Steen Suder, privat
2003-Apr-09 09:45 UTC
Multiple gateways from multiple ISPs: how to add specific routes?
I have a box here with six ADSLs, two from each of three providers. The system is set up in direct accordance with the configuration outlined in the Nano-HOWTO.txt.

The problem now is that most of the offered services from the ISPs' servers are only open to IPs on their own IP netblocks. (This is not new, however ;-)

This means that I'd have to put in rules and/or routes that handle these nets specifically and route the traffic through the proper gateway.

My idea is to put in a rule (or several) like this:

  # ip rule add prio 100 to $ISP1_DNS/32 table 100

(or

  # ip rule add prio 100 to $ISP1_NET/$ISP1_NETMASK table 100

)

This rule should be put in charge of the following routes:

  # ip route add default via $WAN1_GW dev $WAN1_DEV src $WAN1_IP \
        proto static table 100
  # ip route append prohibit default table 100 metric 1 proto static

(These lines are based on the rest of the setup.)

Is this correct? Is this the way to go? What is "best practice" in this matter? (Maybe I have not seen the light yet...)
*************************************

Here is an outline of the setup:

nanobox:~# ip rule
0:      from all lookup local
50:     from all lookup main
201:    from 111.1.1.0/25 lookup 201
202:    from 112.1.1.0/25 lookup 202
203:    from 121.1.1.0/30 lookup 203
204:    from 122.1.1.0/30 lookup 204
205:    from 131.1.1.0/30 lookup 205
206:    from 132.1.1.0/30 lookup 206
222:    from all lookup 222
32767:  from all lookup default

There are six of these:

nanobox:~# ip ro ls table 201
default via 111.1.1.1 dev eth1  proto static  src 111.1.1.2
prohibit default  proto static  metric 1

ungdomsbo:~# ip ro ls table 222
default  proto static
        nexthop via 111.1.1.1  dev eth1 weight 1
        nexthop via 112.1.1.1  dev eth2 weight 1
        nexthop via 121.1.1.1  dev eth3 weight 1
        nexthop via 122.1.1.1  dev eth4 weight 1
        nexthop via 131.1.1.1  dev eth5 weight 1
        nexthop via 132.1.1.1  dev eth6 weight 1

nanobox:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
keep_state all  --  anywhere             anywhere

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
keep_state all  --  anywhere             anywhere
SNAT       all  --  172.16.0.0/16        anywhere            to:111.1.1.2
SNAT       all  --  172.16.0.0/16        anywhere            to:112.1.1.2
SNAT       all  --  172.16.0.0/16        anywhere            to:121.1.1.2
SNAT       all  --  172.16.0.0/16        anywhere            to:122.1.1.2
SNAT       all  --  172.16.0.0/16        anywhere            to:131.1.1.2
SNAT       all  --  172.16.0.0/16        anywhere            to:132.1.1.2

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
keep_state all  --  anywhere             anywhere

Chain keep_state (3 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
RETURN     all  --  anywhere             anywhere

* Probably no need to say, but all IPs are fake except for the internal RFC1918-ish net ;-)

--
Mvh. / Best regards,
Steen Suder <http://www.suder.dk/>
ICQ UIN 4133803

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Martin A. Brown
2003-Apr-12 19:20 UTC
Re: Multiple gateways from multiple ISPs: how to add specific routes?
Steen,

: I have a box here with six ADSLs, two from each of three providers. The
: system is set up in direct accordance with the configuration outlined in
: the Nano-HOWTO.txt.

Damn! That's a pile of DSL lines.

: This means that I'd have to put in rules and/or routes that handle
: these nets specifically and route the traffic through the proper
: gateway.

Why not use a technique like this, assuming that nexthops 111.1.1.1 and
112.1.1.1 are both connected to ISP 1's network?

  # ip route add $ISP1_DNS/32 table 222 \
  > nexthop via 111.1.1.1 dev eth1 weight 1 \
  > nexthop via 112.1.1.1 dev eth2 weight 1

OR, more generally,

  # ip route add $ISP1_NET/$ISP1_NETMASK table 222 \
  > nexthop via 111.1.1.1 dev eth1 weight 1 \
  > nexthop via 112.1.1.1 dev eth2 weight 1

Now, you simply add a similar set of routes for each subnet inside the
provider which needs to be reached through a particular set of the ADSL
links. Seems simpler than creating new routing tables and adding more
entries to the RPDB. (I subscribe to the keep-it-simple-stupid philosophy
of network administration.)

: Is this correct?

I don't know.

: Is this the way to go?

I don't know.

: What is "best practice" in this matter?

I don't know. I sure hope somebody else on the list knows.

[ snipped "ip route" and iptables output ]

Thanks very much for the detailed description..... Good luck--I imagine
I'm not the only one who'd like to hear what you end up doing.

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
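Both posts turn on how the RPDB walks rules in priority order and what a 'prohibit' route does when a table has nothing else to offer. The following is an added example, not code from either poster or from the LARTC HOWTO: a small model of the policy database that rebuilds Steen's six-link setup from his posted output, then applies his proposed prio-100 'to' rule with its own table 100, and separately Martin's more specific multipath route inside table 222. ISP1_DNS (111.1.0.53), ISP1_NET (111.1.0.0/16) and the LAN device eth0 are assumed values that the thread leaves as variables; the 'local' table at prio 0 and the SNAT rules are left out, and multipath selection is approximated by hashing the flow onto one nexthop.

```python
"""Toy model of the Linux routing policy database (RPDB) used in this thread.
Added example, not code from the thread or the LARTC HOWTO: rules consulted in
priority order, longest-prefix match inside a table, a 'prohibit' route that
ends the lookup with an error instead of falling through to the next rule, and
a multipath route that keeps a flow on one nexthop. The 'local' table is
omitted. Addresses are Steen's fake ones; ISP1_DNS, ISP1_NET, eth0 are assumed."""
import ipaddress
import zlib

ISP1_DNS = "111.1.0.53"    # assumed: a resolver ISP1 only opens to its own netblock
ISP1_NET = "111.1.0.0/16"  # assumed: the ISP1 netblock that holds such servers
# The six links as in Steen's 'ip rule' / 'ip route' output: (table, net, gw, dev)
LINKS = [(201, "111.1.1.0/25", "111.1.1.1", "eth1"), (202, "112.1.1.0/25", "112.1.1.1", "eth2"),
         (203, "121.1.1.0/30", "121.1.1.1", "eth3"), (204, "122.1.1.0/30", "122.1.1.1", "eth4"),
         (205, "131.1.1.0/30", "131.1.1.1", "eth5"), (206, "132.1.1.0/30", "132.1.1.1", "eth6")]


class Prohibited(Exception):
    """The lookup hit a 'prohibit' route (the kernel answers EACCES)."""


class Table:
    def __init__(self):
        self.routes = []  # (network, metric, prohibit, [(gw, dev), ...])

    def add(self, prefix, nexthops=(), prohibit=False, metric=0):
        self.routes.append((ipaddress.ip_network(prefix), metric, prohibit, list(nexthops)))

    def link_down(self, dev):
        """What the kernel does when dev goes down: its unicast routes/nexthops vanish."""
        kept = []
        for net, metric, prohibit, hops in self.routes:
            hops = [h for h in hops if h[1] != dev]
            if prohibit or hops:
                kept.append((net, metric, prohibit, hops))
        self.routes = kept

    def lookup(self, dst, flow_key):
        hits = [r for r in self.routes if dst in r[0]]
        if not hits:
            return None  # nothing here: the RPDB goes on to the next rule
        net, _, prohibit, hops = max(hits, key=lambda r: (r[0].prefixlen, -r[1]))
        if prohibit:
            raise Prohibited(f"{dst} matched 'prohibit {net}'")
        return hops[zlib.crc32(flow_key) % len(hops)]  # multipath: hash flow onto a hop


class Rpdb:
    def __init__(self):
        self.rules, self.tables = [], {}  # rules: (prio, from-net, to-net, table)

    def table(self, tid):
        return self.tables.setdefault(tid, Table())

    def rule(self, prio, table, src=None, dst=None):
        self.rules.append((prio, ipaddress.ip_network(src) if src else None,
                           ipaddress.ip_network(dst) if dst else None, table))
        self.rules.sort(key=lambda r: r[0])

    def link_down(self, dev):
        for t in self.tables.values():
            t.link_down(dev)

    def route(self, src, dst):
        """Return (table, (gw, dev)), what 'ip route get DST from SRC' would report."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for _, fnet, tnet, tid in self.rules:
            if (fnet and s not in fnet) or (tnet and d not in tnet):
                continue
            hop = self.table(tid).lookup(d, f"{src}>{dst}".encode())
            if hop is not None:
                return tid, hop
        raise LookupError("no route (ENETUNREACH)")


def nanobox():
    """Steen's posted configuration."""
    r = Rpdb()
    r.rule(50, "main")
    r.table("main").add("172.16.0.0/16", [(None, "eth0")])  # LAN, device assumed
    for tid, net, gw, dev in LINKS:
        r.table("main").add(net, [(None, dev)])  # connected route
        r.rule(tid, tid, src=net)
        r.table(tid).add("0.0.0.0/0", [(gw, dev)])
        r.table(tid).add("0.0.0.0/0", prohibit=True, metric=1)
    r.rule(222, 222)
    r.table(222).add("0.0.0.0/0", [(gw, dev) for _, _, gw, dev in LINKS])
    return r


def with_steen_rule(r):
    """Steen's proposal: a 'to' rule at prio 100 selecting a one-link table 100."""
    r.rule(100, 100, dst=ISP1_DNS + "/32")
    r.table(100).add("0.0.0.0/0", [("111.1.1.1", "eth1")])
    r.table(100).add("0.0.0.0/0", prohibit=True, metric=1)
    return r


def with_martin_route(r):
    """Martin's alternative: a more specific multipath route inside table 222."""
    r.table(222).add(ISP1_NET, [("111.1.1.1", "eth1"), ("112.1.1.1", "eth2")])
    return r
```

Walking the model shows what each approach buys. With Steen's rule, anything addressed to ISP1's resolver is caught at prio 100, before the per-source rules, and leaves via eth1 with 111.1.1.2 as source; if eth1 drops, the 'prohibit default metric 1' left in table 100 stops the lookup with an error instead of letting the packet fall through to table 222 and leave through another provider's line, which is exactly the leak the prohibit entries in tables 201 to 206 guard against for locally sourced traffic. With Martin's route, the same destination is hashed across both ISP1 lines and, when eth1 drops, simply fails over to eth2, but nothing stops a fall-back to the six-way default should both ISP1 nexthops disappear. Steen's table 100 could take both ISP1 nexthops to get the failover while keeping the prohibit. On the real box the equivalent check is 'ip route get $ISP1_DNS from 172.16.0.5 iif eth0' before and after taking a link down.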