From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dashamir Hoxha
Date: Wed, 11 Oct 2006 12:29:38 +0000
Subject: Re: [LARTC] Two outbound internet links, using one network interface
Message-Id: <452CE3B2.6040900@ma-isp.com>
List-Id:
References: <45266C57.4010106@ma-isp.com>
In-Reply-To: <45266C57.4010106@ma-isp.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

Radu Oprisan wrote:
> Radu Oprisan wrote:
>> Dashamir Hoxha wrote:
>>> Dashamir Hoxha wrote:
>>>> Hi,
>>>>
>>>> I am trying to categorize the network traffic and to send it out
>>>> across two different providers.
>>>> For this I mark the packets in the firewall (in the PREROUTING
>>>> chain of table mangle),
>>>> and then use another routing table for the marked packets, which
>>>> has a different gateway
>>>> from the main routing table. Basically I am following the cookbook
>>>> example in this page:
>>>> http://linux-ip.net/html/adv-multi-internet.html
>>>> with some small changes and modifications.
>>>>
>>>> The most important difference is that I am trying to use just one
>>>> external network interface,
>>>> which is connected through a hub/switch to both of the ISP links.
>>>> I add two different IPs
>>>> to this interface, corresponding to each provider's network. Then
>>>> the masquerading is done
>>>> with a rule like this:
>>>>
>>>> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>>>
>>>> instead of:
>>>>
>>>> # iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 67.17.28.12
>>>> # iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 205.254.211.179
>>>>
>>>> For the traffic that is generated in the LAN behind the box, it
>>>> works, but for the
>>>> traffic that is generated in the localhost (routing box), it does
>>>> not work.
>>>> Indeed, it cannot possibly work for the localhost with a setup like
>>>> this (with only
>>>> one external interface). As it can be seen in this document:
>>>> http://www.faqs.org/docs/iptables/traversingoftables.html
>>>> (Table 3-2. Source local host)
>>>> the routing decision happens before the packet enters the chains of
>>>> iptables
>>>> (the chain PREROUTING is not traversed in this case).
>>>>
>>>> This is not a big problem (it is not so important that the traffic
>>>> of the routing box
>>>> be categorized as well), but trying to solve it, I came up with
>>>> another solution,
>>>> which seems simpler. The idea is to use something like this:
>>>>
>>>> ---------------------------------------------------------------------------------
>>>>
>>>> IPT=/sbin/iptables
>>>> PORT_LIST="22 53"
>>>> GATEWAY1=2.168.10.1
>>>> GATEWAY2=2.168.100.1
>>>>
>>>> for PORT in $PORT_LIST
>>>> do
>>>>     $IPT -t nat -A POSTROUTING -o eth0 \
>>>>         -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2
>>>> done
>>>>
>>>> $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
>>>> -----------------------------------------------------------------------------
>>>>
>>>> I have not tested it yet but I don't see why it should not work.
>>>
>>
>> for PORT in $PORT_LIST
>> do
>>
> $IPT -t mangle -A PREROUTING -i eth_clients \
>     -p tcp --dport $PORT -j MARK --set-mark 0x01
>> done
>>
>> $IPT -t nat -A POSTROUTING -o eth0 -m mark --mark 0x01 -j SNAT \
>>     --to-source $GATEWAY2
>> $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
> I'm sorry....

Ok, it may work like this, I have to try it.
By the way, instead of $GATEWAY1 and $GATEWAY2 above, $IP1 and $IP2 must be
used; it was a mistake.

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
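The complete rule set the thread converges on (mark in mangle, policy route the marked packets, SNAT by mark, with the $IP1/$IP2 correction), as an added example that is not part of the original messages. It also marks in mangle OUTPUT, so that locally generated traffic, which never traverses PREROUTING, is routed and SNATed the same way; interface names, addresses and the table number are assumed, and DRY_RUN=1 prints the commands instead of running them:

```shell
#!/bin/sh
# Added example: two ISPs reachable through one external interface.
IPT=${IPT:-/sbin/iptables}
IP=${IP:-/sbin/ip}
EXT_IF=eth0          # single external interface, on both ISP segments (assumed)
LAN_IF=eth_clients   # internal interface (name taken from the thread)
IP1=192.168.10.2;  GATEWAY1=192.168.10.1    # ISP 1 (constructed addresses)
IP2=192.168.100.2; GATEWAY2=192.168.100.1   # ISP 2 (constructed addresses)
PORT_LIST="22 53"
MARK=0x01
TABLE=200            # routing table for marked packets (assumed number)

# run: execute a command, or only print it when DRY_RUN=1, so the rule
# set can be reviewed without root or netfilter.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

gen_rules() {
    # Alternative routing table: marked packets leave via GATEWAY2.
    run "$IP" route add default via "$GATEWAY2" dev "$EXT_IF" table "$TABLE"
    run "$IP" rule add fwmark "$MARK" table "$TABLE"

    for PORT in $PORT_LIST; do
        # Forwarded LAN traffic: mark in PREROUTING, as in the thread.
        run "$IPT" -t mangle -A PREROUTING -i "$LAN_IF" \
            -p tcp --dport "$PORT" -j MARK --set-mark "$MARK"
        # Locally generated traffic never sees PREROUTING, so mark it in
        # mangle OUTPUT; the kernel re-routes the packet after the mark.
        run "$IPT" -t mangle -A OUTPUT \
            -p tcp --dport "$PORT" -j MARK --set-mark "$MARK"
    done

    # The source address must belong to the ISP the packet leaves through:
    # marked -> IP2, everything else -> IP1 (not the gateway addresses).
    run "$IPT" -t nat -A POSTROUTING -o "$EXT_IF" -m mark --mark "$MARK" \
        -j SNAT --to-source "$IP2"
    run "$IPT" -t nat -A POSTROUTING -o "$EXT_IF" -j SNAT --to-source "$IP1"
}

# count_rules: number of generated commands matching a pattern (review aid).
count_rules() { ( DRY_RUN=1; gen_rules ) | grep -c -- "$1"; }
```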