Hi

Here is a short description of my network:

 ppp0 (adsl)      ppp1 (adsl)
      |                |
      |                |
  ---------------------
  |      Router       |
  |     Firewall      |
  |    MASQUERADE     |
  |       DNAT        |
  |                   |
  |       eth0        |
  ---------------------
            |
            |
  ----------------------
  |                    |
 Local          Web and Mail
 Network           Server

I forward all incoming connections for HTTP and SMTP to my server by using a DNAT translation. But I encounter a problem: all answers are routed to my default gateway (ppp0). If the connections come from ppp0 there is no problem, but if the connections come from ppp1, the client never gets an answer.

I have de-activated rp_filtering, but it seems that one of my providers uses this feature, and of course, this should be the default gateway! So I'm looking for a way to route the packets to the right interface. Google gave me some solutions but none of them are working.

Here are my iptables:

# Generated by iptables-save v1.2.11 on Fri Nov 25 12:21:59 2005
*filter
:INPUT DROP [2:184]
:FORWARD DROP [0:0]
:OUTPUT DROP [3:188]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j LOG
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -d 255.255.255.255 -i br0 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -i br0 -j ACCEPT
-A INPUT -d 224.0.0.0/240.0.0.0 -i br0 -p ! tcp -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -i ppp1 -j LOG
-A INPUT -s 192.168.1.0/255.255.255.0 -i ppp1 -j DROP
-A INPUT -s 192.168.1.0/255.255.255.0 -i ppp0 -j LOG
-A INPUT -s 192.168.1.0/255.255.255.0 -i ppp0 -j DROP
-A INPUT -d 255.255.255.255 -i ppp1 -j ACCEPT
-A INPUT -d 255.255.255.255 -i ppp0 -j ACCEPT
-A INPUT -d 213.41.177.180 -i ppp1 -j ACCEPT
-A INPUT -d 193.253.54.64 -i ppp0 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -d 192.168.1.100 -i ppp1 -p tcp -m tcp --dport 4662 -j ACCEPT
-A FORWARD -d 192.168.1.100 -i ppp0 -p tcp -m tcp --dport 4662 -j ACCEPT
-A FORWARD -d 192.168.1.100 -i ppp1 -p udp -m udp --dport 4672 -j ACCEPT
-A FORWARD -d 192.168.1.100 -i ppp0 -p udp -m udp --dport 4672 -j ACCEPT
-A FORWARD -d 192.168.1.100 -i ppp1 -p tcp -m tcp --dport 5500 -j ACCEPT
-A FORWARD -d 192.168.1.100 -i ppp0 -p tcp -m tcp --dport 5500 -j ACCEPT
-A FORWARD -d 192.168.1.5 -i ppp1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.1.5 -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.1.4 -i ppp1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.1.4 -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.1.4 -i ppp1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.1.4 -i ppp0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.1.4 -i ppp1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -d 192.168.1.4 -i ppp0 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -i br0 -o ppp1 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -i br0 -o ppp0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp1 -j LOG
-A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp1 -j DROP
-A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp0 -j LOG
-A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp0 -j DROP
-A FORWARD -j LOG
-A FORWARD -j DROP
-A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 255.255.255.255 -o br0 -j ACCEPT
-A OUTPUT -d 192.168.1.0/255.255.255.0 -o br0 -j ACCEPT
-A OUTPUT -d 224.0.0.0/240.0.0.0 -o br0 -p ! tcp -j ACCEPT
-A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp1 -j LOG
-A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp1 -j DROP
-A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp0 -j LOG
-A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp0 -j DROP
-A OUTPUT -d 255.255.255.255 -o ppp1 -j ACCEPT
-A OUTPUT -d 255.255.255.255 -o ppp0 -j ACCEPT
-A OUTPUT -s ipofppp1 -o ppp1 -j ACCEPT
-A OUTPUT -s ipofppp0 -o ppp0 -j ACCEPT
-A OUTPUT -j LOG
-A OUTPUT -j DROP
COMMIT
# Completed on Fri Nov 25 12:21:59 2005
# Generated by iptables-save v1.2.11 on Fri Nov 25 12:21:59 2005
*mangle
:PREROUTING ACCEPT [13497:7096745]
:INPUT ACCEPT [119515:10818662]
:FORWARD ACCEPT [2263653:1380696494]
:OUTPUT ACCEPT [3681:323141]
:POSTROUTING ACCEPT [2445397:1397479483]
-A PREROUTING -i ppp0 -m state --state NEW -j MARK --set-mark 0x1
-A PREROUTING -i ppp1 -m state --state NEW -j MARK --set-mark 0x2
-A PREROUTING -j CONNMARK --save-mark
-A POSTROUTING -j CONNMARK --restore-mark
COMMIT
# Completed on Fri Nov 25 12:21:59 2005
# Generated by iptables-save v1.2.11 on Fri Nov 25 12:21:59 2005
*nat
:PREROUTING ACCEPT [169:12721]
:POSTROUTING ACCEPT [339:27714]
:OUTPUT ACCEPT [279:22659]
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 192.168.1.100:4662
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 192.168.1.100:4662
-A PREROUTING -i ppp1 -p udp -m udp --dport 4672 -j DNAT --to-destination 192.168.1.100:4672
-A PREROUTING -i ppp0 -p udp -m udp --dport 4672 -j DNAT --to-destination 192.168.1.100:4672
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 5500 -j DNAT --to-destination 192.168.1.100:5500
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 5500 -j DNAT --to-destination 192.168.1.100:5500
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 666 -j DNAT --to-destination 192.168.1.5:22
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 666 -j DNAT --to-destination 192.168.1.5:22
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 667 -j DNAT --to-destination 192.168.1.4:22
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 667 -j DNAT --to-destination 192.168.1.4:22
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.4:25
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.4:25
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp1 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
COMMIT
# Completed on Fri Nov 25 12:21:59 2005

And for my route table:

~> ip rule
0:      from all lookup local
32764:  from all fwmark 0x2 lookup nerim
32765:  from all fwmark 0x1 lookup wanadoo
32766:  from all lookup main
32767:  from all lookup default

~> ip route list
80.10.246.1 dev ppp0  scope link
80.10.246.132 dev ppp0  scope link
62.4.16.245 dev ppp1  proto kernel  scope link  src 213.41.177.180
64.4.17.69 dev ppp1  scope link
64.4.16.70 dev ppp1  scope link
193.253.160.3 dev ppp0  proto kernel  scope link  src 193.253.54.64
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
default dev ppp1  scope link

~> ip route list table nerim
192.168.1.0 dev br0  scope link
default dev ppp1  scope link

~> ip route list table wanadoo
192.168.1.0 dev br0  scope link
default dev ppp0  scope link

I believe this should work, but no.

tcpdump gives me something like this:

12:35:04.073949 IP 82.227.29.100.32983 > 213.41.177.180.80: tcp 0
12:35:04.074092 IP 82.227.29.100.32983 > 192.168.1.4.80: tcp 0
12:35:07.072874 IP 82.227.29.100.32983 > 213.41.177.180.80: tcp 0
12:35:07.072997 IP 82.227.29.100.32983 > 192.168.1.4.80: tcp 0

Which means that my packets are sent to the right server, but I never get an answer.

Everything works when I delete the rules below:

32764:  from all fwmark 0x2 lookup nerim
32765:  from all fwmark 0x1 lookup wanadoo

My questions are:
- Did I make a mistake somewhere, or did I misunderstand something (CERTAINLY)? Where?
- What can I do to solve this problem?

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
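An added example, not part of the original message, that models the kernel's policy-routing decision in Python over the ip rule priorities and routing tables quoted above, so the two things a reader would check in this configuration can be traced packet by packet: the nerim and wanadoo tables list 192.168.1.0 with no prefix length, which is how ip route prints a /32 host route, so a DNATed packet for 192.168.1.4 misses it and falls through to each table's default route; and CONNMARK --restore-mark in POSTROUTING runs after the routing decision, so replies from the LAN server are routed with fwmark 0. The FIXED tables and the restore_in_prerouting flag are assumed corrections for comparison, not something the post contains.

```python
import ipaddress

# Routing tables as posted, table name -> [(prefix, out_dev)].
# "192.168.1.0 dev br0" with no prefix length is what `ip route` prints for
# a /32 host route, so nerim/wanadoo only cover the address 192.168.1.0.
POSTED = {
    "main":    [("192.168.1.0/24", "br0"), ("0.0.0.0/0", "ppp1")],
    "nerim":   [("192.168.1.0/32", "br0"), ("0.0.0.0/0", "ppp1")],
    "wanadoo": [("192.168.1.0/32", "br0"), ("0.0.0.0/0", "ppp0")],
}
# Assumed correction: the whole LAN prefix in every table.
FIXED = {name: [("192.168.1.0/24", "br0")] + tbl[1:] for name, tbl in POSTED.items()}
# `ip rule` order from the post: fwmark 0x2 -> nerim, 0x1 -> wanadoo, then main.
RULES = [(0x2, "nerim"), (0x1, "wanadoo"), (None, "main")]
WAN_MARK = {"ppp0": 0x1, "ppp1": 0x2}   # marks set by the mangle PREROUTING rules

def lookup(table, dst):
    """Longest-prefix match within one table; None if nothing matches."""
    ip, best = ipaddress.ip_address(dst), None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best and best[1]

def route(tables, dst, fwmark=0):
    """Walk the rules in priority order, as the kernel FIB lookup does."""
    for mark, name in RULES:
        if mark is None or mark == fwmark:
            dev = lookup(tables[name], dst)
            if dev:
                return dev
    return None

def forwarded_syn_dev(tables, wan_if, dnat_dst="192.168.1.4"):
    """Inbound SYN: marked in mangle PREROUTING, DNATed in nat PREROUTING,
    then routed. Returns the device the DNATed SYN leaves on."""
    return route(tables, dnat_dst, WAN_MARK[wan_if])

def reply_dev(tables, wan_if, restore_in_prerouting, client="82.227.29.100"):
    """Reply from the LAN server enters on br0. The saved connmark only
    influences routing if it is restored before the routing decision
    (mangle PREROUTING); restoring in POSTROUTING, as posted, is too late."""
    fwmark = WAN_MARK[wan_if] if restore_in_prerouting else 0
    return route(tables, client, fwmark)
```

With the posted tables a SYN arriving on ppp1 for 192.168.1.4 is routed back out ppp1 instead of br0, which matches the tcpdump above showing the DNATed packet with no reply.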