From: "William L. Thomson Jr." <support@obsidian-studios.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] ADVANCED ROUTING USING IPROUTE2 -> Multiple Firewalls
Date: Sat, 29 Jun 2002 18:08:53 +0000
Message-ID: <marc-lartc-102537537807030@msgid-missing>
In-Reply-To: <marc-lartc-102397943817504@msgid-missing>

On Sat, 2002-06-29 at 09:13, Roni Reicher wrote:
> I installed the kernel 2.4.19pre10 with all the patches and compiled it
> with the equal-cost multipath, but I'm still having some troubles...

When you say patches I assume you mean Julian's route patch.
http://www.linuxvirtualserver.org/~julian/#routes

> Could anyone check these scripts to see if there is something wrong?

I will do my best.

> I appreciate it,

No problem, just doing my part to give back.

> Eth0 (local) -> 192.168.1.1 connected to my W2k Server on 192.168.1.2
> Eth1 (ADSL 1 256k) -> xxx.xxx.xxx.170 gw xxx.xxx.xxx.129
> Eth2 (ADSL 2 512k) -> yyy.yyy.yyy.205 gw yyy.yyy.yyy.193
> 
> My W2K is hosting all the services, and the clients are behind it.

If I could take this moment to say shame on you. You should be hosting
those services on a Linux box, but that may be out of your control. So
be it; at least you are doing the right thing by putting a Linux
router/firewall in front of the W2K server, as it will need to be
protected like anything else.
 
> This is my IPTABLES SCRIPT.

This I really will not discuss here. Sorry, but this type of thing is a
netfilter mailing list issue.

With that said, you must do NAT in the Linux box for load balancing to
work. You will most likely use either Destination NAT or Port NAT.
So long as some sort of NAT is in the Linux box, with either of the
above you should not need source NAT, but you might.
 
> 
> IPTABLES=/sbin/iptables
> 
> 
> $IPTABLES -F INPUT
> $IPTABLES -F FORWARD
> $IPTABLES -F OUTPUT
> $IPTABLES -t nat -F PREROUTING
> $IPTABLES -t nat -F POSTROUTING
> $IPTABLES -P INPUT DROP
> $IPTABLES -P FORWARD DROP
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -t nat -P PREROUTING   ACCEPT
> $IPTABLES -t nat -P POSTROUTING  ACCEPT
> $IPTABLES -t nat -P OUTPUT       ACCEPT
> 
> 
> $IPTABLES -A INPUT -p tcp -s 10.0.0.0/255.255.255.0 --dport 23 -j ACCEPT
> 
> $IPTABLES -A INPUT -i lo   -j ACCEPT
> $IPTABLES -A INPUT -p icmp -j ACCEPT
> 
> #############################################
> 
> $IPTABLES -A FORWARD -o eth2 -j ACCEPT
> $IPTABLES -A FORWARD -o eth1 -j ACCEPT
> 
> $IPTABLES -A FORWARD -p tcp ! --syn -d 192.168.1.0/255.255.255.0 -j ACCEPT
> 
> ##################################
> 
> $IPTABLES -A FORWARD -i eth1  -o eth0 -j ACCEPT
> $IPTABLES -A FORWARD -i eth2  -o eth0 -j ACCEPT
> $IPTABLES -A FORWARD -i eth0  -o eth1 -j ACCEPT
> $IPTABLES -A FORWARD -i eth0  -o eth2 -j ACCEPT
> 
> ###########################################
> 
> $IPTABLES -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.170 --dport 25 -j DNAT --to-destination 192.168.1.2
> 
> $IPTABLES -t nat -A PREROUTING -p tcp -d yyy.yyy.yyy.205 --dport 25 -j DNAT --to-destination 192.168.1.2
> 
> ###########################################
> $IPTABLES -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.170 --dport 80 -j DNAT --to-destination 192.168.1.2
> 
> 
>  $IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
>  $IPTABLES -t nat -A POSTROUTING -s 10.0.0.0/24    -j MASQUERADE
>  $IPTABLES -t nat -A POSTROUTING -o eth1           -j MASQUERADE
>  $IPTABLES -t nat -A POSTROUTING -o eth2           -j MASQUERADE
> 
> 
> 
> 
> And this is my Load Balancing Script:

From looking below, I am not going to even try to comment. Why have you
deviated so far from the nano-how-to? If you have the patches applied,
then your problems are coming from below. Once you have your load
balancing script looking more like the nano-how-to and are still having
problems, it's mostly a NAT issue at that point. But I can't emphasize
enough that you must stick to the nano-how-to.
 
> IP=/sbin/ip
> 
> 
> IF1=eth1
> IP1=xxx.xxx.xxx.170
> P1=xxx.xxx.xxx.129
> P1_NET=xxx.xxx.xxx.128/26
> 
> IF2=eth2
> IP2=yyy.yyy.yyy.205
> P2=yyy.yyy.yyy.193
> P2_NET=yyy.yyy.yyy.192/26
> 
> ###################################
> 
> echo 201  T1 >> /etc/iproute2/rt_tables
> echo 202  T2 >> /etc/iproute2/rt_tables
> 
> $IP route del default
> 
> $IP route add $P1_NET dev $IF1 src $IP1 table T1
> $IP route add default via $P1 table T1
> $IP route add $P2_NET dev $IF2 src $IP2 table T2 
> $IP route add default via $P2 table T2
> 
> $IP route add $P1_NET dev $IF1 src $IP1
> $IP route add $P2_NET dev $IF2 src $IP2
> 
> #########################################
> 
> $IP route add default via $P2
> 
> ######################################################
> 
> $IP rule add from $IP1 table T1
> $IP rule add from $IP2 table T2
> 
> #############################
> 
> $IP route add default scope global nexthop via $P2 dev $IF2 weight 1 nexthop via $P1 dev $IF1 weight 1
> 
> ######################################################

So adjust this script to look more like the nano-how-to and let me know how it goes.
 
-- 
Sincerely,
William L. Thomson Jr.
Obsidian-Studios, Inc.
439 Amber Way
Petaluma, Ca. 94952
Phone  707.766.9509
Fax    707.766.8989
http://www.obsidian-studios.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
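The reply keeps pointing back to the LARTC "nano-how-to" shape for a two-uplink router: one table per uplink holding that uplink's connected network and default gateway, a rule per uplink selecting its table by source address, the connected networks in the main table, and a single equal-cost multipath default route in place of a plain `default via` entry. The script below is an added example written for this page, not code from the thread or from the LARTC project. It uses placeholder addresses from the documentation ranges instead of the poster's masked xxx/yyy values, wraps every command in a dry-run helper so the sequence can be reviewed before it touches a live router, and sanity-checks the variables first (the quoted script contained a gateway line with a space after `=` and an IP2 value with seven octets, both of which would silently produce broken routes). It assumes tables `T1` and `T2` already have entries in `/etc/iproute2/rt_tables`, since appending them with `echo >>` on every run leaves duplicate lines behind.

```shell
#!/bin/sh
# Added example: two-uplink policy routing in the LARTC nano-howto shape.
# All addresses are constructed placeholders; adjust to your own uplinks.
# Prerequisite (assumption): /etc/iproute2/rt_tables already names tables
# T1 and T2, e.g. "201 T1" and "202 T2".

IP=${IP:-/sbin/ip}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them

IF1=eth1; IP1=203.0.113.170;  P1=203.0.113.129;  P1_NET=203.0.113.128/26
IF2=eth2; IP2=198.51.100.205; P2=198.51.100.193; P2_NET=198.51.100.192/26

# run CMD...: execute the command, or just print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# is_ipv4 ADDR: exactly four dotted octets, nothing more (rejects a pasted
# value such as 198.51.100.200.168.71.205 before it reaches ip(8))
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# check_uplink IF ADDR GW NET: basic shape checks on one uplink's variables
check_uplink() {
    [ -n "$1" ] || return 1
    is_ipv4 "$2" || return 1
    is_ipv4 "$3" || return 1
    echo "$4" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
}

# setup_routes: emit (or apply) the nano-howto sequence for both uplinks
setup_routes() {
    check_uplink "$IF1" "$IP1" "$P1" "$P1_NET" || { echo "uplink 1 variables look wrong" >&2; return 1; }
    check_uplink "$IF2" "$IP2" "$P2" "$P2_NET" || { echo "uplink 2 variables look wrong" >&2; return 1; }

    # Per-uplink tables: traffic sourced from an uplink address answers
    # through that uplink's own gateway, so DNAT'd inbound connections
    # return the way they came in.
    run $IP route add "$P1_NET" dev "$IF1" src "$IP1" table T1
    run $IP route add default via "$P1" table T1
    run $IP route add "$P2_NET" dev "$IF2" src "$IP2" table T2
    run $IP route add default via "$P2" table T2

    # Main table: the two connected networks with their source addresses.
    run $IP route add "$P1_NET" dev "$IF1" src "$IP1"
    run $IP route add "$P2_NET" dev "$IF2" src "$IP2"

    # Rules: pick the table by source address.
    run $IP rule add from "$IP1" table T1
    run $IP rule add from "$IP2" table T2

    # One equal-cost multipath default route. Do not also add a plain
    # "default via" first; the second add would fail with "File exists".
    run $IP route add default scope global \
        nexthop via "$P1" dev "$IF1" weight 1 \
        nexthop via "$P2" dev "$IF2" weight 1
}
```

Source the file and call `setup_routes` to see the nine `ip` commands it would issue; set `DRY_RUN=0` only after the printed sequence looks right for your addresses. The checks are deliberately shape-only (octet count, CIDR suffix): they catch the copy-and-paste damage visible in the quoted script, not a gateway that is outside its own subnet, which `ip route add` itself will reject.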

Thread overview: 6+ messages
2002-06-13 14:43 [LARTC] ADVANCED ROUTING USING IPROUTE2 -> Multiple Firewalls Roni Reicher
2002-06-13 17:43 ` William L. Thomson Jr.
2002-06-17 13:18 ` Shroads, Jay
2002-06-26 23:14 ` Roni Reicher
2002-06-29 16:13 ` Roni Reicher
2002-06-29 18:08 ` William L. Thomson Jr. [this message]