From: "Martin A. Brown" <mabrown-lartc@securepipe.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] routing to two interfaces
Date: Wed, 20 Nov 2002 23:45:29 +0000
Message-ID: <marc-lartc-103783599912967@msgid-missing>
In-Reply-To: <marc-lartc-103783300809624@msgid-missing>
Rob,
There's a problem with your solution!
fwmark; transient
- - - - - - - - - - -
The structure of the packet as it passes through the firewall/router
contains the fwmark. As soon as the packet leaves the box, it no longer
has the fwmark.
Your solution handles the packets inbound from the outside world, but
neglects to handle the outbound packets from the internal network.
SNAT; sets the correct source IP (for outbound connections)
- - - - - - - - - - - - - - - -
Even if using SNATs as you suggest, there is still no way to tell if a
packet belongs to a session inbound over eth1 or eth2. This is the
statelessness of IP routing!
scenarios
- - - - - - - - - - -
For example, maybe Paco has an RFC1918 addressed server which s/he wants
to make available on two different public IPs. This requires one
solution. (inbound problem; SNAT can't help; DNAT maybe)
Perhaps Paco wants to send some traffic out one link, and some out the
other link--yet another solution. (generic policy routing)
Finally, a link load sharing split access solution is different yet.
(multipath route)
In order to make any recommendation, we would need to know what the IP
address ranges are and specifically why/how Paco envisions using these
two links.
-Martin
: i missed the nat rule though:
:
: $IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -o $ETH1 -j SNAT \
: --to-source $ETH1_GATEWAY_IP
: $IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -o $ETH2 -j SNAT \
: --to-source $ETH2_GATEWAY_IP
:
: try out following:
: it's just an idea and i didn't try it out
:
: # delete tables 2 and 3 to avoid duplicates
: # add for each table the gateway to use
: $IP route del table 2
: $IP route add table 2 via $ETH1_GATEWAY_IP dev eth1
: $IP route del table 3
: $IP route add table 3 via $ETH2_GATEWAY_IP dev eth2
:
: # mark each packet regarding to its incoming device
: $IPTABLES -t mangle -A INPUT -i eth1 -j MARK --set-mark 2
: $IPTABLES -t mangle -A INPUT -i eth2 -j MARK --set-mark 3
:
: # delete to avoid duplicates
: # lookup the right table regarding to packets fwmark setting
: # flush the routing cache
: $IP rule del fwmark 2 table 2
: $IP rule del fwmark 3 table 3
: $IP rule add fwmark 2 table 2
: $IP rule add fwmark 3 table 3
: $IP route flush cache
:
:
: --
: rob
: _______________________________________________
: LARTC mailing list / LARTC@mailman.ds9a.nl
: http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
:
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
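The configuration that Martin's three points lead to, as an added example that is not part of the thread and not code posted by Rob or Martin: per-uplink routing tables selected by source address for traffic the router answers itself, marks set in PREROUTING (not INPUT, which never sees forwarded packets) and carried across the connection with iptables' CONNMARK target for the DNAT'd LAN server, plus the SNAT rules from the quoted mail and a multipath default route for the load-sharing scenario. It goes beyond the message by covering all three scenarios in one script. Interface names, the addresses (RFC 5737 documentation ranges), the LAN server, and the table and mark numbering are assumptions; CONNMARK is not something the thread itself discusses.

```shell
#!/bin/sh
# Added example, not code from the thread.  Router with one LAN (eth0) and
# two uplinks (eth1, eth2).  Addresses are constructed placeholders from the
# RFC 5737 documentation ranges.  Commands are printed, not executed, unless
# APPLY=1 is set, since applying them needs root and a router with these links.

ETH1=eth1; ETH1_IP=203.0.113.10;  ETH1_NET=203.0.113.0/24;  ETH1_GW=203.0.113.1
ETH2=eth2; ETH2_IP=198.51.100.10; ETH2_NET=198.51.100.0/24; ETH2_GW=198.51.100.1
LAN_NET=192.168.0.0/24
WEB_SERVER=192.168.0.10   # assumed RFC1918 host to expose on both public IPs

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# One routing table per uplink; the table number doubles as the fwmark value.
table_for() {
    case "$1" in
        "$ETH1") echo 2 ;;
        "$ETH2") echo 3 ;;
        *) echo "table_for: unknown uplink '$1'" >&2; return 1 ;;
    esac
}

# Per-uplink table: the uplink's own subnet plus a default route through its
# gateway.  One rule selects the table by source address, so anything the
# router itself answers from that uplink's address leaves through that
# uplink; a second rule selects it by fwmark for forwarded traffic.
# The source address is carried in the packet and survives leaving the box;
# the fwmark is local to the router and never does.
setup_uplink() {   # setup_uplink <iface> <ip> <net> <gw>
    t=$(table_for "$1") || return 1
    run ip route flush table "$t"
    run ip route add "$3" dev "$1" src "$2" table "$t"
    run ip route add default via "$4" dev "$1" table "$t"
    run ip rule del from "$2" table "$t" 2>/dev/null || true
    run ip rule add from "$2" table "$t" pref "$((100 + t))"
    run ip rule del fwmark "$t" table "$t" 2>/dev/null || true
    run ip rule add fwmark "$t" table "$t" pref "$((50 + t))"
}

# Marking for forwarded traffic.  Marks go in mangle PREROUTING, which every
# arriving packet traverses; mangle INPUT only sees packets addressed to the
# router itself, so forwarded packets never get marked there.  CONNMARK
# saves the mark into the conntrack entry on the first packet and restores
# it on every later packet of the connection in both directions, so the
# LAN server's reply is routed out the uplink the request arrived on.
setup_marks() {
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    run iptables -t mangle -A PREROUTING -i "$ETH1" -j MARK --set-mark "$(table_for "$ETH1")"
    run iptables -t mangle -A PREROUTING -i "$ETH2" -j MARK --set-mark "$(table_for "$ETH2")"
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
    # Packets the router generates itself skip PREROUTING; restore there too.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

# NAT: outbound LAN traffic gets the public address of whichever uplink it
# leaves on, and the same RFC1918 server is reachable on both public IPs.
setup_nat() {
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$ETH1" -j SNAT --to-source "$ETH1_IP"
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$ETH2" -j SNAT --to-source "$ETH2_IP"
    run iptables -t nat -A PREROUTING -i "$ETH1" -d "$ETH1_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER"
    run iptables -t nat -A PREROUTING -i "$ETH2" -d "$ETH2_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER"
}

# Load sharing for new outbound connections: a multipath default route in
# the main table.  The kernel picks a nexthop per destination, the SNAT
# rules above make the source address match the chosen uplink, and once a
# reply has been seen CONNMARK keeps the rest of that connection there.
setup_multipath() {
    run ip route replace default scope global \
        nexthop via "$ETH1_GW" dev "$ETH1" weight 1 \
        nexthop via "$ETH2_GW" dev "$ETH2" weight 1
}

setup_all() {
    setup_uplink "$ETH1" "$ETH1_IP" "$ETH1_NET" "$ETH1_GW"
    setup_uplink "$ETH2" "$ETH2_IP" "$ETH2_NET" "$ETH2_GW"
    setup_marks
    setup_nat
    setup_multipath
    run ip route flush cache
}

setup_all
```

Run it as-is to review the generated commands, then `APPLY=1 sh script.sh` as root on the router. The rule priorities put the fwmark rules (50+table) ahead of the source-address rules (100+table), both ahead of the main table at 32766, so a marked forwarded packet and an unmarked locally generated reply end up in the same per-uplink table.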
Thread overview: 12+ messages
2002-11-20 22:55 [LARTC] routing to two interfaces Paco Brufal
2002-11-20 23:05 ` Martin A. Brown
2002-11-20 23:26 ` Robert Felber
2002-11-20 23:34 ` Robert Felber
2002-11-20 23:45 ` Martin A. Brown [this message]
2002-11-21 0:04 ` Robert Felber
2002-11-21 0:09 ` Robert Felber
2002-11-21 0:27 ` Paco Brufal
2002-11-21 0:38 ` Paco Brufal
2002-11-21 3:37 ` Martin A. Brown
2002-11-21 8:27 ` Arthur van Leeuwen
2002-11-21 18:28 ` Paco Brufal