Hello,

I'm trying to install two DSL lines on a server.

Public IP1 --- router 192.168.254.254 -------- eth0 192.168.254.1 --+
                                                                    |
Public IP2 --- router 192.168.1.254 ---------- eth2 192.168.1.1 ----+
                                                                    |
LAN ------------------------------------------ eth1 192.168.0.128 --+

My server is an UltraSPARC 1E running Linux 2.4.29 (official), iptables 1.2.11-8 (debian) and iproute 20041019-3 (debian).

I have installed an intranet server at 192.168.0.130. All services are accessible from the server and the LAN via the 192.168.254.254 gateway and masquerading. Port 8000 coming from IP1 is forwarded to my intranet server, port 8080. It works perfectly.

IP2 is only used by my intranet server (ports 3000 and 3001). All connections are initiated by remote workstations to ports 3000 and 3001, and my intranet server sends answers from ports 3000 and 3001. I have configured iptables to forward IP2:3000 and 3001 (TCP) to my intranet server and this port forwarding works. But all packets that come from my intranet server are routed by eth0 and not by eth2. I don't understand why.

My configuration:

Root kant:[/var/lib/iptables] > cat active
# Generated by iptables-save v1.2.11 on Thu Feb 17 15:16:28 2005
*mangle
:PREROUTING ACCEPT [12832:4073186]
:INPUT ACCEPT [8257:778616]
:FORWARD ACCEPT [4461:3254850]
:OUTPUT ACCEPT [9438:7387544]
:POSTROUTING ACCEPT [13947:10651566]
[1381:1616644] -A PREROUTING -s 192.168.0.130 -i eth1 -p tcp -m tcp --sport 3000:3001 -j MARK --set-mark 0x1
COMMIT
# Completed on Thu Feb 17 15:16:28 2005
# Generated by iptables-save v1.2.11 on Thu Feb 17 15:16:28 2005
*filter
:INPUT DROP [193:29674]
:FORWARD ACCEPT [4461:3254850]
:OUTPUT ACCEPT [9445:7388132]
[543:71415] -A INPUT -i lo -j ACCEPT
[3637:305313] -A INPUT -d 192.168.254.1 -j ACCEPT
[1595:197784] -A INPUT -d 192.168.0.128 -j ACCEPT
[2295:174958] -A INPUT -d 192.168.1.1 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Thu Feb 17 15:16:28 2005
# Generated by iptables-save v1.2.11 on Thu Feb 17 15:16:28 2005
*nat
:PREROUTING ACCEPT [423:73881]
:POSTROUTING ACCEPT [149:13992]
:OUTPUT ACCEPT [122:12372]
[0:0] -A PREROUTING -d 192.168.254.1 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.0.130:8080
[19:1140] -A PREROUTING -d 192.168.1.1 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 192.168.0.130:3000
[0:0] -A PREROUTING -d 192.168.1.1 -p tcp -m tcp --dport 3001 -j DNAT --to-destination 192.168.0.130:3001
[4:539] -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Feb 17 15:16:28 2005

Root kant:[/var/lib/iptables] > cat /etc/init.d/iproute2
#!/bin/bash
THIBON=192.168.1.1
ACHARD=192.168.1.254
if [ -n "$(ip rule list | grep intranet)" ]; then
    echo "La table de routage intranet préexiste."
else
    ip rule add from $THIBON lookup intranet
fi
if [ -n "$(ip rule list | grep fwmark | grep 0x1)" ]; then
    echo "La règle concernant les paquets marqués préexiste."
else
    ip rule add fwmark 0x01 table intranet
fi
if [ -n "$(ip route list table intranet | grep default)" ]; then
    echo "La passerelle intranet est définie."
else
    ip route add default via $ACHARD dev eth2 table intranet
fi
ip route flush cache
echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter
exit 0

Root kant:[/var/lib/iptables] > iptables -t mangle -L -nv
Chain PREROUTING (policy ACCEPT 19877 packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination
   14   840 MARK       tcp  --  eth1   *       192.168.0.130        0.0.0.0/0            tcp spts:3000:3001 MARK set 0x1
....

Root kant:[/var/lib/iptables] > ip rule list
0:      from all lookup local
32764:  from all fwmark 0x1 lookup intranet
32765:  from 192.168.1.1 lookup intranet
32766:  from all lookup main
32767:  from all lookup default

Root kant:[/var/lib/iptables] > ip route list table intranet
default via 192.168.1.254 dev eth2

Root kant:[/var/lib/iptables] >

I think that the intranet table is ignored... Why? I can access my server by ssh (on IP1 and IP2).

Regards,

JKB
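A setup like the one above has three pieces that must agree: the MARK target in the mangle table, the `ip rule ... fwmark` selector, and a default route in the table that selector names. The following script is an added example, not code from JKB's post or from iptables/iproute2; it parses text dumps in the formats shown above and reports whether those pieces line up and which routing table the replies to each DNAT'd port will use. The dumps embedded in it are constructed, modelled on the post; the function and constant names (`audit`, `parse_iptables_save`, `parse_ip_rules`, `ROUTE_TABLES`) are mine. It assumes every iptables option in the dump takes exactly one value and matches a MARK rule's `-s` as an exact host. It checks only the configuration text: it does not model the kernel's route cache or kernel build options, so a setup it reports as consistent can still misbehave at runtime.

```python
"""Cross-check a fwmark policy-routing setup from its text dumps.

Added example, not code from the original post: parses an iptables-save
dump, `ip rule list` output and per-table `ip route list` output and checks
that the MARK target, the fwmark rule and the table's default route agree.
The dumps below are constructed, modelled on the setup in the post.
"""
import re

IPTABLES_SAVE = """\
*mangle
-A PREROUTING -s 192.168.0.130 -i eth1 -p tcp -m tcp --sport 3000:3001 -j MARK --set-mark 0x1
COMMIT
*nat
-A PREROUTING -d 192.168.254.1 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.0.130:8080
-A PREROUTING -d 192.168.1.1 -p tcp -m tcp --dport 3000 -j DNAT --to-destination 192.168.0.130:3000
-A PREROUTING -d 192.168.1.1 -p tcp -m tcp --dport 3001 -j DNAT --to-destination 192.168.0.130:3001
-A POSTROUTING -s 192.168.0.0/255.255.255.0 -o eth0 -j MASQUERADE
COMMIT
"""
IP_RULE = """\
0:      from all lookup local
32764:  from all fwmark 0x1 lookup intranet
32765:  from 192.168.1.1 lookup intranet
32766:  from all lookup main
32767:  from all lookup default
"""
ROUTE_TABLES = {"intranet": "default via 192.168.1.254 dev eth2\n"}  # table name -> `ip route list table` output

def to_int(s):
    """iptables and ip print marks as 0x1 or 1, sometimes with a /mask suffix."""
    s = s.split("/")[0]
    return int(s, 16) if s.lower().startswith("0x") else int(s)

def parse_iptables_save(text):
    """Return rules as dicts: table, chain and an option -> value map."""
    rules, table = [], None
    for line in text.splitlines():
        tok = line.split()
        if line.startswith("*"):
            table = line[1:].strip()
        elif tok[:1] == ["-A"]:
            opts, i = {}, 2
            while i < len(tok):  # assumption: every option takes exactly one value
                opts[tok[i].lstrip("-")] = tok[i + 1] if i + 1 < len(tok) else True
                i += 2
            rules.append({"table": table, "chain": tok[1], "opts": opts})
    return rules

def parse_ip_rules(text):
    """Return [{prio, table, fwmark}] from `ip rule list` output (fwmark None if absent)."""
    out = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+):\s+(.*?)\s+lookup\s+(\S+)", line)
        if m:
            fw = re.search(r"fwmark\s+(\S+)", m.group(2))
            out.append({"prio": int(m.group(1)), "table": m.group(3),
                        "fwmark": to_int(fw.group(1)) if fw else None})
    return out

def in_range(spec, port):
    """True if port falls inside an iptables port spec such as 3000 or 3000:3001."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def audit(iptables_save, ip_rule, route_tables):
    """Return (level, message) findings: 'error' when marked packets can never
    reach their table, 'info' for the table each DNAT'd reply will use."""
    rules = parse_iptables_save(iptables_save)
    policy = parse_ip_rules(ip_rule)
    main_prio = min([p["prio"] for p in policy if p["table"] == "main"] or [32766])
    marks = [r for r in rules if r["table"] == "mangle" and r["opts"].get("j") == "MARK"]
    findings, mark_table = [], {}
    for r in marks:  # each mark value: selected by a rule, before main, into a table with a default route
        mark = to_int(r["opts"]["set-mark"])
        sel = [p for p in policy if p["fwmark"] == mark]
        if not sel:
            findings.append(("error", f"mark {mark:#x} is set in mangle but no ip rule selects it"))
        elif sel[0]["prio"] >= main_prio:
            findings.append(("error", f"ip rule for fwmark {mark:#x} (prio {sel[0]['prio']}) sits after main"))
        elif "default" not in route_tables.get(sel[0]["table"], ""):
            findings.append(("error", f"table {sel[0]['table']} has no default route; lookup falls through to main"))
        else:
            mark_table[mark] = sel[0]["table"]
    for r in rules:  # replies to each DNAT'd port: which MARK rule, if any, catches them?
        if r["table"] != "nat" or r["opts"].get("j") != "DNAT":
            continue
        host, _, port = r["opts"]["to-destination"].partition(":")
        port = int(port or r["opts"]["dport"])
        hit = next((to_int(m["opts"]["set-mark"]) for m in marks
                    if m["opts"].get("s", host) == host  # assumption: exact-host match only
                    and in_range(m["opts"].get("sport", str(port)), port)), None)
        if hit is None:
            findings.append(("info", f"replies from {host}:{port} carry no mark and follow the main table"))
        elif hit in mark_table:
            findings.append(("info", f"replies from {host}:{port} get mark {hit:#x} and use table {mark_table[hit]}"))
    return findings

if __name__ == "__main__":
    for level, msg in audit(IPTABLES_SAVE, IP_RULE, ROUTE_TABLES):
        print(f"{level:5} {msg}")
```

Run against the constructed dumps it reports no errors, notes that replies from 192.168.0.130:3000 and :3001 are marked 0x1 and use table intranet, and that replies from 192.168.0.130:8080 (the IP1 forward) carry no mark and follow the main table. Feeding it real output (`iptables-save`, `ip rule list`, `ip route list table intranet`) instead of the constants lets you catch the usual mismatches before looking at the kernel: a mark value that differs between mangle and `ip rule`, a fwmark rule added at a priority after main, or a table that was never given a default route.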