Re: need help on multiple isp routing

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

i finally made it! yeeee-ha! it works! the only thing i have to configure is how to make those 2 links to use their own DNS servers, as ISP's1 servers do not answer queries from ISP's2 ip address and vise versa. i run BIND (as caching and also for my local zone) on my router configured to forward requests to ISP's1 DNS servers. i really don't want to run 2 copies of BIND with forwarders of ISP2 as the only difference in configuration. would anybody come up with a more elegant solution on that issue? i'm sure it is not nice to specify both ISP's servers as forwarders for a single server as the server itself uses default gateway of ISP1. and then about services installed on a router machine itself - ftp, www. they do not seem to listen on ISP's2 ip. any solution besides configuring virtual servers?
here's my firewall script. i'd like if someone would correct me. especially on mangle table as i'm still not sure if i mark packets correctly. 

#!/bin/sh
PPP=(ppp0 ppp1)
IP=(`ifconfig ${PPP[0]}|sed -n 2p|column -s ":" -t|awk '{print $3}'` `ifconfig ${PPP[1]}|sed -n 2p|column -s ":" -t|awk '{print $3}'`) GATEWAY=(`ifconfig ${PPP[0]}|sed -n 2p|column -s ":" -t|awk '{print $5}'` `ifconfig ${PPP[1]}|sed -n 2p|column -s ":" -t|awk '{print $5}'`) 

ip route flush table auxiliary
ip route show table main | grep -Ev ^default \
       | while read ROUTE ; do
       ip route add table auxiliary $ROUTE
done
ip route add table auxiliary default via ${GATEWAY[1]} dev ${PPP[1]}
ip rule add fwmark 0xfc table auxiliary

echo 0 > /proc/sys/net/ipv4/conf/${PPP[0]}/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/${PPP[1]}/rp_filter

iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -A INPUT -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ${PPP[1]} -p tcp -m tcp --dport 20 -j ACCEPT
iptables -A INPUT -i ${PPP[1]} -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -i ${PPP[0]} -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i ${PPP[1]} -p udp -m udp --dport 53 -j ACCEPT
iptables -A INPUT -i ${PPP[0]} -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ${PPP[0]} -p udp -m udp --dport 123 -j ACCEPT
iptables -A INPUT -i ${PPP[1]} -p tcp -m tcp --dport 55000:55500 -j ACCEPT
iptables -A INPUT -i ppp+ -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ${PPP[0]} -p tcp -m tcp --dport 4662 -j ACCEPT
iptables -A FORWARD -i ${PPP[0]} -p tcp -m tcp --dport 4663 -j ACCEPT
iptables -A FORWARD -i ${PPP[0]} -p udp -m udp --dport 4672 -j ACCEPT
iptables -A FORWARD -i ${PPP[0]} -p udp -m udp --dport 4673 -j ACCEPT
iptables -A FORWARD -i ${PPP[0]} -p tcp -m tcp --dport 5000:5010 -j ACCEPT
iptables -A FORWARD -i ${PPP[0]} -p tcp -m tcp --dport 15402 -j ACCEPT
iptables -A FORWARD -i ${PPP[0]} -p udp -m udp --dport 15402 -j ACCEPT
iptables -A FORWARD -i ${PPP[1]} -p tcp -m tcp --dport 15502 -j ACCEPT
iptables -A FORWARD -i ${PPP[1]} -p udp -m udp --dport 15502 -j ACCEPT
iptables -A FORWARD -i ppp+ -m state --state NEW,INVALID -j DROP
iptables -t mangle -A PREROUTING -s 192.168.0.59 -j MARK --set-mark 252 ### iptables -t mangle -A PREROUTING -p icmp -m icmp -j TOS --set-tos Minimize-Delay iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 0:128 -j TOS --set-tos Minimize-Delay iptables -t mangle -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 128: -j TOS --set-tos Maximize-Throughput iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 20 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 21 -j TOS --set-tos Minimize-Delay iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 22 -j TOS --set-tos Minimize-Delay iptables -t mangle -A PREROUTING -p udp -m udp --sport 53 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A PREROUTING -p udp -m udp --sport 123 -j TOS --set-tos Minimize-Delay 
iptables -t mangle -A INPUT -i ${PPP[1]} -j MARK --set-mark 252
#iptables -t mangle -A FORWARD -d 192.168.0.59 -j MARK --set-mark 252
iptables -t mangle -A OUTPUT -o ${PPP[1]} -j MARK --set-mark 252
iptables -t mangle -A OUTPUT -p icmp -m icmp -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 0:128 -j TOS --set-tos Minimize-Delay iptables -t mangle -A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK ACK -m length --length 128: -j TOS --set-tos Maximize-Throughput iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 20 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 21 -j TOS --set-tos Minimize-Delay iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 22 -j TOS --set-tos Minimize-Delay iptables -t mangle -A OUTPUT -p udp -m udp --dport 53 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -j TOS --set-tos Maximize-Throughput iptables -t mangle -A OUTPUT -p udp -m udp --dport 123 -j TOS --set-tos Minimize-Delay 
iptables -t mangle -A POSTROUTING -s 192.168.0.59 -j MARK --set-mark 252
iptables -t nat -A PREROUTING -i ${PPP[0]} -p tcp -m tcp --dport 4662 -j DNAT --to 192.168.0.16:4662 iptables -t nat -A PREROUTING -i ${PPP[0]} -p tcp -m tcp --dport 4663 -j DNAT --to 192.168.0.62:4663 iptables -t nat -A PREROUTING -i ${PPP[0]} -p udp -m udp --dport 4672 -j DNAT --to 192.168.0.16:4672 iptables -t nat -A PREROUTING -i ${PPP[0]} -p udp -m udp --dport 4673 -j DNAT --to 192.168.0.62:4673 iptables -t nat -A PREROUTING -i ${PPP[0]} -p tcp -m tcp --dport 5000:5010 -j DNAT --to 192.168.0.16:5000-5010 iptables -t nat -A PREROUTING -i ${PPP[0]} -p tcp -m tcp --dport 15402 -j DNAT --to 192.168.0.16:15402 iptables -t nat -A PREROUTING -i ${PPP[0]} -p udp -m udp --dport 15402 -j DNAT --to 192.168.0.16:15402 iptables -t nat -A PREROUTING -i ${PPP[1]} -p tcp -m tcp --dport 15502 -j DNAT --to 192.168.0.59:15502 iptables -t nat -A PREROUTING -i ${PPP[1]} -p udp -m udp --dport 15502 -j DNAT --to 192.168.0.59:15502 iptables -t nat -A PREROUTING -i eth2 -p tcp -m tcp -s 192.168.0.16 --dport 80 -j DNAT --to 192.168.0.1:3128 
iptables -t nat -A POSTROUTING -o ${PPP[1]} -s 192.168.0.59 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ${PPP[0]} -s 192.168.0.0/26 -j MASQUERADE 
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux