Hello Thad,

[ I'm sending this to the LARTC list for the benefit of others; Thad and I had a few exchanges offlist, but I thought the list might benefit from this exchange. It's more on the issue of handling multiple Internet links for inbound connections. ]

:          64.xxx.xxx.1/25                   66.xxx.xxx.129/26
:                |                                   |
:  ###################################################
:  # eth2   64.xxx.xxx.2          eth0   66.xxx.xxx.130 #
:  # eth2:1 64.xxx.xxx.3          eth0:1 66.xxx.xxx.131 #
:  # eth1   192.168.xxx.1                               #
:  ###################################################
:                |
:          192.168.xxx.0/24

[ lots of other unrelated stuff snipped ]

: Consider also taking advantage of the conntrack match on the PREROUTING
: chain to catch anything with ctorigdst of an IP on link 1 and using
: fwmark (-j MARK --set-mark 1) along with routing based on fwmark.

OK! Here's what I mean...

I'll assume the following:

    internal server:   192.168.122.1   $intserver
    external IP T1:    64.81.128.17    $ip_t1
    external IP T2:    66.92.124.18    $ip_t2

Assuming that you wish for both of these public IPs to redirect to the internal IP on server 192.168.122.1, here's what I'd suggest. Be forewarned, I have never done this myself before, although I have done many things very similar. Regardless, you may have a bit of tweaking and testing to do once you have this basic configuration in place.

- kernel which supports routing by fwmark (CONFIG_IP_ROUTE_FWMARK=y)
  (What distribution are you using?)
- completely "normal" main routing table, along with your preferred default route
- routing table T1 with routes to the internal network, the local networks, and a default route through the provider on T1
- routing table T2 with routes to the internal network, the local networks, and a default route through the provider on T2
- iptables rules as follows:

    iptables -t nat -A PREROUTING -i $if_t1 -d $ip_t1 -j DNAT --to-destination $intserver
    iptables -t nat -A PREROUTING -i $if_t2 -d $ip_t2 -j DNAT --to-destination $intserver

  These two rules (above) handle the DNAT to get the packets addressed correctly for your LAN.

    iptables -t mangle -I PREROUTING -i $internal -s $intserver \
      --match conntrack --ctorigdst $ip_t1 -j MARK --set-mark 1
    iptables -t mangle -I PREROUTING -i $internal -s $intserver \
      --match conntrack --ctorigdst $ip_t2 -j MARK --set-mark 2

  These two rules (above) put a mark (meta-data) on the packet as it travels through the firewall. Any packet belonging to a connection which was originally destined for $ip_t1 will be marked with fwmark 1. Any packet belonging to a connection originally destined for $ip_t2 will be marked with fwmark 2. Note that this happens in the PREROUTING chain (the MARK target lives in the mangle table), before the routing decision is made.

- And finally, the magic routing rules:

    ip rule add from $intserver fwmark 1 table T1
    ip rule add from $intserver fwmark 2 table T2

[ more stuff snipped ]

I am hoping that somebody else on the LARTC list has tried this and lived through the pitfalls of using conntrack in this fashion--perhaps somebody can even point out if I'm leading you down the wrong path. I'll include some comments below for posterity.....

: These are added in /etc/iproute2/rt_tables
: ip route add 64.xxx.xxx.0/25 dev eth2 src 64.xxx.xxx.2 table T1
: ip route add default via 64.xxx.xxx.1 table T1
: ip route add 66.xxx.xxx.0/26 dev eth0 src 66.xxx.xxx.130 table T2
: ip route add default via 66.xxx.xxx.129 table T2

Actually, /etc/iproute2/rt_tables is not a script which gets executed, but rather a mapping of route table names to numbers.
It usually looks something more like this:

    #
    # reserved values
    #
    255     local
    254     main
    253     default
    0       unspec
    #
    # local
    #
    #1      inr.ruhep

[ snip ]

: routing rules
: ip rule add from 64.xxx.xxx.2 table T1
: ip rule add from 64.xxx.xxx.130 table T2

The second of these rules looks wrong....did you really mean to have that be 64.xxx.xxx.130? Shouldn't that have been 66.xxx.xxx.130? Even so, you could actually use the following. See also the nano HOWTO for more detail [0].

[ snip ]

: I run web servers behind this firewall and will be using split route as
: a transition tool from old circuit to new circuits. I also may keep eth0
: network; haven't decided yet.

So, if I understand correctly, you want to have the internal webserver(s) reachable on both T1 links simultaneously. There are two solutions. The first involves fully separate sets of IPs from inside to outside [1]. The other option is to take advantage of the iptables conntrack match module. See a partial example here [2], although any fairly recent iptables will have conntrack, and you can look at the options and probably figure out how to make it work.*

: On each wan interface I am running aliases as referenced in the above
: diagram (eth2:1, eth2:2 and so on). Where do these need to be specified in
: my above rule set? Is there a way to just set the route via interface
: instead of specifying each ip?

And another note about "aliased interfaces". These don't really exist as far as the kernel is concerned. To see what I mean, simply do the following:

    # ip addr show dev eth2

The "label eth2:1" parameter on addresses other than the first address is used for compatibility with ifconfig. See also [3].
[ snip ]

Best of luck,

-Martin

[0] http://www.ssi.bg/~ja/nano.txt
[1] http://linux-ip.net/html/adv-multi-internet.html#adv-multi-internet-inbound
[2] http://mailman.ds9a.nl/pipermail/lartc/2003q2/008173.html
[3] http://linux-ip.net/html/tools-ip-address.html#ex-tools-ip-address-del

* snipped from "/sbin/iptables -m conntrack --help"

    conntrack match v1.2.7a options:
     [!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|SNAT|DNAT][,...]
                                    State(s) to match
     [!] --ctproto proto            Protocol to match; by number or name, eg. `tcp'
         --ctorigsrc [!] address[/mask]
                                    Original source specification
         --ctorigdst [!] address[/mask]
                                    Original destination specification
         --ctreplsrc [!] address[/mask]
                                    Reply source specification
         --ctrepldst [!] address[/mask]
                                    Reply destination specification
     [!] --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED][,...]
                                    Status(es) to match
     [!] --ctexpire time[:time]     Match remaining lifetime in seconds against
                                    value or range of values (inclusive)

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@xxxxxxxxxxxxxx
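The whole recipe from the message above (per-link tables, DNAT, conntrack-based MARK, fwmark rules) collected into one script, as an added example that is not from the original post. The addresses and variable names are the ones assumed in the mail; the gateways, the public subnets, the LAN prefix and the interface names are this example's own assumptions. DRY_RUN=1 (the default) only prints the commands, so the rule set can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example (not from the original post). Names follow the mail;
# gateways, subnets, LAN prefix and interfaces are assumed.
# DRY_RUN=1 prints each command instead of executing it.
DRY_RUN="${DRY_RUN:-1}"

intserver=192.168.122.1; lan=192.168.122.0/24; internal=eth1
if_t1=eth2; ip_t1=64.81.128.17; net_t1=64.81.128.0/24; gw_t1=64.81.128.1
if_t2=eth0; ip_t2=66.92.124.18; net_t2=66.92.124.0/24; gw_t2=66.92.124.1

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

setup_multilink() {
    # Per-link tables (T1 and T2 must be named in /etc/iproute2/rt_tables):
    # the link's own subnet, the LAN, and that provider's default route.
    run ip route add "$net_t1" dev "$if_t1" src "$ip_t1" table T1
    run ip route add "$lan" dev "$internal" table T1
    run ip route add default via "$gw_t1" table T1
    run ip route add "$net_t2" dev "$if_t2" src "$ip_t2" table T2
    run ip route add "$lan" dev "$internal" table T2
    run ip route add default via "$gw_t2" table T2

    # Inbound connections to either public IP are DNATed to the server.
    run iptables -t nat -A PREROUTING -i "$if_t1" -d "$ip_t1" \
        -j DNAT --to-destination "$intserver"
    run iptables -t nat -A PREROUTING -i "$if_t2" -d "$ip_t2" \
        -j DNAT --to-destination "$intserver"

    # Replies from the server are marked by the connection's ORIGINAL
    # (pre-DNAT) destination, so each reply leaves via the link it came
    # in on. MARK is a mangle-table target, not a nat-table one.
    run iptables -t mangle -A PREROUTING -i "$internal" -s "$intserver" \
        -m conntrack --ctorigdst "$ip_t1" -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i "$internal" -s "$intserver" \
        -m conntrack --ctorigdst "$ip_t2" -j MARK --set-mark 2

    # Policy routing keys on source + fwmark; everything else stays in main.
    run ip rule add from "$intserver" fwmark 1 table T1
    run ip rule add from "$intserver" fwmark 2 table T2
    run ip route flush cache
}

setup_multilink
```

Run it as root with DRY_RUN=0 once the printed rule set looks right; `ip rule show` and `iptables -t mangle -L PREROUTING -v` afterwards confirm the rules and show the mark counters climbing as replies pass.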