Matthieu Turpault
2003-Sep-15 08:42 UTC
ip_conntrack module, advanced routing and multiple ISP
Hi list,

I have a firewall with 4 NICs:
- 3 interfaces connected to the net (eth2, eth3, eth5) by 3 ISPs;
- 1 interface connected to the internal network.

eth2 is connected to a router (10.0.1.1) which does masquerading.

Outgoing requests (from the internal network to the net) are load balanced to the 3 ISPs (cf. my configuration at the end of the mail).

All incoming requests from the net to the internal network by port http, pop3, imap, ftp, smtp, https are correctly routed.
All outgoing requests from the internal network to the net by port http, pop3, imap are correctly routed.

The problem is that I can't connect from the internal network to a ftp server of the net. In fact, I can connect to a ftp server of the net but the "ls" command failed most of the time (1/3). I use passive mode.

Can you help me please? Thanks in advance.

If I add the route by the command

    ip route add <@ftpServer> via <@GATEWAY_ISP2>

it is OK.

Here is my configuration (long but complete... I hope):

============================================================
Routing table and rules
============================================================
[root@firewall firewall]# ip ru l
0:      from all lookup local
32763:  from all fwmark 3 lookup 212
32764:  from all fwmark 2 lookup 211
32765:  from all fwmark 1 lookup 210
32766:  from all lookup main
32767:  from all lookup 253
--------------------------------------------------------------
[root@firewall firewall]# ip route list
<@NETMASK_ISP2>/30 dev eth5 proto kernel scope link src <@ISP2>
10.0.3.0/30 dev eth5 scope link
10.0.1.0/24 dev eth2 scope link
10.1.0.0/24 dev eth0 scope link
<@NETMASK_ISP3>/24 dev eth3 scope link
127.0.0.0/8 dev lo scope link
default
        nexthop via 10.0.1.1 dev eth2 weight 1 onlink
        nexthop via <@GATEWAY_ISP2> dev eth5 weight 1 onlink
        nexthop via <@GATEWAY_ISP3> dev eth3 weight 1 onlink
--------------------------------------------------------------
[root@firewall firewall]# ip ro l t 210
<@NETMASK_ISP2>/30 dev eth5 proto kernel scope link src <@ISP2>
10.0.3.0/30 dev eth5 scope link
10.0.1.0/24 dev eth2 scope link
10.1.0.0/24 dev eth0 scope link
<@NETMASK_ISP3>/24 dev eth3 scope link
127.0.0.0/8 dev lo scope link
default via 10.0.1.1 dev eth2
---------------------------------------------------------------
[root@firewall firewall]# ip ro l t 211
<@NETMASK_ISP2>/30 dev eth5 proto kernel scope link src <@ISP2>
10.0.3.0/30 dev eth5 scope link
10.0.1.0/24 dev eth2 scope link
10.1.0.0/24 dev eth0 scope link
<@NETMASK_ISP3>/24 dev eth3 scope link
127.0.0.0/8 dev lo scope link
default via <@GATEWAY_ISP3> dev eth3
-----------------------------------------------------------------
[root@firewall firewall]# ip ro l t 212
<@NETMASK_ISP2>/30 dev eth5 proto kernel scope link src <@ISP2>
10.0.3.0/30 dev eth5 scope link
10.0.1.0/24 dev eth2 scope link
10.1.0.0/24 dev eth0 scope link
<@NETMASK_ISP3>/24 dev eth3 scope link
127.0.0.0/8 dev lo scope link
default via <@GATEWAY_ISP2> dev eth5

=================================================================
IPTABLES tables
=================================================================
[root@firewall firewall]# iptables -L -v -n -t nat
Chain PREROUTING (policy ACCEPT 531K packets, 34M bytes)
 pkts bytes target     prot opt in     out     source               destination
 4496  293K net_dnat   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
39294 1956K net_dnat   all  --  eth3   *       0.0.0.0/0            0.0.0.0/0
18601 1158K net_dnat   all  --  eth5   *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 81932 packets, 4985K bytes)
 pkts bytes target     prot opt in     out     source               destination
 182K 9122K eth3_masq  all  --  *      eth3    0.0.0.0/0            0.0.0.0/0
 166K 8193K eth5_masq  all  --  *      eth5    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 32386 packets, 2508K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth3_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
 159K 7823K MASQUERADE all  --  *      *       10.1.0.0/24          0.0.0.0/0

Chain eth5_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
 159K 7825K MASQUERADE all  --  *      *       10.1.0.0/24          0.0.0.0/0

Chain net_dnat (3 references)
(...)
----------------------------------------------------------------
[root@firewall firewall]# iptables -L -v -n -t mangle
Chain PREROUTING (policy ACCEPT 4008K packets, 1940M bytes)
 pkts bytes target prot opt in  out source    destination
 2223  168K MARK   tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  tcp spt:21 MARK set 0x1
 9364 3221K MARK   tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  tcp spt:20 MARK set 0x1
    0     0 MARK   udp  --  *   *   0.0.0.0/0 0.0.0.0/0  udp spt:21 MARK set 0x1
    0     0 MARK   udp  --  *   *   0.0.0.0/0 0.0.0.0/0  udp spt:20 MARK set 0x1
14916 1413K MARK   all  --  *   *   0.0.0.0/0 0.0.0.0/0  ctorigdst <@ISP2> MARK set 0x3
72454   17M MARK   all  --  *   *   0.0.0.0/0 0.0.0.0/0  ctorigdst <@ISP3> MARK set 0x2
94175   43M MARK   all  --  *   *   0.0.0.0/0 0.0.0.0/0  ctorigdst 10.0.1.10 MARK set 0x1
4008K 1940M pretos all  --  *   *   0.0.0.0/0 0.0.0.0/0
 1282  108K MARK   all  --  *   *   0.0.0.0/0 0.0.0.0/0  ctorigsrc <@ISP2> MARK set 0x3
 1327  112K MARK   all  --  *   *   0.0.0.0/0 0.0.0.0/0  ctorigsrc <@ISP3> MARK set 0x2
65220   41M MARK   all  --  *   *   0.0.0.0/0 0.0.0.0/0  ctorigsrc 10.1.0.10 MARK set 0x1

Chain INPUT (policy ACCEPT 154K packets, 16M bytes)
 pkts bytes target prot opt in  out source    destination

Chain FORWARD (policy ACCEPT 3828K packets, 1923M bytes)
 pkts bytes target prot opt in  out source    destination

Chain OUTPUT (policy ACCEPT 86903 packets, 5978K bytes)
 pkts bytes target prot opt in  out source    destination
 7587  402K MARK   all  --  *   *   <@ISP2>   0.0.0.0/0  MARK set 0x3
24567 1440K MARK   all  --  *   *   <@ISP3>   0.0.0.0/0  MARK set 0x2
 5332  418K MARK   all  --  *   *   10.0.1.10 0.0.0.0/0  MARK set 0x1
86903 5978K outtos all  --  *   *   0.0.0.0/0 0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 3890K packets, 1927M bytes)
 pkts bytes target prot opt in  out source    destination

Chain outtos (1 references)
 pkts bytes target prot opt in  out source    destination
  712 61690 TOS    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  tcp dpt:22 TOS set 0x10
 2708  438K TOS    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  tcp spt:22 TOS set 0x10
    8   320 TOS    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  tcp dpt:21 TOS set 0x10
    0     0 TOS    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  tcp spt:21 TOS set 0x10
    0     0 TOS    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  tcp spt:20 TOS set 0x08
    0     0 TOS    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target prot opt in  out source    destination
22272 1209K TOS    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  tcp dpt:22 TOS set 0x10
19801 8705K TOS    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  tcp spt:22 TOS set 0x10
 2140  112K TOS    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  tcp dpt:21 TOS set 0x10
 2223  168K TOS    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  tcp spt:21 TOS set 0x10
 9364 3221K TOS    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  tcp spt:20 TOS set 0x08
 8865 7140K TOS    tcp  --  *   *   0.0.0.0/0 0.0.0.0/0  tcp dpt:20 TOS set 0x08

==============================================================
LOADED MODULES
==============================================================
[root@firewall firewall]# lsmod
Module                  Size  Used by    Not tainted
nls_iso8859-15          4060   0  (autoclean)
isofs                  28856   0  (autoclean)
zlib_inflate           21764   0  (autoclean) [isofs]
vfat                   12204   0  (autoclean)
fat                    38072   0  (autoclean) [vfat]
ide-cd                 33860   0  (autoclean)
cdrom                  32736   0  (autoclean) [ide-cd]
ipt_MARK                1336  13  (autoclean)
ipt_conntrack           1528   6  (autoclean)
ipt_TOS                 1592  12  (autoclean)
ipt_MASQUERADE          2200  20  (autoclean)
ipt_LOG                 4312  11  (autoclean)
ipt_REJECT              3768   4  (autoclean)
ipt_state               1048  71  (autoclean)
iptable_mangle          2712   1  (autoclean)
ip_nat_irc              3472   0  (unused)
ip_nat_ftp              4240   0  (unused)
iptable_nat            21894   3  [ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
ip_conntrack_irc        4400   1  [ip_nat_irc]
ip_conntrack_ftp        5424   1  [ip_nat_ftp]
ip_conntrack           28864   5  [ipt_conntrack ipt_MASQUERADE ipt_state ip_nat_irc ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
iptable_filter          2348   1  (autoclean)
ip_tables              15424  12  [ipt_MARK ipt_conntrack ipt_TOS ipt_MASQUERADE ipt_LOG ipt_REJECT ipt_state iptable_mangle iptable_nat iptable_filter]
af_packet              16328   1  (autoclean)
sundance               16224   3  (autoclean)
eepro100               22228   2  (autoclean)
mii                     3980   0  (autoclean) [sundance eepro100]
usb-uhci               26128   0  (unused)
usbcore                77324   1  [usb-uhci]
rtc                     8776   0  (autoclean)
reiserfs              183540   5

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
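Added example, not code from the post: a Python model of the fwmark policy routing described above, transcribed from the mangle PREROUTING MARK rules, the ip rule list and each table's default route (the pretos jump and the TOS rules set no marks and are left out). The LAN client 10.1.0.20 and the FTP server 198.51.100.7 are constructed sample addresses; the model only looks at default routes, which is what matters for traffic leaving towards the net.

```python
# Added model of the post's fwmark policy routing, not the poster's own code.
# Rules and tables are transcribed from the post; 10.1.0.20 and 198.51.100.7
# are constructed sample addresses for the LAN client and the FTP server.
# mangle PREROUTING MARK rules in table order: (match fields, mark). MARK does
# not stop rule traversal, so the last matching rule sets the final mark.
MANGLE_PREROUTING = [
    ({"proto": "tcp", "sport": 21}, 1), ({"proto": "tcp", "sport": 20}, 1),
    ({"proto": "udp", "sport": 21}, 1), ({"proto": "udp", "sport": 20}, 1),
    ({"ctorigdst": "<@ISP2>"}, 3), ({"ctorigdst": "<@ISP3>"}, 2),
    ({"ctorigdst": "10.0.1.10"}, 1),
    ({"ctorigsrc": "<@ISP2>"}, 3), ({"ctorigsrc": "<@ISP3>"}, 2),
    ({"ctorigsrc": "10.1.0.10"}, 1),
]
# "ip rule": fwmark -> table; unmarked packets fall through to main.
FWMARK_TABLES = {1: 210, 2: 211, 3: 212}
# Default route(s) of each table; main carries the three-way multipath.
DEFAULT_NEXTHOPS = {
    210: ["10.0.1.1 dev eth2"],
    211: ["<@GATEWAY_ISP3> dev eth3"],
    212: ["<@GATEWAY_ISP2> dev eth5"],
    "main": ["10.0.1.1 dev eth2", "<@GATEWAY_ISP2> dev eth5",
             "<@GATEWAY_ISP3> dev eth3"],
}

def mark_for(pkt):
    # Final fwmark left on the packet by the mangle PREROUTING chain.
    mark = 0
    for match, value in MANGLE_PREROUTING:
        if all(pkt.get(key) == want for key, want in match.items()):
            mark = value
    return mark

def nexthops_for(pkt):
    # Default-route nexthops of the table the packet's mark selects.
    return DEFAULT_NEXTHOPS[FWMARK_TABLES.get(mark_for(pkt), "main")]

def pinned_to_one_isp(*pkts):
    # True only if every packet is forced onto the same single nexthop.
    choices = {tuple(nexthops_for(p)) for p in pkts}
    return len(choices) == 1 and len(choices.pop()) == 1

# Constructed passive-FTP session: control to port 21, data to port 51234.
CLIENT, SERVER = "10.1.0.20", "198.51.100.7"
CONTROL = {"proto": "tcp", "sport": 40001, "dport": 21,
           "ctorigsrc": CLIENT, "ctorigdst": SERVER}
DATA = {"proto": "tcp", "sport": 40002, "dport": 51234,
        "ctorigsrc": CLIENT, "ctorigdst": SERVER}
# Server-to-client reply on the control connection (source port 21).
CONTROL_REPLY = {"proto": "tcp", "sport": 21, "dport": 40001,
                 "ctorigsrc": CLIENT, "ctorigdst": SERVER}
```

Neither outbound leg of the session gets a mark, so the control and the passive data connection are each routed independently over the multipath default and may leave through different ISPs, each masquerading with its own address; the spt:21/20 rules only ever see the server's replies coming back in.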