From: "Humberto Jucá" <betolj@gmail.com>
To: "Ellad G. Yatsko" <eyatsko@ngs.ru>
Cc: netfilter@vger.kernel.org
Subject: Re: Iptables NAT with two external Interfaces
Date: Thu, 3 May 2012 20:17:21 -0400 [thread overview]
Message-ID: <CACuyg27u3_1+3hrEmtkwMVTXHiCxMcyuuaysZ30SLNVhTepK=g@mail.gmail.com> (raw)
In-Reply-To: <4FA24C69.4000607@ngs.ru>
Hello,
It was quite confusing ... a diagram would greatly help.
1. What is the prefix size of your AS? (/24 or /20).
If your IP block is "/20", you can make "/24" announcements per BGP peer.
2. Is one link based on static routing and the other on BGP? This
was confusing.
3. What does your routing table (FIB) look like?
route -n or ip route ls
ip rule ls
4. Is your firewall configured to accept this asymmetric routing?
What exactly do you want?
2012/5/3 Ellad G. Yatsko <eyatsko@ngs.ru>:
> Hello!
>
> Could you help me with one very specific issue?
>
> - I have an Ubuntu router with several interfaces, with Quagga/BGP running on
> it and, of course, iptables with NAT for internal users;
>
> - One interface is used to connect to the ISP; it has the ISP's IP address. For
> definiteness it is 89.222.233.165. Ubuntu connects to the ISP's network via this
> IP;
>
> - Another interface is the DMZ, with its own IP address (delegated by RIPE NCC)
> from our own Autonomous System: 91.223.181.1;
>
> - The DMZ is terminated on a Cisco 2821 (one subinterface, 91.223.181.2), which is
> connected to the second ISP (via a second subinterface with an IP from the second ISP:
> 188.35.132.79).
>
> - There is specific routing: each of my "borders" marks a part of the prefixes
> received from the corresponding ISP with a higher LocalPref: Ubuntu marks prefixes
> 0.0.0.0-127.0.0.0, and Cisco marks prefixes 128.0.0.0 up to 224.0.0.0.
> That is, if the destination IP is above 128.0.0.0, Ubuntu prefers to send the
> packet to the directly connected ISP; if it is below 128.0.0.0,
> Ubuntu prefers to route the packet through the DMZ. This is done to utilize both
> uplinks evenly.
> I need to explain one important detail: both of my ISPs are connected to the
> same higher-level ISP, which uses only one ISP of my pair to
> direct incoming traffic into my AS. So there is no other opportunity for
> balancing except for egress traffic.
>
> - Ubuntu has internal interfaces to give its internal users access to the
> Internet. Internal users have "private" IPs which are NATted on Ubuntu's
> external interfaces.
>
> - Now the actual question: with probability 50%, a packet from internal users
> can be sent through one of Ubuntu's external interfaces and the reply can return
> through the other. In that case NAT does not work. Here is the relevant part of my
> configuration:
> $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $INTERNAL -d $EXTERNAL -j SNAT
> --to $DMZ_IP
> $IPTABLES -t nat -A POSTROUTING -o $DMZ_IF -s $INTERNAL -d $EXTERNAL -j SNAT
> --to $DMZ_IP
>
> What can I do except:
> $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $INTERNAL -d $EXTERNAL -j SNAT
> --to $EXT_IP
> $IPTABLES -t nat -A POSTROUTING -o $DMZ_IF -s $INTERNAL -d $EXTERNAL -j SNAT
> --to $DMZ_IP
>
> The difference from the two rules above is "$EXT_IP" in the first line. In that case everything
> works fine. But I need to hide the ISP's IP from the external world. I need to show
> only my own IPs to others. That is the highest priority. Again, can you help me
> find an answer? Are there some "secret commands" for iptables to make NAT
> ignore the ingress interface when de-NATting replies? For example, FreeBSD's PF can
> do correct "back" translations independently of the interface on which the
> reply packet arrived. Ubuntu has replaced FreeBSD as the central
> router for a range of reasons (one of them is stability), but now I have big
> trouble! :-)
>
> He-e-e-lp!...
>
> Kind regards,
> Ellad
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
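The asymmetry Ellad describes can be reasoned about before touching the router. The following is an added example, not code from either poster: it models the egress split stated in the post ("That is, if the destination IP is above 128.0.0.0 ... directly connected ISP; below 128.0.0.0 ... through the DMZ"), applies each of the two SNAT rule sets, and reports for a destination which interface the packet leaves on, which interface the reply comes back on, and whether Linux reverse-path filtering (net.ipv4.conf.<if>.rp_filter) would drop that reply. The interface names eth0/eth1, the sample destination addresses, and the assumption that traffic for the AS prefix 91.223.181.0/24 is handed to the router via the DMZ side (the post only says the upstream uses one of the two ISPs for inbound traffic) are mine, not facts from the thread.

```python
import ipaddress
from typing import Dict, List, Tuple

# Addresses as given in Ellad's post; the interface names are assumed.
EXT_IF = "eth0"                                   # link to the first ISP
EXT_IP = ipaddress.ip_address("89.222.233.165")   # ISP-assigned address on that link
DMZ_IF = "eth1"                                   # DMZ towards the Cisco 2821
DMZ_IP = ipaddress.ip_address("91.223.181.1")     # address from the router's own AS

# Egress preference as described in the post: destinations below 128.0.0.0 leave
# via the DMZ (Cisco), destinations at or above 128.0.0.0 via the direct ISP link.
EGRESS_POLICY: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("0.0.0.0/1"), DMZ_IF),
    (ipaddress.ip_network("128.0.0.0/1"), EXT_IF),
]

# Which interface a packet addressed to one of the router's public addresses
# arrives on. ASSUMPTION: the upstream delivers the AS prefix through the second
# ISP, i.e. via the Cisco/DMZ; the ISP-assigned address is only reachable on eth0.
INGRESS_BY_ADDRESS: Dict[ipaddress.IPv4Address, str] = {EXT_IP: EXT_IF, DMZ_IP: DMZ_IF}

# The two SNAT rule sets from the post, keyed by outgoing interface.
SNAT_ALL_DMZ = {EXT_IF: DMZ_IP, DMZ_IF: DMZ_IP}   # first ruleset: always --to $DMZ_IP
SNAT_PER_IF = {EXT_IF: EXT_IP, DMZ_IF: DMZ_IP}    # second ruleset: --to the egress interface's address

# Constructed sample destinations, two on each side of 128.0.0.0.
SAMPLE_DSTS = ["8.8.8.8", "93.184.216.34", "198.51.100.7", "208.67.222.222"]


def egress_if(dst) -> str:
    """Longest-prefix match of dst against the egress policy; returns the outgoing interface."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, ifname in EGRESS_POLICY:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    if best is None:
        raise ValueError(f"no egress route for {addr}")
    return best[1]


def analyse_flow(snat_policy: Dict[str, ipaddress.IPv4Address], dst) -> dict:
    """Trace one internal->external flow: egress interface, SNAT source, reply interface, symmetry."""
    out_if = egress_if(dst)
    snat_ip = snat_policy[out_if]
    reply_if = INGRESS_BY_ADDRESS[snat_ip]
    return {
        "egress_if": out_if,
        "snat_to": str(snat_ip),
        "reply_if": reply_if,
        "symmetric": out_if == reply_if,
    }


def rp_filter_verdict(mode: int, in_if: str, src) -> str:
    """Linux rp_filter on the reply: 0 = off, 1 = strict (accept only if the best
    route back to src leaves via in_if), 2 = loose (accept if any route to src exists;
    the policy above always has one)."""
    if mode in (0, 2):
        return "accept"
    if mode == 1:
        return "accept" if egress_if(src) == in_if else "drop"
    raise ValueError(f"unknown rp_filter mode {mode}")


def asymmetric_share(snat_policy: Dict[str, ipaddress.IPv4Address], dsts) -> float:
    """Fraction of sample flows whose reply arrives on a different interface than the request left."""
    broken = sum(1 for d in dsts if not analyse_flow(snat_policy, d)["symmetric"])
    return broken / len(dsts)


if __name__ == "__main__":
    for name, policy in (("SNAT all to DMZ_IP", SNAT_ALL_DMZ), ("SNAT per interface", SNAT_PER_IF)):
        print(f"== {name}: asymmetric share {asymmetric_share(policy, SAMPLE_DSTS):.0%}")
        for d in SAMPLE_DSTS:
            r = analyse_flow(policy, d)
            verdict = rp_filter_verdict(1, r["reply_if"], d)
            print(f"  {d:16} out {r['egress_if']} as {r['snat_to']:15} reply in {r['reply_if']} "
                  f"symmetric={r['symmetric']} strict-rp_filter={verdict}")
```

Run as a script it prints the four sample flows under each rule set: with both rules translating to $DMZ_IP, every destination at or above 128.0.0.0 leaves on eth0 but its reply comes back on eth1, which is the "50%" Ellad observes, and with strict rp_filter enabled on eth1 that reply is dropped before the nat table ever sees it. Comparing `sysctl net.ipv4.conf.all.rp_filter` and the per-interface values on the real router against the verdicts here is a quick way to answer Humberto's fourth question.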
2012-05-03 9:14 Iptables NAT with two external Interfaces Ellad G. Yatsko
2012-05-03 14:46 ` Ellad G. Yatsko
2012-05-03 15:06 ` Lloyd Standish
2012-05-06 13:51 ` Jan Engelhardt
2012-05-04 0:17 ` Humberto Jucá [this message]