma-isp.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

Dashamir Hoxha wrote:
> Dashamir Hoxha wrote:
>> Hi,
>>
>> I am trying to categorize the network traffic and to send it out
>> across two different providers.
>> For this I mark the packets in the firewall (in the PREROUTING chain
>> of table mangle), and then use another routing table for the marked
>> packets, which has a different gateway from the main routing table.
>> Basically I am following the cookbook example in this page:
>> http://linux-ip.net/html/adv-multi-internet.html
>> with some small changes and modifications.
>>
>> The most important difference is that I am trying to use just one
>> external network interface, which is connected through a hub/switch
>> to both of the ISP links. I add two different IPs to this interface,
>> corresponding to each provider's network. Then the masquerading is
>> done with a rule like this:
>>
>> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>
>> instead of:
>>
>> # iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 67.17.28.12
>> # iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 205.254.211.179
>>
>> For the traffic that is generated in the LAN behind the box, it
>> works, but for the traffic that is generated in the localhost
>> (routing box), it does not work.
>> Indeed, it cannot possibly work for the localhost with a setup like
>> this (with only one external interface). As it can be seen in this
>> document:
>> http://www.faqs.org/docs/iptables/traversingoftables.html
>> (Table 3-2. Source local host)
>> the routing decision happens before the packet enters the chains of
>> iptables (the chain PREROUTING is not traversed in this case).
>>
>> This is not a big problem (it is not so important that the traffic of
>> the routing box be categorized as well), but trying to solve it, I
>> came up with another solution, which seems simpler. The idea is to
>> use something like this:
>>
>> ---------------------------------------------------------------------------------
>>
>> IPT=/sbin/iptables
>> PORT_LIST="22 53"
>> # the two assignments below are garbled in the list archive;
>> # the addresses shown are assumed, not the original values
>> GATEWAY1=192.168.10.1
>> GATEWAY2=192.168.100.1
>>
>> for PORT in $PORT_LIST
>> do
>>     $IPT -t nat -A POSTROUTING -o eth0 \
>>         -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2
>> done
>>
>> $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
>> -----------------------------------------------------------------------------
>>
>> I have not tested it yet but I don't see why it should not work.
>

for PORT in $PORT_LIST
do
    # MARK is a mangle-table target; iptables rejects it in nat PREROUTING
    $IPT -t mangle -A PREROUTING -i eth_clients \
        -p tcp --dport $PORT -j MARK --set-mark 0x01
done

# the SNAT source is then selected by the mark, after the routing decision
$IPT -t nat -A POSTROUTING -o eth0 -m mark --mark 0x01 -j SNAT --to-source $GATEWAY2
$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1

> From the testing and meditation that I have done up to now, I have
> arrived at the conclusion that this is not a solution for the problem
> of traffic categorization.
> The reason is that POSTROUTING happens after the routing decision is
> taken, so the route that is chosen is not affected by the source IP of
> the packet.
> Am I right?
>
>> Also, I have seen somewhere that using two IPs on the same interface
>> may be risky (may have security implications), but I don't see what
>> they can be. If somebody has any idea of them and how to avoid them,
>> please let me know. E.g. I have heard about "IP spoofing" but I don't
>> understand what it is.
>>
>> Regards,
>> Dashamir
>

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
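The thread leaves two things implicit: SNAT in POSTROUTING cannot steer a packet, because the route has already been chosen, so the mark has to feed an ip rule as well; and packets generated on the routing box itself skip PREROUTING but do traverse mangle OUTPUT, where a changed mark makes the kernel re-evaluate the route. The script below is an added example written for this reply, not code from either poster or from the linux-ip.net cookbook. It combines the mark-based SNAT from above with fwmark policy routing, marks local traffic in OUTPUT, and adds the ingress filtering that answers the "IP spoofing" question: on a shared external segment nothing arriving on eth0 may claim a LAN source, and nothing arriving from the LAN may claim a foreign one. Interface names (eth0, eth_clients), the LAN prefix, the two provider addresses and gateways, the mark value and the table number are all assumed for illustration; note that the SNAT source must be the box's own address on each provider's network, not the gateway's address.

```shell
#!/bin/sh
# Added example (not from the thread): two ISP gateways reachable through the
# single external interface eth0; traffic to selected TCP ports is steered to
# ISP 2 by fwmark, everything else uses ISP 1. Local traffic is marked in
# mangle OUTPUT so the routing box itself is categorized as well.
# Every name and address below is an assumption chosen for illustration.

EXT_IF=eth0
LAN_IF=eth_clients
LAN_NET=10.0.0.0/24

# Addresses the box holds on each provider's network (used as SNAT source)
# and the matching provider gateways. RFC 5737 documentation ranges.
ISP1_ADDR=198.51.100.10
ISP1_GW=198.51.100.1
ISP2_ADDR=203.0.113.10
ISP2_GW=203.0.113.1

PORT_LIST="22 53"
MARK_ISP2=0x1
TABLE_ISP2=200

# Default to printing the commands; "apply" switches to executing them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

configure_multihome() {
    IPT=iptables

    # 1. Policy routing: marked packets consult a table whose default route
    #    points at ISP 2; the main table keeps ISP 1. Both gateways sit on
    #    the same interface, so only the "via" address differs.
    run ip route replace default via "$ISP1_GW" dev "$EXT_IF"
    run ip route replace default via "$ISP2_GW" dev "$EXT_IF" table "$TABLE_ISP2"
    run ip rule add fwmark "$MARK_ISP2" lookup "$TABLE_ISP2"
    run ip route flush cache

    # 2. Marking. mangle PREROUTING sees forwarded LAN traffic; mangle OUTPUT
    #    sees packets generated on the box, which never reach PREROUTING.
    for PORT in $PORT_LIST; do
        run $IPT -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport "$PORT" \
            -j MARK --set-mark "$MARK_ISP2"
        run $IPT -t mangle -A OUTPUT -p tcp --dport "$PORT" \
            -j MARK --set-mark "$MARK_ISP2"
    done

    # 3. Source NAT selected by mark, after the routing decision. The source
    #    is the box's own address on that provider's network; using the
    #    gateway address here would send the replies to the gateway instead.
    run $IPT -t nat -A POSTROUTING -o "$EXT_IF" -m mark --mark "$MARK_ISP2" \
        -j SNAT --to-source "$ISP2_ADDR"
    run $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j SNAT --to-source "$ISP1_ADDR"

    # 4. Ingress anti-spoofing for the shared external segment, backed by
    #    strict reverse-path filtering.
    run $IPT -A INPUT   -i "$EXT_IF" -s "$LAN_NET" -j DROP
    run $IPT -A FORWARD -i "$EXT_IF" -s "$LAN_NET" -j DROP
    run $IPT -A FORWARD -i "$LAN_IF" ! -s "$LAN_NET" -j DROP
    run sysctl -w net.ipv4.conf.all.rp_filter=1
    run sysctl -w net.ipv4.ip_forward=1
}

# "sh multihome.sh apply" (as root) installs the rules; with no argument the
# script only prints what it would run, which is handy for reviewing it first.
if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
    configure_multihome
fi
```

The ordering in step 3 matters: the mark-specific SNAT rule must precede the catch-all, because the first matching POSTROUTING rule wins. Step 4 is the mitigation for the spoofing concern raised in the thread; a host on the shared switch can put any source address on a frame, and the filter plus rp_filter is what stops such packets from being forwarded or accepted as if they came from the LAN.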