Re: Multihomed Masquerading, routing and iptables

Linux Advanced Routing and Traffic Control

Oops...
Sorry, I haven't read the entire email sent to the list by Bobic.
My mistake.

Bobic is having a problem similar to what I got with one of my servers running 
kernel 2.4.20. All the interfaces I have are of the same brand (Realtek): 
eth0 would be for clients, eth1 for DSLCable, eth2 for Wireless 2.4GHz.
Weirdly, several of my clients are set up correctly to use both eth1 and eth2, but 
there are many clients having their packets routed wrongly, just as Bobic's.

This problem can be solved if I change to using SNAT instead of MASQUERADE. Try 
it, Bobic.

This MASQUERADE problem didn't appear under my Linux 2.4.21.

Regards,
Rio Martin.

On Monday 05 January 2004 09:04, Rio Martin wrote:
> Dear Bobic,
> I am sure you haven't read the LARTC document clearly.
> Find inside the document, "iproute2".
> Those are clues for setting up a local area network to connect using two or
> more connections to ISPs.
>
> Regards,
> Rio Martin.
>
> On Wednesday 31 December 2003 23:49, Gordan Bobic wrote:
> > Hi.
> > I have a networking problem that is driving me nuts at the moment. I
> > have a multi-homed network: Cable + DSL.
> > The problem I have is that although I am 99% sure that I have the
> > routing table rules set up correctly, for some reason
> > masqueraded/NATed traffic doesn't go out of the correct interface.
> > i.e. I am getting traffic leaving eth2 with the source IP header set
> > to eth3 and vice versa.
> > There are 3 network interfaces:
> > eth0 (internal)
> > eth2 (DSL)
> > eth3 (Cable)
> > (eth1 is unused at present)
> >
> > Here is my iptables setup (/etc/sysconfig/iptables):
> > ################################
> > # Generated by iptables-save v1.2.7a on Sat Dec 27 10:47:54 2003
> > *nat
> >
> > :PREROUTING ACCEPT [0:0]
> >
> > # Port forwarding to an internal machine
> > -A PREROUTING -i eth2 -d 217.79.103.2 -p tcp -m tcp --dport 18001 -j DNAT --to-destination 192.168.0.10:18001
> > -A PREROUTING -i eth3 -d 62.252.21.17 -p tcp -m tcp --dport 18001 -j DNAT --to-destination 192.168.0.10:18001
> > # SSH Port Forwarding
> > -A PREROUTING -i eth2 -d 217.79.103.3 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.10:22
> >
> > :POSTROUTING ACCEPT [0:0]
> >
> > # IP Masquerading Traffic From eth2 and eth3
> > -A POSTROUTING -o eth2 -j MASQUERADE
> > -A POSTROUTING -o eth3 -j MASQUERADE
> >
> > :OUTPUT ACCEPT [0:0]
> >
> > COMMIT
> > # Completed on Sat Dec 27 10:47:54 2003
> > # Generated by iptables-save v1.2.7a on Sat Dec 27 10:47:54 2003
> > *filter
> >
> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> >
> > -A FORWARD -i eth0 -o eth2 -s 192.168.0.0/16 -d 0.0.0.0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > -A FORWARD -i eth0 -o eth3 -s 192.168.0.0/16 -d 0.0.0.0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> > -A FORWARD -i eth2 -o eth0 -s 0.0.0.0/0 -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
> > -A FORWARD -i eth3 -o eth0 -s 0.0.0.0/0 -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -j ACCEPT
> >
> > :OUTPUT ACCEPT [0:0]
> >
> > COMMIT
> > # Completed on Sat Dec 27 10:47:54 2003
> > ###################################
> >
> > Additionally, here is the script I use to set up the multi-homed
> > routing:
> >
> > ####################################
> > # Add ip rules for routing
> > ip rule add from 217.79.103.0/29        table Griffin
> > ip rule add from 62.252.21.17           table NTL
> >
> > # Add routing rules for specific interfaces to ensure connectivity
> > ip route add to default via 217.79.103.1        dev eth2 table Griffin
> > ip route add to default via 62.252.21.254       dev eth3 table NTL
> >
> > ip route add to 217.79.103.0/29 dev eth2 table Griffin
> > ip route add to 62.252.21.0/24  dev eth3 table NTL
> >
> > # Default route is multi homed
> > ip route add to default                                         \
> >         nexthop via 217.79.103.1        dev eth2 weight 1       \
> >         nexthop via 62.252.21.254       dev eth3 weight 1
> >
> > # Commit routing changes
> > ip route flush cache
> > #############################
> >
> > However, looking at tcpdump output from eth2:
> > 11:19:27.153771 cpc4-cbly1-3-0-cust17.glfd.cable.ntl.com.18001 >
> > 217.81.134.183.57626: R 0:0(0) ack 2502579442 win 0 (DF)
> > 11:19:30.212427 cpc4-cbly1-3-0-cust17.glfd.cable.ntl.com.18001 >
> > 217.81.134.183.57626: R 0:0(0) ack 1 win 0 (DF)
> > 11:20:23.928900 cpc4-cbly1-3-0-cust17.glfd.cable.ntl.com.18001 >
> > 217.81.134.183.58367: R 0:0(0) ack 2551899092 win 0 (DF)
> >
> > This is wrong because cpc4-cbly1-3-0-cust17.glfd.cable.ntl.com is
> > 62.252.21.17, which is the IP address of eth3.
> >
> > Similarly, tcpdump from eth3 says things like:
> > 11:18:32.787404 217.79.103.2.adsl.griffin.net.uk.18001 >
> > p50811062.dip.t-dialin.net.33062: R 0:0(0) ack 4066315873 win 0 (DF)
> > 11:18:35.683228 217.79.103.2.adsl.griffin.net.uk.18001 >
> > p50811062.dip.t-dialin.net.33062: R 0:0(0) ack 1 win 0 (DF)
> > 11:18:41.744790 217.79.103.2.adsl.griffin.net.uk.18001 >
> > p50811062.dip.t-dialin.net.33062: R 0:0(0) ack 1 win 0 (DF)
> >
> > This is again wrong, because 217.79.103.2.adsl.griffin.net.uk is the
> > IP address of eth2.
> >
> > I am pretty sure the IP rules I set up should work. They assign all
> > packets with source IP of a particular interface to a routing table
> > that is routed out via the correct gateway. However, some packets
> > (from what I have been able to tell, only the masqueraded packets,
> > but the test was not exhaustive) get sent out of the wrong interface.
> >
> > Can anybody see a problem with this setup?
> >
> > TIA.
> >
> > Gordan
>

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
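As an added example (not code from either poster), the check below turns the symptom Gordan describes into something a defender can detect from a `tcpdump -n` capture: it flags packets seen on one WAN interface whose source address belongs to the other link, using the two public prefixes quoted in the thread, and also prints the per-interface SNAT rule Rio suggests in place of MASQUERADE. The packet lines and the eth2/eth3 address assignments are assumptions constructed from the thread, not a real capture.

```sh
#!/bin/sh
# Added example, not from the thread. Input is "tcpdump -n" style:
#   HH:MM:SS.usec SRC.PORT > DST.PORT: ...
# The expected source prefix per WAN interface comes from the thread's
# "ip rule add from ..." lines; interface addresses from Gordan's message.

# Public prefix that should appear as source on a given WAN interface.
expected_prefix() {
    case "$1" in
        eth2) echo "217.79.103." ;;   # Griffin DSL (table Griffin)
        eth3) echo "62.252.21."  ;;   # NTL cable   (table NTL)
        *) return 1 ;;
    esac
}

# Address each WAN interface carries (per Gordan's description).
iface_addr() {
    case "$1" in
        eth2) echo "217.79.103.2" ;;
        eth3) echo "62.252.21.17" ;;
        *) return 1 ;;
    esac
}

# Read tcpdump lines on stdin; print source addresses that do NOT belong
# to the prefix expected on the capture interface given as $1.
misrouted_lines() {
    pfx="$(expected_prefix "$1")" || return 1
    awk -v pfx="$pfx" '
        { src = $2; sub(/\.[0-9]+$/, "", src)   # drop trailing .port
          if (index(src, pfx) != 1) print src }'
}

# Number of misrouted packets in the stream (stdin) for interface $1.
count_misrouted() { misrouted_lines "$1" | wc -l | tr -d " "; }

# Static-source SNAT rule replacing "-j MASQUERADE" for interface $1.
snat_rule() {
    addr="$(iface_addr "$1")" || return 1
    echo "-A POSTROUTING -o $1 -j SNAT --to-source $addr"
}

# Constructed sample: what a capture on eth2 might show. Lines 1 and 3 carry
# the cable address (62.252.21.17) and are exactly the wrong-interface case.
SAMPLE_ETH2='11:19:27.153771 62.252.21.17.18001 > 217.81.134.183.57626: R 0:0(0) ack 2502579442 win 0 (DF)
11:19:30.212427 217.79.103.2.18001 > 217.81.134.183.57626: R 0:0(0) ack 1 win 0 (DF)
11:20:23.928900 62.252.21.17.18001 > 217.81.134.183.58367: R 0:0(0) ack 2551899092 win 0 (DF)'
```

Run it against a live capture with `tcpdump -ni eth2 | count_misrouted eth2`; a non-zero count is the routing/NAT mismatch from the thread, and `snat_rule eth2` prints the POSTROUTING line to substitute for the MASQUERADE rule.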
