From: "Martin A. Brown" <mabrown-lartc@securepipe.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] routing for split multiple uplinks/providers with port
Date: Fri, 14 Nov 2003 04:42:08 +0000
Message-ID: <marc-lartc-106878557520167@msgid-missing>
In-Reply-To: <marc-lartc-106770352107516@msgid-missing>

Ian,

 : It doesn't work as given for connections that are port forwarded from
 : the Linux router to machines inside the local network (e.g. to a web
 : server).

True, the multiple uplinks is for exactly that, uplinks!  Or, in other
words, outbound connectivity, only.

 : With port forwarding in the mix, packets arriving from the Internet to
 : a particular port on the Linux router have DNAT applied so that they
 : pass transparently on to the internal web server; but, the answer
 : packets from the web server arrive back at the Linux router and do not
 : necessarily go out by the same gateway/provider by which they came in.

Also true.  The conventional solution is to have an end-to-end unique
path, and perform DNAT (or NAT) based on each public/private pair. [0]
Although, you might consider using connection tracking to do the heavy
lifting for you. [1]

 : I suspect the fix is somehow to mark the port forwarded packets with a
 : flag indicating on which interface they arrived at the Linux router,
 : and then preserve this flag into the answer packets on the web server.
 : On the Linux router I can then make sure that appropriately flagged
 : answer packets go out the correct interface.

Yes, you can mark the packets.  The trick is to take advantage of the
DNAT connection tracking entry in the PREROUTING table as the packet
enters the firewall from the internal network.  This allows you to mark
the packet before routing based on the original (public) destination IP
address.  Observe the use of "--ctorigdst" in this iptables command.

-Martin

 [0]  http://linux-ip.net/html/adv-multi-internet.html#adv-multi-internet-inbound
 [1]  http://mailman.ds9a.nl/pipermail/lartc/2003q2/008090.html

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
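The message above refers to an iptables command that did not survive in the archive.  What follows is an added, stand-alone example of the technique Martin describes (the conntrack match on the connection's original public destination, used to mark reply packets in mangle PREROUTING and route them by fwmark); it is not the command from the original thread, and every address, interface name, mark value and table number in it is hypothetical (RFC 5737 documentation ranges).  It assumes a router with two uplinks (eth1 and eth2), one LAN interface (eth0), an internal web server at 192.168.1.80, and that the main routing table already carries the usual outbound multi-uplink setup from the LARTC HOWTO.

```shell
#!/bin/sh
# Added example (not from the original thread): policy-route DNAT replies
# back out the uplink they arrived on.  Addresses, interfaces, marks and
# table numbers are hypothetical.  Prints the commands by default; runs
# them with APPLY=1 (needs root and the iptables conntrack match).

LAN_IF=eth0            # internal network, where the web server lives
SERVER=192.168.1.80    # internal web server receiving the port forward

# uplink_rules IFACE PUBLIC_IP GATEWAY MARK TABLE
# Emits the rules for one provider:
#  1. nat/PREROUTING: DNAT port 80 on this provider's public IP to SERVER.
#  2. mangle/PREROUTING: reply packets coming back in from the LAN still
#     carry SERVER as their source address when the routing decision is
#     made (the reverse translation of a DNAT connection is applied in
#     POSTROUTING), so "ip rule from PUBLIC_IP" cannot select the table.
#     The conntrack entry, however, remembers the ORIGINAL destination,
#     and mangle/PREROUTING runs after the conntrack lookup and before
#     routing, so --ctorigdst lets us mark the reply with this provider's
#     fwmark.
#  3. a per-provider table whose default route is this provider's gateway,
#     selected by that fwmark.
#  4. loose reverse-path filtering on the uplink: with the main default
#     route pointing at one provider, unmarked inbound packets arriving on
#     the other uplink fail the strict check and are silently dropped.
#     Kernels without loose mode (2) need rp_filter=0 here instead.
uplink_rules() {
    iface=$1 pub=$2 gw=$3 mark=$4 table=$5
    cat <<EOF
iptables -t nat -A PREROUTING -i $iface -d $pub -p tcp --dport 80 -j DNAT --to-destination $SERVER
iptables -t mangle -A PREROUTING -i $LAN_IF -m conntrack --ctstate DNAT --ctorigdst $pub -j MARK --set-mark $mark
ip route add default via $gw dev $iface table $table
ip rule add fwmark $mark table $table
sysctl -w net.ipv4.conf.$iface.rp_filter=2
EOF
}

# all_rules: one block per provider.  Marks and tables must be unique per
# provider; the public IP is what ties the DNAT rule to the mark rule.
all_rules() {
    uplink_rules eth1 203.0.113.10 203.0.113.1 1 101
    uplink_rules eth2 198.51.100.10 198.51.100.1 2 102
}

# apply_rules: execute the generated commands, stopping at the first error.
apply_rules() {
    all_rules | sh -e
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules
else
    all_rules
fi
```

To confirm the marking is happening, watch the packet counters of the two mangle rules while fetching the page through each public address (iptables -t mangle -L PREROUTING -v -n) and check that ip rule show lists both fwmark selectors; a reply that leaves through the wrong provider will show up as a counter that never moves.  The --ctstate DNAT qualifier keeps the mark rule from touching ordinary LAN-originated traffic that happens to share a conntrack entry shape, and -i $LAN_IF keeps it off the uplinks themselves.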

Thread overview:
2003-11-01 15:50 [LARTC] routing for split multiple uplinks/providers with port forwarding Ian! D. Allen
2003-11-12  7:42 ` Ian! D. Allen
2003-11-12  8:32 ` [LARTC] routing for split multiple uplinks/providers with port Damion de Soto
2003-11-14  4:42 ` Martin A. Brown [this message]