Hi, I am having a little problem with IP MASQ and IPROUTE2. I am using RedHat 8.0 with IPTABLES. I have a linux gateway server with 3 NICs. I set up the linux server as below. As a result, it works fine (192.168.0.x can access the internet by masquerading via eth2, and the external internet can access eth1 and eth2). But the problem is that the hosts in the local network (192.168.0.x) can not access the IP addresses 211.x.x.155 (eth2) and 218.x.x.20 (eth1), even though IP forwarding is turned on. They can only ping and access via 192.168.0.1 (the IP of eth0). Could someone please suggest a solution? Thanks in advance.

My environment and settings:

Local Network        +--------------+  eth1(218.x.x.20) --> ISP1
(192.168.0.x) ---    | Linux Server |--------
              eth0   |              |
       192.168.0.1   |              |--------
                     +--------------+  eth2(211.x.x.155) --> ISP2

eth1 and eth2 are the links to the internet. I have 2 providers to the Internet and I would like to use eth2 as the default route to the internet from the Local Network (192.168.0.x) and eth1 for the servers (DNS, mail, web) that people from the external Internet access. The reason behind that is that provider ISP2 is not allowing me to run servers on that link, so I had to set up another link for the servers (eth1). IP masquerading is used and IP forwarding is turned on.
----
#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward
# per-provider tables: SI for ISP2 (eth2), KT for ISP1 (eth1)
/sbin/ip route add 211.x.x.128 dev eth2 src 211.x.x.155 table SI
/sbin/ip route add default via 211.x.x.129 table SI
/sbin/ip route add 218.x.x.0 dev eth1 src 218.x.x.20 table KT
/sbin/ip route add default via 218.x.x.1 table KT
# main table: eth2 is the default route for everything else
/sbin/ip route add 211.x.x.128 dev eth2 src 211.x.x.155
/sbin/ip route add 218.x.x.0 dev eth1 src 218.x.x.20
/sbin/ip route add default via 211.x.x.129
# replies sourced from a provider address go back out that provider's link
/sbin/ip rule add from 211.x.x.155 table SI
/sbin/ip rule add from 218.x.x.20 table KT
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
---------------
This script is run from rc.local, after the ifup scripts are executed.

[root@www root]# ip route show
211.x.x.128 dev eth2 scope link src 211.x.x.155
218.x.x.0 dev eth1 scope link src 218.x.x.20
211.x.x.128/25 dev eth2 scope link
192.168.0.0/24 dev eth0 scope link
218.x.x.0/24 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 211.x.x.129 dev eth2

[root@www root]# ip route show table SI
211.x.x.128 dev eth2 scope link src 211.x.x.155
default via 211.x.x.129 dev eth2

[root@www root]# ip route show table KT
218.x.x.0 dev eth1 scope link src 218.x.x.20
default via 218.x.x.1 dev eth1
Sean,

: But the problem is that the hosts in the local network (192.168.0.x)
: can not access the ip addresses of 211.x.x.155(eth2) and
: 218.x.x.20(eth1), even though ip forwarding is turned on. It can only
: ping and access via 192.168.0.1(IP of eth0)

There are a few things you can/should do to try to determine what's happening to your packets. I think you have been bitten by the multiple routing tables gotcha! For the record, your iptables and most of your ip route commands are just fine. Let's take a closer look at your routing tables, though. All is well in the main routing table:

: [root@www root]# ip route show
: 211.x.x.128 dev eth2 scope link src 211.x.x.155
: 218.x.x.0 dev eth1 scope link src 218.x.x.20
: 211.x.x.128/25 dev eth2 scope link
: 192.168.0.0/24 dev eth0 scope link
: 218.x.x.0/24 dev eth1 scope link
: 127.0.0.0/8 dev lo scope link
: default via 211.x.x.129 dev eth2

But here, your ancillary routing tables only know of destinations on the greater Internet. Each of these routing tables needs to know that 192.168.0.0/24 is reachable via eth0. Neither table has been populated this way.

: [root@www root]# ip route show table SI
: 211.x.x.128 dev eth2 scope link src 211.x.x.155
: default via 211.x.x.129 dev eth2
:
: [root@www root]# ip route show table KT
: 218.x.x.0 dev eth1 scope link src 218.x.x.20
: default via 218.x.x.1 dev eth1

That wouldn't be the end of the world except that you add these rules:

: /sbin/ip rule add from 211.x.x.155 table SI
: /sbin/ip rule add from 218.x.x.20 table KT

So, you can either add routes for 192.168.0.0/24 to tables SI and KT, or you can add another rule to handle all traffic bound for 192.168.0.0/24. Here's the ip rule solution, which will need to be the last rule added to your RPDB:

# ip rule add to 192.168.0.0/24 lookup main

Here's a simple script to run when creating ancillary routing tables (after creating the routing table in main, before adding the default route to the new table). Here's a bash snippet which will copy the main routing table to table SI for you:

# ip route show table main | grep -Ev ^default \
> | while read ROUTE ; do
>   ip route add table SI $ROUTE
> done

Good luck,

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
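The fix Martin describes, as an added example that is not part of the original thread: a dry-run shell script that reads a constructed copy of Sean's main table, generates the non-default route copies for both ancillary tables (SI and KT, not just SI), and appends the catch-all rule for the LAN. It prints the commands instead of executing them so they can be reviewed before touching the kernel's RPDB.

```bash
#!/bin/sh
# Added example, not from the original thread. Builds the commands that
# populate each ancillary routing table with every non-default route from
# the main table, then adds the rule that sends LAN-bound traffic to main.
# MAIN_ROUTES is constructed from Sean's "ip route show" output; on a real
# host feed "$(ip route show table main)" into copy_routes instead.

MAIN_ROUTES='211.x.x.128 dev eth2 scope link src 211.x.x.155
218.x.x.0 dev eth1 scope link src 218.x.x.20
211.x.x.128/25 dev eth2 scope link
192.168.0.0/24 dev eth0 scope link
218.x.x.0/24 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 211.x.x.129 dev eth2'

# copy_routes TABLE: read main-table routes from stdin and print one
# "ip route add table TABLE ..." line per route, skipping the default
# route (each ancillary table gets its own provider-specific default).
copy_routes() {
    grep -Ev '^default' | while read -r ROUTE; do
        printf 'ip route add table %s %s\n' "$1" "$ROUTE"
    done
}

# local_rule: the catch-all rule so that traffic to 192.168.0.0/24 is
# always looked up in main, whichever "from" rule would otherwise match.
local_rule() {
    printf 'ip rule add to 192.168.0.0/24 lookup main\n'
}

for TABLE in SI KT; do
    printf '%s\n' "$MAIN_ROUTES" | copy_routes "$TABLE"
done
local_rule
```

Pipe the output into sh once it looks right; the copy must run before the per-table default route is added, as Martin notes.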