Hi,
I am trying to categorize the network traffic and to send it out across
two different providers.
For this I mark the packets in the firewall (in the PREROUTING chain of
table mangle),
and then use another routing table for the marked packets, which has a
different gateway
from the main routing table. Basicaly I am following the cookbook
example in this page:
http://linux-ip.net/html/adv-multi-internet.html
with some small changes and modifications.
The most important difference is that I am trying to use just one
external network interface,
which is connected through a hub/switch to both of the ISP links. I
add two different IPs
to this interface, corresponding to each providers network. Then the
masquerading is done
with a rule like this:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
instead of:
# iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 67.17.28.12
# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 205.254.211.179
For the traffic that is generated in the LAN behind the box, it works,
but for the
traffic that is generated in the localhost (routing box), it does not work.
Indeed, it cannot possibly work for the localhost with a setup like this
(with only
one external interface). As it can be seen in this document:
http://www.faqs.org/docs/iptables/traversingoftables.html
(Table 3-2. Source local host)
routing decision happens before the packet enters the chains of the iptables
(the chain PREROUTING is not tranversed in this case).
This is not a big problem (it is not so important that the traffic of
the routing box
be categorized as well), but trying to solve it, I came up with another
solution,
which seems simpler.The idea is to use something like this:
---------------------------------------------------------------------------------
IPT=/sbin/iptables
PORT_LIST="22 53"
GATEWAY1=192.168.10.1
GATEWAY2=192.168.100.1
for PORT in $PORT_LIST
do
$IPT -t nat -A POSTROUTING -o eth0 \
-p tcp --dport $PORT -j SNAT --to-source $GATEWAY2
done
$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
-----------------------------------------------------------------------------
I have not tested it yet but I don't see why it should not work.
Also, I have seen somewhere that using two IPs on the same interface may
be risky
(may have security implications), but I don't see what they can be. If
somebody has
any idea of them and how to avoid them, please let me know. E.g. I have
heard about
"IP spoofing" but I don't understand what it is.
Regards,
Dashamir
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
