Linux Netfilter discussions
* multi-wan with conn-mark
@ 2009-01-19 16:45 Thomas Creutz
From: Thomas Creutz @ 2009-01-19 16:45 UTC (permalink / raw)
  To: netfilter

Hello,

I am trying to set up a multi-WAN connection with 2 DSL links. I followed the
example from

http://andthatsjazz.org/lartc/MultihomedLinuxNetworking.html

so I set up my pppd peers without the defaultroute option and
configured the routing as described on the page above.

Routing on the local machine is OK; I can reach all destinations.

My problem is that with this configuration NAT is not working any more,
so I can't reach the internet from a client which is connected on eth0 or
eth1. Also the routing between the local networks is not working.

Any idea what is wrong?

I attached the configuration as a text file, or use
http://pastebin.com/f1b9b33ab

Thanks for your help,
Thomas


[-- Attachment #2: config.txt --]
[-- Type: text/plain, Size: 9104 bytes --]

# uplink interfaces and their current addresses (ifconfig output parsed
# for the "inet addr:" line)
IF_INET1="ppp0"
IF_INET1_IP=`/sbin/ifconfig ${IF_INET1} 2>/dev/null | grep "inet" | grep -v inet6 | awk {'print $2'} | cut -d ':' -f2`

IF_INET2="ppp1"
IF_INET2_IP=`/sbin/ifconfig ${IF_INET2} 2>/dev/null | grep "inet" | grep -v inet6 | awk {'print $2'} | cut -d ':' -f2`

# mark new connections by the uplink they leave on, then save the mark on
# the conntrack entry (the save rule must come after the MARK rules)
iptables -A POSTROUTING -t mangle -j MARK --set-mark 1 -m state --state NEW -o $IF_INET1
iptables -A POSTROUTING -t mangle -j MARK --set-mark 2 -m state --state NEW -o $IF_INET2
iptables -A POSTROUTING -t mangle -j CONNMARK --save-mark -m state --state NEW
# restore the saved mark on every incoming packet of a known connection
iptables -A PREROUTING -t mangle -j CONNMARK --restore-mark
# source-NAT by mark, so each connection keeps the address of its uplink
iptables -A POSTROUTING -t nat -m mark --mark 1 -j SNAT --to-source $IF_INET1_IP
iptables -A POSTROUTING -t nat -m mark --mark 2 -j SNAT --to-source $IF_INET2_IP

proxy:~# LANG=C route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
217.0.116.46    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
217.0.116.46    0.0.0.0         255.255.255.255 UH    0      0        0 ppp1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.15.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0

proxy:~# ip route list
217.0.116.46 dev ppp0  proto kernel  scope link  src 84.169.89.45
217.0.116.46 dev ppp1  proto kernel  scope link  src 84.169.68.44
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.254
192.168.15.0/24 dev eth1  proto kernel  scope link  src 192.168.15.254
default
        nexthop dev ppp0 weight 1
        nexthop dev ppp1 weight 1

-- FILTER TABLE (complete iptables configuration) --
Chain INPUT (policy DROP 8 packets, 2891 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2412  213K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
   14   890 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0                                     
   12  2135 ACCEPT     0    --  eth0   *       192.168.0.1          0.0.0.0/0                                     
    1   229 ACCEPT     0    --  eth0   *       192.168.0.3          0.0.0.0/0                                     
    0     0 DROP       icmp -f  *      *       0.0.0.0/0            0.0.0.0/0                                     
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8               
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2222              
    0     0 ACCEPT     tcp  --  ppp1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2222              
   15  2505 C_ADM      0    --  eth0   *       192.168.0.0/24       0.0.0.0/0                                     
    0     0 ACCEPT     tcp  --  eth0   *       192.168.0.0/24       0.0.0.0/0           tcp dpt:80                
    0     0 ACCEPT     tcp  --  eth0   *       192.168.0.0/24       0.0.0.0/0           tcp dpt:443               
    0     0 C_MAC      tcp  --  eth0   *       192.168.0.0/24       0.0.0.0/0           tcp dpt:3128              
    0     0 C_SQD      tcp  --  eth0   *       192.168.0.0/24       0.0.0.0/0           tcp dpt:3128              
   15  2505 ACCEPT     0    --  eth0   *       192.168.0.0/24       0.0.0.0/0                                     
   19  1639 ACCEPT     0    --  eth1   *       192.168.15.0/24      0.0.0.0/0                                     

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  142  6816 TCPMSS     tcp  --  *      ppp1    0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
    0     0 TCPMSS     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
  224 16358 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED                
  182 10612 ACCEPT     0    --  eth0   *       192.168.0.1          0.0.0.0/0                                                    
    0     0 ACCEPT     0    --  eth0   *       192.168.0.3          0.0.0.0/0                                                    
    0     0 RETURN     0    --  eth0   eth1    192.168.0.0/24       192.168.15.0/24                                              
    0     0 C_MAC      0    --  eth0   ppp0    192.168.0.0/24       0.0.0.0/0                                                    
    0     0 C_MAC      0    --  eth0   ppp1    192.168.0.0/24       0.0.0.0/0                                                    
    0     0 C_FWD      0    --  eth0   *       192.168.0.0/24       0.0.0.0/0                                                    
    0     0 ACCEPT     0    --  eth1   eth0    192.168.15.0/24      192.168.0.0/24                                               
    0     0 ACCEPT     0    --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           MAC XX:XX:XX:XX:XX:XX                
    0     0 ACCEPT     0    --  eth1   ppp0    192.168.15.0/24      0.0.0.0/0                                                    
    0     0 ACCEPT     0    --  eth1   ppp1    192.168.15.0/24      0.0.0.0/0                                                    
    0     0 ACCEPT     tcp  --  ppp0   eth0    0.0.0.0/0            192.168.0.3         tcp dpt:443                              
    0     0 ACCEPT     tcp  --  ppp0   eth0    0.0.0.0/0            192.168.0.1         tcp dpt:1723                             
    0     0 ACCEPT     47   --  ppp0   eth0    0.0.0.0/0            192.168.0.1                                                  

Chain OUTPUT (policy ACCEPT 2205 packets, 224K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  110 32509 ACCEPT     0    --  *      lo      0.0.0.0/0            0.0.0.0/0           

Chain C_ADM (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain C_FWD (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain C_MAC (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           MAC XX:XX:XX:XX:XX:XX
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           MAC XX:XX:XX:XX:XX:XX
    0     0 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain C_SQD (1 references)
 pkts bytes target     prot opt in     out     source               destination

-- MANGLE TABLE --
Chain PREROUTING (policy ACCEPT 418K packets, 190M bytes)
 pkts bytes target     prot opt in     out     source               destination
 2897  251K CONNMARK   0    --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore

Chain INPUT (policy ACCEPT 237K packets, 86M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 180K packets, 104M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 270K packets, 98M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 430K packets, 200M bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   582 MARK       0    --  *      ppp0    0.0.0.0/0            0.0.0.0/0           state NEW MARK set 0x1
   16   792 MARK       0    --  *      ppp1    0.0.0.0/0            0.0.0.0/0           state NEW MARK set 0x2
  202 12117 CONNMARK   0    --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW CONNMARK save

-- NAT TABLE --
Chain PREROUTING (policy ACCEPT 21038 packets, 1419K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:192.168.0.3:443
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1723 to:192.168.0.1:1723
    0     0 DNAT       47   --  ppp0   *       0.0.0.0/0            0.0.0.0/0           to:192.168.0.1

Chain POSTROUTING (policy ACCEPT 4175 packets, 225K bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   582 SNAT       0    --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x1 to:84.169.89.45
   16   792 SNAT       0    --  *      *       0.0.0.0/0            0.0.0.0/0           MARK match 0x2 to:84.169.68.44
    0     0 MASQUERADE  0    --  *      ppp0    0.0.0.0/0            0.0.0.0/0
    0     0 MASQUERADE  0    --  *      ppp1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 10811 packets, 647K bytes)
 pkts bytes target     prot opt in     out     source               destination
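The following script is an added example and not part of the original thread or of the LARTC page it links to. It builds the connmark + SNAT rule set from the attachment for any number of uplinks, adds the `ip rule` / `ip route` policy-routing rules that let the restored mark select the return route (so replies leave on the uplink they arrived on), keeps the LAN prefixes on the main table even for marked packets, and includes a check over a `mangle POSTROUTING` listing for the rule-order mistake that silently leaves every new connection with mark 0. The routing table numbers (101, 102), the rule preferences (100, 201, 202), the function names and the `ip -4 -o addr show` line format are assumptions; `IPT` and `IP` default to `echo` so the generated commands can be reviewed as a dry run, and the sample address listing is constructed from the addresses in the thread.

```shell
#!/bin/sh
# Added example, not from the original thread: connmark + SNAT per uplink,
# policy routing by restored mark, and an order check for the mangle table.
# IPT and IP default to "echo ..." (dry run); run with IPT=iptables IP=ip to apply.
IPT="${IPT:-echo iptables}"
IP="${IP:-echo ip}"

# ip_of IFACE LISTING: first IPv4 address of IFACE taken from
# `ip -4 -o addr show` output (one line per address). Assumed line format:
#   "5: ppp0    inet 84.169.89.45 peer 217.0.116.46/32 scope global ppp0"
# A prefix length after the address ("/24") is stripped.
ip_of() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $2 == ifc && $3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# lan_rules NET...: LAN prefixes are always looked up in the main table,
# ahead of the fwmark rules; otherwise a marked reply destined for a LAN
# host would be sent back out through the uplink's default route.
lan_rules() {
    for net in "$@"; do
        $IP rule add to "$net" table main pref 100
    done
}

# uplink_rules IFACE MARK SNAT_IP TABLE: new connections leaving IFACE get
# MARK, are SNATed to SNAT_IP by mark, and packets carrying MARK (restored
# from the conntrack entry in PREROUTING) are routed via table TABLE,
# i.e. back out through the same uplink.
uplink_rules() {
    $IPT -t mangle -A POSTROUTING -o "$1" -m state --state NEW -j MARK --set-mark "$2"
    $IPT -t nat -A POSTROUTING -m mark --mark "$2" -j SNAT --to-source "$3"
    $IP rule add fwmark "$2" table "$4" pref $((200 + $2))
    $IP route add default dev "$1" table "$4"
}

# build_ruleset ADDR_LISTING: restore the mark before routing, then the
# per-uplink rules, and only then save the mark. The save rule must follow
# every MARK rule in mangle POSTROUTING, otherwise each new connection is
# saved with mark 0 and never matches an SNAT rule.
build_ruleset() {
    $IPT -t mangle -A PREROUTING -j CONNMARK --restore-mark
    lan_rules 192.168.0.0/24 192.168.15.0/24
    uplink_rules ppp0 1 "$(ip_of ppp0 "$1")" 101
    uplink_rules ppp1 2 "$(ip_of ppp1 "$1")" 102
    $IPT -t mangle -A POSTROUTING -m state --state NEW -j CONNMARK --save-mark
}

# mark_before_save LISTING: given `iptables -t mangle -L POSTROUTING -v -n`
# output, succeed (exit 0) only if no "MARK set" rule follows the
# "CONNMARK save" rule.
mark_before_save() {
    printf '%s\n' "$1" | awk '
        /CONNMARK save/ { seen_save = 1 }
        /MARK set/ && seen_save { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample `ip -4 -o addr show` output (addresses from the thread).
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.0.254/24 brd 192.168.0.255 scope global eth0
3: eth1    inet 192.168.15.254/24 brd 192.168.15.255 scope global eth1
5: ppp0    inet 84.169.89.45 peer 217.0.116.46/32 scope global ppp0
6: ppp1    inet 84.169.68.44 peer 217.0.116.46/32 scope global ppp1'

# Dry run: print the commands that would be executed.
build_ruleset "$SAMPLE_ADDRS"
```

To verify a live box the same way the check does, feed it `iptables -t mangle -L POSTROUTING -v -n` and confirm the `MARK set` rows precede the `CONNMARK save` row, as they do in the listing at the end of this message; `ip rule show` should then list the LAN rule at preference 100 ahead of the fwmark rules.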


* Re: multi-wan with conn-mark
From: Thomas Creutz @ 2009-01-20  7:44 UTC (permalink / raw)
  To: Brian Austin - Standardknit

Hello Brian

Brian Austin - Standardknit wrote:
> see if this helps..
> 
> http://versa.net.au/index.php?option=com_content&task=view&id=21&Itemid=34
> 
Thanks for your link :-)

The main problem for me is that most howtos use external DSL routers.
But one main difference I see in this howto is that the author sets
connmarks at some more points :-/ All other howtos I found set them
only in the PREROUTING and POSTROUTING chains.

Another question on this topic: when I switch to SNAT for the default
gateway, do I also have to connmark and SNAT the other routers in the local
area network? I don't think so, since I don't need NAT on the LAN.

But when I look over some snippets I see something like this

http://209.85.129.132/search?q=cache:3hmyGB8Jr5QJ:www.thaiadmin.org/board/index.php%3Ftopic%3D84571.0+iptables+%2B%22conn-mark%22+SNAT+port+forwarding&hl=de&ct=clnk&cd=16&gl=de&client=firefox-a
http://www.workman-engineering.com/Files/S35firewall

Thomas



* Re: multi-wan with conn-mark
From: Brian Austin - Standard Universal @ 2009-01-20  8:36 UTC (permalink / raw)
  To: Thomas Creutz

I think the thing to do is:
SNAT as you would normally, then
consider each case of packet flow and mark the packets accordingly. It
took me two weeks to achieve that page; I'm no expert.

b


Thomas Creutz wrote:
> Hello Brian
>
> Brian Austin - Standardknit wrote:
>> see if this helps..
>>
>> http://versa.net.au/index.php?option=com_content&task=view&id=21&Itemid=34
>>
> Thanks for your link :-)
>
> The main problem for me is that most howtos use external
> DSL routers. But one main difference I see in this howto is that
> the author sets connmarks at some more points :-/ All other howtos I
> found set them only in the PREROUTING and POSTROUTING chains.
>
> Another question on this topic: when I switch to SNAT for the default
> gateway, do I also have to connmark and SNAT the other routers in the
> local area network? I don't think so, since I don't need NAT on the LAN.
>
> But when I look over some snippets I see something like this
>
> http://209.85.129.132/search?q=cache:3hmyGB8Jr5QJ:www.thaiadmin.org/board/index.php%3Ftopic%3D84571.0+iptables+%2B%22conn-mark%22+SNAT+port+forwarding&hl=de&ct=clnk&cd=16&gl=de&client=firefox-a 
>
> http://www.workman-engineering.com/Files/S35firewall
>
> Thomas
