Balancing two connections

Good day
I have two connections to one ISP with IP addresses in different subnetworks:
 eth0 123.123.123.206/255.255.255.240 (gw 123.123.123.200)
 and eth3 123.123.123.234/255.255.255.224 (gw 123.123.123.225).
123.123.123.* are of course not real IPs (I masked them).
And there is one connection to the LAN (eth2 10.20.30.4/255.255.255.248).
I want to set up a gateway in which the two internet connections would act like one, but wider.
I want to use the NTH or RANDOM method of netfilter to split traffic from users
 (they use IPs 192.168.32.0/24, 192.168.64.0/24, 192.168.128.0/24, 192.168.250.0/24 through the PPTP server 10.20.30.3)
 between the two internet links.
I have a problem:
 I tried to ping 111.111.111.2 (not a real IP) from 10.20.30.3: traffic goes with no problems via eth0, but it doesn't via eth3.
 I sniffed with tcpdump and saw that packets are going out and coming in via eth3, but the gate doesn't put them on eth2 to send them to 10.20.30.3.
I put some markers in the iptables config (-j LOG) and here is what I got:

ping came through
[root@host user]# tailf /var/log/syslog |grep 111.111.111.2|grep iptables_
Feb 26 20:36:14 kit kernel: iptables_mangle_prerouting: IN=eth2 OUT= MAC=00:00:e8:11:18:f2:00:30:48:55:f0:15:08:00 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=11246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_nat_prerouting: IN=eth2 OUT= MAC=00:00:e8:11:18:f2:00:30:48:55:f0:15:08:00 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=11246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_mangle_forward: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_mangle_new: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_marked_0: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_after_new: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_after_ROUTE_0: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_after_ROUTE_1: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_filter_forward: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_mangle_postrouting: IN= OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_nat_postrouting: IN= OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_mangle_prerouting: IN=eth0 OUT= MAC=00:e0:91:03:18:59:00:13:20:42:7c:f5:08:00 SRC=111.111.111.2 DST=123.123.123.206 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=17571 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_mangle_forward: IN=eth0 OUT=eth2 SRC=111.111.111.2 DST=10.20.30.3 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=17571 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_after_new: IN=eth0 OUT=eth2 SRC=111.111.111.2 DST=10.20.30.3 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=17571 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=30209

ping didn't come through
[root@host user]# tailf /var/log/syslog |grep 111.111.111.2|grep iptables_
Feb 26 20:38:26 kit kernel: iptables_mangle_prerouting: IN=eth2 OUT= MAC=00:00:e8:11:18:f2:00:30:48:55:f0:15:08:00 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_nat_prerouting: IN=eth2 OUT= MAC=00:00:e8:11:18:f2:00:30:48:55:f0:15:08:00 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_mangle_forward: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_mangle_new: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_marked_0: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_marked_1: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_after_new: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_after_ROUTE_0: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_after_ROUTE_1: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_filter_forward: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_mangle_postrouting: IN= OUT=eth3 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_nat_postrouting: IN= OUT=eth3 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_mangle_prerouting: IN=eth3 OUT= MAC=00:c0:26:aa:13:03:00:07:e9:2a:97:73:08:00 SRC=111.111.111.2 DST=123.123.123.234 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=51251 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=30465

As you can see, ICMP packets go via eth0 with no problems. But when they go via eth3, they go out and come back, but get lost somewhere after iptables_mangle_prerouting.
What can it be??? Maybe something should be added to the routing?

[root@host user]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.20.30.0      *               255.255.255.248 U     10     0        0 eth2
123.123.123.192 *               255.255.255.240 U     10     0        0 eth0
123.123.123.224 *               255.255.255.224 U     35     0        0 eth3
default         123.123.123.200 0.0.0.0         UG    10     0        0 eth0

Forwarding is enabled, as you can see:
[root@host user]# cat /proc/sys/net/ipv4/ip_forward
1

Here is what iptables-save tells:
# Generated by iptables-save v1.3.7 on Sun Feb 18 04:53:06 2007
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -p icmp -j LOG  --log-prefix "iptables_nat_postrouting: "
-A POSTROUTING -s 123.123.123.192/255.255.255.240 -j ACCEPT
-A POSTROUTING -o eth0 -j SNAT --to-source 123.123.123.206
-A POSTROUTING -o eth3 -j SNAT --to-source 123.123.123.234
-A PREROUTING -p icmp -j LOG  --log-prefix "iptables_nat_prerouting: "
-A OUTPUT -p icmp -j LOG  --log-prefix "iptables_nat_ouput: "
-A POSTROUTING -p icmp -j LOG  --log-prefix "iptables_after_nat: "
COMMIT
# Completed on Sun Feb 18 04:53:06 2007
# Generated by iptables-save v1.3.7 on Sun Feb 18 04:53:06 2007
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:NEW_OUT_CONN - [0:0]
-A PREROUTING -p icmp -j LOG  --log-prefix "iptables_mangle_prerouting: "
-A INPUT -p icmp -j LOG  --log-prefix "iptables_mangle_input: "
-A FORWARD -p icmp -j LOG  --log-prefix "iptables_mangle_forward: "
-A OUTPUT -p icmp -j LOG  --log-prefix "iptables_mangle_ouput: "
-A POSTROUTING -p icmp -j LOG  --log-prefix "iptables_mangle_postrouting: "
-A FORWARD -d 123.123.123.192/255.255.255.240 -j ACCEPT
-A FORWARD -d 123.123.123.224/255.255.255.224 -j ACCEPT
-A FORWARD -m state --state NEW -j NEW_OUT_CONN
-A NEW_OUT_CONN -p icmp -j LOG  --log-prefix "iptables_mangle_new: "
-A NEW_OUT_CONN -j CONNMARK  --set-mark 0
-A NEW_OUT_CONN -p icmp -j LOG  --log-prefix "iptables_marked_0: "
-A NEW_OUT_CONN -m statistic -j RETURN  --mode nth --every 2 --packet 0
-A NEW_OUT_CONN -j CONNMARK  --set-mark 1
-A NEW_OUT_CONN -p icmp -j LOG  --log-prefix "iptables_marked_1: "
-A NEW_OUT_CONN -m statistic -j RETURN  --mode nth --every 2 --packet 1
-A FORWARD -p icmp -j LOG --log-prefix "iptables_after_new: "
-A FORWARD -m connmark -i eth2 -j ROUTE  --mark 0 --gw 123.123.123.200 --continue
-A FORWARD -p icmp -j LOG  --log-prefix "iptables_after_ROUTE_0: "
-A FORWARD -m connmark -i eth2 -j ROUTE  --mark 1 --gw 123.123.123.225 --continue
-A FORWARD -p icmp -j LOG  --log-prefix "iptables_after_ROUTE_1: "
COMMIT
# Completed on Sun Feb 18 04:53:06 2007
# Generated by iptables-save v1.3.7 on Sun Feb 18 04:53:06 2007
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j LOG  --log-prefix "iptables_filter_input: "
-A INPUT -i lo -j ACCEPT
-A FORWARD -p icmp -j LOG  --log-prefix "iptables_filter_forward: "
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -s 10.20.30.0/255.255.255.248 -i eth2 -j ACCEPT
-A FORWARD -d 10.20.30.0/255.255.255.248 -o eth2 -j ACCEPT
-A FORWARD -s 192.168.32.0/255.255.255.0 -i eth2 -j ACCEPT
-A FORWARD -s 192.168.64.0/255.255.255.0 -i eth2 -j ACCEPT
-A FORWARD -s 192.168.128.0/255.255.255.0 -i eth2 -j ACCEPT
-A FORWARD -s 192.168.250.0/255.255.255.0 -i eth2 -j ACCEPT
-A FORWARD -s 123.123.123.192/255.255.255.240 -i eth2 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 10.20.30.0/255.255.255.248 -i eth2 -j ACCEPT
# Don't pay attention to next one - it's for future use
-A INPUT -p tcp -m tcp -m multiport -d 123.123.123.201 -j ACCEPT --dports 21,25,53,80
-A OUTPUT -p icmp -j LOG  --log-prefix "iptables_filter_ouput: "
# It's for disabling traceroute through the gate (I think it should work and shouldn't stop icmp ping requests/replies)
-A OUTPUT -p icmp -m icmp -s 10.20.30.0/255.255.255.248 --icmp-type ttl-zero-during-transit -j DROP
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
COMMIT
# Completed on Sun Feb 18 04:53:06 2007

By the way, I have Mandriva 2007 installed, kernel 2.6.20 and iptables 1.3.7 patched with patch-o-matic-ng-20070217 (ROUTE enabled).

___________________________________________________
Learn more about HIV/AIDS!
www.helpme.com.ua ICQ 271 324 528
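The symptom in the post (a reply logged in mangle PREROUTING on eth3 that never appears in FORWARD) is exactly what the kernel's strict reverse-path filter (rp_filter) produces: before forwarding, the kernel looks up the route back to the packet's source, and if that route does not leave through the interface the packet arrived on, the packet is silently dropped between the PREROUTING and FORWARD hooks. With the single routing table shown in the post, the route back to 111.111.111.2 is the default via eth0, so a reply arriving on eth3 fails the test while the same reply on eth0 passes. The following is an added example, not code from the original post or from netfilter: it models that check against the route table transcribed from the post, then models a per-link policy-routing layout (the `ip rule` / `ip route ... table` style, which is an assumption about a fix and is not configured anywhere in the post) to show why source-keyed rules let both replies pass. It also scans LOG output for packets that reach PREROUTING but never FORWARD, keyed by source address and IP ID so that NAT rewriting of the destination does not break the match. The sample log lines are abbreviated from the post's syslog output.

```python
"""Added example (not from the original post): model the strict reverse-path
test (rp_filter) against the post's routing table, and find packets that
were logged in mangle PREROUTING but never reached mangle FORWARD.
The per-link tables LINK0/LINK1 and the POLICY rules are an assumed
iproute2-style layout, not something the post configures."""
import ipaddress
import re

# Main routing table, transcribed from the `route` output in the post.
MAIN = [
    ("10.20.30.0/29", None, "eth2"),
    ("123.123.123.192/28", None, "eth0"),
    ("123.123.123.224/27", None, "eth3"),
    ("0.0.0.0/0", "123.123.123.200", "eth0"),
]

# Assumed per-link tables (what `ip route add ... table <n>` would hold).
LINK0 = [("123.123.123.192/28", None, "eth0"), ("0.0.0.0/0", "123.123.123.200", "eth0")]
LINK1 = [("123.123.123.224/27", None, "eth3"), ("0.0.0.0/0", "123.123.123.225", "eth3")]

# Rules evaluated in order: (source selector, or None for "any", table).
# POLICY is the assumed equivalent of `ip rule add from 123.123.123.234 table <LINK1>`.
ONLY_MAIN = [(None, MAIN)]
POLICY = [("123.123.123.206/32", LINK0), ("123.123.123.234/32", LINK1), (None, MAIN)]


def lookup(table, dst):
    """Longest-prefix match in one table; returns (gateway, iface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])


def route(rules, dst, src):
    """Policy lookup: first rule whose selector matches src and whose table routes dst."""
    for selector, table in rules:
        if selector is None or ipaddress.ip_address(src) in ipaddress.ip_network(selector):
            hit = lookup(table, dst)
            if hit is not None:
                return hit
    return None


def passes_strict_rp_filter(rules, src, dst, iif):
    """Strict reverse-path check: the route back to src, looked up as if we were
    replying from dst, must leave through the interface the packet arrived on.
    A failure here drops the packet between PREROUTING and FORWARD."""
    hit = route(rules, src, dst)
    return hit is not None and hit[1] == iif


# Inbound echo replies as captured in the post: (src, dst, ingress iface).
REPLY_VIA_ETH0 = ("111.111.111.2", "123.123.123.206", "eth0")
REPLY_VIA_ETH3 = ("111.111.111.2", "123.123.123.234", "eth3")

# Constructed sample, abbreviated from the post's syslog lines.
SAMPLE_LOG = [
    "kernel: iptables_mangle_prerouting: IN=eth0 OUT= SRC=111.111.111.2 DST=123.123.123.206 ID=17571 PROTO=ICMP TYPE=0 ID=512 SEQ=30209",
    "kernel: iptables_mangle_forward: IN=eth0 OUT=eth2 SRC=111.111.111.2 DST=10.20.30.3 ID=17571 PROTO=ICMP TYPE=0 ID=512 SEQ=30209",
    "kernel: iptables_mangle_prerouting: IN=eth3 OUT= SRC=111.111.111.2 DST=123.123.123.234 ID=51251 PROTO=ICMP TYPE=0 ID=512 SEQ=30465",
]

LOG_FIELD = re.compile(r"(\w+)=(\S*)")
LOG_HOOK = re.compile(r"iptables_(\w+):")


def stalled_packets(log_lines):
    """Return (SRC, IP-ID) pairs seen in mangle PREROUTING but never in mangle
    FORWARD. DST is deliberately not part of the key: conntrack un-NATs the
    destination between the two hooks (123.123.123.206 becomes 10.20.30.3)."""
    seen = {}
    for line in log_lines:
        hook = LOG_HOOK.search(line)
        if not hook:
            continue
        fields = {}
        for key, value in LOG_FIELD.findall(line):
            fields.setdefault(key, value)  # first ID= is the IP header ID, not the ICMP one
        seen.setdefault((fields.get("SRC"), fields.get("ID")), set()).add(hook.group(1))
    return sorted(k for k, hooks in seen.items()
                  if "mangle_prerouting" in hooks and "mangle_forward" not in hooks)


if __name__ == "__main__":
    for name, reply in (("eth0", REPLY_VIA_ETH0), ("eth3", REPLY_VIA_ETH3)):
        print(name, "main table only:", passes_strict_rp_filter(ONLY_MAIN, *reply),
              "per-link tables:", passes_strict_rp_filter(POLICY, *reply))
    print("stalled:", stalled_packets(SAMPLE_LOG))
```

On the real gateway the quick check for this hypothesis is the value of `/proc/sys/net/ipv4/conf/eth3/rp_filter` (and `conf/all/rp_filter`); the check only explains a loss between PREROUTING and FORWARD, so if the packet is lost later, look at the FORWARD chain policy and conntrack instead. Setting rp_filter to 0 on the second link makes the reply pass, but a per-link routing table selected by the local address keeps the reverse-path protection in place, which is why the example models that layout rather than just disabling the filter.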