RE: Ip route cache problem

Linux Advanced Routing and Traffic Control

Hello,
I need some help with a routing problem on a complex configuration.

The problem is that, from my DMZ, I can't reach services outside.

The scenario is a gateway linked to three internet connections, so I use three distinct iproute2 tables for routing. The gateway runs IPVS to balance over the DMZ's servers.

DMZ servers are on the 192.168.1.0/24 network.

Every table has the route to reach it:
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1

I'm using iptables to NAT a server in my DMZ so it can reach DNS services outside:
iptables -t nat -A POSTROUTING -p tcp -s 192.168.1.0/24 -d 151.99.0.100 --dport 53 -j SNAT --to-source 81.77.88.99

Have you tried using DNAT from iptables? DNAT is done in PREROUTING, and if you have a DNS service you need to make the outside service's connection connect to your DNS server!

Looking inside the cache, I find only the route to reach the DNS server, but not the one that the DNS server needs to reach my server:
151.99.0.100 from 192.168.1.2 via 81.77.88.100 dev eth2  src 192.168.1.249
   cache <src-direct>  mtu 1500 advmss 1460 metric10 64 iif eth0

I experienced in the past that re-entering the iptables NAT command worked, but it seems to be a random effect and does not always work.

Thanks in advance,
Luca Maragnani

Popovici Ionut
IT & Network Administrator, ISP TOPALL SRL
Stefan cel Mare, Bl.13, Roman, Neamt, 5550, Romania
tel (work): +40-233-742419, fax: +40-233-744881
http://www.topall.ro
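The thread turns on two things: what the route-cache entry above actually says, and whether the posted SNAT rule covers the traffic the DMZ host sends. The `from 192.168.1.2` in the cache line is the real packet source; the trailing `src 192.168.1.249` is only the kernel's preferred address for traffic the gateway itself originates, and routing picks it before POSTROUTING runs, so a private `src` in the cache is expected and is not the leak. What does decide whether a private address leaves an uplink is the nat table, where the first matching SNAT rule wins, and the rule as posted matches `-p tcp --dport 53` only, so DNS over UDP 53 from the same host would not be translated. The script below is an added example, not code from the post or from the LARTC project: it parses a route entry in `ip route get` / route-cache syntax and SNAT rules in `iptables -t nat -S POSTROUTING` syntax, then reports for a given protocol and port whether the flow is SNATed, leaks an RFC 1918 source out an uplink, or leaves untranslated. The sample route and rule are constructed from the post; the uplink set `eth1`/`eth2`/`eth3` is an assumption (only `eth2` appears in the post), and negated iptables matches are rejected rather than modelled.

```python
"""Egress check for a multi-homed Linux gateway: will a forwarded flow leave
an uplink source-NATed, or would an RFC 1918 address leak out?

Added example (not code from the post or from the LARTC project). Models
netfilter's first-match semantics for the nat POSTROUTING chain.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Assumption: the three internet-facing interfaces. eth2 appears in the
# post; eth1 and eth3 are made-up names for the other two uplinks.
UPLINKS = {"eth1", "eth2", "eth3"}

# Constructed sample, copied from the route-cache entry in the post.
SAMPLE_ROUTE = """151.99.0.100 from 192.168.1.2 via 81.77.88.100 dev eth2  src 192.168.1.249
    cache <src-direct>  mtu 1500 advmss 1460 metric10 64 iif eth0"""

# Constructed sample: the post's SNAT rule as `iptables -t nat -S` prints it.
SAMPLE_RULES = """\
-A POSTROUTING -s 192.168.1.0/24 -d 151.99.0.100/32 -p tcp -m tcp --dport 53 -j SNAT --to-source 81.77.88.99
"""


@dataclass
class Flow:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    out_dev: str


@dataclass
class SnatRule:
    src: Optional[ipaddress.IPv4Network]
    dst: Optional[ipaddress.IPv4Network]
    proto: Optional[str]
    dport: Optional[int]
    out_dev: Optional[str]
    to_source: str


def parse_route(text: str) -> dict:
    """Parse one route entry (first line plus indented continuation lines).

    `ip route` prints the destination first, then `keyword value` pairs; the
    one exception is `cache <flags>`. Unknown keywords (e.g. `metric10`) are
    kept verbatim. Returns a dict keyed by keyword, destination under "dst"."""
    tokens = text.split()
    route = {"dst": tokens[0], "cache_flags": []}
    i = 1
    while i < len(tokens):
        key = tokens[i]
        if key == "cache":
            if i + 1 < len(tokens) and tokens[i + 1].startswith("<"):
                route["cache_flags"] = tokens[i + 1].strip("<>").split(",")
                i += 1
            i += 1
            continue
        if i + 1 >= len(tokens):
            break
        route[key] = tokens[i + 1]
        i += 2
    return route


def parse_snat_rule(line: str) -> Optional[SnatRule]:
    """Parse one `iptables -S` line; returns None unless its target is SNAT."""
    args = shlex.split(line)
    if "!" in args:
        raise ValueError("negated matches are not modelled: %s" % line)
    opts = {}
    i = 0
    while i < len(args):
        if args[i].startswith("-") and i + 1 < len(args):
            opts[args[i]] = args[i + 1]
            i += 2
        else:
            i += 1
    if opts.get("-j") != "SNAT":
        return None

    def net(key):
        return ipaddress.ip_network(opts[key], strict=False) if key in opts else None

    return SnatRule(src=net("-s"), dst=net("-d"), proto=opts.get("-p"),
                    dport=int(opts["--dport"]) if "--dport" in opts else None,
                    out_dev=opts.get("-o"), to_source=opts["--to-source"])


def rule_matches(rule: SnatRule, flow: Flow) -> bool:
    """Every match the rule specifies must hold; omitted ones are wildcards."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return ((rule.src is None or src in rule.src)
            and (rule.dst is None or dst in rule.dst)
            and (rule.proto is None or rule.proto == flow.proto)
            and (rule.dport is None or rule.dport == flow.dport)
            and (rule.out_dev is None or rule.out_dev == flow.out_dev))


def egress_check(route_text: str, rules_text: str, proto: str, dport: int) -> dict:
    """Which source address will this flow carry when it leaves `dev`?

    The route's `from` is the real packet source (the DMZ host); its `src`
    is only the preferred address for locally generated traffic, chosen
    before POSTROUTING, so it is ignored. First matching SNAT rule wins."""
    route = parse_route(route_text)
    flow = Flow(src=route["from"], dst=route["dst"], proto=proto,
                dport=dport, out_dev=route["dev"])
    rules = [r for r in map(parse_snat_rule, rules_text.strip().splitlines()) if r]
    for rule in rules:
        if rule_matches(rule, flow):
            return {"flow": flow, "verdict": "snat", "source": rule.to_source}
    leaks = ipaddress.ip_address(flow.src).is_private and flow.out_dev in UPLINKS
    return {"flow": flow, "verdict": "leak" if leaks else "untranslated",
            "source": flow.src}


if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        r = egress_check(SAMPLE_ROUTE, SAMPLE_RULES, proto, 53)
        print(proto, 53, "->", r["verdict"], "source", r["source"])
```

Run against the sample, TCP/53 is reported as SNATed to 81.77.88.99 while UDP/53 (and any other port) is reported as a leak, which is the check to make before looking further at the routing tables; on the real box compare the verdict with the packet counters from `iptables -t nat -L POSTROUTING -v -n`.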

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
