Re: Split 2 ISP strange routing problem

Linux Advanced Routing and Traffic Control

guillaume wrote:

Robert Kurjata wrote:

Hello guillaume,

Saturday, September 4, 2004, 12:44:04 PM, you wrote:

g> guillaume wrote:



Robert Kurjata wrote:



Quoting guillaume <guillaume.riviere@xxxxxxxxxx>:





Dear all Lartc,
I am trying to split my Internet access between my 2 ISPs with one Linux (GNU/Debian sarge) router with 3 NICs.
I want all my users connected via ISP1 and just some IPs connected
via ISP2.
Here is my configuration:

[cut out a part]

I would suggest a slight change in the fw rules below

# special rules for some IPs to go on second ISP
iptables -t mangle -A PREROUTING -s 10.117.71.1 -j MARK --set-mark 34

# SNAT RULES

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 1.2.3.4
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 5.6.7.8

and trying the script below. It was taken from my Multipath/Policy
routing case
by wiping out the multipath part, so it is slightly too much, but I
suppose (I
didn't check) it should work. It is supposed to seamlessly integrate
with multipath routing, that's why it is so big.
The idea behind it is:
1. remove default routing from the main table,
2. take care of routing from the correct interface (correctness of the source
IP / source
interface pair),
3. policy routing of selected clients (table 210),
4. default routing of the others (table 211).
Of course you can leave it in the main table, but for the sake of
example
I left it this way.

Hope it can help.



[cut out a part]


Dear Robert,

I tried this script (adapted for my network) and I get the same problem:

All my IPs routed on my first ISP: no problem.
With my 10.117.71.1 routed on my second ISP,
I can connect to my ISP's network (I can connect to the gateway website
on 5.6.7.9) but
I cannot ping any external IP addresses.


g> I also tested a DNAT rule to access my internal network via my second
g> ISP's external
g> IP ... and it works fine, no problem ...


g> iptables -t nat -I PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT
g> --to 10.117.71.2:80 # my web server


g> I don't know how to make this work for inside -> outside connections ...

g> Guillaume
g> _______________________________________________
g> LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
g> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


Of course I have the patches from Julian Anastasov applied
(http://www.ssi.bg/~ja/#routes); maybe that's the point.



At first no,
but now yes, I have applied the routes-2.6.8-10.diff found on http://www.ssi.bg/~ja/#routes-2.6 <http://www.ssi.bg/%7Eja/routes-2.6.8-10.diff>
with "patch -p1 < route-2.6.8-10.diff"; there is no difference ...
I could not access the Internet with or without the patch.


How can I be sure that this patch is in my current kernel?

I will try to re-apply the patch and recompile my kernel.

Thank you,
Guillaume

In fact, now, I am very close to the solution.

I tried this:

ip rule add from 10.117.71.190 lookup 5
ip route add 10.117.71.0/24 via 10.117.71.1 dev eth0 table 5
ip route add 0/0 via 5.6.7.9 dev eth2 table 5

And it works (with, of course, the corresponding POSTROUTING nat rule on eth2)!
I can access showmyip.com from 10.117.71.190
and the web site shows me 5.6.7.8 ...


I do not see where the problem is with:

ip rule add fwmark 5 table 5

It's not working with the packet MARK ....

Now I have a solution; I am looking into this just because I would like to know
why it's not working with the packet fwmark.

Guillaume
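The two ways of steering one LAN host out through the second ISP that this thread compares (an ip rule on the source address, and an ip rule on an fwmark set in mangle PREROUTING), written out side by side as an added example that is not code from the thread, together with the commands a practitioner would run to see which table the kernel actually picks. Assumed, following the thread: LAN 10.117.71.0/24 on eth0, ISP2 on eth2 with public address 5.6.7.8 and gateway 5.6.7.9, 10.117.71.190 as the host that should leave via ISP2, table 5 and mark 5; the function names, the DRY_RUN switch and the 203.0.113.1 probe address are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed layout following the thread:
# LAN 10.117.71.0/24 on eth0; ISP2 on eth2 with public address 5.6.7.8 and
# gateway 5.6.7.9; 10.117.71.190 is the host that should leave via ISP2.
# Table 5 and mark 5 are the values the thread uses.
LAN_NET=10.117.71.0/24; LAN_IF=eth0
ISP2_IF=eth2; ISP2_IP=5.6.7.8; ISP2_GW=5.6.7.9
SPECIAL=10.117.71.190; TABLE=5; MARK=5
PROBE=203.0.113.1   # documentation address standing in for "any external IP"

# DRY_RUN=1 prints the commands instead of executing them, so the plan can be
# reviewed (and tested) without root.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Table 5 needs the LAN route as well as the default, otherwise a lookup in it
# has no way back to the LAN.
fill_table() {
  run ip route add "$LAN_NET" dev "$LAN_IF" table "$TABLE"
  run ip route add default via "$ISP2_GW" dev "$ISP2_IF" table "$TABLE"
}
# Variant A: select the table by source address (what the thread reports working).
setup_by_source() {
  fill_table
  run ip rule add from "$SPECIAL" table "$TABLE"
  run iptables -t nat -A POSTROUTING -o "$ISP2_IF" -j SNAT --to "$ISP2_IP"
  run ip route flush cache   # 2.6 kernels keep a route cache; flush after rule changes
}
# Variant B: select the table by fwmark. The mark is set in mangle PREROUTING,
# which runs before the routing decision for forwarded packets, and the ip rule
# must use the same mark value.
setup_by_mark() {
  fill_table
  run iptables -t mangle -A PREROUTING -s "$SPECIAL" -j MARK --set-mark "$MARK"
  run ip rule add fwmark "$MARK" table "$TABLE"
  run iptables -t nat -A POSTROUTING -o "$ISP2_IF" -j SNAT --to "$ISP2_IP"
  run ip route flush cache
}
# Checks: which route would the kernel pick for a forwarded packet from the
# special host, and for a packet carrying the mark ("ip route get ... mark"
# needs a reasonably recent iproute2)? Reverse-path filtering on the ISP2
# link can silently drop replies, so show its setting too.
verify() {
  run ip rule show
  run ip route show table "$TABLE"
  run ip route get "$PROBE" from "$SPECIAL" iif "$LAN_IF"
  run ip route get "$PROBE" mark "$MARK"
  run sysctl net.ipv4.conf."$ISP2_IF".rp_filter
}
case "${1:-}" in source) setup_by_source ;; mark) setup_by_mark ;; check) verify ;; esac
```

Run as `DRY_RUN=1 sh script.sh mark` to review the plan, then as root with `source`, `mark` or `check`; if the `ip route get` line for the mark does not name table 5 while the one for the source address does, the mark is not reaching the routing decision.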
