Linux Netfilter discussions
From: Bill Davidsen <davidsen@tmr.com>
To: netfilter@lists.netfilter.org
Subject: Fairly complex multi-ISP firewall/router problem
Date: Fri, 02 Apr 2004 15:57:03 -0500
Message-ID: <c4kjrg$lqm$1@gatekeeper.tmr.com>

I am trying to set up a single Linux router, RH9.0, for a non-profit I 
am supporting with some free consulting. They have two ISP lines, each 
of which has a three bit CIDR block, and an internal network.

Part one:

I want to have an IP for each of the services, mail and http, on each 
ISP, so that if DSL is down I can use cable, and vice versa. I will do 
NAT in the firewall, and forward the packets to the actual server. 
Eventually the servers will move to a DMZ after the other stuff settles 
down.

The problem is that a packet can come from any IP outside, and when the 
reply packet is sent out, it may go out either NIC. And that's the root 
of the problem: getting the source IP to match the NIC. I've added rules 
to the mangle table to MARK the packets, but that just doesn't seem to work 
reliably.

I want very much to do this without patching the kernel; I have two 
patches which seem to solve the problem on other systems, but 
maintaining a patched kernel long term is really undesirable, and makes 
it hard to turn over the job in the future.

All I want to do is send packets out the interface which matches the 
source IP, and I don't think there's any reasonable way to get there 
without patches or BSD.

Yes, I know about the lartc docs, nano.txt and several other things. The 
problem is that the marks don't reliably WORK, routing by destination IP 
is being used in some cases (but not all, which is really odd).

-- 
bill davidsen <davidsen@tmr.com>
   CTO TMR Associates, Inc
   Doing interesting things with small computers since 1979
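The configuration the mail is asking for, written out as an added example (this is not the poster's own setup, and nothing in the thread says it is what he ran). It is a dry-run generator for two-uplink policy routing with iproute2 and iptables: every address, interface name and table number is a constructed placeholder, and it assumes an iptables build that has the MARK and CONNMARK targets, which on a 2004-era kernel may be exactly the patch the poster wants to avoid.

```shell
#!/bin/sh
# Added example, not the poster's configuration: a dry-run generator for the
# two-uplink policy routing described in the mail. Every address, interface
# name and table number below is a constructed placeholder; it assumes iproute2
# and an iptables build with the MARK and CONNMARK targets.

ISP1_IF=eth1; ISP1_NET=198.51.100.0/29; ISP1_IP=198.51.100.2; ISP1_GW=198.51.100.1
ISP2_IF=eth2; ISP2_NET=203.0.113.0/29;  ISP2_IP=203.0.113.2;  ISP2_GW=203.0.113.1
LAN_IF=eth0;  LAN_NET=192.168.1.0/24;   MAIL_SRV=192.168.1.10

# DRY_RUN=1 (default) prints each command instead of running it.
: "${DRY_RUN:=1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# One routing table per ISP: the link route with that ISP's address as the
# preferred source, and that ISP's gateway as the default.
isp_table() {   # table-id iface net ip gw
  run ip route add "$3" dev "$2" src "$4" table "$1"
  run ip route add default via "$5" dev "$2" table "$1"
}

# Packets that already carry one of the public addresses as source (traffic the
# router itself originates, or LAN traffic after SNAT to that address) are
# routed by source address, as in the lartc multi-uplink recipe.
source_rules() {
  run ip rule add from "$ISP1_NET" table 1 pref 100
  run ip rule add from "$ISP2_NET" table 2 pref 101
}

# Replies from a DNAT'd server still carry the internal source address when the
# routing decision is taken (the reverse NAT happens in POSTROUTING), so the
# source rule above does not see them. Instead, mark each new connection by the
# interface it arrived on, keep the mark in the conntrack entry, restore it on
# the reply packets coming from the LAN, and route by mark.
mark_rules() {
  run iptables -t mangle -A PREROUTING -i "$ISP1_IF" -m state --state NEW -j MARK --set-mark 1
  run iptables -t mangle -A PREROUTING -i "$ISP2_IF" -m state --state NEW -j MARK --set-mark 2
  run iptables -t mangle -A PREROUTING -m state --state NEW -j CONNMARK --save-mark
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
  run ip rule add fwmark 1 table 1 pref 200
  run ip rule add fwmark 2 table 2 pref 201
}

# The same service (SMTP here) is reachable on one address per ISP and forwarded
# to the internal server; LAN-originated traffic is SNAT'd to whichever ISP
# address belongs to the interface it leaves on.
nat_rules() {
  for pub in "$ISP1_IP" "$ISP2_IP"; do
    run iptables -t nat -A PREROUTING -d "$pub" -p tcp --dport 25 -j DNAT --to-destination "$MAIL_SRV"
  done
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$ISP1_IF" -j SNAT --to-source "$ISP1_IP"
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$ISP2_IF" -j SNAT --to-source "$ISP2_IP"
}

setup_multi_isp() {
  isp_table 1 "$ISP1_IF" "$ISP1_NET" "$ISP1_IP" "$ISP1_GW"
  isp_table 2 "$ISP2_IF" "$ISP2_NET" "$ISP2_IP" "$ISP2_GW"
  source_rules
  mark_rules
  nat_rules
  run ip route flush cache
}

# "sh multi-isp.sh" prints the plan; "DRY_RUN=0 sh multi-isp.sh" applies it as root.
setup_multi_isp
```

Run it once in dry-run mode and read the plan before applying it. The two halves do different jobs: the `ip rule ... from` lines cover packets whose source is already a public address at routing time, while the MARK/CONNMARK lines cover replies to forwarded connections, whose source is still the internal server address when the kernel picks the route. If the mark-based half misbehaves, `iptables -t mangle -L PREROUTING -v` shows which of the four mangle rules are actually matching, and `ip rule show` confirms the fwmark rules sit above the main table.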
