hello... i've got an annoying problem that makes me think that i want to do something that is impossible... :)

explanation:

i've two dsl lines and a linux box as a "load balancer". some traffic goes out by eth0 and other goes out by eth1. (i mark the packets with iptables and then have 2 route tables)

i'm currently forwarding some incoming connections (to port 80 on eth0) to another host inside the network. this works without problems as long as eth0 is the default gateway.

trying to forward connections on eth1 port 80 with eth0 as the default gateway results in the linux box losing the answer packet from the host inside the network.

diagram:

    inet | - isp1 -- eth0\
         |                - LINUX ROUTER - eth2 - switch - "server host"
         | - isp2 -- eth1/

    # ip ro sh
    81.33.13.128 dev eth1  scope link  src 81.33.13.174
    80.25.88.192 dev eth0  scope link  src 80.25.88.228
    80.25.88.192/26 dev eth0  proto kernel  scope link  src 80.25.88.228
    81.33.13.128/26 dev eth1  proto kernel  scope link  src 81.33.13.174
    172.16.0.0/16 dev eth2  proto kernel  scope link  src 172.16.0.2
    default via 80.25.88.193 dev eth0

because eth0 is the default gw, i can forward incoming connections on eth0 to the "server host".

can anyone help me so i can forward connections happening on both interfaces (eth0 & eth1, doesn't matter which is the default gw)?

thanks in advance....

--
-- gnupg keyfingerprint -- 48AF 5BF9 8F54 2966 64CC 2327 7CD0 DD91 B09D 5799
-- Use of a keyboard or mouse may be linked to serious injuries or disorders.
Diego Torres - dtorres@coral.dnsalias.org - Madrid / España

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
Diego!

: hello... i've got an annoying problem that makes me think that i want
: to do something that is impossible... :) explanation:

No--not impossible. Not trivial--but not impossible.

: i've two dsl lines and a linux box as a "load balancer". some traffic
: goes out by eth0 and other goes out by eth1. (i mark the packets with
: iptables and then have 2 route tables)
:
: i'm currently forwarding some incoming connections (to port 80 on
: eth0) to another host inside the network. this works without problems
: as long as eth0 is the default gateway.
:
: trying to forward connections on eth1 port 80 with eth0 as the default
: gateway results in the linux box losing the answer packet from the
: host inside the network.

Same server reachable via two public IPs. As proven in this forum last week, by Russell Senior, you can do this EVEN if the internal server has a single IP. Until last week, I was convinced that two internal IPs were required. That is no longer so.

See the thread which starts here:

  http://mailman.ds9a.nl/pipermail/lartc/2003q2/007952.html

And the magic happens here:

  http://mailman.ds9a.nl/pipermail/lartc/2003q2/008090.html

: diagram:
:
:     inet | - isp1 -- eth0\
:          |                - LINUX ROUTER - eth2 - switch - "server host"
:          | - isp2 -- eth1/
:
: # ip ro sh
: 81.33.13.128 dev eth1  scope link  src 81.33.13.174
: 80.25.88.192 dev eth0  scope link  src 80.25.88.228
: 80.25.88.192/26 dev eth0  proto kernel  scope link  src 80.25.88.228
: 81.33.13.128/26 dev eth1  proto kernel  scope link  src 81.33.13.174
: 172.16.0.0/16 dev eth2  proto kernel  scope link  src 172.16.0.2
: default via 80.25.88.193 dev eth0
:
: because eth0 is the default gw, i can forward incoming connections on
: eth0 to the "server host".
:
: can anyone help me so i can forward connections happening on both
: interfaces (eth0 & eth1, doesn't matter which is the default gw)?
Another reasonable option is to assign an additional IP address to the internal server, and follow these instructions to configure the DNAT and routing for each IP:

  http://linux-ip.net/html/adv-multi-internet.html#adv-multi-internet-inbound

Good luck, Diego,

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
[ Diego; I figured others would be interested in this answer, so I am copying the list. ]

: > See the thread which starts here:
: >
: >   http://mailman.ds9a.nl/pipermail/lartc/2003q2/007952.html
: >
: > And the magic happens here:
: >
: >   http://mailman.ds9a.nl/pipermail/lartc/2003q2/008090.html
:
: thanks a lot! maybe i can now see some light on this problem :)
:
: i was thinking of marking the output packet on the host server (with
: the same mark i'm using on the router box to route through the
: non-default gw). if i understood correctly, this is what has been done
: in the example below ...

Not quite (if I understand your explanation). First and foremost, the fwmark is packet meta-data which does not survive once the packet leaves a router.

The cleverness of the solution is to take advantage of the connection tracking mechanism (which keeps state), to set an fwmark on a packet as soon as the packet enters the machine. Now your stateless IP routing mechanism (FIB || RPDB + routing tables) makes a decision based on the packet and the meta-data (fwmark).

: iptables -t mangle -I PREROUTING -m conntrack --ctstate DNAT \
:     --ctorigdst eee.fff.ggg.11 -j MARK --set-mark 2
:
: ip rule add fwmark 2 table T2
:
: but yet i don't understand why rp_filter should be turned off...

rp_filter (reverse path filtering) described:

  http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html#AEN616

rp_filter is a sysctl which tells your linux box to take some anti-spoofing measures. Naturally, this anti-spoofing technique works to your disadvantage if you wish to be able to reach a particular network (in this case 0/0) through multiple interfaces. So, if you don't want the kernel happily throwing away packets arriving on unexpected interfaces, simply put a lightweight zero in rp_filter.

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
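Putting the two replies above together (the single-internal-IP trick Martin points to in his first reply, and the conntrack-mark plus rp_filter explanation in the second), here is the whole router-side configuration as one script. This is an added example, not code from the thread, from Russell Senior's post or from the LARTC HOWTO. The interface addresses, the eth0 gateway and the 172.16.0.0/16 LAN come from Diego's "ip ro sh"; the ISP2 gateway 81.33.13.129, the server address 172.16.0.10, the mark value 2 and routing table number 102 are assumptions. The mark rule is restricted to packets entering from the LAN so that inbound packets from ISP2 (also in a DNAT connection) keep using the main table and are not bounced back out eth1, and the connected routes are copied into table 102 so it can deliver locally as well as via ISP2.

```shell
#!/bin/sh
# Added example (not from the LARTC thread): answer DNATed connections through
# the ISP link they arrived on, for a server with a single internal address.
set -e

ISP1_IF=eth0; ISP1_IP=80.25.88.228; ISP1_GW=80.25.88.193          # from the thread
ISP2_IF=eth1; ISP2_IP=81.33.13.174; ISP2_NET=81.33.13.128/26       # from the thread
ISP2_GW=81.33.13.129                                               # assumed
LAN_IF=eth2;  LAN_NET=172.16.0.0/16                                # from the thread
SERVER=172.16.0.10                                                 # assumed
MARK_ISP2=2; TABLE_ISP2=102                                        # assumed

# run: execute a command, or print it instead when DRY_RUN=1 (for review).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_rules() {
  # 1. Port 80 on either public address goes to the same internal server.
  #    Conntrack remembers the original destination for the whole connection.
  run iptables -t nat -A PREROUTING -d "$ISP1_IP" -p tcp --dport 80 \
      -j DNAT --to-destination "$SERVER"
  run iptables -t nat -A PREROUTING -d "$ISP2_IP" -p tcp --dport 80 \
      -j DNAT --to-destination "$SERVER"

  # 2. The server's replies (entering from the LAN) get an fwmark when their
  #    connection was originally addressed to the ISP2 IP. The mark is set
  #    on ingress, before routing, so the server itself needs no changes.
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m conntrack \
      --ctstate DNAT --ctorigdst "$ISP2_IP" -j MARK --set-mark "$MARK_ISP2"

  # 3. Marked packets are routed by a table whose default route is ISP2.
  #    The connected routes are copied in so the table is usable on its own.
  run ip route add "$LAN_NET" dev "$LAN_IF" table "$TABLE_ISP2"
  run ip route add "$ISP2_NET" dev "$ISP2_IF" src "$ISP2_IP" table "$TABLE_ISP2"
  run ip route add default via "$ISP2_GW" dev "$ISP2_IF" table "$TABLE_ISP2"
  run ip rule add fwmark "$MARK_ISP2" table "$TABLE_ISP2"

  # 4. Reverse-path filtering would drop packets that arrive on the link the
  #    main table would not have used to reach their source, so turn it off
  #    on the public interfaces (the effective value is max(all, iface)).
  run sysctl -w net.ipv4.conf.all.rp_filter=0
  run sysctl -w net.ipv4.conf."$ISP1_IF".rp_filter=0
  run sysctl -w net.ipv4.conf."$ISP2_IF".rp_filter=0

  # Older kernels cache route decisions; flush so the new rule takes effect.
  run ip route flush cache
}

# plan_rules: print the commands apply_rules would run, without running them.
plan_rules() { ( DRY_RUN=1; apply_rules ); }

case "${1:-}" in
  apply) apply_rules ;;
  plan)  plan_rules ;;
esac
```

Run `sh dualwan.sh plan` to review the generated commands and `sh dualwan.sh apply` as root to install them. Unmarked traffic, including everything DNATed through eth0, still follows the main table's default via 80.25.88.193, so nothing changes for the link that already worked; only the replies belonging to connections that came in on eth1 are steered to ISP2, and NAT rewrites their source back to 81.33.13.174 on the way out.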