>-----Original Message-----
>From: Arthur van Leeuwen [mailto:arthurvl@sci.kun.nl]
>Sent: Thursday, September 26, 2002 5:28 AM
>To: David H. Lynch Jr.
>Cc: 'lartc Mailing List'
>Subject: Re: Help: Multiple internet connections
>
>> However I have problems with the servers/services that are being
>> DNATed to behind the firewall.
>
>Not so good.
>
>[snip]
>
>> It is my guess that the inbound packet manages its way to my server
>> just fine, but on the return trip it decides to head back out the
>> cable modem as that is the best route back to the client, and since
>> the client sees a response coming from the wrong source it discards
>> it, but I could easily be wrong.
>
>No, you are most probably right. Unfortunately, there is no real solution to your problem, for as soon as the packet has
>been DNATed to the service behind the firewall you lose all information as to which route the packet took to get to
>your firewall. This means that any return packet can only take the `obvious' short route directly to the remote machine,
>and not the less-obvious route the long way round but with the correct source address.
>
>> I believe I am only having problems with DNATed services behind the
>> firewall, and I believe it is only when the client is local to the
>> external interface opposite the one they are coming in on. But I could
>> easily be wrong. Regardless, the problem is mostly reproducible -
>> though it has been known to go away for days at a time on its own, and
>> mostly limited to a small subset of all clients.
>
>Sounds as if there's routes flapping for a subset of your clients.
>
>I can see only one real solution: have some sort of application-level proxies run on your firewall host to plug the
>connections through to the services behind it. One way to do so would be to use socks in listening mode.
>Another would be to use netcat...
>
>Doei, Arthur.

Trying to grok the interrelations between IPTABLES and routing has given me a headache. I guess I am not as sharp as I used to be.

I am also having a hard time getting a complete handle on what "stateful" really means. But I am gathering that this is a routing problem caused as a side effect of DNATing a connection.

If IPTABLES is "stateful", does that mean that if I MARK a packet the return packet is also marked? If that were the case I could mark the inbound packets from one interface and use iproute to select the right routing table for the return packets.

Alternatively, if I set the servers behind the firewall up with two IPs and DNATed to a different one depending on the incoming interface, shouldn't I be able to choose an outgoing routing table based on the source IP of the return packet?

Finally, what is a flapping route? This problem would make a lot more sense to me if it were consistent.

Thank you. Just having a second opinion that I am on the right track helps a lot.

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
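As an added example, not from the thread and not the LARTC HOWTO's own text: the "mark the connection so the reply is marked too" idea David asks about, carried through with iptables CONNMARK and iproute2 policy routing, so that replies to a DNATed service leave through the uplink the request arrived on. Interface names, gateways, routing-table numbers and the server address are assumed placeholders; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: CONNMARK + iproute2 policy routing so that replies to a DNATed
# service go back out the uplink the request came in on. All names below are
# assumed: eth1 = cable (gw 192.0.2.1), eth2 = DSL (gw 198.51.100.1),
# eth0 = LAN 192.168.1.0/24, web server 192.168.1.10. DRY_RUN=1 prints only.

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# One routing table per uplink, chosen by fwmark. The LAN route has to be in
# each table as well: the inbound request is already marked when it is routed,
# and without that route it would bounce straight back out the uplink.
uplink_table() { # iface gateway table mark
    run ip route add "$LAN_NET" dev "$LAN_IF" table "$3"
    run ip route add default via "$2" dev "$1" table "$3"
    run ip rule add fwmark "$4" table "$3"
}

# Tag each NEW connection with the uplink it entered on; the tag lives in the
# conntrack entry, so the server's replies (arriving on eth0) get it back.
uplink_mark() { # iface mark
    run iptables -t mangle -A PREROUTING -i "$1" -m state --state NEW -j CONNMARK --set-mark "$2"
}

dnat_service() { # iface dport target
    run iptables -t nat -A PREROUTING -i "$1" -p tcp --dport "$2" -j DNAT --to-destination "$3"
    run iptables -t nat -A POSTROUTING -o "$1" -j MASQUERADE
}

multiwan_dnat() {
    LAN_IF=eth0; LAN_NET=192.168.1.0/24
    uplink_table eth1 192.0.2.1 101 1
    uplink_table eth2 198.51.100.1 102 2
    uplink_mark eth1 1
    uplink_mark eth2 2
    # Copy the connection mark onto every packet (after the set-mark rules, so
    # the first packet of a flow is covered too); routing then uses the fwmark.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    dnat_service eth1 80 192.168.1.10:80
    dnat_service eth2 80 192.168.1.10:80
    run ip route flush cache
}

# sh multiwan.sh print  -> list the commands;  sh multiwan.sh apply -> run as root
case "${1:-}" in print) DRY_RUN=1; multiwan_dnat ;; apply) multiwan_dnat ;; esac
```

The main table keeps the normal default route for traffic the LAN originates; only flows that entered through an uplink carry a mark and are steered back through it.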