Re: need help on multiple isp routing

Linux Advanced Routing and Traffic Control

Could someone take a fresh look at my configuration and then tell me where I took the wrong turn.

Yes, outgoing packets take different routes/gateways based on an IP fwmark/iptables mark. At least I believe they do. But when I run an iftop session (one per ppp interface) I see packets (with the correct outgoing IP) going out and getting replies only on ppp0, while ppp1 only sends (outgoing IP's also correct) and receives but doesn't forward. Some mistake I made in filter input/forward nat prerouting, huh? I don't get it... Should I somehow mark incoming packets as well? I'm lost :( Or drop packets from ppp0 on ppp1 and then ppp1 on ppp0?

#!/bin/bash
# bash is required: the script uses arrays (PPP, IP, GATEWAY), which /bin/sh may not support
PPP=(ppp0 ppp1)
IP=(`ifconfig ${PPP[0]}|sed -n 2p|column -s ":" -t|awk '{print $3}'` `ifconfig ${PPP[1]}|sed -n 2p|column -s ":" -t|awk '{print $3}'`)
GATEWAY=(`ifconfig ${PPP[0]}|sed -n 2p|column -s ":" -t|awk '{print $5}'` `ifconfig ${PPP[1]}|sed -n 2p|column -s ":" -t|awk '{print $5}'`)

route del default
ip route flush table auxiliary
ip route show table main | grep -Ev ^default \
       | while read ROUTE ; do
       ip route add table auxiliary $ROUTE
done
ip route add table auxiliary default via ${GATEWAY[1]} dev ${PPP[1]}
ip route add table main default via ${GATEWAY[0]} dev ${PPP[0]}
ip rule add fwmark 252 table auxiliary
ip rule add fwmark 254 table main

iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -A INPUT -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ppp1 -p tcp -m tcp --dport 20 -j ACCEPT
iptables -A INPUT -i ppp1 -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i ppp+ -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -m udp --dport 123 -j ACCEPT
iptables -A INPUT -i ppp1 -p tcp -m tcp --dport 55000:55500 -j ACCEPT
iptables -A INPUT -i ppp+ -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp0 -p tcp -m tcp --dport 4662 -j ACCEPT
iptables -A FORWARD -i ppp1 -p tcp -m tcp --dport 4663 -j ACCEPT
iptables -A FORWARD -i ppp0 -p udp -m udp --dport 4672 -j ACCEPT
iptables -A FORWARD -i ppp1 -p udp -m udp --dport 4673 -j ACCEPT
iptables -A FORWARD -i ppp0 -p tcp -m tcp --dport 5000:5010 -j ACCEPT
iptables -A FORWARD -i ppp0 -p tcp -m tcp --dport 15402 -j ACCEPT
iptables -A FORWARD -i ppp0 -p udp -m udp --dport 15402 -j ACCEPT
iptables -A FORWARD -i ppp+ -m state --state NEW,INVALID -j DROP
iptables -t mangle -A PREROUTING -s 192.168.0.62 -j MARK --set-mark 252
iptables -t mangle -A PREROUTING -s 192.168.0.16 -j MARK --set-mark 254
iptables -t mangle -A PREROUTING -p icmp -m icmp -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 0:128 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 128: -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 20 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 21 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p udp -m udp --sport 53 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p udp -m udp --sport 123 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p icmp -m icmp -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 0:128 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 128: -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 20 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 21 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 22 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p udp -m udp --dport 53 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p udp -m udp --dport 123 -j TOS --set-tos Minimize-Delay
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 4662 -j DNAT --to 192.168.0.16:4662
iptables -t nat -A PREROUTING -i ppp1 -p tcp -m tcp --dport 4663 -j DNAT --to 192.168.0.62:4663
iptables -t nat -A PREROUTING -i ppp0 -p udp -m udp --dport 4672 -j DNAT --to 192.168.0.16:4672
iptables -t nat -A PREROUTING -i ppp1 -p udp -m udp --dport 4673 -j DNAT --to 192.168.0.62:4673
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 5000:5010 -j DNAT --to 192.168.0.16:5000-5010
iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 15402 -j DNAT --to 192.168.0.16:15402
iptables -t nat -A PREROUTING -i ppp0 -p udp -m udp --dport 15402 -j DNAT --to 192.168.0.16:15402
iptables -t nat -A PREROUTING -i eth2 -p tcp -m tcp -s 192.168.0.16 --dport 80 -j DNAT --to 192.168.0.1:3128
#iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.16 -j MASQUERADE
#iptables -t nat -A POSTROUTING -o ppp1 -s 192.168.0.62 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.16 -j SNAT --to ${IP[0]}
iptables -t nat -A POSTROUTING -o ppp1 -s 192.168.0.62 -j SNAT --to ${IP[1]}
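The routing half of the script above, rewritten as an added example (this is not code from the original post or from the LARTC project). It assumes the same two links (ppp0 with its peer as the main-table default, ppp1 as the default of a table named auxiliary that exists in /etc/iproute2/rt_tables) and the same marks 252 and 254; the interface sample lines are constructed, and with DRY_RUN=1 (the default) the ip commands are printed rather than executed, so the logic can be checked on any machine before it touches a live router. Two things it does differently from the post: addresses are taken from one line of `ip -4 -o addr show dev pppN` instead of the ifconfig/sed/column/awk pipeline, and the fwmark rules are deleted before they are added, because `ip rule add` does not deduplicate and rerunning the post's script stacks identical rules.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: links ppp0/ppp1 with
# point-to-point peers, marks 252/254 and a routing table named "auxiliary"
# (all taken from the post). DRY_RUN=1 prints commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"

# Run a command, or print it verbatim when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ppp_addrs LINE: parse one line of `ip -4 -o addr show dev pppN` output and
# print "LOCAL PEER". Field names are matched, not positions, so the result
# does not depend on column layout the way the ifconfig pipeline does.
ppp_addrs() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i == "inet") addr = $(i + 1)
            if ($i == "peer") { peer = $(i + 1); sub(/\/.*$/, "", peer) }
        }
        if (addr != "" && peer != "") print addr, peer
    }'
}

# setup_routes LOCAL0 PEER0 LOCAL1 PEER1: install both default routes and the
# fwmark rules. Old rules are removed first; "|| true" keeps a missing rule
# from aborting the script under set -e.
setup_routes() {
    peer0="$2"; peer1="$4"
    run ip rule del fwmark 252 table auxiliary 2>/dev/null || true
    run ip rule del fwmark 254 table main 2>/dev/null || true
    run ip route flush table auxiliary
    run ip route replace table auxiliary default via "$peer1" dev ppp1
    run ip route replace table main default via "$peer0" dev ppp0
    run ip rule add fwmark 252 table auxiliary
    run ip rule add fwmark 254 table main
}

# Constructed sample output of `ip -4 -o addr show dev pppN` (not real data).
SAMPLE_PPP0='5: ppp0    inet 10.0.0.5 peer 10.0.0.1/32 scope global ppp0\       valid_lft forever preferred_lft forever'
SAMPLE_PPP1='6: ppp1    inet 10.0.1.9 peer 10.0.1.1/32 scope global ppp1\       valid_lft forever preferred_lft forever'

# Glue: parse both samples and feed the addresses to setup_routes.
main_example() {
    set -- $(ppp_addrs "$SAMPLE_PPP0") $(ppp_addrs "$SAMPLE_PPP1")
    setup_routes "$1" "$2" "$3" "$4"
}

main_example
```

On the live box, `ip rule show` should list each fwmark rule exactly once, and `ip route get <dst> mark 252` shows which table and device a packet carrying that mark would use, which is the quickest way to confirm the mark-to-link mapping before looking at the nat and filter rules. Separately, when a secondary link receives but never forwards, the kernel's reverse-path filter (net.ipv4.conf.ppp1.rp_filter) is worth checking: in strict mode it drops packets whose source address would not be routed back out through the interface they arrived on, and for a link that is only the default of a secondary table that is the normal case for every reply coming in on it.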
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
