From: Dashamir Hoxha <dasho@ma-isp.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Two outbound internet links, using one network interface
Date: Sat, 14 Oct 2006 09:29:31 +0000	[thread overview]
Message-ID: <4530ADFB.6010202@ma-isp.com> (raw)
In-Reply-To: <45266C57.4010106@ma-isp.com>

Dashamir Hoxha wrote:
> Pio Mendez wrote:
>>     >Pio Mendez wrote:
>>     >>PREROUTING chain is not traversed by local traffic, but OUTPUT
>>     >>chain does.
>>     >
>>     >I think that OUTPUT is traversed after routing decision is
>>     >taken, so it is still the same problem.
>>
>>     I'm using OUTPUT chain in production environment to balance squid
>>     box traffic between 2 ISPs, so I'm sure that you can reroute output
>>     packets using mangle OUTPUT chain.
>>
>>     After traversing mangle and nat OUTPUT chains there is another
>>     routing process. Please check this diagram:
>>
>>     http://www.imagestream.com/~josh/PacketFlow.png
>>
> Pio Mendez is right. I have just tested it and it works.
If I use:
     iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
instead of:
     iptables -t nat -A POSTROUTING -o eth0 -m mark --mark 0x2 -j SNAT --to-source $IP2
     iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $IP1
it seems not to work. So, maybe I didn't test it properly and actually
it doesn't work. Anyway, it is not so important.

Dashamir

> Now the script becomes something like this:
>
> -------------8<----------------------------------
> # bring up the interface with both ISP addresses
> ip link set eth0 up
> ip address flush eth0
> ip address add $IP1 dev eth0
> ip address add $IP2 dev eth0
>
> # unmarked traffic: table main, default via ISP1
> ip route add default via $GATEWAY1
>
> # marked traffic: table 2 = main without its default, plus ISP2's default
> ip route flush table 2
> ip route show table main | grep -Ev ^default \
> | while read ROUTE ; do ip route add table 2 $ROUTE ; done
> ip route add table 2 default via $GATEWAY2
>
> ip rule del fwmark 2 table 2   2>/dev/null
> ip rule add fwmark 2 table 2
>
> # same marking chain for forwarded (PREROUTING) and local (OUTPUT) packets
> iptables -t mangle -N MARK-RULES
> iptables -t mangle -A PREROUTING -j MARK-RULES
> iptables -t mangle -A OUTPUT -j MARK-RULES
>
> PORT_LIST="22 53"
> for PORT in $PORT_LIST
> do
> iptables -t mangle -A MARK-RULES -m tcp -p tcp --dport $PORT -j MARK --set-mark 0x2
> done
>
> # source NAT per uplink, selected by the mark ($IP1/$IP2 without prefix length)
> iptables -t nat -A POSTROUTING -o eth0 -m mark --mark 0x2 -j SNAT --to-source $IP2
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $IP1
> ------------8<---------------------------------

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
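The setup quoted in this thread, written out as an added example: this is not the poster's script nor anything from the list, but a dry-run-capable rewrite of the same technique (fwmark set in mangle PREROUTING/OUTPUT, a second routing table selected by `ip rule`, explicit SNAT per uplink). Everything it assumes is constructed for illustration: interface eth0, RFC 5737 addresses 198.51.100.10/24 via 198.51.100.1 for ISP1 and 203.0.113.20/24 via 203.0.113.1 for ISP2, mark 0x2 with table 2, and TCP ports 22 and 53 as the traffic sent out through ISP2. It also handles two details that bite in practice: `--dport` needs two dashes, and `--to-source` wants a bare address while `ip address add` wants a prefix length, so the two must not reuse one variable verbatim.

```shell
#!/bin/sh
# Added example, not the original poster's script. Two uplinks on one
# interface, policy-routed by fwmark. Default is DRY_RUN=1: print the
# commands. Run as "sh script.sh apply" (as root) to execute them.
DEV=${DEV:-eth0}
IP1=${IP1:-198.51.100.10/24};  GATEWAY1=${GATEWAY1:-198.51.100.1}   # ISP1 (assumed)
IP2=${IP2:-203.0.113.20/24};   GATEWAY2=${GATEWAY2:-203.0.113.1}    # ISP2 (assumed)
MARK=0x2
TABLE=2
PORT_LIST="22 53"
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 198.51.100.10/24 -> 198.51.100.10: what SNAT --to-source and "src" expect.
addr_only() { printf '%s\n' "${1%%/*}"; }

setup_addresses() {
    run ip link set "$DEV" up
    run ip address flush dev "$DEV"
    run ip address add "$IP1" dev "$DEV"
    run ip address add "$IP2" dev "$DEV"
}

# Table 2 must still know the connected networks, so copy every
# non-default route of table main into it (needs a live system).
copy_main_routes() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '# copy every non-default route of table main into table %s\n' "$TABLE"
        return 0
    fi
    ip route show table main | grep -Ev '^default' | while read -r route; do
        # $route is intentionally unquoted: the route line must be word-split
        ip route add table "$TABLE" $route
    done
}

setup_tables() {
    # Unmarked traffic: table main, ISP1, with ISP1's address as preferred source.
    run ip route replace default via "$GATEWAY1" src "$(addr_only "$IP1")"
    # Marked traffic: table 2 = main minus its default route, plus ISP2's default.
    run ip route flush table "$TABLE"
    copy_main_routes
    run ip route add table "$TABLE" default via "$GATEWAY2" src "$(addr_only "$IP2")"
    run ip rule del fwmark "$MARK" table "$TABLE" 2>/dev/null || true
    run ip rule add fwmark "$MARK" table "$TABLE"
}

mark_rules() {
    # One chain for forwarded (PREROUTING) and locally generated (OUTPUT)
    # packets. A local packet whose mark changes in mangle OUTPUT is routed
    # again afterwards, which is what makes marking in OUTPUT work.
    run iptables -t mangle -N MARK-RULES
    run iptables -t mangle -A PREROUTING -j MARK-RULES
    run iptables -t mangle -A OUTPUT -j MARK-RULES
    for port in $PORT_LIST; do
        run iptables -t mangle -A MARK-RULES -p tcp -m tcp --dport "$port" \
            -j MARK --set-mark "$MARK"
    done
}

nat_rules() {
    # Explicit SNAT per uplink. MASQUERADE picks the source address from the
    # outgoing interface on its own, without consulting the mark, so it is not
    # a reliable way to pin ISP2's address to marked traffic.
    run iptables -t nat -A POSTROUTING -o "$DEV" -m mark --mark "$MARK" \
        -j SNAT --to-source "$(addr_only "$IP2")"
    run iptables -t nat -A POSTROUTING -o "$DEV" \
        -j SNAT --to-source "$(addr_only "$IP1")"
}

verify() {
    # Ask the routing code which path a marked and an unmarked packet would
    # take; the first should name ISP2's gateway, the second ISP1's.
    run ip route get 192.0.2.1 mark "$MARK"
    run ip route get 192.0.2.1
}

if [ "${1:-}" = apply ]; then DRY_RUN=0; fi
setup_addresses
setup_tables
mark_rules
nat_rules
verify
```

Run it once without arguments to review the exact commands it would issue, then with `apply`. After applying, `ip route get 192.0.2.1 mark 0x2` should report the ISP2 gateway and `ip route get 192.0.2.1` the ISP1 gateway; if both show ISP1, the `ip rule` for the mark is missing or the mangle chain is not being hit (check the counters with `iptables -t mangle -L MARK-RULES -v`).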

Thread overview: 13+ messages
2006-10-06 14:46 [LARTC] Two outbound internet links, using one network interface Dashamir Hoxha
2006-10-08 10:14 ` Zoilo Gomez
2006-10-11  6:37 ` Dashamir Hoxha
2006-10-11 11:05 ` Radu Oprisan
2006-10-11 11:17 ` Radu Oprisan
2006-10-11 12:29 ` Dashamir Hoxha
2006-10-11 12:38 ` Dashamir Hoxha
2006-10-11 13:36 ` Alexandru Dragoi
2006-10-11 16:31 ` Pio Mendez
2006-10-12 13:02 ` Pio Mendez
2006-10-13  6:49 ` Dashamir Hoxha
2006-10-13  7:01 ` Dashamir Hoxha
2006-10-14  9:29 ` Dashamir Hoxha [this message]