RE: 2 LANs in SERVER + 2 xDSL (pppOe) accounts. MASQUERADE both lans!

Try this URL for reference. It's a setup for redundancy routing with 2 links; with some minor adjustments you should be able to get it working for 2 LANs.
 
You basically have to use iproute2 to route via the SOURCE IP and not the destination, which is basic routing.
 
So you check the source IP and route via ISP1 for LAN1, and check the source IP for LAN2 and route that via ISP2.
 
basically ;)
 

Thanks,

 
____________________________________________
George Vieira
Systems Manager, Citadel Computer Systems Pty Ltd
georgev AT citadelcomputer DOT com DOT au
Phone : +61 2 9955 2644 HelpDesk: +61 2 9955 2698 http://www.citadelcomputer.com.au
 
 
-----Original Message-----
From: Julián María Müller Frizza [mailto:julian_muller@xxxxxxxxxxxxx]
Sent: Saturday, August 23, 2003 6:38 PM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: 2 LANs in SERVER + 2 xDSL (pppOe) accounts. MASQUERADE both lans!

But I will explain it again.
 
I have RED HAT 9 with 4 eths
And:
Two PPPoE connections (2 xDSL accounts, each with its own eth) & two LANs (2 more eths)
I want to masquerade LAN1 (eth0) to use ppp0
and masquerade LAN2 (eth2) to use ppp1
 
So it is this: HOW to route 1 ppp to 1 LAN and the other ppp connection to LAN 2
LAN1 is 192.168.0.0 ---> to 192.168.0.1 (eth0)
LAN2 is 192.168.1.0 ---> to 192.168.1.1 (eth2)

 
I created both ppp xDSL accounts with adsl-setup
(when creating the ifcfg-ppp0 and ifcfg-ppp1 files, the setup automatically gave both accounts the same PID FILE, so ONLY one can be enabled at a given time).
I changed the ifcfg-ppp1 PID FILE name and now I can enable BOTH AT THE SAME TIME. BUT IS THIS CORRECT?
 
When I do route -n I have this:
 
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.96.240  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.96.240  0.0.0.0         255.255.255.255 UH    0      0        0 ppp1
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth3
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth3
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth3
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.96.240  0.0.0.0         UG    0      0        0 ppp0

Only ppp0 is the default gateway.
 
But well.
Tell me if configuring it manually (changing the pid file name in the ppp1 script) is correct.
 
Then: I used the graffix quicktables script to create the rc.firewall (iptables script).
 
The script was this:
 
 
------------------------------------------------------------------
# path to iptables
iptables="/sbin/iptables"

if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi

# DEFAULT
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT

# NAT
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth0 -j ACCEPT
$iptables -A INPUT -i eth0 -j ACCEPT
$iptables -A OUTPUT -o eth0 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE

# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

# allow established and related packets back in
$iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# icmp
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i ppp0 -j ACCEPT

# open ports to the firewall
$iptables -A INPUT -p tcp --dport 21 -j ACCEPT
$iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$iptables -A INPUT -p tcp --dport 25 -j ACCEPT
$iptables -A INPUT -p tcp --dport 23 -j ACCEPT
$iptables -A INPUT -p tcp --dport 100 -j ACCEPT
$iptables -A INPUT -p tcp --dport 110 -j ACCEPT
$iptables -A INPUT -p tcp --dport 81 -j ACCEPT
$iptables -A INPUT -p tcp --dport 27015 -j ACCEPT
$iptables -A INPUT -p tcp --dport 27016 -j ACCEPT
$iptables -A INPUT -p udp --dport 53 -j ACCEPT
$iptables -A INPUT -p udp --dport 514 -j ACCEPT

# drop all other packets
$iptables -A INPUT -i ppp0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i ppp0 -p udp --dport 0:65535 -j DROP
----------------------------------------------------------------------------------
 
Then, to make what I want (masquerade both LANs, with LAN1 using ppp0 and LAN2 using ppp1), I patched and recompiled the kernel with the ROUTE patch of Cédric de Launois.
 
 
Well, after compiling the kernel and testing that the ROUTE patch was OK, I modified the rc.firewall script BUT it didn't function (maybe I wrote a wrong rc.firewall script manually).
The second LAN (eth2) ---> ppp1 doesn't reach the internet.
 
So, what should I do?
 
:)
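Added example (editor's code, not from George's reply or from Julián's message): the iproute2 source-based routing George describes, applied to Julián's addressing (LAN1 192.168.0.0/24 on eth0 out via ppp0, LAN2 192.168.1.0/24 on eth2 out via ppp1), together with one MASQUERADE and one FORWARD rule per LAN/link pair. The routing table ids 101/102, the rule priorities and the DRY_RUN switch are assumptions of this example; the ip and iptables commands themselves are standard. Nothing here needs the kernel ROUTE patch.

```shell
#!/bin/sh
# Two LANs, two PPPoE links: pick the uplink by SOURCE address with iproute2.
# Addresses and interface names are the ones from the thread; table ids,
# priorities and the dry-run switch are this example's own choices.

LAN1_NET=192.168.0.0/24; LAN1_IF=eth0; LINK1=ppp0; TABLE1=101
LAN2_NET=192.168.1.0/24; LAN2_IF=eth2; LINK2=ppp1; TABLE2=102

# DRY_RUN=1 (the default here) prints each command instead of executing it,
# so the generated configuration can be reviewed without root.
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Ordinary routing only looks at the destination, so a single "main" table can
# have one default route. A second table per LAN, each with its own default
# route, plus a rule that selects the table by source address, gives each LAN
# its own uplink. ppp links are point-to-point, so "dev pppX" is enough; no
# gateway address is needed.
policy_routes() {
    run ip route flush table "$TABLE1"
    run ip route flush table "$TABLE2"
    run ip route add default dev "$LINK1" table "$TABLE1"
    run ip route add default dev "$LINK2" table "$TABLE2"
    # Lower priority number is consulted first; both sit before the main table
    # lookup (priority 32766), so LAN traffic never falls through to ppp0.
    run ip rule add from "$LAN1_NET" table "$TABLE1" priority 100
    run ip rule add from "$LAN2_NET" table "$TABLE2" priority 101
    run ip route flush cache
}

# NAT and forwarding: one MASQUERADE per (LAN, link) pair. Matching on -s as
# well as -o means a LAN is never masqueraded with the other ISP's address,
# and the FORWARD rules allow only the intended LAN/link pairs plus replies.
nat_rules() {
    run iptables -t nat -A POSTROUTING -s "$LAN1_NET" -o "$LINK1" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -s "$LAN2_NET" -o "$LINK2" -j MASQUERADE
    run iptables -A FORWARD -i "$LAN1_IF" -o "$LINK1" -s "$LAN1_NET" -j ACCEPT
    run iptables -A FORWARD -i "$LAN2_IF" -o "$LINK2" -s "$LAN2_NET" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Show which table a packet from a given source is expected to use once the
# rules are in; mirrors what "ip route get <dst> from <src>" would report.
table_for_source() {
    case "$1" in
        192.168.0.*) echo "$TABLE1" ;;
        192.168.1.*) echo "$TABLE2" ;;
        *)           echo "main" ;;
    esac
}

policy_routes
nat_rules
```

Run it as root with DRY_RUN=0 once both ppp links are up; the main table keeps its single default route on ppp0 for the router's own traffic. Two things to check if LAN2 still does not reach the internet: the posted rc.firewall accepts FORWARD only from eth0 and masquerades only onto ppp0, so LAN2 needs its own pair of rules regardless of routing; and if replies arriving on ppp1 are dropped, look at /proc/sys/net/ipv4/conf/ppp1/rp_filter, since reverse-path filtering rejects packets whose reply would leave by a different interface.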
