One thing you might do if you use DNS is to create views for hosts on the LAN, so they will resolve the internal IP.

Looks like you should specify with your NATting what interface the traffic is outbound on, with -o eth1 or -o eth0, so that when it leaves eth2 it won't source NAT.

Alexander W. Janssen (alexander.janssen@xxxxxx) wrote:
>
> Hi all,
>
> I got the following configuration:
> * NET1: DSL line with /28 network, let's call it 10.1.0.0/28
> * NET2: DSL line with /28 network, let's call it 10.2.0.0/28
> * INTNET: internal network with productive servers and workstations,
>   192.168.1.0/24
> Obviously the 10.x networks are official networks but censored to
> protect my customer.
> The router box assigns on eth0 all IP addresses from NET1, same for eth1
> and NET2. The internal net is on eth2.
> I've set up split-access routing like in the documentation, part "4.2.1.
> Split access". Every productive server gets its own routing table and its
> own SNAT/DNAT rule. Example is given for one server.
>
> # Server 1, external 10.1.0.3, internal 192.168.1.2, table server1,
> # default gateway is 10.1.0.1 (DSL router)
> ip route add $NET1 dev eth0 src 10.1.0.1 table server1
> ip route add $INTNET dev eth2 table server1
> ip route add default via 10.1.0.1 table server1
> ip rule add from 192.168.1.2 table server1
> # Now NAT 10.1.0.3
> iptables -t nat -A PREROUTING -d 10.1.0.3 -j DNAT --to-destination 192.168.1.2
> iptables -t nat -A POSTROUTING -s 192.168.1.2 -j SNAT --to-source 10.1.0.3
>
> I do this for all servers on alternating IP addresses and lines.
>
> Eventually at the very end of the POSTROUTING chain I got a catch-all SNAT
> for all workstations in INTNET to get SNATed access to the internet (only
> routed via one line):
> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 10.1.0.1
> (where 10.1.0.1 is a designated IP address only used for the workstations
> - the servers all got their own IP address.)
> Works so far.
>
> Now my problem: if a workstation from the internal network, let's say,
> wants to connect to the official IP address of one of the servers, it
> doesn't work.
> Let's say 192.168.1.212 wants to connect to 10.1.0.3. It goes through its
> default gateway 192.168.1.1, which is the only IP address assigned on
> eth2, the internal interface. It hits the PREROUTING chain and gets DNATed
> to 192.168.1.2. It hits routing code and is matched against "$INTNET dev
> eth2" in table server1. It hits POSTROUTING and gets SNATed with 10.1.0.1,
> the external, designated IP address of the router for the clients. It
> should be pushed out on the internal interface.
> The server receives the packet, processes it and sends back the answer to
> the router. The packet hits PREROUTING (from 192.168.1.2 to 10.1.0.1, no
> rule matches), hits routing code and there is the problem I think.
> Destined for local interface, don't route. BANG.
> Is my observation at that point right? If yes, does somebody know how to
> achieve my goal, that internal IPs can connect to the external IPs? The
> term "CONNMARK" somehow popped up in my mind, but I haven't seen any
> useful examples yet how to use it properly.
> I hope I provided all necessary information; I know that "ip rule show" is
> missing to check the precedences of rules, but I don't have access to the
> system right now.
> Any hint is appreciated,
> thanks,
> Alex.
>
>
> _______________________________________________
> LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>

--
When dealing with a slow pipe, never underestimate the throughput of the postal system.
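An added example, not code from either post in the thread: the per-server policy-routing table and NAT rules from Alex's setup, rewritten with the SNAT scoped to the DSL interface (-o eth0) as the reply suggests, plus one extra hairpin rule for the LAN-to-public-IP case Alex describes (LAN clients hitting 10.1.0.3 are rewritten to the router's eth2 address so the server answers through the router instead of directly). Addresses and interfaces are the ones from the thread; the router's own eth0 address (10.1.0.2), the hairpin rule, the DRY_RUN switch and the function names are assumptions. With DRY_RUN=1 (the default) the script only prints the commands, so the rule set can be inspected without root.

```shell
#!/bin/sh
# Added example for the LARTC thread above; not code from the original posts.
# Generates the split-access routing table and NAT rules for one server, with
# the SNAT restricted to the outbound DSL interface as the reply suggests, and
# an extra hairpin rule so LAN clients can reach a server via its public IP.
# Addresses follow the thread; the router's own eth0 address (10.1.0.2), the
# hairpin rule and the function names are assumptions.
set -eu

DRY_RUN="${DRY_RUN:-1}"     # 1: print commands (default); 0: execute them (needs root)

INTNET=192.168.1.0/24
INTIF=eth2
ROUTER_INT=192.168.1.1      # the router's only address on eth2 (from the thread)

# run: execute a command, or just print it when DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# server_rules TABLE EXTIF NET MYIP GW EXTIP INTIP
#   TABLE  routing table name         EXTIF  DSL interface (eth0/eth1)
#   NET    the /28 on that line       MYIP   router's own address on EXTIF
#   GW     DSL router (default gw)    EXTIP  public IP of the server
#   INTIP  internal IP of the server
server_rules() {
    table=$1 extif=$2 net=$3 myip=$4 gw=$5 extip=$6 intip=$7
    # Per-server table: on-link route, internal net, default via that line's DSL router
    run ip route add "$net" dev "$extif" src "$myip" table "$table"
    run ip route add "$INTNET" dev "$INTIF" table "$table"
    run ip route add default via "$gw" table "$table"
    run ip rule add from "$intip" table "$table"
    # Public IP -> internal host (matches on any inbound interface, eth2 included)
    run iptables -t nat -A PREROUTING -d "$extip" -j DNAT --to-destination "$intip"
    # Source NAT only for packets really leaving on the DSL interface, so a
    # packet that exits eth2 towards the LAN keeps its LAN source address
    run iptables -t nat -A POSTROUTING -s "$intip" -o "$extif" -j SNAT --to-source "$extip"
    # Hairpin (not in the thread): a LAN client connecting to EXTIP is DNATed to
    # INTIP and would otherwise get the server's reply straight from INTIP,
    # which breaks the connection. Rewriting its source to the router's internal
    # address makes the server reply via the router, which un-NATs both directions.
    run iptables -t nat -A POSTROUTING -s "$INTNET" -d "$intip" -o "$INTIF" \
        -j SNAT --to-source "$ROUTER_INT"
}

# workstation_rules EXTIF SNATIP: the catch-all for the LAN, scoped to one line
workstation_rules() {
    run iptables -t nat -A POSTROUTING -s "$INTNET" -o "$1" -j SNAT --to-source "$2"
}

# Server 1 from the thread: external 10.1.0.3, internal 192.168.1.2, table
# server1, DSL router 10.1.0.1. Server rules go first so the catch-all below
# never sees the server's traffic; the workstation SNAT address is as posted.
server_rules server1 eth0 10.1.0.0/28 10.1.0.2 10.1.0.1 10.1.0.3 192.168.1.2
workstation_rules eth0 10.1.0.1
```

Run it as `sh split-nat.sh` to review the generated commands, and `DRY_RUN=0 sh split-nat.sh` as root to apply them. Keeping the per-server rules ahead of the catch-all workstation SNAT preserves the ordering from Alex's post; the `-o` match is what stops the catch-all from rewriting packets that leave on eth2.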