Re: Routing for multiple uplinks/providers problem.

Linux Advanced Routing and Traffic Control

Nelson

I have not been having any problems with incoming DNAT.

I'm using a somewhat different solution.
I noticed that the returning packets wanted to head for the correct interface, probably because of the conntrack machinery. The problem was that they would then be routed out whatever interface was the default instead of the correct one.

What I basically did was add rules that say: if it's from an interface's IP, go out that interface.
This is the setup for one of the isp interfaces:
# $IFACE holds the uplink interface name (its value is not shown here)
IP="24.196.120.30"
NET="24.196.120.28"
LENGTH=30
ROUTER="24.196.120.29"
BRD="24.196.120.31"
ip link set $IFACE up
ip addr flush dev $IFACE
ip addr add $IP/$LENGTH brd $BRD dev $IFACE
# anything sourced from this ISP's subnet is routed with table isp2
ip rule add prio 201 from $NET/$LENGTH table isp2
ip route add default via $ROUTER dev $IFACE src $IP proto static table isp2
# worse-metric prohibit entry: if the default above disappears (link down),
# the lookup fails here instead of falling through to the main table
ip route append prohibit default table isp2 metric 1 proto static
# call something to fixup default route
/etc/network/defroute

I'm doing some similar tricks to get the IPsec VPN working outgoing from the firewall.

# $IFACE is the internal (LAN) interface here
IP="192.168.2.254"
NET="192.168.2.0"
LENGTH=24
BRD="192.168.2.255"
ip link set $IFACE up
ip addr flush dev $IFACE
ip addr add $IP/$LENGTH brd $BRD dev $IFACE
# next is to make sure local 192.168.x.x traffic goes via eth0:
# remove the old rule at prio 200, rebuild table 200 from scratch
ip rule delete prio 200 table 220
ip route flush table 200
ip route add 192.168.0.0/16 via $IP dev $IFACE table 200
ip rule add prio 200 table 200


Nelson Castillo wrote:

I think I said something wrong in my last message.
You DNAT incoming packets and then SNAT them when
they come back if your Linux router has some server behind it.
I don't know if this is your case (having servers behind the router).

(I needed to top-post here --- maybe not).

On 7/28/05, Nelson Castillo <nelsoneci@xxxxxxxxx> wrote:
Hi John.

On 7/28/05, John McMonagle <johnm@xxxxxxxxxxx> wrote:

Find that if I ping the same site from 2 computers it may work on one
and fail on the other.
Also was surprised that some time they are going out different
interfaces at the same time.
Same symptoms I had.

Have SNAT on both interfaces
When you SNAT incoming packets, you need to do something different
from what is in the HOWTO ([4]) because SNAT is done before the
routing decision (check the Kernel Packet Traveling Diagram [5]).

I had the same problem [1]. The solution is to use conntrack and mark
packets on arrival, and then route them back using the fwmark[2].

There's no need to tell you I had a hard time with this. There should
be a warning about this in the HOWTO (in this page [4]).

The proposed solution I quote in [2] worked for me for the
multiple uplink providers + SNAT problem.

It is (using the same variables that are in the HOWTO [4]):

1) Mark packages on arrival:

iptables -t mangle -A PREROUTING -m conntrack --ctorigdst $IP1 -j MARK --set-mark=1
iptables -t mangle -A PREROUTING -m conntrack --ctorigdst $IP2 -j MARK --set-mark=2

And then use the mark to route the outgoing packages correctly.

ip rule add fwmark 1 table T1
ip rule add fwmark 2 table T2

Regards,
Nelson.-

PS: I solved my problem with IPVS and multiple uplink providers (see [3]).

[1] http://mailman.ds9a.nl/pipermail/lartc/2005q2/016171.html
[2] http://mailman.ds9a.nl/pipermail/lartc/2005q2/016441.html
[3] http://arhuaco.blogspot.com/2005/07/ipvs-and-conntrack.html
[4] http://lartc.org/howto/lartc.rpdb.multiple-links.html
[5] http://www.docum.org/docum.org/kptd/

--
Homepage : http://geocities.com/arhuaco

The first principle is that you must not fool yourself
and you are the easiest person to fool.
    -- Richard Feynman.

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
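The two techniques in this thread fit together: John's per-uplink source rules (with the prohibit fallback) handle traffic the router itself originates, and Nelson's conntrack mark handles SNATed connections whose source is still the private address when the routing decision is made. The script below is an added example, not code from John's or Nelson's posts nor from the HOWTO; interface names, addresses, table names and mark values are constructed placeholders (RFC 5737 documentation ranges). With DRY_RUN=1, the default, it only prints the commands it would issue, so it can be reviewed before being run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example combining the two techniques from the thread (not the posts' own code).
# All addresses, interfaces, table names and marks are constructed placeholders.
# DRY_RUN=1 prints the commands instead of executing them.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_uplink IFACE ADDR NET PREFIXLEN GATEWAY TABLE MARK
# MARK is a small positive integer, unique per uplink; it also sets the
# rule priorities so that the order of rules is deterministic.
setup_uplink() {
    iface=$1; addr=$2; net=$3; len=$4; gw=$5; table=$6; mark=$7

    run ip link set "$iface" up
    run ip addr add "$addr/$len" dev "$iface"

    # Per-uplink table: default via this ISP plus a worse-metric prohibit
    # entry, so a withdrawn default (link down) fails the lookup here instead
    # of falling through to the main table (John's trick).
    run ip route add default via "$gw" dev "$iface" src "$addr" table "$table"
    run ip route append prohibit default metric 1 table "$table"

    # Nelson's trick: a packet whose *original* destination (before any DNAT)
    # was this uplink's address belongs to a connection that arrived on this
    # uplink, so mark every packet of that connection and let the fwmark rule
    # select this table. This catches replies from a DNATed server behind the
    # router, whose source is still private when routing happens.
    run iptables -t mangle -A PREROUTING -m conntrack --ctorigdst "$addr" \
        -j MARK --set-mark "$mark"
    run ip rule add prio $((100 + mark)) fwmark "$mark" table "$table"

    # John's trick: traffic sourced from this uplink's own subnet (the router's
    # own connections) also uses this table. Lower priority than the fwmark
    # rule on purpose; SNATed replies never match a "from" rule.
    run ip rule add prio $((200 + mark)) from "$net/$len" table "$table"

    # SNAT runs after the routing decision, which is why the mark above is
    # needed at all.
    run iptables -t nat -A POSTROUTING -o "$iface" -j SNAT --to-source "$addr"
}

# setup_balanced_default GW1 IF1 GW2 IF2
# Main-table default for new outbound connections that no rule claimed,
# spread over both uplinks (the HOWTO's equal-cost multipath default).
setup_balanced_default() {
    run ip route replace default scope global \
        nexthop via "$1" dev "$2" weight 1 \
        nexthop via "$3" dev "$4" weight 1
}

# Two constructed uplinks; with DRY_RUN=1 this only prints the command list.
setup_uplink eth1 203.0.113.10  203.0.113.8   29 203.0.113.9   isp1 1
setup_uplink eth2 198.51.100.20 198.51.100.16 28 198.51.100.17 isp2 2
setup_balanced_default 203.0.113.9 eth1 198.51.100.17 eth2
```

The priority layout is the part worth checking on a real box with `ip rule show`: the fwmark rules (101, 102) must sit above the source rules (201, 202), and both above the main table, otherwise a reply that belongs to uplink 2 is routed by whichever default the main table currently prefers, which is exactly the symptom both posters describe.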
