Source routing two services in the intranet

Linux Advanced Routing and Traffic Control

Hi.

  A few months ago I asked the list about source routing and got a nice
  solution by Martin Brown. Thanks a lot for the help, Martin Brown. Actually my
  problem now is related to the one before, and so I think it is useful to
  rewrite it here:
  
  Quoting Martin
  
  - private (rfc1918) internal network with services published to the
    world
  - two public networks
  - a single service (in the internal network) which should be reachable
    on an IP in each public network
    
  Solution:
  
  The key to the general solution of this problem is to use separate pairs
  of IPs for the entire path from the outside world to the internal network.
  The internal service (e.g., webserver) must host two IP addresses.  One IP
  address can be reached via DNAT from public network 1 and the other IP
  address can be reached via DNAT from the other network.
  

    The detailed solution can be looked up here:

   http://linux-ip.net/html/adv-multi-internet.html#adv-multi-internet-inbound
 namely,

[root@masq-gw]# ip route add nat 67.17.28.10 via 192.168.100.10
[root@masq-gw]# ip rule add nat 67.17.28.10 from 192.168.100.10 table 4
[root@masq-gw]# ip route add nat 205.254.211.17 via 192.168.100.17
[root@masq-gw]# ip rule add nat 205.254.211.17 from 192.168.100.17
[root@masq-gw]# ip rule show
0:      from all lookup local 
32765:  from 192.168.100.17 lookup main map-to 205.254.211.17
32765:  from 192.168.100.10 lookup 4 map-to 67.17.28.10
32766:  from all lookup main 
32767:  from all lookup 253
[root@masq-gw]# ip route show table local | grep ^nat
nat 205.254.211.17 via 192.168.100.17  scope host 
nat 67.17.28.10 via 192.168.100.10  scope host

 The solution above has a drawback. If I have to provide a different service
 on a different computer in the internal network I can't, since every packet
 that reaches the Linux router is being redirected to the same computer in the
 internal network. Assume that besides the web service on
 192.168.100.10-192.168.100.17 (IP alias used here) we want to provide ssh
 service on 192.168.100.20-192.168.100.21 and want to source route both
 services on the Linux router. I believe that to solve this I need to operate with
 iptables and iproute together and DNAT the requests according to the port they are
 addressed to. It seems that iproute by itself cannot do that. But to
 accomplish this I think that a solid knowledge of how the packets traverse the
 kernel is necessary, and that is what I am not sure about. So I would really
 appreciate it if anyone could help me write the iptables and iproute rules for
 the example just mentioned. That would be a great help.

    Thanks a lot for your attention,

                              Aldrovando Araújo

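The port-based DNAT plus source-routed return path asked for above, as an added example that is not part of the original post and not taken from linux-ip.net. It uses netfilter DNAT in place of the stateless `ip route add nat` entries quoted above (the two must not be combined, since the iproute2 NAT entries would rewrite every packet regardless of port). The public IPs and the 192.168.100.x hosts are the ones in the thread; the interface names eth1/eth2, the provider gateways, the table names isp1/isp2 and the script name are assumptions made for the example. Run without arguments it only prints the commands; with `--apply` it executes them as root.

```shell
#!/bin/sh
# Added example (not from the original post or from linux-ip.net): DNAT by
# destination port for two internal hosts, plus source-based return routing.
# Assumed for illustration: interface names, gateways and table names.
PUB1=67.17.28.10;    GW1=67.17.28.1;     IF1=eth1;  TABLE1=isp1
PUB2=205.254.211.17; GW2=205.254.211.1;  IF2=eth2;  TABLE2=isp2
WEB1=192.168.100.10; WEB2=192.168.100.17   # web server, one alias per provider
SSH1=192.168.100.20; SSH2=192.168.100.21   # ssh host, one alias per provider

# dnat_rule PUBLIC_IP PORT INTERNAL_IP: rewrite the destination of packets
# addressed to PUBLIC_IP:PORT before routing, so the same public IP can feed
# different internal hosts depending on the port.
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
        "$1" "$2" "$3"
}

# forward_rule INTERNAL_IP PORT: let the new, already-DNATed connection through
# the FORWARD chain (assumes a default DROP policy on FORWARD).
forward_rule() {
    printf 'iptables -A FORWARD -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$1" "$2"
}

# return_route INTERNAL_IP TABLE: replies sourced from INTERNAL_IP are routed in
# TABLE, i.e. out of the provider whose public IP was DNATed to that host.
# This works because the reverse translation of a DNATed connection (rewriting
# the reply's source back to the public IP) happens in POSTROUTING, after the
# routing decision, so the policy-routing lookup still sees the private source.
return_route() {
    printf 'ip rule add from %s lookup %s\n' "$1" "$2"
}

gen_rules() {
    # One routing table per provider, each with its own default route.
    printf 'ip route add default via %s dev %s table %s\n' "$GW1" "$IF1" "$TABLE1"
    printf 'ip route add default via %s dev %s table %s\n' "$GW2" "$IF2" "$TABLE2"

    # Inbound: port decides the internal host, public IP decides which alias.
    dnat_rule "$PUB1" 80 "$WEB1";  forward_rule "$WEB1" 80
    dnat_rule "$PUB1" 22 "$SSH1";  forward_rule "$SSH1" 22
    dnat_rule "$PUB2" 80 "$WEB2";  forward_rule "$WEB2" 80
    dnat_rule "$PUB2" 22 "$SSH2";  forward_rule "$SSH2" 22

    # Replies of accepted connections, and the return path per alias.
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    return_route "$WEB1" "$TABLE1"
    return_route "$SSH1" "$TABLE1"
    return_route "$WEB2" "$TABLE2"
    return_route "$SSH2" "$TABLE2"

    printf 'sysctl -w net.ipv4.ip_forward=1\n'
}

# Default is a dry run (print the commands); --apply runs them.
if [ "${1:-}" = "--apply" ]; then
    gen_rules | sh -e
else
    gen_rules
fi
```

Two practical caveats: the table names isp1/isp2 must exist in /etc/iproute2/rt_tables (or use numeric table ids, as the quoted solution does with table 4), and no SNAT rule is needed for these connections because conntrack reverses the DNAT for the replies on its own; SNAT is only required if the internal hosts also originate outbound connections. Strict rp_filter on the provider interfaces can drop asymmetric traffic, so check that setting if a connection is established but replies never leave.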

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/