Dashamir Hoxha
2006-Oct-06 14:46 UTC
Two outbound internet links, using one network interface
Hi,

I am trying to categorize the network traffic and to send it out across two different providers. For this I mark the packets in the firewall (in the PREROUTING chain of table mangle), and then use another routing table for the marked packets, which has a different gateway from the main routing table. Basically I am following the cookbook example in this page:
http://linux-ip.net/html/adv-multi-internet.html
with some small changes and modifications.

The most important difference is that I am trying to use just one external network interface, which is connected through a hub/switch to both of the ISP links. I add two different IPs to this interface, corresponding to each provider's network. Then the masquerading is done with a rule like this:

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

instead of:

# iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 67.17.28.12
# iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 205.254.211.179

For the traffic that is generated in the LAN behind the box, it works, but for the traffic that is generated in the localhost (routing box), it does not work. Indeed, it cannot possibly work for the localhost with a setup like this (with only one external interface). As can be seen in this document:
http://www.faqs.org/docs/iptables/traversingoftables.html
(Table 3-2. Source local host)
the routing decision happens before the packet enters the chains of iptables (the chain PREROUTING is not traversed in this case).

This is not a big problem (it is not so important that the traffic of the routing box be categorized as well), but trying to solve it, I came up with another solution, which seems simpler. The idea is to use something like this:

---------------------------------------------------------------------------------
IPT=/sbin/iptables
PORT_LIST="22 53"
GATEWAY1=192.168.10.1
GATEWAY2=192.168.100.1

for PORT in $PORT_LIST
do
    $IPT -t nat -A POSTROUTING -o eth0 \
        -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2
done

$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
-----------------------------------------------------------------------------

I have not tested it yet but I don't see why it should not work.

Also, I have seen somewhere that using two IPs on the same interface may be risky (may have security implications), but I don't see what they can be. If somebody has any idea of them and how to avoid them, please let me know. E.g. I have heard about "IP spoofing" but I don't understand what it is.

Regards,
Dashamir
Zoilo Gomez
2006-Oct-08 10:14 UTC
Re: Two outbound internet links, using one network interface
Dashamir Hoxha wrote:
> Hi,
>
> I am trying to categorize the network traffic and to send it out across two different providers. For this I mark the packets in the firewall (in the PREROUTING chain of table mangle), and then use another routing table for the marked packets, which has a different gateway from the main routing table. Basically I am following the cookbook example in this page:
> http://linux-ip.net/html/adv-multi-internet.html
> with some small changes and modifications.
>
> The most important difference is that I am trying to use just one external network interface, which is connected through a hub/switch to both of the ISP links. I add two different IPs to this interface, corresponding to each provider's network. Then the masquerading is done with a rule like this:
>
> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> instead of:
>
> # iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 67.17.28.12
> # iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 205.254.211.179

How about using iproute2 (instead of MASQ / SNAT rule):

=> ip route add 192.168.10.0/24 dev eth0 src 192.168.10.1
=> ip route add 192.168.100.0/24 dev eth0 src 192.168.100.1

> For the traffic that is generated in the LAN behind the box, it works, but for the traffic that is generated in the localhost (routing box), it does not work. Indeed, it cannot possibly work for the localhost with a setup like this (with only one external interface). As can be seen in this document:
> http://www.faqs.org/docs/iptables/traversingoftables.html
> (Table 3-2. Source local host)
> the routing decision happens before the packet enters the chains of iptables (the chain PREROUTING is not traversed in this case).
>
> This is not a big problem (it is not so important that the traffic of the routing box be categorized as well), but trying to solve it, I came up with another solution, which seems simpler. The idea is to use something like this:
>
> ---------------------------------------------------------------------------------
> IPT=/sbin/iptables
> PORT_LIST="22 53"
> GATEWAY1=192.168.10.1
> GATEWAY2=192.168.100.1
>
> for PORT in $PORT_LIST
> do
>     $IPT -t nat -A POSTROUTING -o eth0 \
>         -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2
> done
>
> $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
> -----------------------------------------------------------------------------
>
> I have not tested it yet but I don't see why it should not work.
>
> Also, I have seen somewhere that using two IPs on the same interface may be risky (may have security implications), but I don't see what they can be. If somebody has any idea of them and how to avoid them, please let me know. E.g. I have heard about "IP spoofing" but I don't understand what it is.

Using VLANs, you can separate the networks on the link level instead. This is the same (in software) as using 2 different LAN ports (in hardware).

Regards,
Z.
Dashamir Hoxha
2006-Oct-11 06:37 UTC
Re: Two outbound internet links, using one network interface
Dashamir Hoxha wrote:
> [...]
>
> This is not a big problem (it is not so important that the traffic of the routing box be categorized as well), but trying to solve it, I came up with another solution, which seems simpler. The idea is to use something like this:
>
> ---------------------------------------------------------------------------------
> IPT=/sbin/iptables
> PORT_LIST="22 53"
> GATEWAY1=192.168.10.1
> GATEWAY2=192.168.100.1
>
> for PORT in $PORT_LIST
> do
>     $IPT -t nat -A POSTROUTING -o eth0 \
>         -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2
> done
>
> $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
> -----------------------------------------------------------------------------
>
> I have not tested it yet but I don't see why it should not work.

From the testing and meditation that I have done up to now, I have arrived at the conclusion that this is not a solution for the problem of traffic categorization. The reason is that POSTROUTING happens after the routing decision is taken, so the route that is chosen is not affected by the source IP of the packet. Am I right?

> Also, I have seen somewhere that using two IPs on the same interface may be risky (may have security implications), but I don't see what they can be. If somebody has any idea of them and how to avoid them, please let me know. E.g. I have heard about "IP spoofing" but I don't understand what it is.
>
> Regards,
> Dashamir
Radu Oprisan
2006-Oct-11 11:05 UTC
Re: Two outbound internet links, using one network interface
Dashamir Hoxha wrote:
> Dashamir Hoxha wrote:
>> [...]
>>
>> IPT=/sbin/iptables
>> PORT_LIST="22 53"
>> GATEWAY1=192.168.10.1
>> GATEWAY2=192.168.100.1
>>
>> for PORT in $PORT_LIST
>> do
>>     $IPT -t nat -A POSTROUTING -o eth0 \
>>         -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2
>> done
>>
>> $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
>>
>> I have not tested it yet but I don't see why it should not work.

for PORT in $PORT_LIST
do
    $IPT -t nat -A PREROUTING -i eth_clients \
        -p tcp --dport $PORT -j MARK --set-mark 0x01
done

$IPT -t nat -A POSTROUTING -o eth0 -m mark --mark 0x01 -j SNAT --to-source $GATEWAY2
$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1

> From the testing and meditation that I have done up to now, I have arrived at the conclusion that this is not a solution for the problem of traffic categorization. The reason is that POSTROUTING happens after the routing decision is taken, so the route that is chosen is not affected by the source IP of the packet. Am I right?
>
>> Also, I have seen somewhere that using two IPs on the same interface may be risky (may have security implications), but I don't see what they can be. If somebody has any idea of them and how to avoid them, please let me know. E.g. I have heard about "IP spoofing" but I don't understand what it is.
>>
>> Regards,
>> Dashamir
Radu Oprisan
2006-Oct-11 11:17 UTC
Re: Two outbound internet links, using one network interface
Radu Oprisan wrote:
> Dashamir Hoxha wrote:
>> Dashamir Hoxha wrote:
>>> [...]
>>>
>>> I have not tested it yet but I don't see why it should not work.
>>
>
> for PORT in $PORT_LIST
> do
$IPT -t mangle -A PREROUTING -i eth_clients \
    -p tcp --dport $PORT -j MARK --set-mark 0x01
> done
>
> $IPT -t nat -A POSTROUTING -o eth0 -m mark --mark 0x01 -j SNAT --to-source $GATEWAY2
> $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1

I'm sorry....
Dashamir Hoxha
2006-Oct-11 12:29 UTC
Re: Two outbound internet links, using one network interface
Radu Oprisan wrote:
> Radu Oprisan wrote:
>> Dashamir Hoxha wrote:
>>> Dashamir Hoxha wrote:
>>>> [...]
>>>>
>>>> I have not tested it yet but I don't see why it should not work.
>>>
>>
>> for PORT in $PORT_LIST
>> do
> $IPT -t mangle -A PREROUTING -i eth_clients \
>     -p tcp --dport $PORT -j MARK --set-mark 0x01
>> done
>>
>> $IPT -t nat -A POSTROUTING -o eth0 -m mark --mark 0x01 -j SNAT --to-source $GATEWAY2
>> $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
>
> I'm sorry....

Ok, it may work like this, I have to try it. By the way, instead of $GATEWAY1 and $GATEWAY2 above, $IP1 and $IP2 must be used; it was a mistake.
Dashamir Hoxha
2006-Oct-11 12:38 UTC
Re: Two outbound internet links, using one network interface
Zoilo Gomez wrote:
> Using VLANs, you can separate the networks on the link level instead. This is the same (in software) as using 2 different LAN ports (in hardware).

Thanks for the suggestion. I am trying it, and it seems very easy to use. However the problem is that it is not working. I am doing it like this:

# /sbin/modprobe 8021q
# /sbin/vconfig add eth0 2
# /sbin/ip link set eth0.2 up
# /sbin/ip addr add 192.168.10.2/24 dev eth0.2

When I try `ping 192.168.10.1` it says "Destination Host Unreachable". Both IPs are connected to the same switch. Does anybody know what can be wrong?

Dashamir
Alexandru Dragoi
2006-Oct-11 13:36 UTC
Re: Two outbound internet links, using one network interface
Dashamir Hoxha wrote:
> [...]
>
> Thanks for the suggestion. I am trying it, and it seems very easy to use. However the problem is that it is not working. I am doing it like this:
>
> # /sbin/modprobe 8021q
> # /sbin/vconfig add eth0 2
> # /sbin/ip link set eth0.2 up
> # /sbin/ip addr add 192.168.10.2/24 dev eth0.2
>
> When I try `ping 192.168.10.1` it says "Destination Host Unreachable". Both IPs are connected to the same switch. Does anybody know what can be wrong?
>
> Dashamir

You need a switch with 802.1q VLAN support (Cisco for example). The network card needs to be plugged into a switch port in "trunk" mode, and the providers each into its own access switch port in the specified VLAN (like 2).
Pio Mendez
2006-Oct-11 16:31 UTC
Re: Two outbound internet links, using one network interface
The PREROUTING chain is not traversed by local traffic, but the OUTPUT chain is. What about this script?

---------------------------------------------------------------------------------
IPT=/sbin/iptables
PORT_LIST="22 53"

for PORT in $PORT_LIST
do
    $IPT -t mangle -A PREROUTING -p tcp --dport $PORT -s <ip-lan> -j MARK --set-mark 4
    $IPT -t mangle -A OUTPUT -p tcp --dport $PORT -s <ip-lan> -j MARK --set-mark 4
done

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

ip route add 192.168.10.0/24 dev eth0 table 4
ip route add default via 192.168.10.1 table 4
ip rule add fwmark 4 table 4
---------------------------------------------------------------------------------

Paolo Malfatti
CiDiS Camiri
Pio Mendez
2006-Oct-12 13:02 UTC
Re: Two outbound internet links, using one network interface
From: Dashamir Hoxha
To: Pio Mendez
Subject: Re: [LARTC] Two outbound internet links, using one network interface
Date: Thu, 12 Oct 2006 14:37:19 +0200

> Pio Mendez wrote:
>> The PREROUTING chain is not traversed by local traffic, but the OUTPUT chain is.
>
> I think that OUTPUT is traversed after the routing decision is taken, so it is still the same problem.

I'm using the OUTPUT chain in a production environment to balance squid box traffic between 2 ISPs, so I'm sure that you can reroute output packets using the mangle OUTPUT chain.

After traversing the mangle and nat OUTPUT chains there is another routing process. Please check this diagram:
http://www.imagestream.com/~josh/PacketFlow.png
Dashamir Hoxha
2006-Oct-13 06:49 UTC
Re: Two outbound internet links, using one network interface
Pio Mendez wrote:
> The PREROUTING chain is not traversed by local traffic, but the OUTPUT chain is.

I think that OUTPUT is traversed after the routing decision is taken, so it is still the same problem.

Alexandru Dragoi wrote:
> You need a switch with 802.1q VLAN support (Cisco for example). The network card needs to be plugged into a switch port in "trunk" mode, and the providers each into its own access switch port in the specified VLAN (like 2).

Since I don't have a switch like that, I guess I should go back to the first solution, adding two IPs to the same network interface. The problem of localhost traffic not being categorized still exists, but this is not so important, since the box is going to serve as a router. So, the solution up to now looks like this:

-------------8<----------------------------------
ip link set eth0 up
ip address flush eth0
ip address add $IP1 dev eth0
ip address add $IP2 dev eth0

ip route add to default via $GATEWAY1

ip route flush table 2
ip route show table main | grep -Ev ^default \
    | while read ROUTE ; do ip route add table 2 $ROUTE ; done
ip route add table 2 default via $GATEWAY2

ip rule del fwmark 2 table 2 2>/dev/null
ip rule add fwmark 2 table 2

PORT_LIST="22 53"
for PORT in $PORT_LIST
do
    iptables -t mangle -A PREROUTING -m tcp -p tcp --dport $PORT -j MARK --set-mark 0x2
done

iptables -t nat -A POSTROUTING -o eth0 -m mark --mark 0x2 -j SNAT --to-source $IP2
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $IP1
------------8<---------------------------------

Thanks to Radu Oprisan for the SNAT rules suggestion, because in general they are better than -j MASQUERADE.

What remains to be done now is:
1 - What are the (security) problems related to this solution (two IPs on one interface) and how to avoid them.
2 - How to do a backup connection, i.e. when one of the lines goes down, the other one is used automatically. One way may be to use ping, in order to discover when a gateway is down, and then to switch to the other.

Has anybody any idea on these topics?

Thanks.
Dashamir
Dashamir Hoxha
2006-Oct-13 07:01 UTC
Re: Two outbound internet links, using one network interface
Pio Mendez wrote:
>> Pio Mendez wrote:
>>> The PREROUTING chain is not traversed by local traffic, but the OUTPUT chain is.
>>
>> I think that OUTPUT is traversed after the routing decision is taken, so it is still the same problem.
>
> I'm using the OUTPUT chain in a production environment to balance squid box traffic between 2 ISPs, so I'm sure that you can reroute output packets using the mangle OUTPUT chain.
>
> After traversing the mangle and nat OUTPUT chains there is another routing process. Please check this diagram:
> http://www.imagestream.com/~josh/PacketFlow.png

Pio Mendez is right. I have just tested it and it works. Now the script becomes something like this:

-------------8<----------------------------------
ip link set eth0 up
ip address flush eth0
ip address add $IP1 dev eth0
ip address add $IP2 dev eth0

ip route add to default via $GATEWAY1

ip route flush table 2
ip route show table main | grep -Ev ^default \
    | while read ROUTE ; do ip route add table 2 $ROUTE ; done
ip route add table 2 default via $GATEWAY2

ip rule del fwmark 2 table 2 2>/dev/null
ip rule add fwmark 2 table 2

iptables -t mangle -N MARK-RULES
iptables -t mangle -A PREROUTING -j MARK-RULES
iptables -t mangle -A OUTPUT -j MARK-RULES

PORT_LIST="22 53"
for PORT in $PORT_LIST
do
    iptables -t mangle -A MARK-RULES -m tcp -p tcp --dport $PORT -j MARK --set-mark 0x2
done

iptables -t nat -A POSTROUTING -o eth0 -m mark --mark 0x2 -j SNAT --to-source $IP2
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $IP1
------------8<---------------------------------
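The chain order the last few messages argue about (POSTROUTING runs after the routing decision, mangle OUTPUT runs before a second one) can be checked without a router. This is an added example, not code from the thread: a pure-Python model of the traversal order for a forwarded and a locally generated packet, using the IP1/IP2, GATEWAY1/GATEWAY2, mark 0x2 and port list of the script above; the concrete addresses and the sample packets are constructed for the example.

```python
"""Model of the netfilter/routing traversal order discussed in this thread.

Added example, not code from the thread. It simulates (no iptables, no root)
the order in which a Linux router consults the mangle PREROUTING/OUTPUT chains,
the fwmark policy-routing rule and the nat POSTROUTING chain, for a forwarded
packet and for a packet generated on the box itself.
"""

IP1, IP2 = "192.168.10.2", "192.168.100.2"      # both addresses on eth0 (constructed)
GATEWAY1, GATEWAY2 = "192.168.10.1", "192.168.100.1"
PORT_LIST = {22, 53}                            # TCP ports that should leave via ISP 2
MARK = 0x2

ROUTES = {"main": GATEWAY1, "2": GATEWAY2}      # default gateway of each routing table
RULES = [(MARK, "2")]                           # ip rule add fwmark 2 table 2


def route_lookup(pkt):
    """Policy routing: fwmark rules are consulted first, then the main table."""
    for mark, table in RULES:
        if pkt.get("mark") == mark:
            return ROUTES[table]
    return ROUTES["main"]


def mark_rules(pkt):
    """The MARK-RULES chain: mark packets by destination port."""
    if pkt["proto"] == "tcp" and pkt["dport"] in PORT_LIST:
        pkt["mark"] = MARK


def snat_by_mark(pkt):
    """nat POSTROUTING: SNAT to IP2 for marked packets, IP1 for everything else."""
    pkt["src"] = IP2 if pkt.get("mark") == MARK else IP1


def snat_by_port(pkt):
    """The first idea in the thread: choose the source address by port in POSTROUTING."""
    pkt["src"] = IP2 if pkt["dport"] in PORT_LIST else IP1


def forward(pkt, mark_in_prerouting=True):
    """Forwarded packet: mangle PREROUTING -> routing decision -> nat POSTROUTING."""
    pkt = dict(pkt)
    if mark_in_prerouting:
        mark_rules(pkt)
        pkt["gw"] = route_lookup(pkt)       # route chosen with the mark already set
        snat_by_mark(pkt)
    else:
        pkt["gw"] = route_lookup(pkt)       # routing is over before POSTROUTING runs
        snat_by_port(pkt)                   # so SNAT cannot change the gateway
    return pkt


def local_output(pkt, mark_in_output=True):
    """Locally generated packet: routing -> mangle OUTPUT -> re-route -> POSTROUTING."""
    pkt = dict(pkt)
    pkt["gw"] = route_lookup(pkt)           # first routing decision; PREROUTING never runs
    if mark_in_output:
        before = pkt.get("mark")
        mark_rules(pkt)
        if pkt.get("mark") != before:       # the kernel re-routes when OUTPUT changed the mark
            pkt["gw"] = route_lookup(pkt)
    snat_by_mark(pkt)
    return pkt


def consistent(pkt):
    """True when the chosen source address belongs to the network of the chosen gateway."""
    return (pkt["src"], pkt["gw"]) in {(IP1, GATEWAY1), (IP2, GATEWAY2)}


if __name__ == "__main__":
    lan_ssh = {"proto": "tcp", "dport": 22, "src": "10.0.0.5"}   # constructed LAN client packet
    own_dns = {"proto": "tcp", "dport": 53, "src": IP1}          # constructed packet from the router
    cases = [("forwarded, mark in PREROUTING", forward(lan_ssh)),
             ("forwarded, SNAT by port only", forward(lan_ssh, False)),
             ("local, mark in OUTPUT", local_output(own_dns)),
             ("local, no OUTPUT mark", local_output(own_dns, False))]
    for name, pkt in cases:
        print(f"{name:32s} gw={pkt['gw']:15s} src={pkt['src']:15s} ok={consistent(pkt)}")
```

The "SNAT by port only" case shows the failure Dashamir describes: the packet carries ISP 2's address but is still sent to GATEWAY1, which is exactly the kind of source/route mismatch an upstream anti-spoofing filter drops.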
Dashamir Hoxha
2006-Oct-14 09:29 UTC
Re: Two outbound internet links, using one network interface
Dashamir Hoxha wrote:
> Pio Mendez wrote:
>> [...]
>>
>> I'm using the OUTPUT chain in a production environment to balance squid box traffic between 2 ISPs, so I'm sure that you can reroute output packets using the mangle OUTPUT chain.
>>
>> After traversing the mangle and nat OUTPUT chains there is another routing process. Please check this diagram:
>> http://www.imagestream.com/~josh/PacketFlow.png
>
> Pio Mendez is right. I have just tested it and it works.

If I use:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

instead of:

iptables -t nat -A POSTROUTING -o eth0 -m mark --mark 0x2 -j SNAT --to-source $IP2
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $IP1

it seems not to work. So, maybe I didn't test it properly and actually it doesn't work. Anyway, it is not so important.

Dashamir

> Now the script becomes something like this:
> [...]