On Sat, 8 Apr 2006 11:07:00 -0500 "Martin A. Brown" <martin-lartc@xxxxxxxxxxxxxx> wrote:

> : Now I put a server behind the Linux box. I want the server to be
> : reachable on an /extra/ IP in the routed subnet of ISP2.
>
> Does server have one or two IP addresses? Best solution? Use two
> IP addresses on server.

Hmmm, one for ISP1 and one for ISP2? That would be a nice idea to
work around this problem :-)

> : When pinging 1.2.3.3, the packets get in through eth1 (ok), but the
> : replies are following the default route through eth0 (wrong)
>
> The problem is routing. Return packets from your server are handled
> in the main routing table. There isn't yet an RPDB entry directing
> traffic from 10.0.0.2 to use table_eth1. Your RPDB entry looks like
> this:
>
> : ip rule add from 1.2.3.3 lookup table_eth1
>
> Try changing this (or adding another rule):
>
> ip rule add from 10.0.0.2 lookup table_eth1

Nope. I already tried that, but no way.

> instead. Now, your server should have Internet access strictly on
> the link handled by ISP2.

No. The packets are returned through ISP1.

> If you would like to handle inbound traffic on both links, then add
> a secondary IP address to your server, and enter another DNAT rule
> which specifies another NAT mapping for the secondary IP.

That's a very nice idea, but packets keep on entering the wrong table
(default). I think it's a bug somewhere in the kernel. It only works
when the IP is directly on the external interface of the Linux box, but
as soon as one TCP port is translated, the return packets for that
translated port get into the wrong (default) table.

Even when using fw marks it doesn't work. I mark all packets coming from
the server's second IP address with '1', and a simple
"ip ru a fwmark 1 table t_eth1" should do the job. But no way. Packets
keep on getting out through ISP1 (t_eth0).

This is the real test: 10.0.2.1 is the server, 10.0.2.3 is its second IP.
10.0.2.1 = external 10.1.3.100
10.0.2.3 = external 192.168.201.3

# ip r s
192.168.201.3 via 10.0.2.3 dev eth2
10.1.3.100 via 10.0.2.1 dev eth2
10.0.2.0/24 dev eth2  proto kernel  scope link  src 10.0.2.2
192.168.201.0/24 dev eth1  proto kernel  scope link  src 192.168.201.2
10.1.3.0/24 dev eth0  proto kernel  scope link  src 10.1.3.101
default via 10.1.3.1 dev eth0

# ip ru s
0:      from all lookup local
32762:  from all fwmark 0x1 lookup t_eth1
32764:  from 192.168.201.2 lookup t_eth1
32765:  from 10.1.3.101 lookup t_eth0
32766:  from all lookup main
32767:  from all lookup default

# ip r s t t_eth0
10.0.2.0/24 dev eth2  scope link
10.1.3.0/24 dev eth0  scope link  src 10.1.3.101
127.0.0.0/8 dev lo  scope link
default via 10.1.3.1 dev eth0

# ip r s t t_eth1
10.0.2.0/24 dev eth2  scope link
192.168.201.0/24 dev eth1  scope link  src 192.168.201.2
127.0.0.0/8 dev lo  scope link
default via 192.168.201.1 dev eth1

Any hints are welcome...

btw: iproute2-ss06011, kernel 2.6.16.2, iptables 1.3.5

R.

--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
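The usual way to keep DNATed return traffic on the uplink it came in on, as an added example that is not from this thread or any of its participants: a reply packet is routed before the reply-direction NAT rewrites its source, so a "from <external ip>" rule never sees it, whereas a mark saved on the connection at PREROUTING is available on every later packet. It takes addresses, interfaces and table names from Richard's ip output and assumes an iptables with the CONNMARK target; Richard reports that a plain fwmark rule did not work for him, so this is the standard approach, not a confirmed fix for his kernel.

```shell
#!/bin/sh
# Added example, not code from the thread: CONNMARK-based policy routing
# for a router that DNATs two external addresses to one internal server.
# Each new connection is tagged with the uplink it arrived on and the tag
# is restored on every later packet, replies included, so the fwmark
# rules pick the right table. Addresses, interfaces and table names come
# from the thread's "ip r s"/"ip ru s" output; the CONNMARK approach is
# an assumption, not something the thread reports as working.

# Runs a command, or only prints it when DRY_RUN is set (executing for
# real needs root and the actual interfaces).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_policy_routing() {
    # Each uplink table: the server LAN, the uplink's own subnet, default.
    run ip route add 10.0.2.0/24 dev eth2 table t_eth0
    run ip route add 10.1.3.0/24 dev eth0 src 10.1.3.101 table t_eth0
    run ip route add default via 10.1.3.1 dev eth0 table t_eth0
    run ip route add 10.0.2.0/24 dev eth2 table t_eth1
    run ip route add 192.168.201.0/24 dev eth1 src 192.168.201.2 table t_eth1
    run ip route add default via 192.168.201.1 dev eth1 table t_eth1
    # Traffic sourced from an uplink address stays on that uplink.
    run ip rule add from 10.1.3.101 lookup t_eth0
    run ip rule add from 192.168.201.2 lookup t_eth1
    # Marked packets (marks set below) use the table of their uplink.
    run ip rule add fwmark 1 lookup t_eth1
    run ip rule add fwmark 2 lookup t_eth0
    # Restore a connection's mark first; only still-unmarked packets
    # arriving on an uplink get a fresh mark, which is then saved.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    run iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 2
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
    # Map each external address to the server address behind it.
    run iptables -t nat -A PREROUTING -d 10.1.3.100 -j DNAT --to-destination 10.0.2.1
    run iptables -t nat -A PREROUTING -d 192.168.201.3 -j DNAT --to-destination 10.0.2.3
    # Drop routing decisions cached before these rules existed.
    run ip route flush cache
}
# Print the commands unless invoked as "sh script.sh apply" (as root).
[ "${1:-}" = "apply" ] || DRY_RUN=1
setup_policy_routing
```

Check the result with "ip rule show" and "ip route show table t_eth1", then watch a reply from 10.0.2.3 leave on eth1 with "tcpdump -ni eth1".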