Oh, I forgot important information: I use Debian stable with iptables v1.2.11 (from the deb package) and a kernel 2.6.14.2 (recompiled).
I just tried another approach, without success. I tried to use conntrack but it seems not to work either.

-A PREROUTING -m conntrack --ctorigdst 193.253.54.64 -j MARK --set-mark 0x1
-A PREROUTING -m conntrack --ctorigdst 213.41.177.180 -j MARK --set-mark 0x2

Idem with CONNMARK (corrected in the right order):

-A PREROUTING -j CONNMARK --restore-mark
-A PREROUTING -m mark ! --mark 0x0 -j ACCEPT
-A PREROUTING -i ppp0 -j CONNMARK --set-mark 0x1
-A PREROUTING -i ppp1 -j CONNMARK --set-mark 0x2
-A PREROUTING -j CONNMARK --save-mark

These 2 samples don't match my outgoing DNATed packets. I have made tests with tcpdump on my 2 ppp interfaces. Each time, the outgoing packets go through the default gateway, as if the packets were not marked.

> -----Original Message-----
> From: lartc-bounces@xxxxxxxxxxxxxxx [mailto:lartc-bounces@xxxxxxxxxxxxxxx]
> On behalf of Benoit DELAGARDE
> Sent: Friday 25 November 2005 13:33
> To: lartc@xxxxxxxxxxxxxxx
> Subject: 2 WAN links and DNAT
>
> Hi
>
> Here is a short description of my network:
>
>    ppp0 (adsl)         ppp1 (adsl)
>         |                   |
>         |                   |
>   ----------------------------
>   |         Router           |
>   |        Firewall          |
>   |       MASQUERADE         |
>   |         DNAT             |
>   |                          |
>   |         eth0             |
>   ----------------------------
>               |
>               |
>               |
>     ----------------------
>     |                    |
>   Local            Web and Mail
>   Network             Server
>
>
> I forward all incoming connections for HTTP and SMTP to my server by using a
> DNAT translation.
> But I encounter a problem: all answers are routed to my default gateway
> (ppp0).
> If the connections come from ppp0, no problem, but if the connections come
> from ppp1, the client never gets an answer.
> I have de-activated rp_filtering but it seems that one of my providers uses
> this feature, and of course, this should be the default gateway!
>
> So I'm looking for a way to route the packets to the right interface.
> Google gave me some solutions but none of them are working.
>
>
> Here are my iptables:
>
> # Generated by iptables-save v1.2.11 on Fri Nov 25 12:21:59 2005
> *filter
> :INPUT DROP [2:184]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [3:188]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j LOG
> -A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
> -A INPUT -d 255.255.255.255 -i br0 -j ACCEPT
> -A INPUT -s 192.168.1.0/255.255.255.0 -i br0 -j ACCEPT
> -A INPUT -d 224.0.0.0/240.0.0.0 -i br0 -p ! tcp -j ACCEPT
> -A INPUT -s 192.168.1.0/255.255.255.0 -i ppp1 -j LOG
> -A INPUT -s 192.168.1.0/255.255.255.0 -i ppp1 -j DROP
> -A INPUT -s 192.168.1.0/255.255.255.0 -i ppp0 -j LOG
> -A INPUT -s 192.168.1.0/255.255.255.0 -i ppp0 -j DROP
> -A INPUT -d 255.255.255.255 -i ppp1 -j ACCEPT
> -A INPUT -d 255.255.255.255 -i ppp0 -j ACCEPT
> -A INPUT -d 213.41.177.180 -i ppp1 -j ACCEPT
> -A INPUT -d 193.253.54.64 -i ppp0 -j ACCEPT
> -A INPUT -j LOG
> -A INPUT -j DROP
> -A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
> -A FORWARD -d 192.168.1.100 -i ppp1 -p tcp -m tcp --dport 4662 -j ACCEPT
> -A FORWARD -d 192.168.1.100 -i ppp0 -p tcp -m tcp --dport 4662 -j ACCEPT
> -A FORWARD -d 192.168.1.100 -i ppp1 -p udp -m udp --dport 4672 -j ACCEPT
> -A FORWARD -d 192.168.1.100 -i ppp0 -p udp -m udp --dport 4672 -j ACCEPT
> -A FORWARD -d 192.168.1.100 -i ppp1 -p tcp -m tcp --dport 5500 -j ACCEPT
> -A FORWARD -d 192.168.1.100 -i ppp0 -p tcp -m tcp --dport 5500 -j ACCEPT
> -A FORWARD -d 192.168.1.5 -i ppp1 -p tcp -m tcp --dport 22 -j ACCEPT
> -A FORWARD -d 192.168.1.5 -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
> -A FORWARD -d 192.168.1.4 -i ppp1 -p tcp -m tcp --dport 22 -j ACCEPT
> -A FORWARD -d 192.168.1.4 -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
> -A FORWARD -d 192.168.1.4 -i ppp1 -p tcp -m tcp --dport 80 -j ACCEPT
> -A FORWARD -d 192.168.1.4 -i ppp0 -p tcp -m tcp --dport 80 -j ACCEPT
> -A FORWARD -d 192.168.1.4 -i ppp1 -p tcp -m tcp --dport 25 -j ACCEPT
> -A FORWARD -d 192.168.1.4 -i ppp0 -p tcp -m tcp --dport 25 -j ACCEPT
> -A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j ACCEPT
> -A FORWARD -s 192.168.1.0/255.255.255.0 -i br0 -o ppp1 -j ACCEPT
> -A FORWARD -s 192.168.1.0/255.255.255.0 -i br0 -o ppp0 -j ACCEPT
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp1 -j LOG
> -A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp1 -j DROP
> -A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp0 -j LOG
> -A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp0 -j DROP
> -A FORWARD -j LOG
> -A FORWARD -j DROP
> -A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -d 255.255.255.255 -o br0 -j ACCEPT
> -A OUTPUT -d 192.168.1.0/255.255.255.0 -o br0 -j ACCEPT
> -A OUTPUT -d 224.0.0.0/240.0.0.0 -o br0 -p ! tcp -j ACCEPT
> -A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp1 -j LOG
> -A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp1 -j DROP
> -A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp0 -j LOG
> -A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp0 -j DROP
> -A OUTPUT -d 255.255.255.255 -o ppp1 -j ACCEPT
> -A OUTPUT -d 255.255.255.255 -o ppp0 -j ACCEPT
> -A OUTPUT -s ipofppp1 -o ppp1 -j ACCEPT
> -A OUTPUT -s ipofppp0 -o ppp0 -j ACCEPT
> -A OUTPUT -j LOG
> -A OUTPUT -j DROP
> COMMIT
> # Completed on Fri Nov 25 12:21:59 2005
> # Generated by iptables-save v1.2.11 on Fri Nov 25 12:21:59 2005
> *mangle
> :PREROUTING ACCEPT [13497:7096745]
> :INPUT ACCEPT [119515:10818662]
> :FORWARD ACCEPT [2263653:1380696494]
> :OUTPUT ACCEPT [3681:323141]
> :POSTROUTING ACCEPT [2445397:1397479483]
> -A PREROUTING -i ppp0 -m state --state NEW -j MARK --set-mark 0x1
> -A PREROUTING -i ppp1 -m state --state NEW -j MARK --set-mark 0x2
> -A PREROUTING -j CONNMARK --save-mark
> -A POSTROUTING -j CONNMARK --restore-mark
> COMMIT
> # Completed on Fri Nov 25 12:21:59 2005
> # Generated by iptables-save v1.2.11 on Fri Nov 25 12:21:59 2005
> *nat
> :PREROUTING ACCEPT [169:12721]
> :POSTROUTING ACCEPT [339:27714]
> :OUTPUT ACCEPT [279:22659]
> -A PREROUTING -i ppp1 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 192.168.1.100:4662
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 192.168.1.100:4662
> -A PREROUTING -i ppp1 -p udp -m udp --dport 4672 -j DNAT --to-destination 192.168.1.100:4672
> -A PREROUTING -i ppp0 -p udp -m udp --dport 4672 -j DNAT --to-destination 192.168.1.100:4672
> -A PREROUTING -i ppp1 -p tcp -m tcp --dport 5500 -j DNAT --to-destination 192.168.1.100:5500
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 5500 -j DNAT --to-destination 192.168.1.100:5500
> -A PREROUTING -i ppp1 -p tcp -m tcp --dport 666 -j DNAT --to-destination 192.168.1.5:22
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 666 -j DNAT --to-destination 192.168.1.5:22
> -A PREROUTING -i ppp1 -p tcp -m tcp --dport 667 -j DNAT --to-destination 192.168.1.4:22
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 667 -j DNAT --to-destination 192.168.1.4:22
> -A PREROUTING -i ppp1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
> -A PREROUTING -i ppp1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.4:25
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.4:25
> -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp1 -j MASQUERADE
> -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
> COMMIT
> # Completed on Fri Nov 25 12:21:59 2005
>
>
> And for my route table:
>
> ~> ip rule
> 0:      from all lookup local
> 32764:  from all fwmark 0x2 lookup nerim
> 32765:  from all fwmark 0x1 lookup wanadoo
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> ~> ip route list
> 80.10.246.1 dev ppp0  scope link
> 80.10.246.132 dev ppp0  scope link
> 62.4.16.245 dev ppp1  proto kernel  scope link  src 213.41.177.180
> 64.4.17.69 dev ppp1  scope link
> 64.4.16.70 dev ppp1  scope link
> 193.253.160.3 dev ppp0  proto kernel  scope link  src 193.253.54.64
> 192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
> default dev ppp1  scope link
>
> ~> ip route list table nerim
> 192.168.1.0 dev br0  scope link
> default dev ppp1  scope link
>
> ~> ip route list table wanadoo
> 192.168.1.0 dev br0  scope link
> default dev ppp0  scope link
>
>
> I believe this should work, but no.
> tcpdump gives me something like this:
>
> 12:35:04.073949 IP 82.227.29.100.32983 > 213.41.177.180.80: tcp 0
> 12:35:04.074092 IP 82.227.29.100.32983 > 192.168.1.4.80: tcp 0
> 12:35:07.072874 IP 82.227.29.100.32983 > 213.41.177.180.80: tcp 0
> 12:35:07.072997 IP 82.227.29.100.32983 > 192.168.1.4.80: tcp 0
>
> Which means that my packets are sent to the right server, but I never get an
> answer.
> All works when I delete the rules below:
> 32764:  from all fwmark 0x2 lookup nerim
> 32765:  from all fwmark 0x1 lookup wanadoo
>
>
> My questions are:
> - Did I make a mistake somewhere, or did I misunderstand
>   something (CERTAINLY)? Where?
> - What can I do to solve this problem?
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
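The reply-routing setup this thread is about (mark inbound connections per WAN link, carry the mark in conntrack, and restore it onto the server's replies before the routing decision), as an added example that is not from either message. It reuses the post's interface names, marks and table names; the LAN prefix, the APPLY switch and the function names are constructed here, and the table names are assumed to exist in /etc/iproute2/rt_tables.

```shell
#!/bin/sh
# Added example, not from the thread: mangle rules plus policy-routing commands
# so that replies to DNATed connections leave via the WAN link they arrived on.
# Assumed (constructed): ppp0/ppp1/br0, marks 0x1/0x2 and tables wanadoo/nerim
# follow the post; LAN_NET and the APPLY switch are this script's own.
set -e

WAN0=ppp0; MARK0=0x1; TABLE0=wanadoo
WAN1=ppp1; MARK1=0x2; TABLE1=nerim
LAN_IF=br0; LAN_NET=192.168.1.0/24

# Mangle table in iptables-restore format. The connection mark must be put back
# on the packet in PREROUTING, before the routing decision: a restore done in
# POSTROUTING runs after the route (and so the egress interface) is chosen.
mangle_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
# 1. Copy the saved connection mark onto every packet (replies from br0 too).
-A PREROUTING -j CONNMARK --restore-mark
# 2. Already classified: nothing more to do.
-A PREROUTING -m mark ! --mark 0x0 -j ACCEPT
# 3. Classify the first packet of each inbound connection by ingress link.
-A PREROUTING -i $WAN0 -m state --state NEW -j MARK --set-mark $MARK0
-A PREROUTING -i $WAN1 -m state --state NEW -j MARK --set-mark $MARK1
# 4. Save the packet mark into the conntrack entry for the reply direction.
-A PREROUTING -m mark ! --mark 0x0 -j CONNMARK --save-mark
COMMIT
EOF
}

# Per-link tables: each needs the LAN route as well as its own default route,
# otherwise marked traffic towards the LAN would be sent out the WAN link.
routing_cmds() {
    cat <<EOF
ip rule add fwmark $MARK0 table $TABLE0
ip rule add fwmark $MARK1 table $TABLE1
ip route add $LAN_NET dev $LAN_IF table $TABLE0
ip route add default dev $WAN0 table $TABLE0
ip route add $LAN_NET dev $LAN_IF table $TABLE1
ip route add default dev $WAN1 table $TABLE1
ip route flush cache
EOF
}

# Apply only on request (APPLY=1); otherwise the functions just emit the rules.
if [ "${APPLY:-0}" = 1 ]; then
    mangle_rules | grep -v '^#' | iptables-restore --noflush
    routing_cmds | sh -e
fi
```

Run with APPLY=1 as root on the router; without it, `mangle_rules` and `routing_cmds` can be inspected with `sh -c '. ./script.sh; mangle_rules; routing_cmds'` before anything is changed.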