On Wed, 2008-05-28 at 23:50 +0200, ArcosCom Linux User wrote:
> Perhaps you can read a bit more about multilinks here:
>
> http://lartc.org.
>
> You can take the example given previously and the info in lartc to make
> your own rules.
>

Hi list

Just to clear my mind about this stuff:

> As an example, I have this output for my linux box that uses 3 lines:
>
> === REGLAS IPTABLES PARA EL ENRUTADO ===
> Chain PREROUTING (policy ACCEPT 18M packets, 14G bytes)
> num   pkts  bytes  target        prot opt in   out  source     destination
> 1     16M   12G    M_TRAF_IN     all  --  *    *    0.0.0.0/0  0.0.0.0/0
> 2     2520K 1867M  M_IFACE       all  --  *    *    0.0.0.0/0  0.0.0.0/0
>
> Chain M_IFACE (1 references)
> num   pkts  bytes  target        prot opt in   out  source     destination
> 1     1265K 166M   CONNMARK      all  --  *    *    0.0.0.0/0  0.0.0.0/0   MARK match 0x0/0xf000 CONNMARK restore

this rule tells us: all connections will be restored and marked 0x0, which
means that if at NAT a packet goes out, when it returns it will return w/ no
mark and will it receive a mark 0x0?

> 2     1403K 1710M  RETURN        all  --  *    *    0.0.0.0/0  0.0.0.0/0   MARK match !0x0/0xf000

this one tells us to pass without mark any packet w/ mark different from 0x0?

> 3     1117K 158M   M_IFACE_TRAF  all  --  *    *    0.0.0.0/0  0.0.0.0/0   MARK match 0x0/0xf000
> 4     7275  371K   MARK          all  --  eth1 *    0.0.0.0/0  0.0.0.0/0   MARK match 0x0/0xf000 state NEW MARK or 0x4000

this one tells to mark every new connection leaving eth1 w/ mark 0x4000

> 5     9839  514K   MARK          all  --  eth2 *    0.0.0.0/0  0.0.0.0/0   MARK match 0x0/0xf000 state NEW MARK or 0x2000
> 6     9164  480K   MARK          all  --  eth3 *    0.0.0.0/0  0.0.0.0/0   MARK match 0x0/0xf000 state NEW MARK or 0x8000
> 7     26278 1365K  CONNMARK      all  --  *    *    0.0.0.0/0  0.0.0.0/0   MARK match !0x0/0xf000 CONNMARK save
> 8     1117K 158M   RETURN        all  --  *    *    0.0.0.0/0  0.0.0.0/0
>
> Chain M_IFACE_TRAF (2 references)
> num   pkts  bytes  target        prot opt in   out  source     destination
>
> Chain POSTROUTING (policy ACCEPT 20M packets, 14G bytes)
> num   pkts  bytes  target        prot opt in   out  source     destination
> 1     17M   13G    M_TRAF_OUT    all  --  *    *    0.0.0.0/0  0.0.0.0/0
> 2     2744K 1934M  M_IFACE_OUT   all  --  *    *    0.0.0.0/0  0.0.0.0/0
>
> Chain M_IFACE_OUT (1 references)
> num   pkts  bytes  target        prot opt in   out  source     destination
> 1     2572K 1848M  CONNMARK      all  --  *    *    0.0.0.0/0  0.0.0.0/0   MARK match 0x0/0xf000 CONNMARK restore

this one tells to restore connections w/ mark 0x0

> 2     1079K 135M   RETURN        all  --  *    *    0.0.0.0/0  0.0.0.0/0   MARK match !0x0/0xf000
> 3     1665K 1794M  M_IFACE_TRAF  all  --  *    *    0.0.0.0/0  0.0.0.0/0   MARK match 0x0/0xf000
> 4     6830  410K   MARK          all  --  *    eth1 0.0.0.0/0  0.0.0.0/0   MARK match 0x0/0xf000 state NEW MARK or 0x4000
> 5     5559  331K   MARK          all  --  *    eth2 0.0.0.0/0  0.0.0.0/0   MARK match 0x0/0xf000 state NEW MARK or 0x2000
> 6     14689 871K   MARK          all  --  *    eth3 0.0.0.0/0  0.0.0.0/0   MARK match 0x0/0xf000 state NEW MARK or 0x8000
> 7     27078 1612K  CONNMARK      all  --  *    *    0.0.0.0/0  0.0.0.0/0   MARK match !0x0/0xf000 CONNMARK save
> 8     1665K 1794M  RETURN        all  --  *    *    0.0.0.0/0  0.0.0.0/0

Summarizing: when you use CONNMARK in mangle PREROUTING and mark a connection,
when a packet returns it returns w/ no mark, it checks CONNTRACK connections and
then it receives its mark again.

Suppose a new packet from LAN to internet:

lan eth0 --FIREWALL-- eth1 internet

-> eth0 packet (w/ no mark) -> mangle prerouting (restore mark) -> nat prerouting
-> routing -> mangle forward -> forward -> mangle postrouting (receive a mark
0x4000) -> nat postrouting -> eth1

back

eth1 packet (w/ no mark) -> mangle prerouting (restore mark - receive mark 0x4000)
-> nat prerouting -> routing -> mangle forward -> forward -> mangle postrouting
(as already has a mark pass) -> nat postrouting -> eth1

Is that correct????

thanks in advance

> === REGLAS DE ENRUTAMIENTO ===
> 0:      from all lookup local
> 50:     from all lookup main
> 100:    from all fwmark 0x4000/0xf000 lookup uno
> 101:    from all fwmark 0x2000/0xf000 lookup dos
> 102:    from all fwmark 0x8000/0xf000 lookup tabla_eth3
> 150:    from 212.170.103.236 lookup uno
> 151:    from 212.170.103.235 lookup dos
> 152:    from 212.59.210.142 lookup tabla_eth3
> 200:    from all lookup defecto
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> === TABLAS DE RUTAS ===
> === MAIN ===
> 212.170.103.192/26 dev eth2  proto kernel  scope link  src 212.170.103.235
> 212.170.103.192/26 dev eth1  proto kernel  scope link  src 212.170.103.236
> 192.168.3.0/24 dev zlan0  proto kernel  scope link  src 192.168.3.247
> 192.168.2.0/24 dev zlan0  proto kernel  scope link  src 192.168.2.247
> 192.168.1.0/24 dev zlan0  proto kernel  scope link  src 192.168.1.247
> 212.59.210.0/24 dev eth3  proto kernel  scope link  src 212.59.210.142
> 10.1.1.0/24 dev zlan0  proto kernel  scope link  src 10.1.1.6
> 169.254.0.0/16 dev eth1  scope link
>
> === eth1 TABLA 150 ===
> default via 212.170.103.193 dev eth1  proto static  src 212.170.103.236
> prohibit default  proto static  metric 1
>
> === eth2 TABLA 151 ===
> default via 212.170.103.193 dev eth2  proto static  src 212.170.103.235
> prohibit default  proto static  metric 1
>
> === eth3 TABLA 152 ===
> default via 212.59.210.1 dev eth3  proto static  src 212.59.210.142
> prohibit default  proto static  metric 1
>
> === TABLA 200 (defecto) ===
> default  proto static
>         nexthop dev eth1 weight 1
>         nexthop dev eth2 weight 1
>         nexthop dev eth3 weight 3
>
>
> You can change it a bit to allow a default route for your 67.17.117.0/24
> network and another to everything else.
>
> Regards
>
> On Wed, 28 May 2008, 22:26, jeev wrote:
> > ok.
> >
> > i sort of understand..
> >
> > i've managed to get it working with the following:
> > ip route add 69.17.117.0/24 via GATEWAY-OF-ETH2 src IP-OF-ETH2
> >
> > AND adding this to iptables before the default route.
> >
> > -A POSTROUTING -t nat -o eth2 -s 192.168.2.0/24 -d 67.17.117.0/24 -j
> > MASQUERADE
> >
> > i do understand the link you gave me but do not understand where i
> > input details of the networks in question.
> >
> > i want to route everything out the default connection which would be
> > eth3, EXCEPT for what i define in ip blocks like i listed above.
> >
> > and as far as the commands i ran up there to get them working. i have
> > 2 cable modems, node is running great right now, i should be able to
> > get 10mbit from each but when i run a speedtest using one ip and then
> > start the other.. it slows down.. (making me believe that it's still
> > riding off one ip somehow) so when i get home, i'm going to look at
> > graphs i guess.
> >
> > also, i have a viatalk linksys adapter at home and it's set up as
> > following:
> >
> > ip route add table 10 dev eth2
> > ip rule add from 192.168.2.5/32 table 10 priority 1
> > and
> > 0     0 MASQUERADE  all  --  any    eth2    viatalk    anywhere
> >
> > and as i just restarted the adapter
> >
> > 10  563 MASQUERADE  all  --  any    eth2    viatalk    anywhere
> >
> > the adapter does pick the correct external ip now but it's still
> > having trouble connecting to the login server.
> >
> > any help would be appreciated.
> >
> > i really am considering dropping back to PFSENSE on bsd.. i was also
> > having some minor issues there but it was about something else
> > although it was rock solid for about 2 months.
> >
> > thanks everybody.
> >
> > On Wed, May 28, 2008 at 4:50 AM, Jan Engelhardt <jengelh@xxxxxxxxxx>
> > wrote:
> >>
> >> On Wednesday 2008-05-28 07:03, Patrick McHardy wrote:
> >>
> >>> jeev wrote:
> >>>> Hey guys, i was reading on the netfilter site.
> >>>>
> >>>> I saw Patrick McHardy wrote about having 2 cable modems... i'm in the
> >>>> same situation... my only problem is that I don't want to do load
> >>>> balancing, i've just come from using PFSENSE/freebsd to use
> >>>> ClarkConnect on CentOS i guess.. i've never used iptables before. i've
> >>>> tried things like:
> >>>>
> >>>> "iptables -A POSTROUTING -t nat -o eth2 -s 192.168.2.0/24 -d
> >>>> 67.17.117.0/24 -j MASQUERADE" and it still doesn't work.
> >>>>
> >>>> 192.168.2.0/24 dev eth1  proto kernel  scope link  src 192.168.2.1
> >>>> 24.x.x.0/23 dev eth2  proto kernel  scope link  src 24.x.x.23
> >>>> 71.x.x.0/23 dev eth3  proto kernel  scope link  src 71.x.x.6
> >>>> default via 71.x.x.1 dev eth3
> >>>>
> >>>> so right now i have all traffic go out eth3, i'd love to have the ips
> >>>> and ipblocks i select and have it go out one of the cable interfaces.
> >>>> so for the example above, i want www.speedtest.net (because it shows
> >>>> the ip) to go out eth2 but it's still going out eth3.
> >>>
> >>> [...]
> >>> You can use any criteria you like for distribution, the important
> >>> thing is to make sure connections stay on one connection when using
> >>> NAT (since many providers don't allow spoofed addresses), [...]
> >>> Dealing with incoming connections on both internet connections
> >>> is trickier because you need to make sure they go out the same
> >>> way they came in, so I'll skip this because I'm short on time
> >>> right now :)
> >>
> >> As described in http://dev.medozas.de/NF-Cookbook.txt.
> >>
> >>
> > --
> > To unsubscribe from this list: send the line "unsubscribe netfilter" in
> > the body of a message to majordomo@xxxxxxxxxxxxxxx
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
> >
> >
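As an added example (not code from this thread), a small Python model of the quoted M_IFACE / M_IFACE_OUT chains and ip rules that traces the mark lifecycle asked about above: CONNMARK restore copies the connection's 0xf000 bits onto each packet, so the first packet of a new connection stays unmarked until POSTROUTING marks it by output interface and saves it, and the reply arriving on eth1 gets 0x4000 back in PREROUTING. The addresses, the conntrack store and the simplified rule lookup are assumptions made here; the marks, mask, tables and interface names come from the posted output.

```python
import ipaddress
# Added model of the quoted M_IFACE / M_IFACE_OUT chains and ip rules; not code
# from the thread. Marks, mask and tables come from the posted output; the
# conntrack store, packets and addresses are constructed here.
MASK = 0xF000
IFACE_MARK = {"eth1": 0x4000, "eth2": 0x2000, "eth3": 0x8000}        # rules 4-6
FWMARK_TABLE = {0x4000: "uno", 0x2000: "dos", 0x8000: "tabla_eth3"}  # ip rules 100-102
LAN = [ipaddress.ip_network(n) for n in                              # main table (rule 50)
       ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "10.1.1.0/24")]
conntrack = {}  # constructed conntrack: flow key -> {"connmark", "packets"}

def m_iface(pkt, entry, state, hook):
    """The posted chain: restore, RETURN if marked, mark NEW by iface, save."""
    # rule 1: restore copies the connection's 0xf000 bits; new connection -> stays 0
    pkt["mark"] = (pkt["mark"] & ~MASK) | (entry["connmark"] & MASK)
    if pkt["mark"] & MASK:                        # rule 2: already classified, RETURN
        return f"{hook}: restored 0x{pkt['mark']:04x}"
    iface = pkt["in"] if hook == "PREROUTING" else pkt["out"]
    if state == "NEW" and iface in IFACE_MARK:    # rules 4-6: MARK or <iface bit>
        pkt["mark"] |= IFACE_MARK[iface]
    if pkt["mark"] & MASK:                        # rule 7: CONNMARK save
        entry["connmark"] = pkt["mark"] & MASK
        return f"{hook}: marked 0x{pkt['mark']:04x} and saved to connmark"
    return f"{hook}: no mark"                     # rule 8: RETURN

def lookup(pkt):
    """ip rule order from the post: 50 main (LAN routes), 100-102 fwmark, 200 defecto."""
    if any(ipaddress.ip_address(pkt["dst"]) in n for n in LAN):
        return "main"
    return FWMARK_TABLE.get(pkt["mark"] & MASK, "defecto")

def forward(pkt):
    """One packet: mangle PREROUTING -> routing decision -> mangle POSTROUTING."""
    key = tuple(sorted((pkt["src"], pkt["dst"])))  # replies share the flow key
    entry = conntrack.setdefault(key, {"connmark": 0, "packets": 0})
    state = "NEW" if entry["packets"] == 0 else "ESTABLISHED"  # fixed before mangle runs
    trace = [m_iface(pkt, entry, state, "PREROUTING")]
    table = lookup(pkt)                           # routing sees the mark restored above
    trace.append(m_iface(pkt, entry, state, "POSTROUTING"))
    entry["packets"] += 1
    return table, trace

def demo():
    """Constructed flow: first packet LAN -> internet out eth1, its reply, a follow-up."""
    def pkt(src, dst, iin, out):
        return {"src": src, "dst": dst, "in": iin, "out": out, "mark": 0}
    first = forward(pkt("192.168.2.10", "198.51.100.7", "zlan0", "eth1"))
    reply = forward(pkt("198.51.100.7", "192.168.2.10", "eth1", "zlan0"))
    again = forward(pkt("192.168.2.10", "198.51.100.7", "zlan0", "eth1"))
    return first, reply, again
```

The third packet shows why the scheme keeps a NATed connection on one uplink: once connmark holds 0x4000, every later packet of that flow is restored to it in PREROUTING and rule 100 sends it to table uno.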