I have two Linux (RH v9) routers connected to the Internet (separate DSL
connections), each with two Ethernet cards.
Router #1 has static IP address "a.a.a.1" for the internal LAN,
and static IP address "x.x.x.x" for the Internet
connection; here's what the "route" command shows:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
x.x.x.0         0.0.0.0         255.255.255.0   U     0      0        0 eth1
a.a.a.0         0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         x.x.x.1         0.0.0.0         UG    0      0        0 eth1
Router #2 has static IP address "a.a.a.2" for the internal
LAN, and DHCP IP address "y.y.y.y" for the Internet
connection; here's what the "route" command shows:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
y.y.y.0         0.0.0.0         255.255.255.0   U     0      0        0 eth1
a.a.a.0         0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         y.y.y.1         0.0.0.0         UG    0      0        0 eth1
This works, but since router #1 has several server daemons running
(HTTP, DNS, etc), and since router #2 is the default gateway for internal
hosts on the a.a.a.0/24 network, any access to servers on router #1 goes
out through router #2 and the Internet in order to get to router #1 (and
similarly to get back); this is a performance hit due to the
(relatively) slow outbound DSL speeds (128Kbit/s) involved.
So, I decided to add a "shortcut" route on router #2:
"route add x.x.x.x eth0"; here's what the
"route" command now shows:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
x.x.x.x         0.0.0.0         255.255.255.255 UH    0      0        0 eth0
y.y.y.0         0.0.0.0         255.255.255.0   U     0      0        0 eth1
a.a.a.0         0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         y.y.y.1         0.0.0.0         UG    0      0        0 eth1
This solves the performance problem for accessing servers on router
#1, BUT now any access initiated from router #1 to router #2 fails.
I added logging entries in the "mangle" table for
"iptables", and it shows the packets from router #2 to router
#1 getting through the "PREROUTING" stage, but no
further. If I remove the added route, access from #2 to #1 works
AND I see the packets getting beyond the "PREROUTING" stage to
either the "INPUT" or "FORWARD" stages. Note
that when testing this, there is nothing in the "filter" or
"nat" tables.
Now, I can solve this by a reciprocal "route add y.y.y.y
eth0" on router #1 (which works). However, y.y.y.y is a
DHCP address from my ISP, so that's only a temporary fix until the IP
address changes.
My big question is to really understand what is going on. Here is
the iptables/routing diagram I got from Rusty's documentation:
   --->PRE------>[ROUTE]--->FWD---------->POST------>
       Conntrack    |       Mangle   ^    Mangle
       Mangle       |       Filter   |    NAT (Src)
       NAT (Dst)    |                |    Conntrack
       (QDisc)      |             [ROUTE]
                    v                |
                    IN Filter       OUT Conntrack
                    |  Conntrack     ^  Mangle
                    |  Mangle        |  NAT (Dst)
                    v                |  Filter
Why is the routing code apparently dropping the packets from router
#1 to router #2 (but only for connections initiated from #1)?
-- Dean
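Added example, not part of Dean's post: a small Python model of the two kernel mechanisms that this symptom pattern depends on, longest-prefix-match route lookup and strict reverse-path filtering (the net.ipv4.conf.<iface>.rp_filter sysctl, which Red Hat's stock sysctl.conf enables). Reverse-path filtering runs after PREROUTING and before the routing decision, so a packet it rejects is logged by a mangle PREROUTING rule but never reaches INPUT or FORWARD, and the drop is only visible in the kernel log when net.ipv4.conf.all.log_martians is set. The model feeds router #2's table from the post (with RFC 5737 documentation addresses standing in for x.x.x.x, y.y.y.y and a.a.a.0, all constructed here) to the check and shows that, with the host route present, a packet from x.x.x.x arriving on eth1 has its reverse route on eth0 and is dropped, while the same packet passes once the host route is gone, and that router #2's own traffic towards x.x.x.x leaves eth0 with a.a.a.2 as its source, which is why the opposite direction keeps working. Whether this is what happened on the real routers is a check for the reader: `sysctl net.ipv4.conf.eth1.rp_filter` and `ip route get x.x.x.x` on router #2 answer it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample data: router #2's table after "route add x.x.x.x eth0".
# RFC 5737 documentation prefixes stand in for the post's placeholders:
#   x.x.x.x = 203.0.113.10    (router #1's static Internet address)
#   y.y.y.y = 198.51.100.20   (router #2's DHCP Internet address)
#   a.a.a.0 = 192.168.1.0/24  (the internal LAN)
ROUTER2_ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.10    0.0.0.0         255.255.255.255 UH    0      0        0 eth0
198.51.100.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         198.51.100.1    0.0.0.0         UG    0      0        0 eth1
"""

# Addresses router #2 holds on each interface (constructed, see above).
ROUTER2_IFACE_ADDRS: Dict[str, str] = {
    "eth0": "192.168.1.2",
    "eth1": "198.51.100.20",
    "lo": "127.0.0.1",
}


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str  # "0.0.0.0" means directly connected (on-link)
    iface: str


def parse_route_output(text: str) -> List[Route]:
    """Parse 'route -n' style output into Route entries (skips the two header lines)."""
    routes = []
    for line in text.splitlines()[2:]:
        dest, gateway, genmask, _flags, _metric, _ref, _use, iface = line.split()
        routes.append(Route(ipaddress.IPv4Network((dest, genmask)), gateway, iface))
    return routes


def lookup(routes: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match, the rule the kernel's FIB lookup applies."""
    ip = ipaddress.IPv4Address(addr)
    candidates = [r for r in routes if ip in r.network]
    return max(candidates, key=lambda r: r.network.prefixlen, default=None)


def egress(routes: List[Route], iface_addrs: Dict[str, str], dst: str) -> Tuple[str, str, str]:
    """For a locally generated packet to dst: the interface it leaves on, the
    source address chosen for it (that interface's address), and the next hop."""
    r = lookup(routes, dst)
    if r is None:
        raise ValueError("no route to host")
    next_hop = dst if r.gateway == "0.0.0.0" else r.gateway
    return r.iface, iface_addrs[r.iface], next_hop


def rp_filter_accepts(routes: List[Route], src: str, in_iface: str) -> bool:
    """Strict reverse-path filtering (rp_filter=1): keep a packet only if the
    route back to its source leaves through the interface it arrived on.
    The check sits between PREROUTING and the routing decision, so a
    rejected packet never reaches the INPUT or FORWARD chains."""
    r = lookup(routes, src)
    return r is not None and r.iface == in_iface


def without_route(routes: List[Route], dest_cidr: str) -> List[Route]:
    """Return the table with one entry removed (models 'route del')."""
    target = ipaddress.IPv4Network(dest_cidr)
    return [r for r in routes if r.network != target]


if __name__ == "__main__":
    table = parse_route_output(ROUTER2_ROUTE_OUTPUT)
    # Router #1 -> router #2 via router #1's default gateway: arrives on
    # router #2's eth1 with source x.x.x.x, but the reverse route is eth0.
    print("shortcut present, x.x.x.x arriving on eth1:",
          rp_filter_accepts(table, "203.0.113.10", "eth1"))
    # Same packet once the shortcut route is deleted on router #2.
    plain = without_route(table, "203.0.113.10/32")
    print("shortcut removed, x.x.x.x arriving on eth1:",
          rp_filter_accepts(plain, "203.0.113.10", "eth1"))
    # Router #2 -> router #1 with the shortcut: leaves eth0 with source a.a.a.2,
    # so router #1 sees it on eth0 and its own reverse-path check is happy.
    print("router #2 egress towards x.x.x.x:",
          egress(table, ROUTER2_IFACE_ADDRS, "203.0.113.10"))
```

The reciprocal "route add y.y.y.y eth0" on router #1 fixes the same check from the other side: it makes router #1's packets leave eth0 with a.a.a.1 as source, so they reach router #2 on eth0, where the reverse route to a.a.a.1 is also eth0. Because strict rp_filter is a per-interface sysctl, the usual alternative to keeping two host routes in sync with a DHCP lease is to leave the filter on and make the routes symmetric, rather than to switch it off on the Internet-facing interface.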