* [LARTC] port-mapping with 2 isps
From: Diego Torres @ 2003-04-23 23:17 UTC
  To: lartc


hello... i've got an annoying problem that makes me think that i want to do something that is impossible... :) explanation:


i've two dsl lines and a linux box as a "load balancer".

some traffic goes out by eth0 and other goes out by eth1. (i mark the packets with iptables and then have 2 route tables)

i'm currently forwarding some incoming connections (to the port 80 on eth0) to another host inside the network. this works without problems as long as eth0 is the default gateway.

trying to forward connections on eth1 port 80 with eth0 as the default gateway results in the linux box losing the answer packet from the host inside the network.


diagram:

inet | - isp1 -- eth0\
     |                - LINUX ROUTER - eth2 - switch - "server host"
     | - isp2 -- eth1/

# ip ro sh
81.33.13.128 dev eth1  scope link  src 81.33.13.174
80.25.88.192 dev eth0  scope link  src 80.25.88.228
80.25.88.192/26 dev eth0  proto kernel  scope link  src 80.25.88.228
81.33.13.128/26 dev eth1  proto kernel  scope link  src 81.33.13.174
172.16.0.0/16 dev eth2  proto kernel  scope link  src 172.16.0.2
default via 80.25.88.193 dev eth0

because eth0 is the default gw, i can forward incoming connections on eth0 to the "server host".

can anyone help me so i can forward connections happening on both interfaces (eth0 & eth1, doesn't matter who is the default gw) ?

thanks in advance....

-- 
-- gnupg keyfingerprint -- 48AF 5BF9 8F54 2966 64CC  2327 7CD0 DD91 B09D 5799
-- Use of a keyboard or mouse may be linked to serious injuries or disorders.  
Diego Torres - dtorres@coral.dnsalias.org - Madrid / España
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] port-mapping with 2 isps
From: Martin A. Brown @ 2003-04-23 23:29 UTC
  To: lartc

Diego!

 : hello... i've got an annoying problem that makes me think that i want
 : to do something that is impossible... :) explanation:

No--not impossible.  Not trivial--but not impossible.

 : i've two dsl lines and a linux box as a "load balancer". some traffic
 : goes out by eth0 and other goes out by eth1. (i mark the packets with
 : iptables and then have 2 route tables)

 : i'm currently forwarding some incoming connections (to the port 80 on
 : eth0) to another host inside the network. this works without problems
 : as long as eth0 is the default gateway.
 :
 : trying to forward connections on eth1 port 80 with eth0 as the default
 : gateway results in the linux box losing the answer packet from the
 : host inside the network.

Same server reachable via two public IPs.  As proven in this forum last
week, by Russell Senior, you can do this EVEN if the internal server has
a single IP.  Until last week, I was convinced that two internal IPs were
required.  That is no longer so.

See the thread which starts here:

  http://mailman.ds9a.nl/pipermail/lartc/2003q2/007952.html

And the magic happens here:

  http://mailman.ds9a.nl/pipermail/lartc/2003q2/008090.html

 : diagram:
 :
 : inet | - isp1 -- eth0\
 :      |                - LINUX ROUTER - eth2 - switch - "server host"
 :      | - isp2 -- eth1/
 :
 : # ip ro sh
 : 81.33.13.128 dev eth1  scope link  src 81.33.13.174
 : 80.25.88.192 dev eth0  scope link  src 80.25.88.228
 : 80.25.88.192/26 dev eth0  proto kernel  scope link  src 80.25.88.228
 : 81.33.13.128/26 dev eth1  proto kernel  scope link  src 81.33.13.174
 : 172.16.0.0/16 dev eth2  proto kernel  scope link  src 172.16.0.2
 : default via 80.25.88.193 dev eth0
 :
 : because eth0 is the default gw, i can forward incoming connections on
 : eth0 to the "server host".
 :
 : can anyone help me so i can forward connections happening on both
 : interfaces (eth0 & eth1, doesn't matter who is the default gw) ?

Another reasonable option is to assign an additional IP address to the
internal server, and follow these instructions to configure the DNAT
and routing for each IP:

  http://linux-ip.net/html/adv-multi-internet.html#adv-multi-internet-inbound

Good luck, Diego,

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com


* Re: [LARTC] port-mapping with 2 isps
From: Martin A. Brown @ 2003-04-24  0:26 UTC
  To: lartc


[ Diego; I figured others would be interested in this answer, so I am
  copying the list. ]

 : > See the thread which starts here:
 : >
 : >   http://mailman.ds9a.nl/pipermail/lartc/2003q2/007952.html
 : >
 : > And the magic happens here:
 : >
 : >   http://mailman.ds9a.nl/pipermail/lartc/2003q2/008090.html
 :
 : thanks a lot! maybe i can now see some light on this problem :)
 :
 : i was thinking of marking the output packet on the host server (with
 : the same mark i'm using on the router box to route through the
 : non-default gw). if i understood correctly, this is what has been done
 : in the example below ...

Not quite (if I understand your explanation).  First and foremost, the
fwmark is packet meta-data which does not survive once the packet leaves a
router.

The cleverness of the solution is to take advantage of the connection
tracking mechanism (which keeps state), to set an fwmark on a packet as
soon as the packet enters the machine.

Now your stateless IP routing mechanism (FIB || RPDB + routing tables)
makes a decision based on the packet and the meta-data (fwmark).

 : iptables -t mangle -I PREROUTING -m conntrack --ctstate DNAT \
 :   --ctorigdst eee.fff.ggg.11 -j MARK --set-mark 2
 :
 : ip rule add fwmark 2 table T2
 :
 : but yet i don't understand why rp_filter should be turned off...

rp_filter (reverse path filtering) described:

  http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html#AEN616

rp_filter is a sysctl which tells your linux box to take some
anti-spoofing measures.  Naturally, this anti-spoofing technique works to
your disadvantage if you wish to be able to reach a particular network (in
this case 0/0) through multiple interfaces.  So, if you don't want the
kernel happily throwing away packets arriving on unexpected interfaces,
simply put a lightweight zero in rp_filter.

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
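A router-side version of the setup Martin describes, added here as an example (not code from the thread or from Martin). It assumes the internal server is 172.16.0.10 and isp2's gateway is 81.33.13.129, neither of which the thread gives, and uses a numeric table id in place of the thread's T2:

```shell
#!/bin/sh
# Added example, not from the thread: router-side setup for the conntrack-mark
# approach Martin describes. DRY_RUN=1 prints each command instead of running it.
# Addresses 80.25.88.228 (eth0) and 81.33.13.174 (eth1) come from Diego's
# "ip ro sh"; the server address and isp2's gateway are ASSUMED (not in thread).
ISP1_IP=80.25.88.228     # eth0, carries the default route in table main
ISP2_IP=81.33.13.174     # eth1
ISP2_GW=81.33.13.129     # assumed isp2 gateway (first host of 81.33.13.128/26)
SERVER=172.16.0.10       # assumed server host behind eth2 (172.16.0.0/16)
T2=102                   # numeric id for the table the thread calls T2

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_inbound_dnat() {
    # 1. DNAT port 80 on each public address to the internal server.
    run iptables -t nat -A PREROUTING -i eth0 -d "$ISP1_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$SERVER:80"
    run iptables -t nat -A PREROUTING -i eth1 -d "$ISP2_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$SERVER:80"
    # 2. Every packet of a connection that was DNATed from the isp2 address
    #    gets fwmark 2. The server's replies enter on eth2, belong to the same
    #    conntrack entry and so are marked on the router itself; the mark
    #    never has to travel to the server (it cannot, as Martin notes).
    run iptables -t mangle -A PREROUTING -m conntrack --ctstate DNAT \
        --ctorigdst "$ISP2_IP" -j MARK --set-mark 2
    # 3. Marked packets are routed by table T2, whose default route is isp2.
    run ip route add default via "$ISP2_GW" dev eth1 table "$T2"
    run ip rule add fwmark 2 table "$T2"
    # 4. Why rp_filter must go: the first SYN arriving on eth1 is not yet in
    #    DNAT state when mangle PREROUTING sees it (nat PREROUTING runs later),
    #    so its reverse-path lookup uses table main, which reaches the client
    #    via eth0, and the kernel would drop it as arriving on the wrong
    #    interface. The effective value is the higher of conf.all and the
    #    per-interface value, so both must be 0; eth2 keeps its own setting.
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w net.ipv4.conf.eth0.rp_filter=0
    run sysctl -w net.ipv4.conf.eth1.rp_filter=0
}

# DRY_RUN=1 sh thisfile prints the plan; from a root shell, source it and
# call setup_inbound_dnat to apply.
if [ "${DRY_RUN:-0}" = 1 ]; then setup_inbound_dnat; fi
```

Outbound load balancing (the marking Diego already does for locally originated traffic) is left untouched; the rules above only add the inbound half.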

