From: "Ellad G. Yatsko" <eyatsko@ngs.ru>
To: netfilter@vger.kernel.org
Subject: Re: Iptables NAT with two external Interfaces
Date: Thu, 03 May 2012 18:46:37 +0400	[thread overview]
Message-ID: <4FA29A4D.4050606@ngs.ru> (raw)
In-Reply-To: <4FA24C69.4000607@ngs.ru>

Is anybody here? Does anybody hear me? :-) Did I break some rules, if
nobody answered, or was my question (or English) very difficult to
understand? Excuse me please if I am wrong!

Kind regards,
Ellad

> Hello!
>
> Could you help me with one very specific issue?
>
> - I have an Ubuntu router with several interfaces, with Quagga/BGP running
> on it, and of course iptables with NAT for internal users;
>
> - One interface is used to connect to the ISP; it has the ISP's IP address.
> For definiteness it is 89.222.233.165. Ubuntu connects to the ISP's
> network via this IP;
>
> - Another interface is the DMZ, with an IP address of our own Autonomous
> System (delegated by RIPE NCC): 91.223.181.1;
>
> - The DMZ is terminated on a Cisco 2821 (one subinterface 91.223.181.2)
> which is connected to the second ISP (via a second subinterface with an
> IP from the second ISP: 188.35.132.79).
>
> - There is specific routing: each of my "borders" marks a part of the
> prefixes received from the corresponding ISP with a higher LocalPref:
> Ubuntu marks prefixes 0.0.0.0 up to 127.0.0.0, and Cisco marks prefixes
> 128.0.0.0 up to 224.0.0.0.
> That is, if the destination IP is greater than 128.0.0.0, Ubuntu prefers
> to send the packet to the directly connected ISP; if it is less than
> 128.0.0.0, Ubuntu prefers to route the packet through the DMZ. This is
> done to utilize both uplinks evenly.
> I need to explain one important detail: both of my ISPs are connected
> to the same higher-level ISP, which uses only one ISP of my pair to
> direct incoming traffic into my AS. So there is no other opportunity
> for balancing except egress traffic.
>
> - Ubuntu has internal interfaces to give its internal users access to
> the Internet. Internal users have "private" IPs which are NATted on
> Ubuntu's external interfaces.
>
> - Actually the question: with probability 50% a packet from internal
> users can be sent through one of Ubuntu's external interfaces and the
> reply can return through another. In that case NAT is not working. Here
> is the relevant part of my configuration:
>
> $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $INTERNAL -d $EXTERNAL -j SNAT --to $DMZ_IP
> $IPTABLES -t nat -A POSTROUTING -o $DMZ_IF -s $INTERNAL -d $EXTERNAL -j SNAT --to $DMZ_IP
>
> What can I do except:
>
> $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $INTERNAL -d $EXTERNAL -j SNAT --to $EXT_IP
> $IPTABLES -t nat -A POSTROUTING -o $DMZ_IF -s $INTERNAL -d $EXTERNAL -j SNAT --to $DMZ_IP
>
> The difference from the two above is "$EXT_IP" in the first line. In that
> case everything works fine. But I need to hide the ISP's IP from the
> external world. I need to show only my own IPs to others. That is the
> highest priority. Again, could you help me find an answer? Are there some
> "secret commands" for iptables to make NAT ignore the ingress interface
> when de-NATting replies? For example, FreeBSD's PF can do the correct
> "back" translations independently of the interface the reply packet has
> come in on. Ubuntu has replaced FreeBSD in the place of the central
> router for a range of reasons (one of them is stability), but now I have
> big trouble! :-)
>
> He-e-e-lp!...
>
> Kind regards,
> Ellad
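Editor's added example; it is not part of the thread and not the poster's configuration. It models the quoted setup in Python to separate two things the question runs together. On Linux, conntrack finds the NAT mapping for a returning packet by its address/port tuple alone; the interface the reply arrives on is not part of that lookup, so the de-NAT step itself is already interface-independent. What is interface-sensitive is strict reverse-path filtering (net.ipv4.conf.<if>.rp_filter = 1), which drops a packet whose source address would not be routed back out through the interface it came in on, and an asymmetric return path is exactly the case that triggers it. Treating rp_filter as the cause in the original network is an assumption of this example, not something the thread establishes. The interface names, the internal host and the ports are constructed; which interface a reply enters on depends on where the translated address is reachable, so the model takes it as an input.

```python
"""Constructed model of the two-uplink SNAT problem described in the post.

Assumptions (not established by the thread):
  * conntrack matches a reply to its NAT mapping by 5-tuple only, with
    no regard to the ingress interface (this is how Linux behaves);
  * strict reverse-path filtering (rp_filter = 1) is what rejects the
    replies that come back through the "other" uplink.
Interface names, the internal host and the ports are made up.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

EXT_IF, DMZ_IF = "eth0", "eth1"                # assumed interface names
EXT_IP = IPv4Address("89.222.233.165")         # ISP-assigned address, from the post
DMZ_IP = IPv4Address("91.223.181.1")           # own-AS address, from the post
INTERNAL_HOST = IPv4Address("10.0.0.10")       # constructed internal client
HALF = int(IPv4Address("128.0.0.0"))


@dataclass(frozen=True)
class Flow:
    """Conntrack-style 5-tuple. Deliberately carries no interface."""
    src: IPv4Address
    sport: int
    dst: IPv4Address
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


def egress_iface(dst: IPv4Address) -> str:
    """LocalPref split from the post: >= 128.0.0.0 leaves via the direct
    ISP link, everything below goes through the DMZ/Cisco border."""
    return EXT_IF if int(dst) >= HALF else DMZ_IF


def snat_address(out_if: str, policy: str) -> IPv4Address:
    """The two POSTROUTING rule sets quoted in the post."""
    if policy == "hide_isp_ip":      # both rules: -j SNAT --to $DMZ_IP
        return DMZ_IP
    if policy == "per_interface":    # $EXT_IF -> $EXT_IP, $DMZ_IF -> $DMZ_IP
        return EXT_IP if out_if == EXT_IF else DMZ_IP
    raise ValueError(f"unknown policy {policy!r}")


def simulate(dst: str, policy: str, rp_filter: int, reply_in_if: str) -> dict:
    """Send one connection to dst and let the reply arrive on reply_in_if.

    rp_filter uses the sysctl values: 0 off, 1 strict, 2 loose.
    Returns the egress interface, the translated source, whether conntrack
    found the mapping, whether rp_filter let the reply through, and the
    combined verdict.
    """
    dst_ip = IPv4Address(dst)
    orig = Flow(INTERNAL_HOST, 40000, dst_ip, 80)
    out_if = egress_iface(dst_ip)
    nat_src = snat_address(out_if, policy)

    # What left the box after SNAT, and the reply tuple conntrack will
    # look for. The table is keyed by tuple only.
    translated = Flow(nat_src, orig.sport, dst_ip, orig.dport)
    table = {translated.reverse(): orig}

    reply = Flow(dst_ip, 80, nat_src, 40000)   # what the remote host sends back
    denat_target = table.get(reply)            # ingress interface plays no part

    # Strict mode: the route back to reply.src must leave via reply_in_if.
    if rp_filter == 1:
        rp_ok = egress_iface(reply.src) == reply_in_if
    else:
        rp_ok = True                           # off, or loose (some route exists)

    return {
        "out_if": out_if,
        "nat_src": str(nat_src),
        "reply_in_if": reply_in_if,
        "denat_found": denat_target is not None,
        "rp_filter_pass": rp_ok,
        "accepted": denat_target is not None and rp_ok,
    }


if __name__ == "__main__":
    # The failing half: destination >= 128.0.0.0 leaves via the ISP link
    # with source DMZ_IP, and the reply to DMZ_IP comes back through the DMZ.
    for rp in (1, 2):
        print("rp_filter", rp, simulate("200.1.1.1", "hide_isp_ip", rp, DMZ_IF))
    # The rule set the poster says works: source address follows the egress link.
    print(simulate("200.1.1.1", "per_interface", 1, EXT_IF))
```

Under strict filtering the de-NAT lookup succeeds but the packet is dropped anyway; with rp_filter at 2 (loose) or 0 the same flow is accepted, which is the behaviour the poster attributes to PF. The checks a practitioner would run on the real router before changing rules: `sysctl net.ipv4.conf.all.rp_filter` and the per-interface values (the kernel applies the larger of `all` and the interface's own setting), and the `IPReversePathFilter` counter in `/proc/net/netstat` (shown by `nstat -az` as TcpExtIPReversePathFilter), which increments for every packet dropped this way.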


Thread overview: 5+ messages
2012-05-03  9:14 Iptables NAT with two external Interfaces Ellad G. Yatsko
2012-05-03 14:46 ` Ellad G. Yatsko [this message]
2012-05-03 15:06   ` Lloyd Standish
2012-05-06 13:51     ` Jan Engelhardt
2012-05-04  0:17 ` Humberto Jucá