Linux Netfilter discussions
From: "alfredo" <asa@euroval.com>
To: netfilter@vger.kernel.org
Subject: access to terminal server in DMZ with 2 isp
Date: Tue, 20 Oct 2009 19:40:10 +0200
Message-ID: <000301ca51ac$5efe4f70$7600a8c0@VALFREDO>

I have been trying to configure access to a terminal server for several
days without any luck. I have two routers from 2 different ISPs
(called ono and neo), with a range of public IPs on each. I want to access my
terminal server from the Internet through each ISP, so that if one is down I
can use the other one.


  /--------\  neo (isp1)   eth1 +----------+
 /          \ -----------------+          |                  +-----------------+
| Internet   |                 | Firewall |---eth0--- DMZ ---| Terminal Server |
 \          / -----------------+          |                  +-----------------+
  \--------/  ono (isp2)   eth2 +----------+


IP1 is the public ip of eth1
P1 is the ip of the neo's router
IP2 is the public ip of eth2
P2 is the ip of the ono's router


My script to configure the firewall is as follows:
#eth0 -> Internal network (DMZ) 192.168.0.0/24
#eth1 -> Neo (First ISP)
#eth2 -> Ono (Second ISP)
    #Script:
    set -x

    echo 255 local > /etc/iproute2/rt_tables
    echo 254 main >> /etc/iproute2/rt_tables
    echo 253 default >> /etc/iproute2/rt_tables
    echo 0 unspec >> /etc/iproute2/rt_tables
    echo 200 neo >> /etc/iproute2/rt_tables
    echo 201 ono >> /etc/iproute2/rt_tables

    iptables -F
    iptables -t nat -F
    iptables -t mangle -F

    # neo
    IP1="213.172.XXXX"
    P1_NET="213.172.XXXX/29"
    P1="213.172.XXXX"
    IF1="eth1"

    # ono
    IP2="84.124.XXXXX"
    P2_NET="84.124.87.224/29"
    P2="84.124.XXXX"
    IF2="eth2"

    # DMZ
    IP0="192.168.0.249"
    P0_NET="192.168.0.0/24"
    #P0=
    IF0="eth0"    # DMZ interface; the per-table DMZ routes below refer to $IF0

    # Per-ISP tables: each carries its own connected subnet and default gateway
    ip route add $P2_NET dev $IF2 src $IP2 table ono
    ip route add default via $P2 table ono
    ip route add $P1_NET dev $IF1 src $IP1 table neo
    ip route add default via $P1 table neo
    # Main table: both ISP subnets, default via neo
    ip route add $P1_NET dev $IF1 src $IP1
    ip route add $P2_NET dev $IF2 src $IP2
    ip route add default via $P1
    # Each ISP table also needs the DMZ, the other ISP's subnet and loopback,
    # otherwise traffic selected into that table falls through to its default route
    ip route add $P0_NET     dev $IF0 table neo
    ip route add $P2_NET     dev $IF2 table neo
    ip route add 127.0.0.0/8 dev lo   table neo
    ip route add $P0_NET     dev $IF0 table ono
    ip route add $P1_NET     dev $IF1 table ono
    ip route add 127.0.0.0/8 dev lo   table ono

    # Select the table by firewall mark, or by source address for locally generated traffic
    ip rule add fwmark 2 table ono
    ip rule add fwmark 1 table neo
    ip rule add from $IP2 table ono
    ip rule add from $IP1 table neo
    # -----------
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F

    # Mark every packet of a connection by the public address it was originally
    # addressed to, so both directions use the same ISP table
    #iptables -t mangle -A PREROUTING -m conntrack --ctstate DNAT --ctorigdst $IP1 -j MARK --set-mark 1
    #iptables -t mangle -A PREROUTING -m conntrack --ctstate DNAT --ctorigdst $IP2 -j MARK --set-mark 2
    iptables -t mangle -A PREROUTING -m conntrack --ctorigdst $IP1 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -m conntrack --ctorigdst $IP2 -j MARK --set-mark 2

    # Enable NAT so the internal network can reach the outside
    iptables -t nat -A POSTROUTING -o $IF1 -s $P0_NET -d 0.0.0.0/0 -j SNAT --to $IP1
    iptables -t nat -A POSTROUTING -o $IF2 -s $P0_NET -d 0.0.0.0/0 -j SNAT --to $IP2
    #iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0.0.0.0/0 -j MASQUERADE
    # Redirect the port from the public addresses to the private one
    iptables -A PREROUTING -t nat -p tcp -i eth2 --dport 3389 -j DNAT --to 192.168.0.118:3389
    iptables -A PREROUTING -t nat -p tcp -i eth1 --dport 3389 -j DNAT --to 192.168.0.118:3389
    #iptables -A PREROUTING -t nat -p tcp --dport 3389 -j DNAT --to 192.168.0.118:3389
    #iptables -A PREROUTING -t nat -p tcp --dport 6000 -j DNAT --to 192.168.0.118:6666

When I try to connect from outside to each of my ISPs, for example ono, I
see packets entering eth2 and then going out eth2 immediately without being
routed to eth0.
I see DNAT has changed the destination IP, so packets go out eth2 having the
source IP from which I'm connecting (not the IP of the adapter) and
destination IP 192.168.0.118 (the internal server), but through the wrong
interface. These packets should have been sent out eth0 and not eth2. If I
connect to the other ISP, neo, it's the same, but packets go out eth1
instead of eth0.
Any suggestions?
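The symptom above is what policy routing produces when a marked packet is sent to an ISP table that has no route for the DMZ: the fwmark rule selects table ono, the only match there is the default route, and the DNATed packet leaves via eth2. The script intends to prevent this with `ip route add $P0_NET dev $IF0 table ono`, which only takes effect if $IF0 is actually set. The following is an added example, not code from the original post or its replies: a simplified Python model of the kernel's `ip rule` / per-table longest-prefix lookup, built with the post's table and rule layout. It assumes placeholder public ranges (203.0.113.0/29 for neo, 198.51.100.0/29 for ono, in place of the redacted addresses), a constructed Internet client 192.0.2.10, and the kernel's rule ordering (the last `ip rule add` without a priority is evaluated first, then main). It ignores reverse-path filtering and conntrack; the mark values are supplied directly.

```python
"""Simplified model of Linux policy routing: ordered rules selecting tables,
longest-prefix match inside each table, table miss falls through to the next
rule. Added example; addresses below are placeholders, not the post's."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IP1, P1_NET, P1 = "203.0.113.2", "203.0.113.0/29", "203.0.113.1"      # neo (placeholder)
IP2, P2_NET, P2 = "198.51.100.2", "198.51.100.0/29", "198.51.100.1"   # ono (placeholder)
P0_NET = "192.168.0.0/24"      # DMZ, as in the post
TS = "192.168.0.118"           # terminal server, as in the post
CLIENT = "192.0.2.10"          # constructed Internet client (TEST-NET-1)
ANY = "0.0.0.0/0"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None


@dataclass
class Rule:
    table: str
    fwmark: Optional[int] = None
    src: Optional[ipaddress.IPv4Network] = None   # 'ip rule add from ...'


def R(prefix: str, dev: str, via: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(prefix), dev, via)


def build_tables(dmz_route_in_isp_tables: bool) -> Dict[str, List[Route]]:
    """Routes as the post's script installs them. If $IF0 is unset, the
    'ip route add $P0_NET dev $IF0 table neo|ono' lines fail and the ISP
    tables end up without a DMZ route; that is the False case."""
    neo = [R(P1_NET, "eth1"), R(ANY, "eth1", P1), R(P2_NET, "eth2"), R("127.0.0.0/8", "lo")]
    ono = [R(P2_NET, "eth2"), R(ANY, "eth2", P2), R(P1_NET, "eth1"), R("127.0.0.0/8", "lo")]
    if dmz_route_in_isp_tables:
        neo.append(R(P0_NET, "eth0"))
        ono.append(R(P0_NET, "eth0"))
    main = [R(P1_NET, "eth1"), R(P2_NET, "eth2"), R(P0_NET, "eth0"), R(ANY, "eth1", P1)]
    return {"neo": neo, "ono": ono, "main": main}


# 'ip rule add' without a priority places each new rule before the previous
# one, so the post's four rules are evaluated in reverse order of addition,
# followed by the main table (priority 32766).
RULES = [
    Rule("neo", src=ipaddress.ip_network(IP1 + "/32")),
    Rule("ono", src=ipaddress.ip_network(IP2 + "/32")),
    Rule("neo", fwmark=1),
    Rule("ono", fwmark=2),
    Rule("main"),
]


def lookup(routes: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match within a single table; None on a table miss."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def egress(tables: Dict[str, List[Route]], dst: str, src: str, mark: int = 0) -> Optional[str]:
    """Return the outgoing interface the rule/table walk selects for a packet."""
    d, s = ipaddress.ip_address(dst), ipaddress.ip_address(src)
    for rule in RULES:
        if rule.fwmark is not None and rule.fwmark != mark:
            continue
        if rule.src is not None and s not in rule.src:
            continue
        r = lookup(tables[rule.table], d)
        if r is not None:          # a miss in this table falls through to the next rule
            return r.dev
    return None


def demo() -> Dict[str, Optional[str]]:
    """The post's scenarios: inbound DNATed RDP (mark set from ctorigdst),
    the server's replies, and an unmarked new connection from the DMZ."""
    broken, fixed = build_tables(False), build_tables(True)
    return {
        "dnat_in_broken": egress(broken, TS, CLIENT, mark=2),   # eth2: the reported symptom
        "dnat_in_fixed":  egress(fixed, TS, CLIENT, mark=2),    # eth0: DMZ route present in table ono
        "reply_ono":      egress(fixed, CLIENT, TS, mark=2),    # eth2: reply leaves via ono
        "reply_neo":      egress(fixed, CLIENT, TS, mark=1),    # eth1: reply leaves via neo
        "unmarked_out":   egress(fixed, CLIENT, TS),            # eth1: main table default
    }


if __name__ == "__main__":
    for name, dev in demo().items():
        print(f"{name:16} -> {dev}")
```

On a real box the same check is `ip route get 192.168.0.118 from <client> iif eth2 mark 2`, which prints the interface the kernel would choose for the marked, DNATed packet; the tables can also be inspected with `ip route show table ono`.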



Thread overview: 3+ messages
2009-10-20 17:40 alfredo [this message]
2009-10-20 17:56 ` access to terminal server in DMZ with 2 isp Gary Smith
2009-10-23 10:22 ` Vlado Drzík
