Hi, I have the following situation to handle: a linux box is a firewall and router of my internal network (192.168.1.0/24). This firewall is connected to the net through two network cards that connect to two different gateways. A picture of the situation is the following:

                                                              ________
                                         +------------+        /
                                         |            |       |
                            +------------+ Provider 1 +-------
        __                  |            |            |      /
    ___/  \_         +------+-------+    +------------+     |
  _/        \__      |     if1      |                      /
 /             \     |              |                      |
| Local network -----+ Linux router |                      |     Internet
 \_           __/    |              |                      |
   \__     __/       |     if2      |                      \
      \___/          +------+-------+    +------------+     |
                            |            |            |      \
                            +------------+ Provider 2 +-------
                                         |            |       |
                                         +------------+        \________

In the intranet (that is NATed) I have two services, web and a specific service connected to a private protocol. Let's say that some client connects from the net to my web server, coming from one of the providers. The packet is then redirected to the server in the intranet by the linux box. So how do I make sure (I am using iproute and iptables) that the answer by the server (web), when it reaches the linux box, gets sent through the same provider the request came from? I can make it work for requests that stop at the firewall, but not for the ones that go into the intranet.

If I mark the packets (using the mangle table) that are redirected to the web server, does it happen that the mark comes back together with the answer from the web, so that I could send them through the right gateway?

Thanks in advance for your attention,

Aldrovando Luís Azeredo

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Hello Aldrovando,

This is a not uncommon problem.

 : I have the following situation to handle: a linux box is a firewall
 : and router of my internal network (192.168.1.0/24). This firewall is
 : connected to the net through two network cards that connect to two
 : different gateways. A picture of the situation is the following:

[ snipped netmap ]

Quick summary of configuration:

  - private (rfc1918) internal network with services published to the world
  - two public networks
  - a single service (in the internal network) which should be reachable
    on an IP in each public network

[ snipped some text ]

 : The packet is then redirected to the server in the intranet by the
 : linux box. So how do I make sure (I am using iproute and iptables)
 : that the answer by the server (web), when it reaches the linux box,
 : gets sent through the same provider the request came from?

The key to the general solution of this problem is to use separate pairs of IPs for the entire path from the outside world to the internal network. The internal service (e.g., webserver) must host two IP addresses. One IP address can be reached via DNAT from public network 1 and the other IP address can be reached via DNAT from the other network.

See also the following:

  http://linux-ip.net/html/adv-multi-internet.html#adv-multi-internet-inbound
  http://lists.netfilter.org/pipermail/netfilter/2001-May/011697.html
  http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html#AEN616

And don't forget to turn off reverse path filtering!
(/proc/sys/net/ipv4/conf/all/rp_filter)

Best of luck,

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
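The configuration Martin describes, written out as an added example; this is not code from the thread or from the LARTC HOWTO. It assumes if1 is eth0, if2 is eth1, the LAN side is eth2, RFC 5737 documentation prefixes for the two providers, and that the internal web server carries 192.168.1.80 and 192.168.1.81 on its NIC in addition to its normal address. Everything runs through a small `run` wrapper so the script can be dry-run as an ordinary user before it is applied as root.

```shell
#!/bin/sh
# Added example, not from the thread: one internal address per provider,
# DNAT from each public address to "its" internal address, and a source-
# address policy rule so the reply leaves through the matching provider.
# Interface names and all addresses below are assumptions for illustration
# (if1 = eth0, if2 = eth1, LAN side = eth2, RFC 5737 documentation prefixes).
set -eu

IF1=eth0; IP1=198.51.100.10; GW1=198.51.100.1; NET1=198.51.100.0/24   # provider 1
IF2=eth1; IP2=203.0.113.10;  GW2=203.0.113.1;  NET2=203.0.113.0/24    # provider 2
IFLAN=eth2; LAN=192.168.1.0/24
WEB1=192.168.1.80   # extra addresses on the web server's NIC:
WEB2=192.168.1.81   # WEB1 is only ever reached via IP1, WEB2 only via IP2

# DRY_RUN=1 prints the commands instead of executing them (no root needed).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One routing table per provider. Each needs the provider's own subnet, the
# LAN (replies are routed by these tables too) and a default via that gateway.
setup_tables() {
    run ip route add "$NET1" dev "$IF1" src "$IP1" table 1
    run ip route add "$LAN"  dev "$IFLAN" table 1
    run ip route add default via "$GW1" dev "$IF1" table 1
    run ip route add "$NET2" dev "$IF2" src "$IP2" table 2
    run ip route add "$LAN"  dev "$IFLAN" table 2
    run ip route add default via "$GW2" dev "$IF2" table 2
}

# Policy rules keyed on source address. The reply from the web server still
# carries WEB1/WEB2 as its source when the routing decision is made (the
# reverse translation back to IP1/IP2 happens later, in POSTROUTING), so the
# source address alone tells us which provider the request came in through.
setup_rules() {
    run ip rule add from "$IP1"  table 1   # traffic the router itself sends
    run ip rule add from "$IP2"  table 2
    run ip rule add from "$WEB1" table 1   # replies for requests that hit IP1
    run ip rule add from "$WEB2" table 2   # replies for requests that hit IP2
    run ip route flush cache
}

# Inbound DNAT: each public address maps to its own internal address. Add a
# second pair of lines with the right port for the private-protocol service.
setup_nat() {
    run iptables -t nat -A PREROUTING -i "$IF1" -d "$IP1" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB1"
    run iptables -t nat -A PREROUTING -i "$IF2" -d "$IP2" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB2"
    # Outbound LAN traffic is SNATed to whichever uplink it leaves on.
    run iptables -t nat -A POSTROUTING -s "$LAN" -o "$IF1" -j SNAT --to-source "$IP1"
    run iptables -t nat -A POSTROUTING -s "$LAN" -o "$IF2" -j SNAT --to-source "$IP2"
}

# rp_filter would drop a packet arriving on if2 whose source is best reached
# (per the main table) via if1, which is exactly the second provider's
# inbound traffic. Disable it on the uplinks, and enable forwarding.
setup_sysctl() {
    for f in all "$IF1" "$IF2"; do
        run sh -c "echo 0 > /proc/sys/net/ipv4/conf/$f/rp_filter"
    done
    run sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Usage:  sh multi-uplink.sh apply            (as root)
#         DRY_RUN=1 sh multi-uplink.sh apply  (just print what would be done)
case "${1:-}" in
    apply) setup_tables; setup_rules; setup_nat; setup_sysctl ;;
esac
```

Check the result with `ip rule show` and `ip route show table 1` / `table 2`; with `DRY_RUN=1` the script only prints what it would do. On the mark question raised in the original mail: an iptables MARK set in the mangle table belongs to that one packet and is not attached to the server's reply, which is why this approach keys the return route on the address the server was reached at rather than on a mark.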