Linux Netfilter discussions
* Routing to DMZ with multiple ISP's
       [not found] <731f49cb0708231836l17371645yfa4567be170ec0ae@mail.gmail.com>
@ 2007-08-24  1:37 ` Robert Ferney
  2007-08-24 16:05   ` Pascal Hambourg
  0 siblings, 1 reply; 2+ messages in thread
From: Robert Ferney @ 2007-08-24  1:37 UTC (permalink / raw)
  To: netfilter

Ok, I'm hitting my head on a brick wall of my ignorance here.

I have 10 DSL routers with associated internet connections.
They are all configured to DNAT all traffic on their external
interface to one internal Router.

I'm trying to DNAT all web traffic to a webserver at 192.168.7.4
It is working for the first connection, but it fails on the remainder
What am I missing?

Each DSL router is configured with a private subnet with a matching
configuration on the router.
 dsl1: 192.168.4.1/30
 dsl2: 192.168.4.5/30
 dsl3: 192.168.4.9/30
 .... and so forth..

Rather than try to explain my configuration further, I'll just give
the stripped down version of the configuration outputs from my router.

r1:~ # ip addr
2: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 192.168.6.1/24 brd 192.168.6.255 scope global eth1
3: eth2: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 192.168.4.2/30 brd 192.168.4.3 scope global eth2
    inet 192.168.4.6/30 brd 192.168.4.7 scope global eth2:d2
    inet 192.168.4.10/30 brd 192.168.4.11 scope global eth2:d3
4: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 192.168.7.1/24 brd 192.168.7.255 scope global eth0

r1:~ # ip rule list
0:      from all lookup local
10001:  from 192.168.4.2 lookup dsl1
10002:  from 192.168.4.6 lookup dsl2
10003:  from 192.168.4.10 lookup dsl3
32766:  from all lookup main
32767:  from all lookup default

r1:~ # ip route list table dsl1
192.168.4.0/30 dev eth2  scope link  src 192.168.4.2
192.168.4.4/30 dev eth2  scope link  src 192.168.4.6
192.168.4.8/30 dev eth2  scope link  src 192.168.4.10
192.168.7.0/24 dev eth0  scope link  src 192.168.7.1
192.168.6.0/24 dev eth1  scope link  src 192.168.6.1
127.0.0.0/8 dev lo  scope link
default via 192.168.4.1 dev eth2

r1:~ # ip route list table dsl2
192.168.4.0/30 dev eth2  scope link  src 192.168.4.2
192.168.4.4/30 dev eth2  scope link  src 192.168.4.6
192.168.4.8/30 dev eth2  scope link  src 192.168.4.10
192.168.7.0/24 dev eth0  scope link  src 192.168.7.1
192.168.6.0/24 dev eth1  scope link  src 192.168.6.1
127.0.0.0/8 dev lo  scope link
default via 192.168.4.5 dev eth2

r1:~ # ip route list table dsl3
192.168.4.0/30 dev eth2  scope link  src 192.168.4.2
192.168.4.4/30 dev eth2  scope link  src 192.168.4.6
192.168.4.8/30 dev eth2  scope link  src 192.168.4.10
192.168.7.0/24 dev eth0  scope link  src 192.168.7.1
192.168.6.0/24 dev eth1  scope link  src 192.168.6.1
127.0.0.0/8 dev lo  scope link
default via 192.168.4.9 dev eth2

r1:~ # iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0             192.168.6.1         tcp
dpt:80 to:192.168.7.4
DNAT       tcp  --  0.0.0.0/0            192.168.4.2         tcp
dpt:80 to: 192.168.7.4
DNAT       tcp  --  0.0.0.0/0            192.168.4.6         tcp
dpt:80 to:192.168.7.4
DNAT       tcp  --  0.0.0.0/0            192.168.4.10        tcp
dpt:80 to:192.168.7.4

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


* Re: Routing to DMZ with multiple ISP's
  2007-08-24  1:37 ` Routing to DMZ with multiple ISP's Robert Ferney
@ 2007-08-24 16:05   ` Pascal Hambourg
  0 siblings, 0 replies; 2+ messages in thread
From: Pascal Hambourg @ 2007-08-24 16:05 UTC (permalink / raw)
  To: netfilter

Hello,

Robert Ferney wrote:
> 
> I have 10 DSL routers with associated internet connections.
> They are all configured to DNAT all traffic on their external
> interface to one internal Router.
> 
> I'm trying to DNAT all web traffic to a webserver at 192.168.7.4
> It is working for the first connection, but it fails on the remainder
> What am I missing?

My guess is what you are missing is that the "un-DNAT" of the source 
address in the reply packets from the server takes place in POSTROUTING, 
too late for it to be taken into account by your routing rules, which 
affect only packets generated by the internal router.

So your internal router needs to know to which gateway the reply packets 
must be sent (depending on which gateway the original packet came from) 
before the routing stage. This must be done in PREROUTING.

Here are two possible methods:

==============================================================
1) Match the original destination address of the incoming DNATed 
connection in the reply packets. This is done with the "--ctorigdst" 
option of the "conntrack" iptables match:

iptables -t mangle -A PREROUTING -i eth0 \
   -m conntrack --ctstate DNAT --ctorigdst 192.168.4.2 \
   -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -i eth0 \
   -m conntrack --ctstate DNAT --ctorigdst 192.168.4.6 \
   -j MARK --set-mark 0x2
[...]

Then you direct the marked packets to the alternate routing table:

ip rule add fwmark 0x1 lookup dsl1
ip rule add fwmark 0x2 lookup dsl2
[...]

==============================================================
2) Mark the connections with the CONNMARK iptables target.
This requires a kernel with connection mark support, i.e. at least 
version 2.6.10 or patched with patch-o-matic-ng.

iptables -t mangle -A PREROUTING -i eth2 -m state --state NEW \
   -d 192.168.4.2 -p tcp --dport 80 -j CONNMARK --set-mark 0x1
iptables -t mangle -A PREROUTING -i eth2 -m state --state NEW \
   -d 192.168.4.6 -p tcp --dport 80 -j CONNMARK --set-mark 0x2
[...]

This sets a "connection mark" on new _connections_ (not on individual 
packets) incoming on eth2 depending on the original destination address. 
Then copy the connection mark into the mark of reply packets incoming on 
eth0:

iptables -t mangle -A PREROUTING -i eth0 -m connmark --mark 0x1 \
   -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i eth0 -m connmark --mark 0x2 \
   -j CONNMARK --restore-mark
[...]

The "ip rule" commands are the same as in 1).
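The following script is an added example and is not part of the thread or of anyone's posted configuration. It builds the rule set from both methods above for any number of DSL links (METHOD=ctorigdst for method 1, METHOD=connmark for method 2), prints the commands by default, and runs them only when APPLY=1. The link list reuses the addresses from the original post; the table names, interface names, marks and the single unconditional --restore-mark rule (which collapses the per-mark restore rules above into one) are assumptions, and the named tables must already exist in /etc/iproute2/rt_tables.

```shell
#!/bin/sh
# Added example, not from the thread: generate the DNAT plus policy-routing rules
# for N DSL links using either method from the reply.
#   METHOD=ctorigdst  mark reply *packets* by their pre-DNAT destination (method 1)
#   METHOD=connmark   mark the *connection* on arrival, restore it on replies (method 2)
# Dry run by default (prints the commands); APPLY=1 executes them (needs root).
# Assumptions: table names exist in /etc/iproute2/rt_tables; interfaces and
# addresses follow the original post; the link list below is constructed from it.

WAN_IF=eth2              # faces the DSL routers
DMZ_IF=eth0              # faces the web server
DMZ_SERVER=192.168.7.4
METHOD=${METHOD:-connmark}

# one link per line: "<table> <local address on that link> <gateway> <fwmark>"
LINKS='
dsl1 192.168.4.2  192.168.4.1 0x1
dsl2 192.168.4.6  192.168.4.5 0x2
dsl3 192.168.4.10 192.168.4.9 0x3
'

# emit: print the command (dry run) or execute it (APPLY=1)
emit() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# gen_link_rules TABLE LOCAL_IP GATEWAY MARK: rules for a single DSL link
gen_link_rules() {
    table=$1 local_ip=$2 gw=$3 mark=$4
    # DNAT web traffic arriving for this link's address to the server (as in the post)
    emit iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$local_ip" -p tcp --dport 80 \
        -j DNAT --to-destination "$DMZ_SERVER"
    case $METHOD in
    ctorigdst)
        # method 1: on replies from the DMZ, match the original (pre-DNAT) destination
        emit iptables -t mangle -A PREROUTING -i "$DMZ_IF" \
            -m conntrack --ctstate DNAT --ctorigdst "$local_ip" -j MARK --set-mark "$mark"
        ;;
    connmark)
        # method 2: stamp the connection when its first packet arrives on the WAN side
        emit iptables -t mangle -A PREROUTING -i "$WAN_IF" -m conntrack --ctstate NEW \
            -d "$local_ip" -p tcp --dport 80 -j CONNMARK --set-mark "$mark"
        ;;
    *)  echo "unknown METHOD: $METHOD" >&2; return 1 ;;
    esac
    # packets carrying this mark are routed via the link's table, whose default
    # route points at the link's own DSL gateway
    emit ip rule add fwmark "$mark" lookup "$table"
    emit ip route replace default via "$gw" dev "$WAN_IF" table "$table"
}

# gen_all: the complete plan for every link in LINKS
gen_all() {
    if [ "$METHOD" = connmark ]; then
        # copy the connection mark onto every reply packet before routing; replies
        # of unmarked connections keep mark 0 and fall through to the main table
        emit iptables -t mangle -A PREROUTING -i "$DMZ_IF" -j CONNMARK --restore-mark
    fi
    printf '%s\n' "$LINKS" | while read -r table local_ip gw mark; do
        [ -n "$table" ] || continue
        gen_link_rules "$table" "$local_ip" "$gw" "$mark"
    done
}

# count_rules PATTERN: how many generated commands contain PATTERN (plan sanity check)
count_rules() {
    gen_all | grep -c -- "$1"
}

gen_all
```

After applying, `iptables -t mangle -L PREROUTING -v -n` shows per-rule packet counters, so a second connection through dsl2 should increment the 0x2 CONNMARK rule on the way in and the restore rule on the way out; `ip rule show` confirms the fwmark rules sit before the "from all lookup main" entry.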
