netfilter.vger.kernel.org archive mirror
* Iptables NAT with two external Interfaces
@ 2012-05-03  9:14 Ellad G. Yatsko
  2012-05-03 14:46 ` Ellad G. Yatsko
  2012-05-04  0:17 ` Humberto Jucá
  0 siblings, 2 replies; 5+ messages in thread
From: Ellad G. Yatsko @ 2012-05-03  9:14 UTC (permalink / raw)
  To: netfilter

Hello!

Could you help me with one very specific issue?

- I have an Ubuntu router with several interfaces, with Quagga/BGP running 
on it and, of course, IPTables with NAT for internal users;

- One interface is used to connect to the ISP; it has the ISP's IP address. 
For definiteness it is 89.222.233.165. Ubuntu connects to the ISP's network 
via this IP;

- Another interface is the DMZ, with its own IP address (delegated by RIPE 
NCC) from my own Autonomous System: 91.223.181.1;

- The DMZ is terminated on a Cisco 2821 (one subinterface 91.223.181.2) 
which is connected to the second ISP (via a second subinterface with an IP 
from the second ISP: 188.35.132.79).

- There is specific routing: each of my "borders" marks a part of the 
prefixes received from its ISP with a higher LocalPref: Ubuntu marks 
prefixes 0.0.0.0-127.0.0.0, and Cisco marks prefixes 128.0.0.0 up to 
224.0.0.0.
That is, if the destination IP is above 128.0.0.0 Ubuntu prefers to send 
the packet to the directly connected ISP; if it is below 128.0.0.0 Ubuntu 
prefers to route the packet through the DMZ. This is done to utilize both 
uplinks evenly.
I need to explain one important detail: both of my ISPs are connected to 
the same higher-level ISP, which uses only one ISP of my pair to direct 
incoming traffic into my AS. So there is no opportunity for balancing 
except for egress traffic.

- Ubuntu has internal interfaces to give its internal users access to the 
Internet. Internal users have "private" IPs which are "NATted" on Ubuntu's 
external interfaces.

- Now the actual question: with 50% probability a packet from internal 
users can be sent through one of Ubuntu's external interfaces and the 
reply can return through the other. In that case NAT is not working. Here 
is the relevant part of my configuration:
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $INTERNAL -d $EXTERNAL -j SNAT --to $DMZ_IP
$IPTABLES -t nat -A POSTROUTING -o $DMZ_IF -s $INTERNAL -d $EXTERNAL -j SNAT --to $DMZ_IP

What can I do except:
$IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $INTERNAL -d $EXTERNAL -j SNAT --to $EXT_IP
$IPTABLES -t nat -A POSTROUTING -o $DMZ_IF -s $INTERNAL -d $EXTERNAL -j SNAT --to $DMZ_IP

The difference from the two above is "$EXT_IP" in the first line. In that 
case everything works fine. But I need to hide the ISP's IP from the 
external world. I need to show others my own IPs only. That is the highest 
priority. Again, could you help me find an answer? Are there some "secret 
commands" for IPTables to make NAT ignore the ingress interface when 
de-NATting replies? For example, FreeBSD's PF can do correct "back" 
translations independently of the interface the reply packet arrives on. 
Ubuntu has replaced FreeBSD as the central router for a number of reasons 
(one of them is stability), but now I have big trouble! :-)

He-e-e-lp!...

Kind regards,
Ellad

^ permalink raw reply	[flat|nested] 5+ messages in thread
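The post asks whether netfilter can reverse-translate a reply that comes back on a different interface from the one the SNATted packet left on. The following is an added illustrative model, not code from the thread or from any poster: it mimics how a conntrack-style NAT table is keyed on the flow tuple (no interface in the key, so the reverse translation itself is found regardless of the ingress link) and then applies a strict reverse-path check of the kind the kernel performs during routing. That reverse-path interaction is an assumption offered as one thing worth checking on a router with two uplinks, not the thread's diagnosis. The public addresses and the 128.0.0.0 egress split are taken from the post; the interface names eth0/eth1, the private client address and the port numbers are constructed.

```python
"""Added model (not from the thread) of how netfilter reverse-translates
SNAT replies and how a strict reverse-path filter can drop a reply that
returns over the other uplink.  Public addresses are the ones in the post;
interface names, the private client address and the ports are constructed."""
import ipaddress
from dataclasses import dataclass

EXT_IF, DMZ_IF = "eth0", "eth1"                     # interface names: assumed
EXT_IP = ipaddress.ip_address("89.222.233.165")     # ISP's address (from the post)
DMZ_IP = ipaddress.ip_address("91.223.181.1")       # own-AS address (from the post)
SPLIT = ipaddress.ip_address("128.0.0.0")           # egress split described in the post

# The two POSTROUTING rule sets from the post: egress interface -> SNAT source.
SNAT_SAME = {EXT_IF: DMZ_IP, DMZ_IF: DMZ_IP}        # first set: DMZ_IP on both links
SNAT_PER_IF = {EXT_IF: EXT_IP, DMZ_IF: DMZ_IP}      # second set: each link's own IP


def egress_interface(addr):
    """Route choice as the post describes it: destinations at or above
    128.0.0.0 leave via the direct ISP link, lower ones via the DMZ/Cisco."""
    return EXT_IF if ipaddress.ip_address(addr) >= SPLIT else DMZ_IF


@dataclass(frozen=True)
class Tuple5:
    """Minimal flow key; the protocol is implied (TCP/UDP-style ports)."""
    src: str
    sport: int
    dst: str
    dport: int


class ConntrackNAT:
    """Conntrack-style NAT table keyed on the expected reply tuple.  The
    ingress interface is not part of the key, which is why the entry is
    found no matter which link the reply arrives on."""

    def __init__(self, policy):
        self.policy = policy      # egress interface -> SNAT address
        self.table = {}           # reply tuple -> original (pre-NAT) tuple

    def outbound(self, pkt):
        """Route the packet, apply the SNAT rule for that egress interface and
        record the reply tuple.  Returns (egress interface, translated tuple)."""
        oif = egress_interface(pkt.dst)
        snat_ip = str(self.policy[oif])
        translated = Tuple5(snat_ip, pkt.sport, pkt.dst, pkt.dport)
        self.table[Tuple5(pkt.dst, pkt.dport, snat_ip, pkt.sport)] = pkt
        return oif, translated

    def inbound(self, pkt, iif, rp_filter=1):
        """Reverse translation (PREROUTING), then the reverse-path check that
        runs during routing.  rp_filter: 1 strict, 2 loose, 0 off.
        Returns (verdict, de-NATted tuple or None)."""
        orig = self.table.get(pkt)
        if orig is None:
            return "no-conntrack-entry", None
        denat = Tuple5(pkt.src, pkt.sport, orig.src, orig.sport)
        # Strict mode: the best route back to the reply's source must leave
        # via the interface the reply arrived on; loose mode only needs some
        # route to exist, which every address has in this model.
        if rp_filter == 1 and egress_interface(pkt.src) != iif:
            return "rp_filter-drop", denat
        return "accept", denat


if __name__ == "__main__":
    ct = ConntrackNAT(SNAT_SAME)
    oif, out = ct.outbound(Tuple5("10.0.0.5", 40000, "200.1.1.1", 443))
    reply = Tuple5(out.dst, out.dport, out.src, out.sport)
    print("left via", oif, "as", out.src)
    print("reply on", DMZ_IF, "strict:", ct.inbound(reply, DMZ_IF)[0])
    print("reply on", DMZ_IF, "loose: ", ct.inbound(reply, DMZ_IF, 2)[0])
```

With the first rule set, a flow to an address above 128.0.0.0 leaves the direct ISP link as 91.223.181.1; if the reply enters through the DMZ, the model still finds and reverses the translation, but the strict reverse-path check drops it because the best route back to the remote host is the other interface. A practitioner can compare this against the real box with `sysctl net.ipv4.conf.all.rp_filter` (and the per-interface keys) and against the conntrack state; loose mode (value 2) exists in the kernel for exactly this multi-homed situation, but whether it applies to the poster's setup is the assumption stated above.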

* Re: Iptables NAT with two external Interfaces
  2012-05-03  9:14 Iptables NAT with two external Interfaces Ellad G. Yatsko
@ 2012-05-03 14:46 ` Ellad G. Yatsko
  2012-05-03 15:06   ` Lloyd Standish
  2012-05-04  0:17 ` Humberto Jucá
  1 sibling, 1 reply; 5+ messages in thread
From: Ellad G. Yatsko @ 2012-05-03 14:46 UTC (permalink / raw)
  To: netfilter

Is anybody here? Does anybody hear me? :-) Did I break some rules, since 
nobody answered, or was my question (or English) very difficult to 
understand? Excuse me please if I am wrong!

Kind regards,
Ellad

> Hello!
>
> Could you help me with one very specific issue?
>
> - I have an Ubuntu router with several interfaces, with Quagga/BGP 
> running on it and, of course, IPTables with NAT for internal users;
>
> - One interface is used to connect to the ISP; it has the ISP's IP 
> address. For definiteness it is 89.222.233.165. Ubuntu connects to the 
> ISP's network via this IP;
>
> - Another interface is the DMZ, with its own IP address (delegated by 
> RIPE NCC) from my own Autonomous System: 91.223.181.1;
>
> - The DMZ is terminated on a Cisco 2821 (one subinterface 91.223.181.2) 
> which is connected to the second ISP (via a second subinterface with an 
> IP from the second ISP: 188.35.132.79).
>
> - There is specific routing: each of my "borders" marks a part of the 
> prefixes received from its ISP with a higher LocalPref: Ubuntu marks 
> prefixes 0.0.0.0-127.0.0.0, and Cisco marks prefixes 128.0.0.0 up to 
> 224.0.0.0.
> That is, if the destination IP is above 128.0.0.0 Ubuntu prefers to 
> send the packet to the directly connected ISP; if it is below 128.0.0.0 
> Ubuntu prefers to route the packet through the DMZ. This is done to 
> utilize both uplinks evenly.
> I need to explain one important detail: both of my ISPs are connected 
> to the same higher-level ISP, which uses only one ISP of my pair to 
> direct incoming traffic into my AS. So there is no opportunity for 
> balancing except for egress traffic.
>
> - Ubuntu has internal interfaces to give its internal users access to 
> the Internet. Internal users have "private" IPs which are "NATted" on 
> Ubuntu's external interfaces.
>
> - Now the actual question: with 50% probability a packet from internal 
> users can be sent through one of Ubuntu's external interfaces and the 
> reply can return through the other. In that case NAT is not working. 
> Here is the relevant part of my configuration:
> $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $INTERNAL -d $EXTERNAL -j SNAT --to $DMZ_IP
> $IPTABLES -t nat -A POSTROUTING -o $DMZ_IF -s $INTERNAL -d $EXTERNAL -j SNAT --to $DMZ_IP
>
> What can I do except:
> $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $INTERNAL -d $EXTERNAL -j SNAT --to $EXT_IP
> $IPTABLES -t nat -A POSTROUTING -o $DMZ_IF -s $INTERNAL -d $EXTERNAL -j SNAT --to $DMZ_IP
>
> The difference from the two above is "$EXT_IP" in the first line. In 
> that case everything works fine. But I need to hide the ISP's IP from 
> the external world. I need to show others my own IPs only. That is the 
> highest priority. Again, could you help me find an answer? Are there 
> some "secret commands" for IPTables to make NAT ignore the ingress 
> interface when de-NATting replies? For example, FreeBSD's PF can do 
> correct "back" translations independently of the interface the reply 
> packet arrives on. Ubuntu has replaced FreeBSD as the central router 
> for a number of reasons (one of them is stability), but now I have big 
> trouble! :-)
>
> He-e-e-lp!...
>
> Kind regards,
> Ellad
> -- 
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>



* Re: Iptables NAT with two external Interfaces
  2012-05-03 14:46 ` Ellad G. Yatsko
@ 2012-05-03 15:06   ` Lloyd Standish
  2012-05-06 13:51     ` Jan Engelhardt
  0 siblings, 1 reply; 5+ messages in thread
From: Lloyd Standish @ 2012-05-03 15:06 UTC (permalink / raw)
  To: netfilter, Ellad G. Yatsko

On Thu, 03 May 2012 08:46:37 -0600, Ellad G. Yatsko <eyatsko@ngs.ru> wrote:

> Is anybody here? Does anybody hear me?  Did I break some rules, since nobody answered,
> or was my question (or English) very difficult to understand?  Excuse me please if I am wrong!
> Kind regards,
> Ellad

Ellad,

I think 5.5 hours after your first post is much too soon to assume that nobody will answer.  You should be more patient.  People on this list are in diverse time zones; many may have been sleeping when you first posted, or may still be at work.

If after a couple of days nobody answers, then you might try simplifying/clarifying/rewording, and perhaps include an ASCII network diagram, which makes it much easier for someone to quickly understand your situation.  But I don't think simply reposting the same request is proper "netiquette."

Remember that the people who answer questions here are busy people and any advice they give is a favor, not an obligation.

--
Lloyd


* Re: Iptables NAT with two external Interfaces
  2012-05-03  9:14 Iptables NAT with two external Interfaces Ellad G. Yatsko
  2012-05-03 14:46 ` Ellad G. Yatsko
@ 2012-05-04  0:17 ` Humberto Jucá
  1 sibling, 0 replies; 5+ messages in thread
From: Humberto Jucá @ 2012-05-04  0:17 UTC (permalink / raw)
  To: Ellad G. Yatsko; +Cc: netfilter

Hello,

It was quite confusing ... a diagram would greatly help.

1. What is the prefix size of your AS? (/24 or /20).
    If your IP block is "/20", you can make "/24" announcements per BGP peer.

2. Is one link based on static routing and the other on BGP? This
was confusing.

3. What does your routing table (FIB) look like?
    route -n or ip route ls
    ip rule ls

4. Is your firewall configured to accept this asymmetric routing?

What exactly do you want?

2012/5/3 Ellad G. Yatsko <eyatsko@ngs.ru>:
> Hello!
>
> Could you help me with one very specific issue?
>
> - I have an Ubuntu router with several interfaces, with Quagga/BGP running on
> it and, of course, IPTables with NAT for internal users;
>
> - One interface is used to connect to the ISP; it has the ISP's IP address. For
> definiteness it is 89.222.233.165. Ubuntu connects to the ISP's network via this
> IP;
>
> - Another interface is the DMZ, with its own IP address (delegated by RIPE NCC)
> from my own Autonomous System: 91.223.181.1;
>
> - The DMZ is terminated on a Cisco 2821 (one subinterface 91.223.181.2) which is
> connected to the second ISP (via a second subinterface with an IP from the second
> ISP: 188.35.132.79).
>
> - There is specific routing: each of my "borders" marks a part of the prefixes
> received from its ISP with a higher LocalPref: Ubuntu marks prefixes
> 0.0.0.0-127.0.0.0, and Cisco marks prefixes 128.0.0.0 up to 224.0.0.0.
> That is, if the destination IP is above 128.0.0.0 Ubuntu prefers to send the
> packet to the directly connected ISP; if it is below 128.0.0.0 Ubuntu prefers
> to route the packet through the DMZ. This is done to utilize both uplinks
> evenly.
> I need to explain one important detail: both of my ISPs are connected to the
> same higher-level ISP, which uses only one ISP of my pair to direct incoming
> traffic into my AS. So there is no opportunity for balancing except for egress
> traffic.
>
> - Ubuntu has internal interfaces to give its internal users access to the
> Internet. Internal users have "private" IPs which are "NATted" on Ubuntu's
> external interfaces.
>
> - Now the actual question: with 50% probability a packet from internal users
> can be sent through one of Ubuntu's external interfaces and the reply can
> return through the other. In that case NAT is not working. Here is the relevant
> part of my configuration:
> $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $INTERNAL -d $EXTERNAL -j SNAT --to $DMZ_IP
> $IPTABLES -t nat -A POSTROUTING -o $DMZ_IF -s $INTERNAL -d $EXTERNAL -j SNAT --to $DMZ_IP
>
> What can I do except:
> $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $INTERNAL -d $EXTERNAL -j SNAT --to $EXT_IP
> $IPTABLES -t nat -A POSTROUTING -o $DMZ_IF -s $INTERNAL -d $EXTERNAL -j SNAT --to $DMZ_IP
>
> The difference from the two above is "$EXT_IP" in the first line. In that case
> everything works fine. But I need to hide the ISP's IP from the external world.
> I need to show others my own IPs only. That is the highest priority. Again,
> could you help me find an answer? Are there some "secret commands" for IPTables
> to make NAT ignore the ingress interface when de-NATting replies? For example,
> FreeBSD's PF can do correct "back" translations independently of the interface
> the reply packet arrives on. Ubuntu has replaced FreeBSD as the central router
> for a number of reasons (one of them is stability), but now I have big
> trouble! :-)
>
> He-e-e-lp!...
>
> Kind regards,
> Ellad


* Re: Iptables NAT with two external Interfaces
  2012-05-03 15:06   ` Lloyd Standish
@ 2012-05-06 13:51     ` Jan Engelhardt
  0 siblings, 0 replies; 5+ messages in thread
From: Jan Engelhardt @ 2012-05-06 13:51 UTC (permalink / raw)
  To: Lloyd Standish; +Cc: netfilter, Ellad G. Yatsko

On Thursday 2012-05-03 17:06, Lloyd Standish wrote:

> On Thu, 03 May 2012 08:46:37 -0600, Ellad G. Yatsko <eyatsko@ngs.ru> wrote:
>
>> Is anybody here? Does anybody hear me?  Did I break some rules, since nobody
>> answered,
>> or was my question (or English) very difficult to understand?  Excuse me
>> please if I am wrong!
>> Kind regards,
>> Ellad
>
> Ellad,
>
> I think 5.5 hours after your first post is much too soon to assume that nobody
> will answer.  You should be more patient.  People on this list are in diverse
> time zones; many may have been sleeping when you first posted, or may still be
> at work.

Well, you can always get a support contract from diverse companies if you 
need things fast. ;)

