[LARTC] 3 nic -s, 1 lan, 2 internet connections, ip based routing and

[LARTC] 3 nic -s, 1 lan, 2 internet connections, ip based routing and

[Sysadmin]

[-- Attachment #1: Type: text/plain, Size: 2007 bytes --]


Hello.

I have problem to solve, redhat 6.3 based linux router, 3 network cards,
eth1, 192.168.10.1 connected to switch, eth0 213.180.9.x connected to
one adsl bridge and eth0 213.34.9.x connected to another adsl bridge.

Group one ---|         |                                  | eth0 213.180.9.x
                   | HUB  | --- eth1 192.168.30.1 |
Group two ---|    |                               | eth2 213.34.9.x


So one internal subnet, users from group one 
(192.168.10.2,  192.168.10.3,  192.168.10.4,  192.168.10.5) are allowed use 
eth0 and users from group two 192.168.10.10,  192.168.10.11,
192.168.10.12,  192.168.10.13 are allowed to use eth2 for internet 
connection, no load balancing etc is needed, the idea is just one router 
for two separate companies. So i made iptables nat rules:

$IPTABLES -A POSTROUTING -t nat -o eth0 -s 192.168.30.2 -j SNAT --to-source 
213.180.9.x
$IPTABLES -A POSTROUTING -t nat -o eth0 -s 192.168.30.3 -j SNAT --to-source 
213.180.9.x
$IPTABLES -A POSTROUTING -t nat -o eth0 -s 192.168.30.4 -j SNAT --to-source 
213.180.9.x
$IPTABLES -A POSTROUTING -t nat -o eth0 -s 192.168.30.5 -j SNAT --to-source 
213.180.9.x

$IPTABLES -A POSTROUTING -t nat -o eth2 -s 192.168.30.10 -j SNAT 
--to-source 213.34.9.x
$IPTABLES -A POSTROUTING -t nat -o eth2 -s 192.168.30.11 -j SNAT 
--to-source 213.34.9.x
$IPTABLES -A POSTROUTING -t nat -o eth2 -s 192.168.30.12 -j SNAT 
--to-source 213.34.9.x
$IPTABLES -A POSTROUTING -t nat -o eth2 -s 192.168.30.13 -j SNAT 
--to-source 213.34.9.x

But now i have routing problems, as both internet connections are
default route and i can use only one settings in /etc/syscondig/network:

GATEWAY="213.180.9.x"
GATEWAYDEV="eth0"

Then i found http://lartc.org/howto/lartc.rpdb.multiple-links.html but 
seems this is not 100% what i need, as there is no internal network 
interface included and routing is possible to network, not ip based.

Is it possible to get it work at all, and if so, then how?



--

Mart Pirita
--

Mart Pirita 

[-- Attachment #2: Type: text/html, Size: 2833 bytes --]

Re: [LARTC] 3 nic -s, 1 lan, 2 internet connections, ip based routing

[Martin A. Brown]

 : I have problem to solve, redhat 6.3 based linux router, 3 network cards,
 : eth1, 192.168.10.1 connected to switch, eth0 213.180.9.x connected to
 : one adsl bridge and eth0 213.34.9.x connected to another adsl bridge.

Hm!  Never heard of RH6.3 before.  Probably the successor to RH9.

<snipped>

 : So one internal subnet, users from group one
 : (192.168.10.2,  192.168.10.3,  192.168.10.4,  192.168.10.5) are allowed use
 : eth0 and users from group two 192.168.10.10,  192.168.10.11,
 : 192.168.10.12,  192.168.10.13 are allowed to use eth2 for internet
 : connection, no load balancing etc is needed, the idea is just one router
 : for two separate companies. So i made iptables nat rules:

You need to take advantage of the RPDB.  In particular, you may find this
documentation helpful:

  http://linux-ip.net/html/adv-multi-internet.html
  http://linux-ip.net/html/adv-multi-internet.html#adv-multi-internet-outbound

For some background on route selection:

  http://linux-ip.net/html/routing-selection.html
  http://linux-ip.net/html/routing-selection.html#routing-selection-adv

Note, that routing and iptables must be synchronized in order for you to
attain the desired result.

If your default route in table main is through 213.34.9.x, then here's a
teaser (you'll need to tweak it a bit to get things right):

# echo 5 link213180 >> /etc/iproute2/rt_tables
# ip rule add from 192.168.30.2 table link213180
  ...
# ip rule add from 192.168.30.5 table link213180
# ip route show table main \
>   | while read ROUTE ; do
>     ip route add table link213180 $ROUTE
> done
# ip route change table link213180 default via 213.180.9.x

 : Then i found http://lartc.org/howto/lartc.rpdb.multiple-links.html but
 : seems this is not 100% what i need, as there is no internal network
 : interface included and routing is possible to network, not ip based.
 : Is it possible to get it work at all, and if so, then how?

Good luck,

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] 3 nic -s, 1 lan, 2 internet connections, ip based

[Sysadmin]

[-- Attachment #1: Type: text/plain, Size: 1660 bytes --]

Hello

>Hm!  Never heard of RH6.3 before.  Probably the successor to RH9.

Sorry, typo, RH6.2, with 2.4.20 kernel&iptables, basically old distro with 
all new goods included:)


>You need to take advantage of the RPDB.  In particular, you may find this
>documentation helpful:
>
>   http://linux-ip.net/html/adv-multi-internet.html
> 
>http://linux-ip.net/html/adv-multi-internet.html#adv-multi-internet-outbound
>
>For some background on route selection:
>
>   http://linux-ip.net/html/routing-selection.html
>   http://linux-ip.net/html/routing-selection.html#routing-selection-adv

Seems there is examples for

Using Multiple Connections to the Internet for Inbound and Outbound 
Connections and for Outbound traffic Using Multiple Connections to the 
Internet and seems i need the second one, and this is almost not 
documented, or maybe i just didn't find examples.


>Note, that routing and iptables must be synchronized in order for you to
>attain the desired result.

Synchronized? What You mean?


>If your default route in table main is through 213.34.9.x, then here's a
>teaser (you'll need to tweak it a bit to get things right):
>
># echo 5 link213180 >> /etc/iproute2/rt_tables
># ip rule add from 192.168.30.2 table link213180
>   ...
># ip rule add from 192.168.30.5 table link213180
># ip route show table main \
> >   | while read ROUTE ; do
> >     ip route add table link213180 $ROUTE
> > done
># ip route change table link213180 default via 213.180.9.x

Do i need to use MARK in iptables rules? And can i use iptables route patch 
http://www.netfilter.org/documentation/pomlist/pom-extra.html#ROUTE ?.





--

Mart Pirita
--

Mart Pirita 

[-- Attachment #2: Type: text/html, Size: 2616 bytes --]

Re: [LARTC] 3 nic -s, 1 lan, 2 internet connections, ip based

[Martin A. Brown]

Hey, Mart:  Please do not post HTML messages.  This is common
            etiquette on mailing lists.  Thank you.

 : Using Multiple Connections to the Internet for Inbound and Outbound
 : Connections and for Outbound traffic Using Multiple Connections to the
 : Internet and seems i need the second one, and this is almost not
 : documented, or maybe i just didn't find examples.

If you read through the outbound traffic section, and digest it, I imagine
that you will see the solution.

 : >Note, that routing and iptables must be synchronized in order for you to
 : >attain the desired result.
 : Synchronized? What You mean?

There are two matters you need to have aligned in order to get the desired
result:

  - routing needs to work correctly, "ip rule" and "ip route" will do this
    for you
  - iptables needs to masquerade/SNAT the IPs to the correct IP addresses

These two have to be synchronized....I'm using the word in its dictionary
definition, not as jargon.

 : Do i need to use MARK in iptables rules?

No.  You should not need this.

 : And can i use iptables route patch
 : http://www.netfilter.org/documentation/pomlist/pom-extra.html#ROUTE ?.

I don't know this patch-o-matic, but I don't believe you will need this.

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] 3 nic -s, 1 lan, 2 internet connections, ip based

[Sysadmin]

Hello

>Hey, Mart:  Please do not post HTML messages.  This is common
>             etiquette on mailing lists.  Thank you.

Sorry, I usually use Netscape newsreader, but this is mail based group, so 
I did set Eudora to use plain text.

>If you read through the outbound traffic section, and digest it, I imagine
>that you will see the solution.

Good to know that its possible, so I give a try.

>There are two matters you need to have aligned in order to get the desired
>result:
>
>   - routing needs to work correctly, "ip rule" and "ip route" will do this
>     for you
>   - iptables needs to masquerade/SNAT the IPs to the correct IP addresses
>
>These two have to be synchronized....I'm using the word in its dictionary
>definition, not as jargon.

Ok, my english is not so good, thanks for explaining. Seems I understand 
the all thing wrong, I tried to make rules for both interfaces, but I need 
to let main eth0 as it is (default route) and make routing & iptables rules 
according to new eth2 interface and second group internal eth1 selected ip 
-s only.



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/