Linux Netfilter discussions
From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@vger.kernel.org
Subject: Re: can't port forward on multihome
Date: Sat, 20 Dec 2008 12:06:51 +0100
Message-ID: <494CD1CB.6040602@plouf.fr.eu.org>
In-Reply-To: <gih0o4$45n$1@ger.gmane.org>

Hello,

sean darcy wrote:
> I have a multihomed server: eth0 is a static T1, and eth3 is a Verizon 
> dsl line. I want eth3 as the default for general traffic, and eth0 for 
> VOIP traffic.
> 
> eth1 is the internal interface. eth3 works fine as the masquerade out 
> for NAT'd lan.
> 
> I've used ip to set up eth0 so I can ssh into it:
> 
> ## eth0 is static
> ETH0_IP_ADDR=www.xxx.yyy.zzz
> ip rule add from $ETH0_IP_ADDR/32 table 128 priority 128
> ## this is the route through the gateway ip
> ip route add default via <eth0 gateway ip> table 128
> 
> and that works. Which is important since that's the static address; the 
> Verizon dsl address is dynamic.
> 
> The VOIP server ( asterisk ) is on the lan. I've tried to port forward 
> ssh to the voip server:
> 
> $IPT -t nat -A PREROUTING  -p tcp --dport 2280 -j DNAT --to 10.10.10.180:22
> $IPT -A FORWARD -p tcp --dport 22 -m state --state NEW -d 10.10.10.180 -j ACCEPT
> 
> This works if I ssh to the eth3, the dynamic dsl interface:
> 
> ssh -p 2280 voip@<dsl ip address>
> 
> I get an ssh session on the voip server.
> 
> But:
> 
> ssh -p 2280 voip@<static ip address>
> 
> doesn't work. But I need to have others access the voip server using a 
> static ip, but not give them access to the multihomed server.


The ip rule won't work for reply packets sent by the server, because 
source address mangling occurs after the routing decision, so the source 
address is 10.10.10.180, not (yet) eth0's address. If Verizon drops 
packets sent with a source address other than the one assigned to eth3, 
then the client won't receive any reply and the connection will fail.

In order to route the reply packets using table 128, you need to 
identify them. I guess that 10.10.10.180:22 as the source address:port 
is not discriminant enough, as it matches connections forwarded from 
eth3 too.

You can use the CONNMARK target to mark the incoming connection on eth0 
and copy the connection mark to the reply packets on eth1. Then you can 
use the packet mark in an ip rule.

iptables -t mangle -A PREROUTING -i eth0 -m state --state NEW \
   -j CONNMARK --set-mark 0x1
iptables -t mangle -A PREROUTING -i eth1 -j CONNMARK --restore-mark
ip rule add fwmark 0x1 table 128 prio 127

As you used DNAT, you may use the --ctorigdst option of the 'conntrack' 
match and mark reply packets based on the original destination address 
of the connection.

iptables -t mangle -A PREROUTING -i eth1 \
   -m conntrack --ctorigdst $ETH0_IP_ADDR -j MARK --set-mark 0x1
ip rule add fwmark 0x1 table 128 prio 127
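A small Python model of the path this reply describes, added here as an illustration and not part of the thread: it replays the mangle PREROUTING step, the ip rule lookup by priority, and the fact that SNAT/MASQUERADE only runs afterwards, for the VoIP host's reply to a DNATed ssh connection. The addresses, the remote client, and the conntrack table keyed on the remote peer alone are constructed assumptions.

```python
from dataclasses import dataclass

ETH0_IP = "203.0.113.10"                  # static T1 address (placeholder)
DSL_IP = "198.51.100.77"                  # dynamic dsl address (placeholder)
ETH0_GW, ETH3_GW = "203.0.113.1", "198.51.100.1"
LAN_VOIP = "10.10.10.180"
TABLES = {128: ETH0_GW, "main": ETH3_GW}  # default gateway of each table
# ip rules as (priority, selector, table); the fix prepends "fwmark 0x1"
RULES_ORIG = [(128, {"from": ETH0_IP}, 128), (32766, {}, "main")]
RULES_MARK = [(127, {"fwmark": 0x1}, 128)] + RULES_ORIG
conntrack = {}  # remote peer -> connmark (real conntrack keys on 5-tuples)

@dataclass
class Packet:
    src: str
    dst: str
    iif: str
    mark: int = 0

def mangle_prerouting(pkt):
    """The two CONNMARK rules from the reply, run before the routing decision."""
    if pkt.iif == "eth0":          # -i eth0 --state NEW -j CONNMARK --set-mark 0x1
        conntrack[pkt.src] = 0x1
    elif pkt.iif == "eth1":        # -i eth1 -j CONNMARK --restore-mark
        pkt.mark = conntrack.get(pkt.dst, 0)

def route(pkt, rules):
    """ip rule lookup: the first rule whose selectors all match wins."""
    for _prio, sel, table in sorted(rules, key=lambda r: r[0]):
        if "from" in sel and sel["from"] != pkt.src:
            continue
        if "fwmark" in sel and sel["fwmark"] != pkt.mark:
            continue
        return TABLES[table]
    raise LookupError("no matching rule")

def reply_gateway(arrival_iface, use_connmark):
    """Gateway chosen for the VoIP host's reply to a DNATed ssh connection."""
    conntrack.clear()
    client = "192.0.2.50"          # constructed remote client
    dst = ETH0_IP if arrival_iface == "eth0" else DSL_IP
    syn = Packet(client, dst, arrival_iface)   # as seen before DNAT
    if use_connmark:
        mangle_prerouting(syn)
    # nat PREROUTING then DNATs dst to LAN_VOIP; the reply returns on eth1
    # with src still LAN_VOIP because SNAT/MASQUERADE runs only after routing
    reply = Packet(LAN_VOIP, client, "eth1")
    if use_connmark:
        mangle_prerouting(reply)
    return route(reply, RULES_MARK if use_connmark else RULES_ORIG)
```

Without the marks the reply never matches the "from eth0 address" rule and leaves via the dsl gateway; with them it lands in table 128, while connections that arrived on eth3 are unaffected.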

Thread overview: 5+ messages
2008-12-19 20:38 can't port forward on multihome sean darcy
2008-12-20 11:06 ` Pascal Hambourg [this message]
2008-12-28 20:53   ` sean darcy
2008-12-28 21:35     ` sean darcy
2008-12-29 11:24       ` Pascal Hambourg
