unDNATting and advanced routing; policyrouting local packets

Hi everybody,

I have a machine with two internet connections (ADSL and leased line) which is supposed to do the routing for our local company network.

One of the things it should do is map some external ports to internal machines in the DMZ (e.g. port 80 on external interface 1 should go to 192.168.192.168, port 25 on external interface 2 to 192.168.192.1).

The NAT works well for the interface that has the default route. The NAT rules look like this:

=== Table nat, Chain PREROUTING (policy ACCEPT 125 packets, 11210 bytes)
pkts bytes target prot opt in  out  source    destination
   1    60 DNAT   tcp  --  any any  anywhere  extip1       tcp dpt:2201 to:192.168.192.168
   7   420 DNAT   tcp  --  any any  anywhere  extip2       tcp dpt:2201 to:192.168.192.168

=== Table nat, Chain POSTROUTING (policy ACCEPT 36 packets, 2955 bytes)
pkts bytes target prot opt in  out  source    destination
   1    60 SNAT   all  --  any eth0 !extip2   anywhere     to:extip2
  17  1036 SNAT   all  --  any ppp0 !extip1   anywhere     to:extip1

=== Table filter, Chain FORWARD (policy DROP 738 packets, 57598 bytes)
  12   648 LOG    tcp  --  any any  anywhere  anywhere     tcp spt:2201 LOG level warning prefix `SBOX___'
  24  1299 LOG    tcp  --  any any  anywhere  anywhere     tcp dpt:2201 LOG level warning prefix `BOX___'

=== Chain INPUT (policy DROP 42252 packets, 4143K bytes)
   0     0 LOG    tcp  --  any any  anywhere  anywhere     tcp dpt:2201 LOG level warning prefix `WBOX__'
[more rules follow]


When I connect using extip1, I have the following log entries:
Jul 29 19:48:51 lg2 kernel: BOX___IN=eth0 OUT=eth2 SRC=<testing host> DST=<intdestip> LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=43282 DF PROTO=TCP SPT=26557 DPT=2201 WINDOW=65535 RES=0x00 SYN URGP=0
Jul 29 19:48:51 lg2 kernel: SBOX___IN=eth2 OUT=eth0 SRC=<intdestip> DST=<testing host> LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=2201 DPT=26557 WINDOW=5792 RES=0x00 ACK SYN URGP=0

Connecting on extip2 does not result in any messages; I don't see any packet when I tcpdump the DMZ interface then, either.

My routing looks as follows (there should be no marked packets as I flushed the 'mangle' table before testing):
ofc:/home/bc# ip ru ls
0:      from all lookup local
32756:  from all fwmark 0x1 lookup IQ
32757:  from <extip1> lookup DSL
32758:  from all fwmark 0x2 lookup DSL
32759:  from <extip2> lookup IQ
32766:  from all lookup main
32767:  from all lookup default
ofc:/home/bc# ip ro ls
<pppremote> dev ppp0  proto kernel  scope link  src <extip1>
<extip2> dev eth0  scope link
192.168.0.0/24 dev eth3  proto kernel  scope link  src 192.168.0.253
172.27.2.0/24 dev dummy0  proto kernel  scope link  src 172.27.2.254
<DMZnet>/16 dev eth2  proto kernel  scope link  src <dmzlocalip>
default dev ppp0  scope link



Another question: is there some possibility to route local packets depending on port? As far as I've understood, the only way is to mark them using the MARK target; however, that only works after the routing for local packets, doesn't it?

Thanks for your help; if I can provide any other useful information, just let me know.

Baltasar

--

Baltasar Cevc

_____ former 03 gmbh
_____ infanteriestraße 19 haus 6 eg
_____ D-80797 muenchen

_____ http://www.former03.de
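The two problems raised in the post (replies to connections DNAT'd on the second uplink, and policy-routing locally generated packets by port) worked through as an added example. This is editor's code, not the poster's configuration and not netfilter project code. It assumes the layout visible in the post: ppp0 carries extip1 and the default route (table DSL, fwmark 2), eth0 carries extip2 (table IQ, fwmark 1), eth2 is the DMZ, and the `ip rule` entries shown in the post are already in place. The next hop on eth0, the contents of table IQ and the SMTP-via-eth0 policy are assumptions for illustration, the addresses are RFC 5737 placeholders, and the CONNMARK target must be available in the kernel and iptables in use. The example goes slightly beyond the post in that the same conntrack mark also steers replies from services running on the router itself. Run it without arguments to print the commands, with `apply` to execute them.

```shell
#!/bin/sh
# Added example (editor's code, not from the original post).
# Assumed layout, taken from the post: ppp0 = extip1, default route, table DSL
# (fwmark 2); eth0 = extip2, table IQ (fwmark 1); eth2 = DMZ.
# Run without arguments to print the commands; "apply" executes them.
set -u

IF_DSL=${IF_DSL:-ppp0}
IF_IQ=${IF_IQ:-eth0}
IF_DMZ=${IF_DMZ:-eth2}
MARK_DSL=2                      # "from all fwmark 0x2 lookup DSL" in the post
MARK_IQ=1                       # "from all fwmark 0x1 lookup IQ"
GW_IQ=${GW_IQ:-203.0.113.1}     # assumed next hop on eth0 (placeholder, not in the post)

DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Each per-uplink table needs its own default route. Table IQ's contents are
# not shown in the post; this assumes it should send everything out eth0.
uplink_tables() {
    run ip route replace default dev "$IF_DSL" table DSL
    run ip route replace default via "$GW_IQ" dev "$IF_IQ" table IQ
}

# Replies to DNAT'd connections are routed while their source is still the
# internal DMZ address (the reverse translation is applied after the routing
# decision, in POSTROUTING), so "from <extip2> lookup IQ" cannot match them.
# Record the entry uplink in the conntrack mark when the connection is new and
# copy it back into the fwmark of every packet coming out of the DMZ.
forward_reply_marks() {
    run iptables -t mangle -A PREROUTING -i "$IF_IQ" -m state --state NEW -j CONNMARK --set-mark "$MARK_IQ"
    run iptables -t mangle -A PREROUTING -i "$IF_DSL" -m state --state NEW -j CONNMARK --set-mark "$MARK_DSL"
    run iptables -t mangle -A PREROUTING -i "$IF_DMZ" -j CONNMARK --restore-mark
}

# Locally generated packets can be policy-routed by port: the mangle OUTPUT
# hook re-runs the routing decision when the fwmark was changed there, and the
# POSTROUTING SNAT rules from the post then rewrite the source to the uplink's
# address. Replies from local services get the entry uplink's mark back too.
local_output_marks() {
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j ACCEPT
    # assumed policy for illustration: outgoing SMTP from this host leaves via eth0
    run iptables -t mangle -A OUTPUT -p tcp --dport 25 -m state --state NEW -j MARK --set-mark "$MARK_IQ"
    run iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j CONNMARK --save-mark
}

# Reverse-path filtering discards a packet between PREROUTING and FORWARD when
# the route back to its source does not point at the interface it arrived on.
# With the default route on ppp0, packets from the Internet arriving on eth0
# fail that test, which matches "DNAT counter rises, FORWARD logs nothing".
rp_filter_verdict() {   # args: interface, rp_filter value
    case "$2" in
        0) printf '%s: rp_filter=0, reverse-path check off\n' "$1" ;;
        *) printf '%s: rp_filter=%s, packets from hosts not routed via %s are dropped before FORWARD\n' "$1" "$2" "$1" ;;
    esac
}

check_rp_filter() {
    f=/proc/sys/net/ipv4/conf/$1/rp_filter
    if [ -r "$f" ]; then rp_filter_verdict "$1" "$(cat "$f")"; else echo "$f: not present"; fi
}

case "${1:-}" in
    apply) DRY_RUN=0 ;;
    *) echo "# dry run; use '$0 apply' to execute" ;;
esac
uplink_tables
forward_reply_marks
local_output_marks
check_rp_filter "$IF_IQ"
```

The restore step is deliberately limited to packets entering from the DMZ interface: marking the inbound packet itself would route the DNAT'd first packet through table IQ, which may not contain the DMZ network at all. If the rp_filter check reports a non-zero value on eth0, either clear it for that interface or make the reverse lookup succeed by giving table IQ a matching rule for traffic arriving there.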



