From: Thomas Vander Stichele <thomas@urgent.rug.ac.be>
To: lartc@vger.kernel.org
Subject: [LARTC] Question re: multi-homed access
Date: Thu, 21 Mar 2002 17:50:15 +0000 [thread overview]
Message-ID: <marc-lartc-101673309716255@msgid-missing> (raw)
Hello,
I'm new to this list. I spent the last week reading docs and trying
various ideas, annoying my users at work in the process.
Our setup seems to be very common; I installed a firewall linux machine
(RH72 with a 2.4.17 kernel with the HTB patches applied)
This firewall has :
- eth0 as an internal LAN device, IP 192.168.1.254
- eth1 as the first external device, IP 192.168.254.253
connected to an ADSL cisco router (with int. IP 192.168.254.254)
- eth2 as the second external device
connected to a cable modem
getting its IP information from DHCP, but according to the provider I
will always get the same address.
Now, I implemented stuff from the nano.txt document, and for outgoing
connections most things seem to work.
I set up /sbin/ifup-local to remove the default gateway route added by
dhcpcd so that after boot, the firewall machine at least works over the
ADSL connection.
Then I started writing the firewall script.
I start by applying the iptables rules for statefulness (are these
necessary? Exactly what do they do?). I removed the interface
configuration commands, since that is handled by redhat.
Then I remove the default route, and add the three tables which together
implement the load balancing.
For outgoing connections, this mostly works : I can tell from traceroutes
that I get alternating outgoing gateways.
Now for the problems I'm having :
* before, when only using the ADSL as gateway, I could ssh to other boxes
on the internet without problems. With the new setup, when I ssh to one
of them (and the route goes over the second interface), the connection
hangs at the moment ssh starts up the X port forwarding. I suppose this
is because (IIRC) ssh tries to set up a connection from that box to my
current machine, which somehow fails. If the route happens to go over the
first interface, everything is ok.
* When trying to access the firewall from the outside, connections only
get established when coming in over the ADSL interface. When coming in
over the cable interface, the connection hangs, indicating the route back
is failing. This seems to me like another symptom of the same problem as
the other.
So here is a set of questions ;) You knew this was coming ...
a) nano.txt only mentions outgoing connections. Does this document apply
to incoming connections as well or not ? Should it work as outlined there,
should I infer different iptables and ip rules to handle incoming traffic,
or does it work in another way entirely ?
b) Since I don't have a default gateway and the gateway alternation works
on outgoing routes, I suppose that my gateway setup is correct. So the
fact that it cannot make incoming connections over eth2 is not due to eth1
being the default gateway as was the case before.
But what else could cause this behaviour ? Is it possible I might have my
SNAT/MASQUERADE set up wrong to get this effect ?
c) do I need to apply julian's patches in order for this basic setup
(incoming traffic on both interfaces) to work ? It is my understanding
from browsing through the archive that, for this basic functionality, it's
not necessary. I will of course apply these patches later on to have
gateway failure detection, but my question is if applying these patches
now or not will have any effect on my current setup.
Here is a list of output of various commands :
[root@columbus root]# ip rule
0: from all lookup local
50: from all lookup main
201: from 192.168.254.0/24 lookup 201
202: from 62.205.66.0/23 lookup 202
222: from all lookup 222
32766: from all lookup main
32767: from all lookup 253
[root@columbus root]# ip route list table main
192.168.4.0/24 dev eth0 proto kernel scope link src 192.168.4.254
192.168.1.0/24 dev eth0 scope link
192.168.254.0/24 dev eth1 proto kernel scope link src 192.168.254.253
62.205.66.0/23 dev eth2 proto kernel scope link src 62.205.66.243
127.0.0.0/8 dev lo scope link
(I have to note here that using redhat's network configuration initialized
the 192.168.254.0/24 to be "scope link" only, so no proto kernel and no
src address. I thought that this might have been wrong so I changed it
manually but it had no effect as far as I could tell)
[root@columbus root]# ip route list table 201
default via 192.168.254.254 dev eth1 proto static src 192.168.254.253
prohibit default proto static metric 1
[root@columbus root]# ip route list table 202
default via 62.205.67.254 dev eth2 proto static src 62.205.66.243
prohibit default proto static metric 1
default proto static
nexthop via 192.168.254.254 dev eth1 weight 1
nexthop via 62.205.67.254 dev eth2 weight 1
[root@columbus root]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
keep_state all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
keep_state all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
keep_state all -- anywhere anywhere
Chain keep_state (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
RETURN all -- anywhere anywhere
[root@columbus root]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
keep_state all -- anywhere anywhere
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
keep_state all -- anywhere anywhere
MASQUERADE all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
keep_state all -- anywhere anywhere
Chain keep_state (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
RETURN all -- anywhere anywhere
I hope this is enough information to help me debug the situation. Any
help is MUCH appreciated.
Thanks in advance,
Thomas
--
The Dave/Dina Project : future TV today ! - http://davedina.apestaart.org/
<-*- -*->
I should dress you up in pearl
Finest silk to touch your skin
Don't know how to write a love song
But don't leave
<-*- thomas@apestaart.org -*->
URGent, the best radio on the Internet - 24/7 ! - http://urgent.rug.ac.be/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
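The routing decision behind the `ip rule` / `ip route` output in the post, as an added example that is not code from the post, the LARTC HOWTO or nano.txt: a small Python simulator of how the kernel consults the rules in priority order, searches the named table with longest-prefix match (lowest metric among equal prefixes), stops with EACCES on a `prohibit` route, and falls through to the next rule when a table has nothing for the destination. The rules and tables are transcribed from the post; the remote host address and the LAN host address used in the demo are constructed, and the `local` table is left empty. The last two cases show why the `prohibit default metric 1` line matters: with the cable link down it makes the lookup fail, whereas without it a reply carrying the cable source address would fall through to table 222 and could leave over the ADSL gateway.

```python
"""Policy-routing walk-through for the two-ISP firewall in the post above.

Added example, not code from the post or the LARTC project: rules are
consulted in priority order, each names a table, the table is searched with
longest-prefix match (lowest metric wins among equal prefixes), a `prohibit`
route ends the lookup with EACCES, and a table with no matching route falls
through to the next rule.  RULES and TABLES are transcribed from the post;
the packet addresses in the demo are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: str                 # "default" or a CIDR prefix
    dev: str = ""
    via: str = ""
    metric: int = 0
    rtype: str = "unicast"      # "unicast" or "prohibit"
    nexthops: list = field(default_factory=list)   # [(via, dev, weight)] for multipath

    def network(self):
        return ipaddress.ip_network("0.0.0.0/0" if self.prefix == "default" else self.prefix)


@dataclass
class Rule:
    priority: int
    src: str                    # "all" or a CIDR prefix
    table: str


# `ip rule` output from the post (the `local` table is not modelled here)
RULES = [
    Rule(0, "all", "local"),
    Rule(50, "all", "main"),
    Rule(201, "192.168.254.0/24", "201"),
    Rule(202, "62.205.66.0/23", "202"),
    Rule(222, "all", "222"),
    Rule(32766, "all", "main"),
    Rule(32767, "all", "253"),
]

# `ip route list table ...` output from the post
TABLES = {
    "local": [],
    "main": [
        Route("192.168.4.0/24", dev="eth0"),
        Route("192.168.1.0/24", dev="eth0"),
        Route("192.168.254.0/24", dev="eth1"),
        Route("62.205.66.0/23", dev="eth2"),
        Route("127.0.0.0/8", dev="lo"),
    ],
    "201": [Route("default", dev="eth1", via="192.168.254.254"),
            Route("default", metric=1, rtype="prohibit")],
    "202": [Route("default", dev="eth2", via="62.205.67.254"),
            Route("default", metric=1, rtype="prohibit")],
    "222": [Route("default", nexthops=[("192.168.254.254", "eth1", 1),
                                       ("62.205.67.254", "eth2", 1)])],
    "253": [],
}


def lookup_table(routes, dst):
    """Longest-prefix match; among equal prefixes the lowest metric wins."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in routes if dst in r.network()]
    if not hits:
        return None
    longest = max(r.network().prefixlen for r in hits)
    return min((r for r in hits if r.network().prefixlen == longest), key=lambda r: r.metric)


def route_packet(rules, tables, src, dst, flow_hash=0):
    """Return (dev, gateway) for a packet, or raise PermissionError for a prohibit route."""
    src_addr = ipaddress.ip_address(src)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.src != "all" and src_addr not in ipaddress.ip_network(rule.src):
            continue
        route = lookup_table(tables.get(rule.table, []), dst)
        if route is None:
            continue                      # nothing in this table: try the next rule
        if route.rtype == "prohibit":
            raise PermissionError(f"prohibit in table {rule.table}")
        if route.nexthops:
            # the 2.4 `equalize` patch picks a nexthop per flow; chosen deterministically here
            via, dev, _weight = route.nexthops[flow_hash % len(route.nexthops)]
            return dev, via
        return route.dev, route.via
    raise LookupError("no route to host")


def describe(src, dst, tables=TABLES, flow_hash=0):
    """Human-readable routing decision, including the errno the kernel would report."""
    try:
        dev, via = route_packet(RULES, tables, src, dst, flow_hash)
    except PermissionError as e:
        return f"EACCES ({e})"
    return f"{dev} via {via}" if via else f"{dev} (on-link)"


def link_down(tables, table, dev):
    """Copy of `tables` with the unicast routes on `dev` removed from `table`,
    which is what happens to a table when that interface goes down."""
    copy = dict(tables)
    copy[table] = [r for r in tables[table] if not (r.rtype == "unicast" and r.dev == dev)]
    return copy


if __name__ == "__main__":
    peer = "198.51.100.7"   # constructed remote host
    print("reply from cable address :", describe("62.205.66.243", peer))
    print("reply from ADSL address  :", describe("192.168.254.253", peer))
    print("LAN host, flow A         :", describe("192.168.1.10", peer, flow_hash=0))
    print("LAN host, flow B         :", describe("192.168.1.10", peer, flow_hash=1))
    print("cable link down          :", describe("62.205.66.243", peer, link_down(TABLES, "202", "eth2")))
    no_prohibit = dict(TABLES, **{"202": [TABLES["202"][0]]})
    print("no prohibit, link down   :", describe("62.205.66.243", peer, link_down(no_prohibit, "202", "eth2")))
```

The simulator only models the rule and table walk, not the route cache, conntrack or MASQUERADE source selection, so it answers "which table and gateway does this source address end up on" rather than the full forwarding path; running it with the firewall's two public addresses as sources is a quick check that replies to connections arriving on either external interface leave through the same interface.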
Thread overview (7+ messages):
2002-03-21 17:50 Thomas Vander Stichele [this message]
2002-03-21 21:35 ` [LARTC] Question re: multi-homed access Julian Anastasov
2002-03-21 23:02 ` Thomas Vander Stichele
2002-03-21 23:55 ` Julian Anastasov
2002-03-22 9:58 ` Thomas Vander Stichele
2002-03-22 10:34 ` Julian Anastasov
2002-03-22 17:15 ` Thomas Vander Stichele