Nice. Very slick. I was contemplating a horrible kludge using NAT on both the
exterior and interior interfaces. This is far superior. Many thanks!

On Friday 10 June 2005 10:55, Jason Opperisano wrote:
> On Thu, Jun 09, 2005 at 10:00:21AM -0700, Jeff Simmons wrote:
> > The actual challenge is to have two external interfaces, IF_1 and IF_2,
> > each with their own address and both DNATed to an internal server.
> > Packets coming into IF_1 should have their replies routed out IF_1 while
> > packets coming in on IF_2 should have their replies routed out IF_2.
> >
> > The ONLY place this information (which interface a particular packet
> > stream came in on) is available is in the NAT state table. Pre NAT, all
> > routing has to go on is source server, destination remote. Post NAT,
> > routing now sees source IF_ (1 or 2), destination remote, and the packet
> > can now be properly routed out the correct interface.
> >
> > Which is why it's important whether NAT takes place pre or post routing
> > on the reply packets from a DNATed destination.
>
> the way i attack this problem (ensuring a DNAT-ed connection gets routed
> back out the same link it came in on) is with CONNMARK:
>
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> iptables -t mangle -A PREROUTING -i $EXT_IF_A -d $PUB_IP_A \
>     -m mark --mark 0 -j MARK --set-mark 1
> iptables -t mangle -A PREROUTING -i $EXT_IF_B -d $PUB_IP_B \
>     -m mark --mark 0 -j MARK --set-mark 2
> iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
>
> iptables -t nat -A PREROUTING -i $EXT_IF_A -d $PUB_IP_A \
>     -j DNAT --to-destination $PRIV_SRV
> iptables -t nat -A PREROUTING -i $EXT_IF_B -d $PUB_IP_B \
>     -j DNAT --to-destination $PRIV_SRV
>
> ip route add default via $ISP_A_GW dev $EXT_IF_A table ISPA
> ip route add default via $ISP_B_GW dev $EXT_IF_B table ISPB
>
> ip rule add fwmark 1 table ISPA
> ip rule add fwmark 2 table ISPB
>
> this isn't 100% step-by-step, but should give you the foundation.
> i have posted truly step-by-step examples of this in the past--search
> the archives.
>
> hope this gets you on the right track.
>
> -j
>
> --
> "Lois: I'm sorry that Stewie ruined your books. Here, I brought
> you some of Peter's.
> Brian: "Mr. T" by Mr. T. "T and Me" by George Poppard. "For The Last
> Time, I'm Not Mr. T" by Ving Rhames."
> --Family Guy

--
Jeff Simmons                                   jsimmons@xxxxxxxxxxxxxxx
Simmons Consulting - Network Engineering, Administration, Security
"You guys, I don't hear any noise. Are you sure you're doing it right?"
        -- My Life With The Thrill Kill Kult
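The CONNMARK recipe quoted above, assembled into a complete script as an added example (this is not Jason's or Jeff's code, and not a verbatim copy of the archive examples he refers to). Interface names, public/private addresses, gateway addresses and the routing-table names ISPA/ISPB are assumed placeholders; the script also assumes those two table names have already been added to /etc/iproute2/rt_tables. It goes a little beyond the quoted rules by defaulting to a dry-run mode that prints the commands instead of executing them, and by checking the one ordering requirement that makes the scheme work: --restore-mark must be the first mangle PREROUTING rule (so reply packets from the internal server inherit the connection's mark before the routing decision) and --save-mark the last (so the mark chosen for a new connection is persisted in conntrack).

```shell
#!/bin/sh
# Added example: CONNMARK-based policy routing for a server DNATed behind
# two external links. All values below are assumed placeholders.
EXT_IF_A=eth1; PUB_IP_A=203.0.113.10;  ISP_A_GW=203.0.113.1
EXT_IF_B=eth2; PUB_IP_B=198.51.100.10; ISP_B_GW=198.51.100.1
PRIV_SRV=192.168.1.10
TBL_A=ISPA; TBL_B=ISPB        # must exist in /etc/iproute2/rt_tables (assumed)

# DRY_RUN=1 (the default) prints each command instead of running it, so the
# ruleset can be reviewed before it is applied to a live router.
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_marking() {
    # 1. Reply packets from PRIV_SRV belong to an existing connection: copy
    #    the mark stored in conntrack back onto the packet before routing.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 2. Only still-unmarked packets (new inbound connections) get a mark
    #    that identifies the link they arrived on.
    run iptables -t mangle -A PREROUTING -i "$EXT_IF_A" -d "$PUB_IP_A" \
        -m mark --mark 0 -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -i "$EXT_IF_B" -d "$PUB_IP_B" \
        -m mark --mark 0 -j MARK --set-mark 2
    # 3. Persist the packet mark into the conntrack entry for the connection.
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
}

setup_dnat() {
    # Both public addresses map to the same internal server.
    run iptables -t nat -A PREROUTING -i "$EXT_IF_A" -d "$PUB_IP_A" \
        -j DNAT --to-destination "$PRIV_SRV"
    run iptables -t nat -A PREROUTING -i "$EXT_IF_B" -d "$PUB_IP_B" \
        -j DNAT --to-destination "$PRIV_SRV"
}

setup_routing() {
    # One default route per ISP table, and a policy rule per mark so that
    # a marked reply packet is routed out the link its connection came in on.
    run ip route add default via "$ISP_A_GW" dev "$EXT_IF_A" table "$TBL_A"
    run ip route add default via "$ISP_B_GW" dev "$EXT_IF_B" table "$TBL_B"
    run ip rule add fwmark 1 table "$TBL_A"
    run ip rule add fwmark 2 table "$TBL_B"
    run ip route flush cache
}

build_ruleset() {
    setup_marking
    setup_dnat
    setup_routing
}

# Sanity check on the generated mangle rules: restore-mark first, save-mark
# last. Returns 0 when the ordering is correct, 1 otherwise.
check_order() {
    out=$(build_ruleset)
    first=$(printf '%s\n' "$out" | grep 'iptables -t mangle' | head -n 1)
    last=$(printf '%s\n' "$out" | grep 'iptables -t mangle' | tail -n 1)
    case "$first" in *--restore-mark*) ;; *) return 1 ;; esac
    case "$last"  in *--save-mark*)    ;; *) return 1 ;; esac
    return 0
}

# Stand-alone use: print (DRY_RUN=1) or apply (DRY_RUN=0, as root) the rules.
check_order || { echo "mangle rule ordering is wrong" >&2; exit 1; }
build_ruleset
```

Run it once as-is to review the generated commands, then with `DRY_RUN=0` as root to apply them. The `-m mark --mark 0` match is what keeps the two MARK rules from overwriting the restored mark on reply packets, which is why the restore rule has to precede them.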