My setup looks like this:

1inet---(yy.yy.186.12)router---network 172.16.0.0/16
        (xx.xx.251.73)
              |
              |
            2inet

Router is doing masquerade. There was one link to the internet. I need to
connect to some hosts in the 172.16.0.0 network, so I'm doing DNAT. That was
working quite well until a second link to the internet was added. After adding
an ip rule to allow using both internet connections from outside, DNAT stopped
working.

[root@xxxxxxx root]# ip rule
0:      from all lookup local
32764:  from yy.yy.186.12 lookup 10
32765:  from all lookup main
32766:  from all lookup main
32767:  from all lookup default

[root@xxxxxxx root]# ip route show table main
[...]
172.16.100.2 dev eth1  proto kernel  scope link  src 172.16.100.1
172.16.0.0/12 via 172.16.100.2 dev eth1
default via xx.xx.251.73 dev eth0 onlink

[root@xxxxxxx root]# ip route show table 10
default via yy.yy.186.254 dev eth0

Table main is used for routing through the 2inet connection, while table 10 is
used for routing through the 1inet connection.

DNAT rules:

[root@xxxxxxx root]# iptables -L -n -t nat | grep ":22"
DNAT  tcp  ---  0.0.0.0/0  xx.xx.251.74  tcp dpt:11022 to:172.16.100.4:22
DNAT  tcp  ---  0.0.0.0/0  xx.xx.251.74  tcp dpt:12022 to:172.16.100.2:22
DNAT  tcp  ---  0.0.0.0/0  xx.xx.251.74  tcp dpt:10022 to:172.16.2.254:22
DNAT  tcp  ---  0.0.0.0/0  yy.yy.186.12  tcp dpt:11022 to:172.16.100.4:22
DNAT  tcp  ---  0.0.0.0/0  yy.yy.186.12  tcp dpt:12022 to:172.16.100.2:22
DNAT  tcp  ---  0.0.0.0/0  yy.yy.186.12  tcp dpt:10022 to:172.16.2.254:22

When I connect to, e.g., xx.xx.251.74:11022 or yy.yy.186.12:11022, I just get
a timeout. Packets seem not to be coming back :/

Without the ip rules everything works fine (but I can use only one inet
connection then).

Any ideas?

-- 
Arkadiusz Miśkiewicz    CS at FoE, Wroclaw University of Technology
arekmatssedotpl AM2-6BONE, 1024/3DB19BBD, arekm(at)ircnet, PLD/Linux