On 1/30/07, Peter Huetmannsberger <huetmann@xxxxxxxxxxxxxx> wrote:
Hello, I came across a problem today which, after trying a number of approaches, I could not solve, and I am hoping someone out there knows how to deal with this.

Situation: 2 different internet connections on eth2 and eth3. Traffic coming in on eth2 goes out on eth2 and traffic coming in on eth3 goes out on eth3 (because of rt_tables and routes, which works fine) unless I do a DNAT to a different machine, i.e.:

default route is eth3
traffic comes in eth2 --> DNAT --> eth1
machine behind eth1 answers correctly, but the resulting packets choose the default route (eth3) to go out and not the way they came in.

Or in IP address description:

default route is 81.223.13.xx1
eth3 = 81.223.13.xx2
eth2 = 91.112.38.xx8

Packets coming in via 91.112.38.xx8 for port 80 get DNATed to 192.168.10.199:80; on returning from 192.168.10.199 they choose the default route 81.223.13.xx2 on their way out. Without the DNAT the setup works fine, with the DNAT they don't.

I am grateful for any suggestions.
I am very new to this, but last week I had to deal with the same and I came to a "solution" (but I don't know if there are better ways to do this). Bah, actually two solutions:

One is http://linux-ip.net/html/linux-ip.html#adv-multi-internet, which basically proposes adding another address to the server you want to DNAT to, so for one public IP DNAT to one internal IP of the server, and for the other public IP DNAT to the other internal IP of the server. So, using ip rule (and using "from") you can route answers to the correct route.

The other (I found) is using conntrack. The rule which makes the trick is:

    iptables -t mangle -A PREROUTING -m conntrack --ctstate DNAT --ctorigdst $ISP2_NET -j MARK --set-mark 10

and then:

    ip rule add prio <prio> fwmark 10 table isp2.table

(put it with lower prio than the main table, or less prio than the table where packets are routed by default). So, adding this for the ISP where DNAT is not working should be enough (where $ISP2_NET is the public IP you are DNATting or the net you are doing DNAT on (both are ok)), but adding this to both ISPs should work too.

And almost for "free" with this comes:

    iptables -t mangle -A PREROUTING -m conntrack --ctstate SNAT --ctrepldst $ISP2_NET -j MARK --set-mark 10

which makes SNAT behave as expected with 2 (or more) ISPs.
Thanks
You are welcome, I hope it helps :-). And please tell me if you do this differently.
.peter
Rodrigo

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
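Putting the conntrack-marking approach from the thread into one script, as an added example that is not part of the original mails: it builds the per-ISP routing tables, the DNAT rule, and the two mangle rules plus the fwmark ip rule that send replies of DNATed (and SNATed) flows back out through the ISP they arrived on. Interface names (eth2 = ISP2, eth3 = ISP1/default, eth1 = LAN), the web server 192.168.10.199 and mark 10 come from the thread; the public addresses are constructed RFC 5737 documentation addresses standing in for the obscured ones, and the table numbers, rule priorities and the APPLY/run helper are assumptions of this example.

```shell
#!/bin/sh
# Added example: two-ISP policy routing where DNAT/SNAT return traffic must
# leave via the ISP it arrived on (conntrack-based marking, as in the thread).
# By default the commands are only printed; set APPLY=1 to execute them
# (needs root, iptables and iproute2). Addresses below are constructed
# documentation addresses, not a real deployment.

ISP1_IF=eth3;  ISP1_IP=198.51.100.2;  ISP1_GW=198.51.100.1;  ISP1_TABLE=101
ISP2_IF=eth2;  ISP2_IP=203.0.113.8;   ISP2_GW=203.0.113.1;   ISP2_TABLE=102
LAN_IF=eth1;   WEB_SERVER=192.168.10.199
ISP2_MARK=10   # fwmark used in the thread

# Print the command (dry run, the default) or execute it (APPLY=1).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

setup_routing_tables() {
    # One routing table per ISP, each with its own default gateway.
    run ip route add default via "$ISP1_GW" dev "$ISP1_IF" table "$ISP1_TABLE"
    run ip route add default via "$ISP2_GW" dev "$ISP2_IF" table "$ISP2_TABLE"
    # Traffic whose source is one of our public addresses picks the matching
    # table ("from" rules). This already covers non-NATed traffic.
    run ip rule add prio 200 from "$ISP1_IP" table "$ISP1_TABLE"
    run ip rule add prio 201 from "$ISP2_IP" table "$ISP2_TABLE"
}

setup_dnat() {
    # Port 80 arriving on ISP2's public address is forwarded to the LAN server.
    run iptables -t nat -A PREROUTING -i "$ISP2_IF" -d "$ISP2_IP" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER":80
}

setup_nat_return_marking() {
    # Replies from the LAN server carry 192.168.10.199 as source, so the "from"
    # rules above cannot tell they belong to ISP2. conntrack still remembers the
    # original destination of the flow, so mark replies of DNATed flows ...
    run iptables -t mangle -A PREROUTING -m conntrack --ctstate DNAT \
        --ctorigdst "$ISP2_IP" -j MARK --set-mark "$ISP2_MARK"
    # ... and, as the thread notes, the same trick for SNATed flows.
    run iptables -t mangle -A PREROUTING -m conntrack --ctstate SNAT \
        --ctrepldst "$ISP2_IP" -j MARK --set-mark "$ISP2_MARK"
    # Lower prio number = consulted before the main table and the "from" rules.
    run ip rule add prio 100 fwmark "$ISP2_MARK" table "$ISP2_TABLE"
}

setup_all() {
    setup_routing_tables
    setup_dnat
    setup_nat_return_marking
}

setup_all
```

Run it once without APPLY to review the eight commands it would issue, then with APPLY=1 as root to apply them. The marking must happen in the mangle PREROUTING chain, before the routing decision, or the fwmark rule never sees it. One general caveat (not from the thread): with strict reverse-path filtering (rp_filter) enabled on the ISP interfaces, packets whose return route according to the main table differs from their ingress interface can be dropped, which is worth checking if the setup still misbehaves after the rules are in place.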