[LARTC] 2 router on one server web

[LARTC] 2 router on one server web

[Michele]

Hi,
I read your "Linux 2.4 Advanced Routing" HOWTO, and particularly the
chapter 11 "Netfilter & iproute - marking packets".

I have two connections adsl in a server web

adsl1
      |
      |
      |
|194.243.12.15 (eth0)   SERVER WEB (eth1) 194.184.12.85 |
                                            |
                                            |
                                            |
                                           adsl2
                                           194.184.12.81

my default gateway is 194.243.12.1 and this is the reason why I can't
ping the adress  194.184.12.85 from another PC outside the LAN.


I configurated iproute e iptables in the follow way:

iptables:
#for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f; done
#echo 1 > /proc/sys/net/ipv4/route/flush
#iptables -A PREROUTING -i eth1 -p -t mangle -j MARK --set-mark 1

and iproute:
#echo 201 ruteradsl2 >>/etc/iproute2/rt_tables
#ip rule add fwmark 1 table  routeradsl2
# ip rule ls
0:      from all lookup local
32765:  from all fwmark        1 lookup routeradsl2
32766:  from all lookup main
32767:  from all lookup default
# /sbin/ip route add default via 194.184.12.81 dev eth1 table routeradsl2

Unfortunately it doesn't work.
I made this test:
I put after the line "iptables -A PREROUTING -i eth1  -t mangle -j
MARK --set-mark 1" the line
iptables -t nat -A PREROUTING -j LOG \
        --log-level NOTICE --log-prefix "PRE DEBUG after MARK: "

then from an outside pc, I ping the address 194.184.12.81 (adsl2) with
success, then I ping  the address 194.184.12.85 whitout success.

In the log of iptables there are many line like these:
May 21 15:09:22 ottavio kernel: PRE DEBUG after MARK: IN=eth1 OUTMAC\0:c0:49:b4:7f:c3:00:08:27:10:a9:a9:08:00 SRC€.207.4.98
DST\x194.184.12.85 LEN„ TOS=0x00 PREC=0x00 TTLR ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID\x17453 SEQ\x1280

Where do I wrong?

thanks

Michele Cerioni







_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] 2 router on one server web

[Martin A. Brown]

Hello Michele,

 : |194.243.12.15 (eth0)   SERVER WEB (eth1) 194.184.12.85 |
 :                                            adsl2
 :                                            194.184.12.81

So, you have a server with two ADSL connections.
                  +-----------------------------------+
194.243.12.1 -----| 194.243.12.15  SRV  194.184.12.85 |----- 194.184.12.81
             eth0 +-----------------------------------+ eth1


You are handling the inbound packets properly, but if you were to use
tcpdump on eth0, you'd see reply packets (to your ping) leaving on eth0
with a source address of 194.184.12.85.

This is not an uncommon thing to overlook when dealing with routing
systems--there is a path in to the box, and you have correctly identified
how to handle that, but you need to tell the box how to send the outbound
packet.

 : #for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f; done

Yes, you need to do this!

 : #echo 1 > /proc/sys/net/ipv4/route/flush

This is equivalent to "ip route flush cache", and should be performed
after altering the routing tables or the RPDB.

 : #iptables -A PREROUTING -i eth1 -p -t mangle -j MARK --set-mark 1

 : and iproute:
 : #echo 201 ruteradsl2 >>/etc/iproute2/rt_tables
 : #ip rule add fwmark 1 table  routeradsl2
 : # ip rule ls
 : 0:      from all lookup local
 : 32765:  from all fwmark        1 lookup routeradsl2
 : 32766:  from all lookup main
 : 32767:  from all lookup default
 : # /sbin/ip route add default via 194.184.12.81 dev eth1 table routeradsl2

Try adding the following:

# ip rule add from 194.184.12.85 lookup routeradsl2

If you want to see another full example, please consult the section on
multiple Internet connections in the linux-ip.net documentation.

  http://linux-ip.net/html/adv-multi-internet.html

Good luck,

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

[LARTC] 2 router on one server web

[Michele]

Hi,

I have to use kernel 2.2.25, with ipchains but need the --set-mark 
facility of iptables.
Is there  a way to mark incoming packet ?

Michele

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] 2 router on one server web

[Martin A. Brown]

Michele,

 : I have to use kernel 2.2.25, with ipchains but need the --set-mark
 : facility of iptables.

ipchains has a similar feature.  It's not a target as in iptables.

 : Is there  a way to mark incoming packet ?

ipchains -I input -s $SOURCE -d $DEST --mark $MARK -j ACCEPT

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/