On Mon, 1 Apr 2002 russ@essentialmix.ca wrote:

> Hey guys, can anyone comment on this if it is possible?
>
> My setup:
>
> Linux Box   Cable
> _____  E0   _____
> |   |_______|___|____
> |   |
> |   |        DSL
> |   |  E1   _____
> |   |_______|___|____
> |___|
>
>
> Hopefully everyone can interpret my diagram. Anyhow, I have an FTP
> server running off the Linux Box. The DNS resolves to Eth0 which is the
> NIC attached to the Cable modem provider and the default route is set to
> the Cable next-hop. Eth1 is attached to My Network. What I would like to
> happen is that all incoming FTP traffic to Eth0 will always return out
> Eth0 through the Cable ISP. Any other traffic will take the DSL provider
> via a default route to the DSL next-hop
>
> I can think of 2 ways to do this:
>
> 1) Mark FTP traffic and create a rule to set the next-hop to the Cable
> default route
>
> 2) Configure policy routing such that if traffic is destined to Eth0 IP
> address, the next-hop is set to the Cable provider.

The latter is better. :)

> Because there is a default route configured on the linux box to the Cable
> ISP, all return traffic regardless of the interface it was received on
> will always take the Cable ISP. I would prefer option #2. Can anyone
> shed some light on the config necessary to do this? This is pretty quick
> and dirty with policy routing on IOS, but I am struggling a little bit on
> the linux config. Thanks all!

Very well:

One creates two additional routing tables, say E0 and E1. These are added
in /etc/iproute2/rt_tables. Then you set up routing in these tables as
follows:

    ip route add $CABLE_GW dev eth0 src $IP_ETH0 table E0
    ip route add default via $CABLE_GW table E0
    ip route add $DSL_GW dev eth1 src $IP_ETH1 table E1
    ip route add default via $DSL_GW table E1

Next you set up the main routing table. It is usually a good idea to route
things to the direct neighbour through the interface connected to that
neighbour.
Note the `src' arguments, they make sure the right outgoing IP address is
chosen.

    ip route add $CABLE_GW dev eth0 src $IP_ETH0
    ip route add $DSL_GW dev eth1 src $IP_ETH1
    ip route add $CABLE_NET via $CABLE_GW
    ip route add $DSL_NET via $DSL_GW

Then, your preference for default route:

    ip route add default via $DSL_GW

Next, you set up the routing rules, making sure that you route out a given
interface if you already have the corresponding source address:

    ip rule add from $IP_ETH0 table E0
    ip rule add from $IP_ETH1 table E1

This set of commands makes sure all answers to traffic coming in on a
particular interface get answered from that interface.

I set something like this up back in 1999 for my then-current employer to
deal with a 'secure' leased line and a cable-modem, with e-mail coming in
over both lines...

Bye, Arthur. (Who just now realises that ftpd's may actually still play
              havoc with this: set your server to passive-only, if you can.)

-- 
  /\    / |      arthurvl@sci.kun.nl      | Work like you don't need the money
 /__\  /  | A friend is someone with whom | Love like you have never been hurt
/    \/__ | you can dare to be yourself   | Dance like there's nobody watching
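
Added example, not part of the original mail: a small Python model of the lookup order that the rules and tables above set up, showing which gateway a packet gets depending on its source address. The addresses are constructed sample values from documentation ranges, lookup() and route() are hypothetical helper names, and the model covers only source selectors and longest-prefix match.

```python
import ipaddress

# Constructed sample values (documentation ranges), standing in for the
# mail's $IP_ETH0, $CABLE_GW, $CABLE_NET, $IP_ETH1, $DSL_GW, $DSL_NET.
IP_ETH0, CABLE_GW, CABLE_NET = "192.0.2.10", "192.0.2.1", "192.0.2.0/24"
IP_ETH1, DSL_GW, DSL_NET = "198.51.100.10", "198.51.100.1", "198.51.100.0/24"

# Routing tables as (prefix, gateway, device); gateway None means on-link.
TABLES = {
    "E0": [(CABLE_GW + "/32", None, "eth0"), ("0.0.0.0/0", CABLE_GW, "eth0")],
    "E1": [(DSL_GW + "/32", None, "eth1"), ("0.0.0.0/0", DSL_GW, "eth1")],
    "main": [
        (CABLE_GW + "/32", None, "eth0"),
        (DSL_GW + "/32", None, "eth1"),
        (CABLE_NET, CABLE_GW, "eth0"),
        (DSL_NET, DSL_GW, "eth1"),
        ("0.0.0.0/0", DSL_GW, "eth1"),  # preferred default: DSL
    ],
}

# Rules as (source selector, table). The two "from" rules are consulted
# before the built-in "from all lookup main" rule.
RULES = [(IP_ETH0 + "/32", "E0"), (IP_ETH1 + "/32", "E1"), ("0.0.0.0/0", "main")]


def lookup(table, dst):
    """Longest-prefix match in one table; returns (gateway, device) or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), gw, dev)
            for p, gw, dev in TABLES[table] if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    _, gw, dev = max(hits, key=lambda h: h[0].prefixlen)
    return gw, dev


def route(src, dst):
    """Walk the rules in order; the first table with a matching route wins."""
    addr = ipaddress.ip_address(src)
    for selector, table in RULES:
        if addr in ipaddress.ip_network(selector):
            hit = lookup(table, dst)
            if hit is not None:
                return (table,) + hit
    return None


if __name__ == "__main__":
    client = "203.0.113.50"  # constructed remote FTP client address
    print("reply from eth0 address:", route(IP_ETH0, client))
    print("reply from eth1 address:", route(IP_ETH1, client))
    print("new connection, no source yet:", route("0.0.0.0", client))
```

A source of 0.0.0.0 stands for a locally originated connection whose source address has not been chosen yet; it matches only the last rule and therefore follows the DSL default in the main table.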