Hello,

first of all I apologize for my bad English.

the facts :

                         +-------+
leased line--------- eth0| Linux |
                         | box   |-eth1------subnet/switch ---clients, servers
cablenetwork ------- eth2+-------+

The eth0 interface has 5 aliased ip addresses which are portforwarded to servers in the subnet.
The eth2 interface has 1 ip address.
The eth1 interface is used for the subnet.
The linux box masquerades with ipchains (2.2.19 kernel).

My goal: I would like to route the outgoing packets (www, mail from clients) over my cablenetwork line, and the incoming packets for the servers (dns etc. in the subnet) should come in on the leased line. On the leased line the ip aliasing and the portforwarding should work.

Any idea ?

--
Géczi Szabolcs
GPG: http://www.goodwill.hu/~szabszi/szabszi.asc
Fingerprint: B36C 150C C316 5A15 DB5F 183A 303B 5AEB 36C2 3162
On Fri, Jul 12, 2002 at 10:45:58PM +0200, Géczi Szabolcs wrote:
> Hello,
>
> first of all apologize for my bad english.

No problem.

> the facts :
>                          +-------+
> leased line------- eth0| Linux |
>                        | box   |-eth1------subnet/switch ---clients, servers
> cablenetwork ----- eth2+-------+
>
>
> The eth0 interface has 5 aliased ip addresses which portforwarded to
> servers into subnet.

Ok. How is this forwarding performed? ipchains? rinetd?

> The eth2 interface has 1 ip address.
> The eth1 interface used for subnet.
> The linux box masquerades with ipchains (2.2.19 kernel).

The problems are:

 * Making sure that the default gateway is the cablenet
 * Except for sessions that went to the 5 aliased ip addresses on eth0,
   which should have eth0 as their default gateway

I think this will be pretty easy with policy routing.

echo 200 leased >> /etc/iproute2/rt_tables
ip rule add from alias.1.ip.address table leased
ip rule add from alias.2.ip.address table leased
ip rule add from alias.3.ip.address table leased
ip rule add from alias.4.ip.address table leased
ip rule add from alias.5.ip.address table leased
ip route add default via leased.router.ip dev eth0 table leased

However, it *is* possible that this interferes with the aliases. Try this and let us know!

See also http://lartc.org/howto/lartc.rpdb.html#LARTC.RPDB.SIMPLE

Regards,

bert

--
http://www.PowerDNS.com      Versatile DNS Software & Services
http://www.tk                the dot in .tk
http://lartc.org             Linux Advanced Routing & Traffic Control HOWTO
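The policy-routing setup from bert's reply, written up as an added example script (not from the thread or from the LARTC HOWTO). It folds in the two points raised later in the thread: a source rule for the box's internal eth1 address so the subnet servers can answer over the leased line, and rp_filter turned off because the asymmetric paths trip the reverse path filter. All addresses are constructed placeholders; the rt_tables entry is added idempotently instead of with a bare `echo >>`, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread. Addresses below are constructed
# placeholders (RFC 5737 / RFC 1918 ranges); replace with your own.
TABLE_ID=200
TABLE_NAME=leased
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
LEASED_DEV=eth0
LEASED_ROUTER=203.0.113.1                                  # constructed
ALIASES="203.0.113.10 203.0.113.11 203.0.113.12 203.0.113.13 203.0.113.14"  # constructed
INTERNAL_IP=192.168.1.1                                    # constructed eth1 address
DRY_RUN=${DRY_RUN:-0}

# Print the command instead of executing it when DRY_RUN=1, so the
# resulting rule set can be reviewed before touching a live router.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Register the table name exactly once; a bare 'echo >> rt_tables' adds a
# duplicate line every time the script is re-run.
ensure_rt_table() {
    grep -Eq "^[[:space:]]*$TABLE_ID[[:space:]]+$TABLE_NAME\$" "$RT_TABLES" 2>/dev/null ||
        printf '%s\t%s\n' "$TABLE_ID" "$TABLE_NAME" >> "$RT_TABLES"
}

# One source-address rule per public alias, plus one for the internal
# address (the correction from the follow-up), then the table's default route.
policy_rules() {
    for src in $ALIASES $INTERNAL_IP; do
        run ip rule add from "$src" table "$TABLE_NAME"
    done
    run ip route add default via "$LEASED_ROUTER" dev "$LEASED_DEV" table "$TABLE_NAME"
}

# Replies leave on a different interface than requests arrived on, so the
# reverse path filter would drop them; switch it off on the box's interfaces.
disable_rp_filter() {
    for dev in all "$LEASED_DEV" eth1 eth2; do
        run sysctl -w "net.ipv4.conf.$dev.rp_filter=0"
    done
}

case "${1:-}" in
    apply) ensure_rt_table; policy_rules; disable_rp_filter ;;
esac
```

Run as `DRY_RUN=1 sh leased-policy.sh apply` to see the generated commands, or as root without DRY_RUN to apply them.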
On Sat, Jul 13, 2002 at 12:54:02PM +0200, bert hubert wrote:
> > Great, a little correction needed, the solution provided by ahu.
> > I did what bert wrote, but ahu advised that I should write ip rule add from
> > internal.ip.address table leased, after that the servers in subnet can
> > answer. Thanks to Bert and ahu.
>
> Bert and <ahu> are one guy :-) This means that ipchains acts AFTER the
> policy table has been selected. iptables may well go BEFORE - be aware of
> that before upgrading.

[...]

> > Try 'tcpdump -n -i interface' to see where packets go. They probably go out
> > the wrong interface.

There are some additional problems with routing :). So after I set up my iproute2 (ip rule add, ip route) my servers answer from the subnet, BUT the client from the subnet can't reach the linuxbox's public interface (217.65.110.146) and because of this problem, they can't see the webpage on the linux box. The internal ip address is available from the subnet, but the leased line's public interface cannot be reached.

any idea ?

--
Géczi Szabolcs
GPG: http://www.goodwill.hu/~szabszi/szabszi.asc
Fingerprint: B36C 150C C316 5A15 DB5F 183A 303B 5AEB 36C2 3162
On Wed, Jul 17, 2002 at 08:11:50AM +0200, Géczi Szabolcs wrote:
> So after I set up my iproute2 (ip rule add, ip route) my servers answer from
> subnet, BUT the client from subnet can't reach the linuxbox's public
> interface (217.65.110.146) and about this problem, they can't see the
> webpage on the linux box. The internal ip address is available from subnet,
> but the leased line's public interface cannot be reached.

I'm very busy with powerdns now, but on a guess, turn off the reverse path filter and see if that helps.

Otherwise, tcpdump on ALL interfaces individually and see what happens. Go beyond "can't reach".

Regards,

bert

--
http://www.PowerDNS.com      Versatile DNS Software & Services
http://www.tk                the dot in .tk
http://lartc.org             Linux Advanced Routing & Traffic Control HOWTO