[LARTC] Multiple Gateway

[LARTC] Multiple Gateway

[hail narcissus]

I know this must have been asked MANY times, but there doesn't seem to be a 
search for the Archives.  I have read the HOW-TO docs and to be honest, it 
is extremely confusing.  I will re-read and hope to figure it out, but 
hopefully someone can help me out.

I have two connections coming into my server, on a DSL and the other a 
Cable.  Both connections go into two seperate firewalls.  One firewall is a 
Checkpoint firewall thich does static NAT to my server, the real IP is 
converted to 192.168.1.2.  The other firewall is just a WinRoute server with 
port forwarding, only have one IP, this is forwarded to 10.10.10.156.

The server is configured as:
eth0 -> 192.168.1.2 and GW 192.168.1.1  Primary SDSL Interface
eth1 -> 10.10.10.156 and GW 10.10.10.157  Secondary Cable Interface

The problem is that I want clients to connect to either connection to access 
my FTP server.  However packets are not necesarily exiting the same 
interface that they are coming in on, they always exit the GW highest in the 
routing list.  I am not sure if it is because of the NAT and port 
forwarding, but packets don't make it back to the destination unless it is 
going out the original interface.  I have verfied this by creating static 
routes and looking at the route cache.

I am only concerned about FTP traffic for eth1, which will have PASV and 
normal FTP traffic.  No other traffic will be port forwarded to this 
interface.

Possible solution, I don't understand IPROUTE2 yet so all of this is 
conceptual:

I can use IPTables to mangle all packets coming into eth1 and have them 
routed to go back out that interface.  From the HOWTo I am guessing:

1) Remove the default gateway pointing to 10.10.10.157.  This will leave all 
traffic going out 192.168.1.1
2) Mangle the packets, never done this, cut and paste out of HOWTO:
# iptables -A PREROUTING -i eth1 -t mangle -j MARK --set-mark 1
3) Then add a route for all marked packets to go out 10.10.10.157
Syntax is still very confusing to me, if this is the right approach I will 
try to figure out.  Hints are appreciated...

Does this make sense or am I looking into this at completely the wrong 
angle?

Thanks!!

_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/lartc/

Re: [LARTC] Multiple Gateway

[Whit Blauvelt]

You might look at http://www.linuxvirtualserver.org/~julian/nano.txt - you
can forget about the kernel patches and remove "proto static" where it
appears in the examples and still have a general solution for your
situation. On the other hand, you could just follow the whole thing, if
you're comfortable patching you kernel.

The January 2002 SysAdmin had a good article on a very similar setup.
(http://www.samag.com/articles/2002/0201/ - but the article's not online.)

Whit
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/lartc/

Re: [LARTC] Multiple Gateway

[hail narcissus]

Thanks, I'll give it a shot.  Thanks.

>From: Whit Blauvelt <whit@transpect.com>
>To: hail narcissus <gene_yee@hotmail.com>
>CC: lartc@mailman.ds9a.nl
>Subject: Re: [LARTC] Multiple Gateway
>Date: Thu, 7 Feb 2002 19:35:29 -0500
>
>You might look at http://www.linuxvirtualserver.org/~julian/nano.txt - you
>can forget about the kernel patches and remove "proto static" where it
>appears in the examples and still have a general solution for your
>situation. On the other hand, you could just follow the whole thing, if
>you're comfortable patching you kernel.
>
>The January 2002 SysAdmin had a good article on a very similar setup.
>(http://www.samag.com/articles/2002/0201/ - but the article's not online.)
>
>Whit




_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/lartc/

Re: [LARTC] Multiple Gateway

[Adrian Chung]

On Thu, Feb 07, 2002 at 07:35:29PM -0500, Whit Blauvelt wrote:
[...]
> The January 2002 SysAdmin had a good article on a very similar setup.
> (http://www.samag.com/articles/2002/0201/ - but the article's not online.)

Funny you mention that.  There's no link to the article from that
page, but the article is online:

http://www.samag.com/documents/s\x1824/sam0201h/0201h.htm

The link came from another list. :)

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[toad.enfusion-group.com] up 6 days, 11:37, 10 users

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/lartc/

Re: [LARTC] Multiple Gateway

[hail narcissus]

That article in SAMag was perfect.  I setup Source IP Routing on my 2nd nic 
with just 2 lines.  All is up and running now.

Thanks.

>From: Adrian Chung <adrian@enfusion-group.com>
>To: Whit Blauvelt <whit@transpect.com>
>CC: hail narcissus <gene_yee@hotmail.com>, lartc@mailman.ds9a.nl
>Subject: Re: [LARTC] Multiple Gateway
>Date: Fri, 8 Feb 2002 10:43:50 -0500
>
>On Thu, Feb 07, 2002 at 07:35:29PM -0500, Whit Blauvelt wrote:
>[...]
> > The January 2002 SysAdmin had a good article on a very similar setup.
> > (http://www.samag.com/articles/2002/0201/ - but the article's not 
>online.)
>
>Funny you mention that.  There's no link to the article from that
>page, but the article is online:
>
>http://www.samag.com/documents/s\x1824/sam0201h/0201h.htm
>
>The link came from another list. :)
>
>--
>Adrian Chung (adrian at enfusion-group dot com)
>http://www.enfusion-group.com/~adrian
>GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
>[toad.enfusion-group.com] up 6 days, 11:37, 10 users
>
>_______________________________________________
>LARTC mailing list / LARTC@mailman.ds9a.nl
>http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/lartc/




_________________________________________________________________
Join the world’s largest e-mail service with MSN Hotmail. 
http://www.hotmail.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/lartc/