From: "David H. Lynch Jr." <dhlii@1dla.com>
To: lartc@vger.kernel.org
Subject: RE: [LARTC] Help: Multiple internet connections
Date: Fri, 27 Sep 2002 06:54:24 +0000
Message-ID: <marc-lartc-103310980129850@msgid-missing>
In-Reply-To: <marc-lartc-103299298425932@msgid-missing>



>-----Original Message-----
>From: Arthur van Leeuwen [mailto:arthurvl@sci.kun.nl] 
>Sent: Thursday, September 26, 2002 5:28 AM
>To: David H. Lynch Jr.
>Cc: 'lartc Mailing List'
>Subject: Re: [LARTC] Help: Multiple internet connections


>>     However I have problems with the servers/services that are being 
>> DNATed to behind the firewall.

>Not so good.

>[snip]

>> 	It is my guess that the inbound packet manages its way to my server
>> just fine, but on the return trip it decides to head back out the
>> cable modem as that is the best route back to the client, and since
>> the client sees a response coming from the wrong source it discards
>> it, but I could easily be wrong.

>No, you are most probably right. Unfortunately, there is no real
>solution to your problem, for as soon as the packet has
>been DNATed to the service behind the firewall you lose all information
>as to which route the packet took to get to
>your firewall. This means that any return packet can only take the
>`obvious' short route directly to the remote machine,
>and not the less-obvious route the long way round but with the correct
>source address.

>> 	I believe I am only having problems with DNATed services behind the
>> firewall, and I believe it is only when the client is local to the
>> external interface opposite the one they are coming in on. But I could
>> easily be wrong. Regardless, the problem is mostly reproducible -
>> though it has been known to go away for days at a time on its own, and
>> mostly limited to a small subset of all clients.

>Sounds as if there's routes flapping for a subset of your clients.

>I can see only one real solution: have some sort of application-level
>proxies run on your firewall host to plug the
>connections through to the services behind it. One way to do so would
>be to use socks in listening mode.
>Another would be to use netcat...

>Doei, Arthur.

Trying to grok the interrelations between IPTABLES and routing has given
me a headache. I guess I am not as sharp as I used to be.  I am also
having a hard time getting a complete handle on what "stateful" really
means.  But I am gathering that this is a routing problem caused as a
side effect of DNATing a connection. If IPTABLES is "stateful", does that
mean that if I MARK a packet, the return packet is also marked? If
that were the case I could mark the inbound packets from one interface
and use iproute to select the right routing table for the return
packets. Alternatively, if I set the servers behind the firewall up with
two IPs and DNATed to a different one depending on the incoming
interface, shouldn't I be able to choose an outgoing routing table based
on the source IP of the return packet? Finally, what is a flapping route?
This problem would make a lot more sense to me if it were consistent.

	Thank you. Just having a second opinion that I am on the right
track helps a lot.




_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
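The connection-mark approach David asks about in the message above, as an added example that is not part of this thread or of anyone's posted configuration. An iptables MARK applies to a single packet only; the reply packets of the same connection are not marked by it. The CONNMARK target stores a packet mark in the conntrack entry (--save-mark) and copies it back onto every later packet of that connection in either direction (--restore-mark), so a mark set when a new connection arrives on one WAN interface reappears on the replies coming back from the internal server, before the routing decision is made. An `ip rule fwmark` then selects a per-provider routing table for those replies. All interface names, addresses, marks and table numbers below are constructed placeholders; the script prints the commands by default (DRY_RUN=1) and executes them as root when run with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: CONNMARK-based policy routing so that replies from a DNATed
# server leave through the WAN interface the request arrived on.
# Every interface name, address, mark and table number is a constructed
# placeholder, not a value from the mailing-list thread.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = run them (needs root)

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Constructed topology (placeholders): two providers plus an internal LAN.
WAN1_IF=eth0; WAN1_GW=10.0.1.1; WAN1_MARK=1; WAN1_TABLE=101
WAN2_IF=eth1; WAN2_GW=10.0.2.1; WAN2_MARK=2; WAN2_TABLE=102
LAN_IF=eth2;  LAN_NET=192.168.1.0/24
SERVER=192.168.1.10; SERVER_PORT=80

setup_policy_routing() {
    # One routing table per provider. Each table must also carry the LAN
    # route: a marked inbound packet heading for the server is routed
    # through the same table, and with only a default route it would be
    # bounced straight back out to the provider gateway.
    run ip route replace "$LAN_NET" dev "$LAN_IF" table "$WAN1_TABLE"
    run ip route replace default via "$WAN1_GW" dev "$WAN1_IF" table "$WAN1_TABLE"
    run ip route replace "$LAN_NET" dev "$LAN_IF" table "$WAN2_TABLE"
    run ip route replace default via "$WAN2_GW" dev "$WAN2_IF" table "$WAN2_TABLE"
    # The firewall mark selects the table.
    run ip rule add fwmark "$WAN1_MARK" table "$WAN1_TABLE"
    run ip rule add fwmark "$WAN2_MARK" table "$WAN2_TABLE"
    run ip route flush cache
}

setup_connmark() {
    # 1. Copy the connection's saved mark onto the packet. Replies from the
    #    server arrive on the LAN interface with mark 0 and pick up the mark
    #    their connection was given when it first arrived from the WAN.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 2. Packets still unmarked belong to new connections: mark them by the
    #    interface they arrived on.
    run iptables -t mangle -A PREROUTING -i "$WAN1_IF" -m mark --mark 0 \
        -j MARK --set-mark "$WAN1_MARK"
    run iptables -t mangle -A PREROUTING -i "$WAN2_IF" -m mark --mark 0 \
        -j MARK --set-mark "$WAN2_MARK"
    # 3. Store the packet mark in the conntrack entry for the rest of the
    #    connection, in both directions.
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
}

setup_dnat() {
    # Forward the published port from either provider to the internal server.
    # The reverse translation of the replies happens after routing, so the
    # outgoing interface is chosen by the mark and the source address is then
    # rewritten to the address the client originally contacted.
    for ifc in "$WAN1_IF" "$WAN2_IF"; do
        run iptables -t nat -A PREROUTING -i "$ifc" -p tcp --dport "$SERVER_PORT" \
            -j DNAT --to-destination "$SERVER"
    done
}

setup_all() {
    setup_policy_routing
    setup_connmark
    setup_dnat
}

setup_all
```

The order inside mangle PREROUTING matters: --restore-mark must run before the per-interface MARK rules, otherwise an established connection's packets would be treated as new, and --save-mark must come last so the freshly set mark is what gets stored. Run `DRY_RUN=1 sh script.sh` first to review the generated rules; the rules are additive (-A), so re-running with DRY_RUN=0 without flushing the mangle and nat tables duplicates them.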
