Re: Routing to DMZ with multiple ISP's

Hello,

Robert Ferney wrote:

> I have 10 DSL routers with associated internet connections.
> They are all configured to DNAT all traffic on their external
> interface to one internal Router.
>
> I'm trying to DNAT all web traffic to a webserver at 192.168.7.4
> It is working for the first connection, but it fails on the remainder
> What am I missing?

My guess is what you are missing is that the "un-DNAT" of the source address in the reply packets from the server takes place in POSTROUTING, too late for it to be taken into account by your routing rules, which affect only packets generated by the internal router.

So your internal router needs to know to which gateway the reply packets must be sent (depending on which gateway the original packet came from) before the routing stage. This must be done in PREROUTING.

Here are two possible methods:

==============================================================
1) Match the original destination address of the incoming DNATed connection in the reply packets. This is done with the "--ctorigdst" option of the "conntrack" iptables match:

iptables -t mangle -A PREROUTING -i eth0 \
  -m conntrack --ctstate DNAT --ctorigdst 192.168.4.2 \
  -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -i eth0 \
  -m conntrack --ctstate DNAT --ctorigdst 192.168.4.6 \
  -j MARK --set-mark 0x2
[...]

Then you direct the marked packets to the alternate routing table:

ip rule add fwmark 0x1 lookup dsl1
ip rule add fwmark 0x2 lookup dsl2
[...]

==============================================================
2) Mark the connections with the CONNMARK iptables target.
This requires a kernel with connection mark support, i.e. at least version 2.6.10 or patched with patch-o-matic-ng.

iptables -t mangle -A PREROUTING -i eth2 -m state --state NEW \
  -d 192.168.4.2 -p tcp --dport 80 -j CONNMARK --set-mark 0x1
iptables -t mangle -A PREROUTING -i eth2 -m state --state NEW \
  -d 192.168.4.6 -p tcp --dport 80 -j CONNMARK --set-mark 0x2
[...]

This sets a "connection mark" on new _connections_ (not on individual packets) incoming on eth2 depending on the original destination address. Then copy the connection mark into the mark of the reply packets incoming on eth0:

iptables -t mangle -A PREROUTING -i eth0 -m connmark --mark 0x1 \
  -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i eth0 -m connmark --mark 0x2 \
  -j CONNMARK --restore-mark
[...]

The "ip rule" commands are the same as in 1).

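Both methods from the reply above, as an added example that is not part of the original message: a POSIX shell script that generates (and, on request, applies) the complete rule set, including the pieces the reply takes for granted, namely the DNAT rule on the internal router and one routing table per DSL router with that router as its default gateway. The topology (eth2 towards the DSL routers, eth0 towards the web server), the DSL routers' LAN addresses 192.168.4.1 and 192.168.4.5, the routing table ids 101/102 and the marks are assumptions for the illustration, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original post: generate the netfilter and
# policy-routing rules that send each reply packet back through the DSL
# router whose address the client originally connected to.
#
# Assumed topology (not stated in the post): eth2 faces the DSL routers,
# eth0 faces the web server, and each DSL router's LAN-side address is the
# gateway listed below. Addresses, table ids and marks are illustrative.
#
# Columns: address the DSL router DNATs to | that router's LAN address |
#          routing table id | fwmark
MAPPINGS='
192.168.4.2 192.168.4.1 101 0x1
192.168.4.6 192.168.4.5 102 0x2
'
EXT_IF=eth2          # towards the DSL routers
INT_IF=eth0          # towards the web server
WEB=192.168.7.4      # the real web server behind the internal router

each_mapping() {
  # Call "$@" once per non-empty MAPPINGS line with the four columns as args.
  printf '%s\n' "$MAPPINGS" | grep . | while read -r vip gw table mark; do
    "$@" "$vip" "$gw" "$table" "$mark"
  done
}

emit_common() {
  # Per DSL router: the DNAT the poster already has, a routing table whose
  # default route is that router, and the fwmark -> table rule.
  vip=$1 gw=$2 table=$3 mark=$4
  echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $vip -p tcp --dport 80 -j DNAT --to-destination $WEB"
  echo "ip route replace default via $gw dev $EXT_IF table $table"
  echo "ip rule add fwmark $mark lookup $table"
}

emit_ctorigdst() {
  # Method 1: mark every reply packet by the connection's original destination.
  vip=$1 mark=$4
  echo "iptables -t mangle -A PREROUTING -i $INT_IF -m conntrack --ctstate DNAT --ctorigdst $vip -j MARK --set-mark $mark"
}

emit_connmark() {
  # Method 2: mark the connection once on its first packet. mangle PREROUTING
  # runs before nat PREROUTING, so -d still sees the pre-DNAT address here.
  vip=$1 mark=$4
  echo "iptables -t mangle -A PREROUTING -i $EXT_IF -m state --state NEW -d $vip -p tcp --dport 80 -j CONNMARK --set-mark $mark"
}

gen_rules() {
  # $1 = connmark | ctorigdst (default connmark). Prints commands, applies nothing.
  method=${1:-connmark}
  each_mapping emit_common
  case $method in
    connmark)
      each_mapping emit_connmark
      # A single restore rule copies the connection mark onto every reply packet.
      echo "iptables -t mangle -A PREROUTING -i $INT_IF -j CONNMARK --restore-mark" ;;
    ctorigdst)
      each_mapping emit_ctorigdst ;;
    *)
      echo "unknown method: $method" >&2
      return 1 ;;
  esac
  # Old (2.6-era) kernels cache route decisions; flush after changing rules.
  echo "ip route flush cache"
}

# Usage: sh this.sh connmark|ctorigdst        -> print the commands
#        sh this.sh connmark|ctorigdst apply  -> run them (needs root)
if [ $# -gt 0 ]; then
  if [ "${2:-}" = apply ]; then
    gen_rules "$1" | sh -e
  else
    gen_rules "$1"
  fi
fi
```

After applying, `ip route get <client address> mark 0x2` should show the second DSL router as the gateway, and the per-rule packet counters from `iptables -t mangle -L PREROUTING -v -n` show whether the reply packets are actually being marked on eth0.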

