From: azeredo@qmc.ufsc.br
Date: Wed, 17 Dec 2003 14:57:18 +0000
Subject: [LARTC] Source routing two services in the intranet
To: lartc@vger.kernel.org

Hi.

A few months ago I asked the list about source routing and got a nice solution by Martin Brown. Thanks a lot for the help Martin Brown. Actually my problem now is related to the one before and so I think it is useful to rewrite it here:

Quoting Martin:

- private (rfc1918) internal network with services published to the world
- two public networks
- a single service (in the internal network) which should be reachable on an IP in each public network

Solution:

The key to the general solution of this problem is to use separate pairs of IPs for the entire path from the outside world to the internal network. The internal service (e.g., webserver) must host two IP addresses. One IP address can be reached via DNAT from public network 1 and the other IP address can be reached via DNAT from the other network.
The detailed solution can be looked up here:

http://linux-ip.net/html/adv-multi-internet.html#adv-multi-internet-inbound

namely,

    [root@masq-gw]# ip route add nat 67.17.28.10 via 192.168.100.10
    [root@masq-gw]# ip rule add nat 67.17.28.10 from 192.168.100.10 table 4
    [root@masq-gw]# ip route add nat 205.254.211.17 via 192.168.100.17
    [root@masq-gw]# ip rule add nat 205.254.211.17 from 192.168.100.17
    [root@masq-gw]# ip rule show
    0:      from all lookup local
    32765:  from 192.168.100.17 lookup main map-to 205.254.211.17
    32765:  from 192.168.100.10 lookup 4 map-to 67.17.28.10
    32766:  from all lookup main
    32767:  from all lookup 253
    [root@masq-gw]# ip route show table local | grep ^nat
    nat 205.254.211.17 via 192.168.100.17  scope host
    nat 67.17.28.10 via 192.168.100.10  scope host

This solution above has a drawback. If I have to provide a different service on a different computer in the internal network I can't, since every package that reaches the Linux router is being redirected to the same computer in the internal network. Assume that besides the web service in 192.168.100.10-192.168.100.17 (IP alias used here) we want to provide ssh service on 192.168.100.20-192.168.100.21 and want to source route both services in the Linux box. I believe that to solve this I need to operate with iptables and iproute together and DNAT the requests according to the port it is addressed to. It seems that iproute by itself cannot do that. But to accomplish this I think that a solid knowledge of how the packages traverse the kernel is necessary and that is what I am not sure about. So I would really appreciate if anyone could help me write the iptables and iproute rules for the example just mentioned. That would be a great help.
Thanks a lot for your attention,

Aldrovando Araújo

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
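The following is an added example, not part of the post, Martin Brown's reply or the linux-ip.net HOWTO, showing one way to combine iptables DNAT with iproute2 policy routing for the two-service case the post describes. The `ip route add nat` approach maps whole addresses, so it cannot send port 80 and port 22 of the same public IP to different internal hosts; netfilter DNAT can, because it matches on destination address and port and lets connection tracking undo the translation on replies. The public IPs and the four internal hosts are the ones named in the post; the interface names (eth0/eth1/eth2), the provider gateways, the /24 internal subnet and the port-to-host assignment are assumptions made up for the example. Because the reverse translation of a DNAT'd connection is applied in POSTROUTING, after the routing decision, the policy rules key on the private source addresses, as in the original `ip rule ... from 192.168.100.x` lines. The script only prints the commands unless APPLY=1 is set, so the rule set can be reviewed before it touches a router.

```shell
#!/bin/sh
# Added example, not from the post, Martin Brown or the linux-ip.net HOWTO.
# Generates (or, with APPLY=1, applies) the iptables + iproute2 rules that
# publish two services on two public IPs and route each host's replies back
# out through the provider it was reached on.
#
# Public IPs and internal hosts come from the post; the interface names,
# gateway addresses, internal subnet and port-to-host assignment are ASSUMED.
PUB1_IF=eth0; PUB1_IP=67.17.28.10;    PUB1_GW=67.17.28.1      # assumed gateway
PUB2_IF=eth1; PUB2_IP=205.254.211.17; PUB2_GW=205.254.211.1   # assumed gateway
INT_IF=eth2;  INT_NET=192.168.100.0/24                        # assumed internal side
WEB1=192.168.100.10; WEB2=192.168.100.17                      # web hosts (from post)
SSH1=192.168.100.20; SSH2=192.168.100.21                      # ssh hosts (from post)

# Service table (constructed): inbound-interface public-ip dport internal-host
SERVICES="
$PUB1_IF $PUB1_IP 80 $WEB1
$PUB2_IF $PUB2_IP 80 $WEB2
$PUB1_IF $PUB1_IP 22 $SSH1
$PUB2_IF $PUB2_IP 22 $SSH2
"

# Print each command unless APPLY=1, so the rule set can be reviewed (and
# tested) without root privileges or the real interfaces present.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

build_rules() {
    # 1. Inbound: the public address AND the destination port choose the
    #    internal host. This is what 'ip route add nat' alone cannot express,
    #    since it maps whole addresses rather than ports.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    printf '%s\n' "$SERVICES" | while read -r ifc pub port host; do
        [ -n "$ifc" ] || continue
        run iptables -t nat -A PREROUTING -i "$ifc" -d "$pub" -p tcp --dport "$port" \
            -j DNAT --to-destination "$host"
        # Forward only the published port, and only to the host it maps to.
        run iptables -A FORWARD -i "$ifc" -o "$INT_IF" -d "$host" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    run iptables -P FORWARD DROP   # anything not explicitly published is dropped

    # 2. Outbound: one routing table per provider. Reply packets still carry
    #    their private source when they are routed (the DNAT is reversed in
    #    POSTROUTING, after the routing decision), so rules key on the hosts.
    run ip route add "$INT_NET" dev "$INT_IF" table 1
    run ip route add default via "$PUB1_GW" dev "$PUB1_IF" table 1
    run ip route add "$INT_NET" dev "$INT_IF" table 2
    run ip route add default via "$PUB2_GW" dev "$PUB2_IF" table 2
    for h in "$WEB1" "$SSH1"; do run ip rule add from "$h" table 1; done
    for h in "$WEB2" "$SSH2"; do run ip rule add from "$h" table 2; done
}

# Number of generated DNAT rules; a quick sanity check before APPLY=1.
count_dnat() { build_rules | grep -c -- '-j DNAT'; }

build_rules
```

Run it as is to review the generated commands, then with `APPLY=1` on the router. The `from <host>` rules also steer connections that the internal hosts themselves initiate out through "their" provider; if those hosts need outbound Internet access, a matching SNAT or MASQUERADE rule per provider interface has to be added, which this example leaves out.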