From mboxrd@z Thu Jan 1 00:00:00 1970
From: Radu Oprisan
Date: Wed, 11 Oct 2006 11:17:23 +0000
Subject: Re: [LARTC] Two outbound internet links, using one network interface
Message-Id: <452CD2C3.6070902@securesystems.ro>
List-Id:
References: <45266C57.4010106@ma-isp.com>
In-Reply-To: <45266C57.4010106@ma-isp.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

Radu Oprisan wrote:
> Dashamir Hoxha wrote:
>> Dashamir Hoxha wrote:
>>> Hi,
>>>
>>> I am trying to categorize the network traffic and to send it out
>>> across two different providers.
>>> For this I mark the packets in the firewall (in the PREROUTING chain
>>> of table mangle), and then use another routing table for the marked
>>> packets, which has a different gateway from the main routing table.
>>> Basically I am following the cookbook example in this page:
>>> http://linux-ip.net/html/adv-multi-internet.html
>>> with some small changes and modifications.
>>>
>>> The most important difference is that I am trying to use just one
>>> external network interface, which is connected through a hub/switch
>>> to both of the ISP links. I add two different IPs to this interface,
>>> corresponding to each provider's network. Then the masquerading is
>>> done with a rule like this:
>>>
>>> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>>
>>> instead of:
>>>
>>> # iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 67.17.28.12
>>> # iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 205.254.211.179
>>>
>>> For the traffic that is generated in the LAN behind the box, it
>>> works, but for the traffic that is generated in the localhost
>>> (routing box), it does not work.
>>> Indeed, it cannot possibly work for the localhost with a setup like
>>> this (with only one external interface). As it can be seen in this
>>> document:
>>> http://www.faqs.org/docs/iptables/traversingoftables.html
>>> (Table 3-2. Source local host)
>>> the routing decision happens before the packet enters the chains of
>>> iptables (the chain PREROUTING is not traversed in this case).
>>>
>>> This is not a big problem (it is not so important that the traffic
>>> of the routing box be categorized as well), but trying to solve it,
>>> I came up with another solution, which seems simpler. The idea is to
>>> use something like this:
>>>
>>> ---------------------------------------------------------------------------------
>>>
>>> IPT=/sbin/iptables
>>> PORT_LIST="22 53"
>>> GATEWAY1=192.168.10.1
>>> GATEWAY2=192.168.100.1
>>>
>>> for PORT in $PORT_LIST
>>> do
>>>     $IPT -t nat -A POSTROUTING -o eth0 \
>>>         -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2
>>> done
>>>
>>> $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
>>> -----------------------------------------------------------------------------
>>>
>>> I have not tested it yet but I don't see why it should not work.
>>
>
> for PORT in $PORT_LIST
> do
>     $IPT -t mangle -A PREROUTING -i eth_clients \
>         -p tcp --dport $PORT -j MARK --set-mark 0x01
> done
>
> $IPT -t nat -A POSTROUTING -o eth0 -m mark --mark 0x01 -j SNAT \
>     --to-source $GATEWAY2
> $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1

I'm sorry....

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
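An added example, not code from the thread or from either poster: it combines the mark-based SNAT from the reply with the fwmark routing table the cookbook approach relies on, and also marks in mangle OUTPUT so the router's own traffic (which never sees PREROUTING, per Table 3-2) is routed the same way. All addresses, interface names, the mark and the table number are constructed placeholders; by default it only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread): one external interface carrying two
# ISP subnets, port-based policy routing via fwmark plus matching SNAT.
# Addresses, interface names, MARK and TABLE are constructed placeholders.
IPT=/sbin/iptables
EXT_IF=eth0            # single external interface, both ISP subnets on it
LAN_IF=eth_clients     # interface towards the LAN
GATEWAY1=192.168.10.1  # ISP 1 gateway (default route in the main table)
GATEWAY2=192.168.100.1 # ISP 2 gateway (for the marked ports)
SRC_IP1=192.168.10.2   # address on EXT_IF inside ISP 1's network
SRC_IP2=192.168.100.2  # address on EXT_IF inside ISP 2's network
PORT_LIST="22 53"
MARK=0x01
TABLE=200              # alternate routing table for marked traffic
DRY_RUN=${DRY_RUN:-1}  # 1 = print the commands, 0 = execute them (needs root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

gen_rules() {
    # 1. Mark by destination port. PREROUTING covers forwarded LAN traffic;
    #    OUTPUT covers traffic the router itself generates, which never
    #    traverses PREROUTING. The kernel re-runs the routing decision
    #    after mangle OUTPUT changes the mark, so the ip rule below applies.
    for PORT in $PORT_LIST; do
        run $IPT -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport $PORT \
            -j MARK --set-mark $MARK
        run $IPT -t mangle -A OUTPUT -p tcp --dport $PORT \
            -j MARK --set-mark $MARK
    done
    # 2. Marked packets use a table whose default gateway is ISP 2;
    #    everything else keeps GATEWAY1 from the main table.
    run ip route add default via $GATEWAY2 dev $EXT_IF table $TABLE
    run ip rule add fwmark $MARK table $TABLE
    # 3. SNAT (not MASQUERADE) pins a source address from the network of
    #    the gateway actually used; with two addresses on one interface
    #    MASQUERADE has no way to tell which one each ISP expects.
    #    The catch-all rule must be appended last: POSTROUTING stops at
    #    the first matching rule.
    run $IPT -t nat -A POSTROUTING -o $EXT_IF -m mark --mark $MARK \
        -j SNAT --to-source $SRC_IP2
    run $IPT -t nat -A POSTROUTING -o $EXT_IF -j SNAT --to-source $SRC_IP1
}

gen_rules
```

Run with `DRY_RUN=0` as root to apply the rules; the printed order is the order they must be loaded in.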