Re: Balancing multiple connections and NAT

Linux Advanced Routing and Traffic Control

That's because the route to a host X has been changed. There's a new
routing decision to host X every few minutes or so.

Ways to handle that? Boy, that can be tough. I've read of people who
use a different LAN IP for every public connection. So if you have 3
public connections, you should use three different IPs on the LAN.
Then, when you DNAT packets on the way in (from the internet), you
mark those packets with a different fwmark for each internet
connection. On POSTROUTING do a SNAT according to this fwmark to a
different IP each (remember you have three inner IPs to choose from).
Then when packets come back from your servers, they will be sent to
three different IPs and you can tell packets that should go out one
way or the other.

Now, if you don't care about incoming (to your LAN) connections but
outgoing... I guess you are very much out of luck... unless you use
some policy routing for stateful connections (I think that's the name
of connections that DO care if you change the IP the connection is
going through) so that they use a single interface all the time.

On 2/23/06, Raj Mathur <raju@xxxxxxxxxxxxxxx> wrote:
> Hi,
>
> I have a client connected to the 'net through 3 ISP's.  Have set up a
> Linux box to do routing and load sharing for the 3 connections.  A
> fourth interface is connected to the LAN with private IP addresses.
> Am using iptables to SNAT traffic to the appropriate IP depending on
> the interface the packet gets routed onto.  The setup looks something
> like this:
>
> Interface       IP               Gateway          Table   Network
> ---------       --               -------          -----   -------
> intA            ipA              gwA              tableA  netA
> intB            ipB              gwB              tableB  netB
> intC            ipC              gwC              tableC  netC
> [intD is the LAN interface]
> intD            ipD (private)    no gateway       global  netD
>
> This works fine most of the time, except that once in a while (every
> 5-10 minutes or so) packets going out on (e.g.) intB suddenly start
> getting NAT'ed to source address ipA (i.e. the address of another
> interface).  Obviously this plays hell with the existing connections
> on that link!
>
> The ip commands I'm using are:
>
> /sbin/ip route add netA dev intA src ipA table tableA
> /sbin/ip route add netA dev intA src ipA
> /sbin/ip route add default via gwA table tableA
> /sbin/ip route add netB dev intB src ipB table tableB
> /sbin/ip route add netB dev intB src ipB
> /sbin/ip route add default via gwB table tableB
> /sbin/ip route add netC dev intC src ipC table tableC
> /sbin/ip route add netC dev intC src ipC
> /sbin/ip route add default via gwC table tableC
> /sbin/ip route add default scope global nexthop via gwB dev intB weight 1 nexthop via gwC dev intC weight 2 nexthop via gwA dev intA weight 2
> /sbin/ip rule add from ipA table tableA
> /sbin/ip rule add from ipB table tableB
> /sbin/ip rule add from ipC table tableC
>
> The iptables commands are:
>
> /sbin/iptables -P FORWARD DROP
> # Enable full flow on the LAN
> /sbin/iptables -I FORWARD -s netD -i intD -j ACCEPT
> /sbin/iptables -I FORWARD -d netD -o intD -j ACCEPT
> # Allow all packets to go out
> /sbin/iptables -I OUTPUT -o intA -j ACCEPT
> /sbin/iptables -I OUTPUT -o intB -j ACCEPT
> /sbin/iptables -I OUTPUT -o intC -j ACCEPT
> /sbin/iptables -I OUTPUT -o intD -j ACCEPT
> /sbin/iptables -I INPUT -i intD -j ACCEPT
> /sbin/iptables -I INPUT -i lo -j ACCEPT
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -A INPUT -i ! intD -m state --state RELATED,ESTABLISHED -j ACCEPT
> # Hmmm, why is this one there?
> /sbin/iptables -A INPUT -i intD -m state --state RELATED,ESTABLISHED -j ACCEPT
> # NAT depending on outbound interface
> /sbin/iptables -t nat -A POSTROUTING -s netD -o intA -j SNAT --to-source ipA
> /sbin/iptables -t nat -A POSTROUTING -s netD -o intB -j SNAT --to-source ipB
> /sbin/iptables -t nat -A POSTROUTING -s netD -o intC -j SNAT --to-source ipC
>
> Any idea why connections that are flowing perfectly would suddenly
> decide to start getting NAT'ed to the wrong source?  Or some place on
> the 'net I can start looking?
>
> Regards,
>
> -- Raju
> --
> Raj Mathur                raju@xxxxxxxxxxxxx      http://kandalaya.org/
>        GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
>                       It is the mind that moves
> _______________________________________________
> LARTC mailing list
> LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
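As an added example (not from either poster), here is one way to do what the reply suggests for outbound flows, using the netfilter CONNMARK target instead of the three-internal-IP trick: each connection is tagged with the uplink its first packet was routed out of, and every later packet of that connection is policy-routed by the saved mark, so the SNAT address can no longer flip when the multipath default route re-selects a gateway. The interface, table and address names are the placeholders from Raj's table; the script only prints the commands.

```shell
#!/bin/sh
# Added example: pin each connection to one uplink with a conntrack mark.
# Names (intA, ipA, tableA, netD, ...) are the thread's placeholders.
# The functions print iptables/ip commands; pipe the output to sh to apply.

LAN_NET=netD

# One record per uplink: mark:routing-table:interface:public-address
UPLINKS="1:tableA:intA:ipA 2:tableB:intB:ipB 3:tableC:intC:ipC"

pin_rules() {
    # Packets of an already-classified flow get the connection's mark
    # back before the routing decision, whichever side they arrive from.
    echo "iptables -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark"

    for u in $UPLINKS; do
        mark=${u%%:*};  rest=${u#*:}
        table=${rest%%:*}; rest=${rest#*:}
        ifn=${rest%%:*};  addr=${rest#*:}

        # New outbound flows: the uplink the multipath route picked for the
        # first packet (known only in POSTROUTING) becomes the flow's mark.
        echo "iptables -t mangle -A POSTROUTING -o $ifn -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark"
        # New inbound flows (including DNATed ones) are tagged by arrival
        # interface, so the LAN's replies are routed back out the same ISP.
        echo "iptables -t mangle -A PREROUTING -i $ifn -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark"
        # Marked packets consult that uplink's table, whose default route
        # points at its gateway, before the multipath default is reached.
        echo "ip rule add fwmark $mark table $table"
        # SNAT still follows the output interface, as in the original setup,
        # but the interface is now fixed for the life of the connection.
        echo "iptables -t nat -A POSTROUTING -s $LAN_NET -o $ifn -j SNAT --to-source $addr"
    done
}

pin_rules
```

The existing `ip route ... table tableA/B/C` and `ip rule add from ipX` commands from the original message stay as they are; this only adds the mark-based rules in front of the multipath default.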

