From: Pascal Hambourg
Subject: Re: Routing to DMZ with multiple ISP's
Date: Fri, 24 Aug 2007 18:05:35 +0200
To: netfilter@lists.netfilter.org

Hello,

Robert Ferney wrote:
>
> I have 10 DSL routers with associated internet connections.
> They are all configured to DNAT all traffic on their external
> interface to one internal Router.
>
> I'm trying to DNAT all web traffic to a webserver at 192.168.7.4
> It is working for the first connection, but it fails on the remainder
> What am I missing?

My guess is what you are missing is that the "un-DNAT" of the source
address in the reply packets from the server takes place in POSTROUTING,
too late for it to be taken into account by your routing rules, which
affect only packets generated by the internal router.

So your internal router needs to know to which gateway the reply packets
must be sent (depending on which gateway the original packet came from)
before the routing stage. This must be done in PREROUTING.

Here are two possible methods:

======================================================================

1) Match the original destination address of the incoming DNATed
connection in the reply packets.
This is done with the "--ctorigdst" option of the "conntrack" iptables match:

iptables -t mangle -A PREROUTING -i eth0 \
  -m conntrack --ctstate DNAT --ctorigdst 192.168.4.2 \
  -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -i eth0 \
  -m conntrack --ctstate DNAT --ctorigdst 192.168.4.6 \
  -j MARK --set-mark 0x2
[...]

Then you direct the marked packets to the alternate routing table:

ip rule add fwmark 0x1 lookup dsl1
ip rule add fwmark 0x2 lookup dsl2
[...]

======================================================================

2) Mark the connections with the CONNMARK iptables target.
This requires a kernel with connection mark support, i.e. at least
version 2.6.10 or patched with patch-o-matic-ng.

iptables -t mangle -A PREROUTING -i eth2 -m state --state NEW \
  -d 192.168.4.2 -p tcp --dport 80 -j CONNMARK --set-mark 0x1
iptables -t mangle -A PREROUTING -i eth2 -m state --state NEW \
  -d 192.168.4.6 -p tcp --dport 80 -j CONNMARK --set-mark 0x2
[...]

This sets a "connection mark" on new _connections_ (not on individual
packets) incoming on eth2 depending on the original destination address.
Then copy the connection mark into the mark of reply packets incoming on
eth0:

iptables -t mangle -A PREROUTING -i eth0 -m connmark --mark 0x1 \
  -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i eth0 -m connmark --mark 0x2 \
  -j CONNMARK --restore-mark
[...]

The "ip rule" commands are the same as in 1).
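As an added example (not part of Pascal's mail), the shell function below generates the complete method-1 rule set for an inventory of DSL routers: the per-gateway routing table with its default route, the DNAT for incoming web traffic, the conntrack-based MARK rule for the reply packets, and the matching fwmark rule. It assumes eth0 faces the web server and eth2 the DSL routers (the interfaces used in method 2 of the mail); the DSL routers' own addresses (192.168.4.1, 192.168.4.5) are constructed, and the table names are assumed to exist in /etc/iproute2/rt_tables.

```shell
#!/bin/sh
# Added example, not from the original mail: generate the method-1 rules
# (conntrack --ctorigdst + fwmark policy routing) for N DSL routers.
# Assumptions: eth2 faces the DSL routers, eth0 faces the web server
# (interfaces as in method 2 of the mail); each table name must also
# exist in /etc/iproute2/rt_tables. Output is printed for review, not run.

LAN_IF=eth0          # replies from the web server arrive here
DSL_IF=eth2          # new connections from the DSL routers arrive here
WEB_SERVER=192.168.7.4

# Constructed inventory: "table internal_router_address dsl_router_address".
# The first two columns use the addresses from the mail; the DSL routers'
# own addresses (.1, .5) are assumed.
GATEWAYS='dsl1 192.168.4.2 192.168.4.1
dsl2 192.168.4.6 192.168.4.5'

# gen_rules INVENTORY: print one rule set per gateway; mark = line number.
gen_rules() {
    mark=0
    printf '%s\n' "$1" | while read -r table local_addr gw; do
        [ -n "$table" ] || continue
        mark=$((mark + 1))
        hexmark=$(printf '0x%x' "$mark")
        # Alternate routing table: default route through this DSL router.
        echo "ip route add default via $gw dev $DSL_IF table $table"
        # Incoming web traffic that reached us via this gateway goes to the server.
        echo "iptables -t nat -A PREROUTING -i $DSL_IF -d $local_addr" \
             "-p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER"
        # Reply packets: match the original destination of the DNATed
        # connection and mark them before the routing decision.
        echo "iptables -t mangle -A PREROUTING -i $LAN_IF -m conntrack" \
             "--ctstate DNAT --ctorigdst $local_addr -j MARK --set-mark $hexmark"
        # Marked packets are routed with this gateway's table.
        echo "ip rule add fwmark $hexmark lookup $table"
    done
}

gen_rules "$GATEWAYS"
```

Extending the inventory to all 10 routers only requires adding lines to GATEWAYS; the marks and tables follow automatically.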