From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Roni Reicher"
Date: Thu, 13 Jun 2002 14:43:44 +0000
Subject: [LARTC] ADVANCED ROUTING USING IPROUTE2 -> Multiple Firewalls
To: lartc@vger.kernel.org

Hi guys. I really need some help.

This is my scenario:

CLIENTS -> SWITCH -> W2K Server -> Linux -> Internet (with 2 ADSL LINES)

My RedHat Linux 7.2 is just a firewall. I'm running all the services (www, mail, etc.) on my W2K.

I tried to set up a load balance, but I'm getting the following problem.

When I connect from the internet through my IP1 (ADSL 1) on any port that I redirect to W2K, I can connect perfectly to my W2K, but when I connect using my IP2 (ADSL2) I can't get to W2K.

And vice versa.

With the telnet server, which is running on the Linux, I can connect using both IPs.

I guess the problem is when the W2K uses the other gw.

My W2K default gw is the Linux.

This is my setup:

W2K IP  -> 10.0.0.1
W2K IP2 -> 192.168.1.2

Linux eth0    -> xxx.xxx.xxx.170 (ADSL1)
Linux eth0 gw -> xxx.xxx.xxx.129

Linux eth1    -> 192.168.1.1

Linux eth2    -> yyy.yyy.yyy.205 (ADSL2)
Linux eth2 gw -> yyy.yyy.yyy.193

IPTABLES (just the basic).

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT

$IPTABLES -A FORWARD -o eth0 -j ACCEPT
$IPTABLES -A FORWARD -o eth2 -j ACCEPT

##################### SMTP SERVER #################
$IPTABLES -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.170 --dport 25 -j DNAT --to-destination 192.168.1.2
$IPTABLES -t nat -A PREROUTING -p tcp -d yyy.yyy.yyy.205 --dport 25 -j DNAT --to-destination 192.168.1.2
##################### HTTP SERVER ##################
$IPTABLES -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.170 --dport 80 -j DNAT --to-destination 192.168.1.2
$IPTABLES -t nat -A PREROUTING -p tcp -d yyy.yyy.yyy.205 --dport 80 -j DNAT --to-destination 192.168.1.2

$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -o eth2 -j MASQUERADE

And this is my load balancing script:

#### Variables ######

IP=/sbin/ip

IF1=eth0
IP1=xxx.xxx.xxx.170
P1=xxx.xxx.xxx.129
P1_NET=xxx.xxx.xxx.128/26

IF2=eth2
IP2=yyy.yyy.yyy.205
# no space after '=': "P2= value" assigns an empty P2 and then tries to run the value as a command
P2=yyy.yyy.yyy.193
P2_NET=yyy.yyy.yyy.192/26

echo 201 t1 >> /etc/iproute2/rt_tables
echo 202 t2 >> /etc/iproute2/rt_tables

$IP route add $P1_NET dev $IF1 src $IP1 table t1
$IP route add default via $P1 table t1
$IP route add $P2_NET dev $IF2 src $IP2 table t2
$IP route add default via $P2 table t2

$IP route add $P1_NET dev $IF1 src $IP1
$IP route add $P2_NET dev $IF2 src $IP2

$IP route add default via $P1

$IP rule add from $IP1 table t1
$IP rule add from $IP2 table t2

# 'replace' rather than 'add': a default route already exists in the main table
# (added two lines above), and 'add' fails with "RTNETLINK answers: File exists"
$IP route replace default scope global nexthop via $P1 dev $IF1 weight 1 nexthop via $P2 dev $IF2 weight 1

I really need help.

I appreciate it,

Ron Reicher
ronysrei@uol.com.br
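An added example, not the poster's script or anything from the LARTC HOWTO. The symptom described above (a port forward reachable through one ADSL address but not the other) is what happens when the W2K box's reply packets, whose source is still 192.168.1.2 when the firewall makes its routing decision, match neither "from $IP1" nor "from $IP2" rule, fall through to the multipath default and can leave on the wrong uplink. The script below keeps the per-uplink tables and rules of the original but adds connection marking: new inbound connections are marked with the uplink they arrived on, the mark is restored onto the server's replies before routing, and fwmark rules steer them back out the same uplink. It assumes a kernel and iptables with the CONNMARK target (an assumption; not every 2.4 kernel of that era shipped it) and uses constructed RFC 5737 addresses in place of the masked xxx/yyy values. By default it only prints the commands; run it with the argument "apply" as root to execute them.

```shell
#!/bin/sh
# Added example, not the original poster's script. Dual-uplink firewall with
# policy routing where DNATed replies leave through the uplink they arrived on.
# Assumptions: kernel/iptables with the CONNMARK target; the addresses are
# constructed placeholders (RFC 5737 ranges) standing in for the masked
# xxx.xxx.xxx.* and yyy.yyy.yyy.* of the post.

IP=${IP:-/sbin/ip}
IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}            # 1 = print the commands, 0 = execute them (needs root)

IF1=eth0; IP1=203.0.113.170; P1=203.0.113.129; P1_NET=203.0.113.128/26
IF2=eth2; IP2=198.51.100.205; P2=198.51.100.193; P2_NET=198.51.100.192/26
LAN_IF=eth1; SERVER=192.168.1.2  # constructed: W2K behind eth1, as in the post

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Register a routing table name once; the post's script appends on every run.
add_rt_table() {
    grep -qw "$2" /etc/iproute2/rt_tables 2>/dev/null \
        || run sh -c "echo '$1 $2' >> /etc/iproute2/rt_tables"
}

policy_routing() {
    add_rt_table 201 t1
    add_rt_table 202 t2
    # One table per uplink: its link route plus its own default gateway.
    run "$IP" route add "$P1_NET" dev "$IF1" src "$IP1" table t1
    run "$IP" route add default via "$P1" table t1
    run "$IP" route add "$P2_NET" dev "$IF2" src "$IP2" table t2
    run "$IP" route add default via "$P2" table t2
    # Traffic the firewall itself originates: pick the table by source address.
    run "$IP" rule add from "$IP1" table t1
    run "$IP" rule add from "$IP2" table t2
    # Forwarded replies from the LAN carry the connection mark set in nat_rules;
    # these rules send them back out the uplink the connection came in on.
    run "$IP" rule add fwmark 1 table t1
    run "$IP" rule add fwmark 2 table t2
    # Unmarked outbound traffic is balanced across both uplinks. 'replace'
    # instead of 'add' so an existing single default does not cause 'File exists'.
    run "$IP" route replace default scope global \
        nexthop via "$P1" dev "$IF1" weight 1 \
        nexthop via "$P2" dev "$IF2" weight 1
}

nat_rules() {
    # Remember on which uplink each new inbound connection arrived.
    run "$IPTABLES" -t mangle -A PREROUTING -i "$IF1" -m state --state NEW -j CONNMARK --set-mark 1
    run "$IPTABLES" -t mangle -A PREROUTING -i "$IF2" -m state --state NEW -j CONNMARK --set-mark 2
    # Restore that mark onto the server's reply packets before the routing
    # decision, so the fwmark rules above apply to them.
    run "$IPTABLES" -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    # Port forwards, bound to the uplink whose address they serve.
    for port in 25 80; do
        run "$IPTABLES" -t nat -A PREROUTING -i "$IF1" -p tcp -d "$IP1" --dport "$port" -j DNAT --to-destination "$SERVER"
        run "$IPTABLES" -t nat -A PREROUTING -i "$IF2" -p tcp -d "$IP2" --dport "$port" -j DNAT --to-destination "$SERVER"
    done
    # Source NAT per uplink, using that uplink's own address.
    run "$IPTABLES" -t nat -A POSTROUTING -o "$IF1" -j SNAT --to-source "$IP1"
    run "$IPTABLES" -t nat -A POSTROUTING -o "$IF2" -j SNAT --to-source "$IP2"
}

if [ "${1:-}" = apply ]; then DRY_RUN=0; fi
policy_routing
nat_rules
```

The mangle PREROUTING hook runs before the routing decision, which is why restoring the mark there is enough for the fwmark rules to see it; the reverse DNAT of the reply's source address happens later, in POSTROUTING, after the packet has already been committed to the right uplink.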
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/