Radu Oprisan wrote:
Radu Oprisan wrote:
Dashamir Hoxha wrote:
Dashamir Hoxha wrote:
Hi,
I am trying to categorize the network traffic and to send it out across two different providers. For this I mark the packets in the firewall (in the PREROUTING chain of table mangle), and then use another routing table for the marked packets, which has a different gateway from the main routing table. Basically I am following the cookbook example in this page:
http://linux-ip.net/html/adv-multi-internet.html
with some small changes and modifications.
The most important difference is that I am trying to use just one external network interface, which is connected through a hub/switch to both of the ISP links. I add two different IPs to this interface, corresponding to each provider's network. Then the masquerading is done with a rule like this:
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
instead of:
# iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 67.17.28.12
# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 205.254.211.179
For the traffic that is generated in the LAN behind the box, it works, but for the traffic that is generated in the localhost (routing box), it does not work.
Indeed, it cannot possibly work for the localhost with a setup like this (with only one external interface). As can be seen in this document:
http://www.faqs.org/docs/iptables/traversingoftables.html
(Table 3-2. Source local host)
the routing decision happens before the packet enters the chains of iptables (the chain PREROUTING is not traversed in this case).
This is not a big problem (it is not so important that the traffic of the routing box be categorized as well), but trying to solve it, I came up with another solution, which seems simpler. The idea is to use something like this:
---------------------------------------------------------------------------------
IPT=/sbin/iptables
PORT_LIST="22 53"
GATEWAY1=192.168.10.1
GATEWAY2=192.168.100.1
for PORT in $PORT_LIST
do
    $IPT -t nat -A POSTROUTING -o eth0 \
        -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2
done
$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
-----------------------------------------------------------------------------
I have not tested it yet but I don't see why it should not work.
for PORT in $PORT_LIST
do
    $IPT -t mangle -A PREROUTING -i eth_clients \
        -p tcp --dport $PORT -j MARK --set-mark 0x01
done
$IPT -t nat -A POSTROUTING -o eth0 -m mark --mark 0x01 -j SNAT \
    --to-source $GATEWAY2
$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
I'm sorry....
Ok, it may work like this, I have to try it.
By the way, instead of $GATEWAY1 and $GATEWAY2 above, $IP1 and $IP2 must be used; it was a mistake.
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc