Re: [LARTC] Two outbound internet links, using one network interface

From: Dashamir Hoxha <dasho@ma-isp.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Two outbound internet links, using one network interface
Date: Wed, 11 Oct 2006 12:29:38 +0000	[thread overview]
Message-ID: <452CE3B2.6040900@ma-isp.com> (raw)
In-Reply-To: <45266C57.4010106@ma-isp.com>

Radu Oprisan wrote:
> Radu Oprisan wrote:
>> Dashamir Hoxha wrote:
>>> Dashamir Hoxha wrote:
>>>> Hi,
>>>>
>>>> I am trying to categorize the network traffic and to send it out 
>>>> across two different providers.
>>>> For this I mark the packets in the firewall (in the PREROUTING 
>>>> chain of table mangle),
>>>> and then use another routing table for the marked packets, which 
>>>> has a different gateway
>>>> from the main routing table. Basicaly I am following the cookbook 
>>>> example in this page:
>>>> http://linux-ip.net/html/adv-multi-internet.html
>>>> with some small changes and modifications.
>>>>
>>>> The most important difference is that I am trying to use just one 
>>>> external network interface,
>>>> which is connected through a hub/switch  to both of the  ISP links. 
>>>> I add two different IPs
>>>> to this interface, corresponding to each providers network. Then 
>>>> the masquerading is done
>>>> with a rule like this:
>>>>
>>>> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE instead of:
>>>>
>>>> # iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 
>>>> 67.17.28.12
>>>> # iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 
>>>> 205.254.211.179
>>>>
>>>> For the traffic that is generated in the LAN behind the box, it 
>>>> works, but for the
>>>> traffic that is generated in the localhost (routing box), it does 
>>>> not work.
>>>> Indeed, it cannot possibly work for the localhost with a setup like 
>>>> this (with only
>>>> one external interface). As it can be seen in this document:
>>>> http://www.faqs.org/docs/iptables/traversingoftables.html
>>>> (Table 3-2. Source local host)
>>>> routing decision happens before the packet enters the chains of the 
>>>> iptables
>>>> (the chain PREROUTING is not tranversed in this case).
>>>>
>>>> This is not a big problem (it is not so important that the traffic 
>>>> of the routing box
>>>> be categorized as well), but trying to solve it, I came up with 
>>>> another solution,
>>>> which seems simpler.The idea is to use something like this:
>>>>
>>>> --------------------------------------------------------------------------------- 
>>>>
>>>> IPT=/sbin/iptables
>>>> PORT_LIST="22 53"
>>>> GATEWAY1\x192.168.10.1
>>>> GATEWAY2\x192.168.100.1
>>>>
>>>> for PORT in $PORT_LIST
>>>> do
>>>>  $IPT -t nat -A POSTROUTING -o eth0 \
>>>>               -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2
>>>> done
>>>>
>>>> $IPT  -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
>>>> ----------------------------------------------------------------------------- 
>>>>
>>>>
>>>>
>>>> I have not tested it yet but I don't see why it should not work.
>>>
>>
>> for PORT in $PORT_LIST
>> do
>>
> $IPT -t mangle -A PREROUTING -i eth_clients \
>             -p tcp --dport $PORT -j MARK --set-mark 0x01
>> done
>>
>> $IPT -t nat -A POSTROUTING -o eth0 -m mark --mark 0x01 -j SNAT 
>> --to-source $GATEWAY2
>> $IPT  -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
> I'm sorry....
Ok, it may work like this, I have to try it.
By the way, instead of $GATEWAY1 and $GATEWAY2 above, $IP1 and $IP2
must be used instead; it was a mistake.
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc