I've read the HOWTO but I still can't get things to go the right way.

My box has 4 NICs:
  2 internet connections: eth0, eth1
  1 DMZ: eth2
  1 LAN: eth3

I would like to NAT the internal LAN with one of the 2 ISPs.
For my tests I created a script to switch the entire LAN from one to the other (I know it's redundant .... del ... add).

The problem is that NAT is done only if I set the default gateway (in the main table).
I have set the 2 default gateways in the other 2 tables but it seems not to consider them.

If I set the default gateway to ISP1 and set NAT rules to go with ISP2 it doesn't work!!!
Why???

My future plans are to let some clients go with ISP1 and others with ISP2.

Please help!!!
Any hint appreciated!!
Here is my (long) config.
Bye

xchris


eth0      Link encap:Ethernet  HWaddr 00:04:76:25:07:D9
          inet addr:192.168.1.237  Bcast:192.168.1.255  Mask:255.255.255.0

eth1      Link encap:Ethernet  HWaddr 00:04:76:25:07:3D
          inet addr:192.168.3.1  Bcast:192.168.3.255  Mask:255.255.255.0

eth2      Link encap:Ethernet  HWaddr 00:04:76:25:07:67
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0

eth3      Link encap:Ethernet  HWaddr 00:04:76:25:07:73
          inet addr:192.168.0.238  Bcast:192.168.0.255  Mask:255.255.255.0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0


Here is my script (just basic... to test routing.. there's no firewall at all).
It's done to act this way:

  script 1 --> all LAN goes with ISP 1
  script 2 --> all LAN goes with ISP 2


#!/bin/sh
# Routing test only: "script 1" sends the whole LAN via ISP 1, "script 2" via ISP 2.
echo 1 > /proc/sys/net/ipv4/ip_forward
route del default

IF3=eth3
IF1=eth0
IF2=eth1
IP1=192.168.1.237
IP2=192.168.3.1
IP3=192.168.0.238
GW1=192.168.1.238
GW2=192.168.3.254
P1_NET=192.168.1.0/24
P2_NET=192.168.3.0/24
P3_NET=192.168.0.0/24

echo "1 - Creating two additional routing tables"
echo
# Each ISP table gets its own connected network and its own default gateway.
ip route del $P1_NET dev $IF1 src $IP1 table telecom
ip route add $P1_NET dev $IF1 src $IP1 table telecom
echo 1
ip route del default via $GW1 table telecom
ip route add default via $GW1 table telecom
echo 2
ip route del $P2_NET dev $IF2 src $IP2 table fastweb
ip route add $P2_NET dev $IF2 src $IP2 table fastweb
echo 3
ip route del default via $GW2 table fastweb
ip route add default via $GW2 table fastweb

echo "2 - Setting Main routing tables"
echo
ip route del $P1_NET dev $IF1 src $IP1
ip route del $P2_NET dev $IF2 src $IP2
ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2
ip route add default via $GW2

echo "3 - Setting answers from corresponding IPs"
echo
# Replies sourced from an ISP address are routed through that ISP's table.
ip rule del from $IP1 table telecom
ip rule del from $IP2 table fastweb
ip rule add from $IP1 table telecom
ip rule add from $IP2 table fastweb

ip route add $P3_NET dev $IF3 table telecom
ip route add $P2_NET dev $IF2 table telecom
ip route add 127.0.0.0/8 dev lo table telecom

ip route add $P3_NET dev $IF3 table fastweb
ip route add $P1_NET dev $IF1 table fastweb
ip route add 127.0.0.0/8 dev lo table fastweb

# SNAT the LAN to the chosen ISP address (defaults to ISP 1 when no argument is given).
if test "${1:-1}" -eq 2
then
    iptables -t nat -F
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source $IP2
else
    iptables -t nat -F
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source $IP1
fi


my /etc/iproute2/rt_tables

#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
1       telecom
2       fastweb


ip rule

0:      from all lookup local
32764:  from 192.168.3.1 lookup fastweb
32765:  from 192.168.1.237 lookup telecom
32766:  from all lookup main
32767:  from all lookup default


ip route

192.168.3.0/24 dev eth1  scope link  src 192.168.3.1
192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.1
192.168.1.0/24 dev eth0  scope link  src 192.168.1.237
192.168.0.0/24 dev eth3  proto kernel  scope link  src 192.168.0.238
default via 192.168.3.254 dev eth1


ip route table telecom

192.168.3.0/24 dev eth1  scope link
192.168.1.0/24 dev eth0  scope link  src 192.168.1.237
192.168.0.0/24 dev eth3  scope link
127.0.0.0/8 dev lo  scope link
default via 192.168.1.238 dev eth0


ip route table fastweb

192.168.3.0/24 dev eth1  scope link  src 192.168.3.1
192.168.1.0/24 dev eth0  scope link
192.168.0.0/24 dev eth3  scope link
127.0.0.0/8 dev lo  scope link
default via 192.168.3.254 dev eth1

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
Hi list,

I have exactly the same problem and I can't manage to make my network work.

In fact, the NAT POSTROUTING is done *after* the routing.
Consequently, tables fastweb and telecom are never looked at.

I am very interested in a solution.

My problem is described at this URL (still no answer):
http://marc.theaimsgroup.com/?l=lartc&m=105049828901812&w=2

> -----Original Message-----
> From: lartc-admin@mailman.ds9a.nl [mailto:lartc-admin@mailman.ds9a.nl] On behalf of xchris
> Sent: Thursday 1 May 2003 17:33
> To: lartc@mailman.ds9a.nl
> Subject: [LARTC] Default route - Please Help
>
> [quoted text of xchris's message, identical to the one above, omitted]
On Friday 02 May 2003 11:36, Matthieu Turpault wrote:
> [quoted text of Matthieu Turpault's message, identical to the one above, omitted]

Here is my working solution (sorry for the Italian..).
I separated the routing and nat files.

In a few words you have to:
1) ip rule with fwmark!!
2) mark packets with iptables -t mangle
3) SNAT

Hope this helps.

routing:

#!/bin/sh
TELECOM_IF=eth0
FASTWEB_IF=eth1
DMZ_IF=eth2
LAN_IF=eth3
TELECOM_IP=192.168.1.237
FASTWEB_IP=192.168.3.1
DMZ_IP=192.168.2.1
LAN_IP=192.168.0.238
TELECOM_NET=192.168.1.0/24
FASTWEB_NET=192.168.3.0/24
DMZ_NET=192.168.2.0/24
LAN_NET=192.168.0.0/24
GW_TELECOM=192.168.1.238
GW_FASTWEB=192.168.3.254
TELECOM_MARK=1
FASTWEB_MARK=2

echo "1 - Creating two additional routing tables"
echo
ip route del $TELECOM_NET dev $TELECOM_IF src $TELECOM_IP table telecom
ip route add $TELECOM_NET dev $TELECOM_IF src $TELECOM_IP table telecom
ip route del default via $GW_TELECOM table telecom
ip route add default via $GW_TELECOM table telecom
ip route del $FASTWEB_NET dev $FASTWEB_IF src $FASTWEB_IP table fastweb
ip route add $FASTWEB_NET dev $FASTWEB_IF src $FASTWEB_IP table fastweb
ip route del default via $GW_FASTWEB table fastweb
ip route add default via $GW_FASTWEB table fastweb

echo "2 - Setting Main routing tables"
echo
ip route del $TELECOM_NET dev $TELECOM_IF src $TELECOM_IP
ip route del $FASTWEB_NET dev $FASTWEB_IF src $FASTWEB_IP
ip route add $TELECOM_NET dev $TELECOM_IF src $TELECOM_IP
ip route add $FASTWEB_NET dev $FASTWEB_IF src $FASTWEB_IP
ip route add default via $GW_TELECOM

echo "3 - Setting answers from corresponding IPs"
echo
ip rule del from $TELECOM_IP table telecom
ip rule del from $FASTWEB_IP table fastweb
ip rule add from $TELECOM_IP table telecom
ip rule add from $FASTWEB_IP table fastweb

ip route add $LAN_NET dev $LAN_IF table telecom
ip route add $FASTWEB_NET dev $FASTWEB_IF table telecom
ip route add 127.0.0.0/8 dev lo table telecom

ip route add $LAN_NET dev $LAN_IF table fastweb
ip route add $TELECOM_NET dev $TELECOM_IF table fastweb
ip route add 127.0.0.0/8 dev lo table fastweb

# Packets marked in mangle PREROUTING are routed by the table with the same number
# (1 = telecom, 2 = fastweb in /etc/iproute2/rt_tables).
ip rule del fwmark $FASTWEB_MARK table $FASTWEB_MARK
ip rule del fwmark $TELECOM_MARK table $TELECOM_MARK
ip rule add fwmark $FASTWEB_MARK table $FASTWEB_MARK
ip rule add fwmark $TELECOM_MARK table $TELECOM_MARK

ip route flush cache


here is the nat file:

#!/bin/sh
TELECOM_IF=eth0
FASTWEB_IF=eth1
DMZ_IF=eth2
LAN_IF=eth3
TELECOM_IP=192.168.1.237
FASTWEB_IP=192.168.3.1
DMZ_IP=192.168.2.1
LAN_IP=192.168.0.238
TELECOM_NET=192.168.1.0/24
FASTWEB_NET=192.168.3.0/24
DMZ_NET=192.168.2.0/24
LAN_NET=192.168.0.0/24
GW_TELECOM=192.168.1.238
GW_FASTWEB=192.168.3.254
TELECOM_MARK=1
FASTWEB_MARK=2

###############################################################################
## Helper function that marks packets and sets up NAT
## $1 = source network, $2 = ISP address to SNAT to
imposta_nat() {
    if test "$2" = "$TELECOM_IP"
    then
        local MARK=$TELECOM_MARK
    else
        local MARK=$FASTWEB_MARK
    fi
    # The mark is set before routing, so the fwmark rule can pick the ISP table;
    # SNAT runs after routing and only rewrites the source address.
    iptables -t mangle -A PREROUTING -s "$1" -j MARK --set-mark $MARK
    iptables -t nat -A POSTROUTING -s "$1" -j SNAT --to-source "$2"
}

################################################################################
################### Clean up ###################################################
### Leave Shorewall's DNAT in place (only POSTROUTING is flushed)
#############################################################################
iptables -t nat -F POSTROUTING
iptables -t mangle -F

##############################################################################
### Masquerade the DMZ with Fastweb, otherwise it does not send the packets back out
### (it might send them out via Telecom)
imposta_nat $DMZ_NET $FASTWEB_IP

###############################################################################
### Masquerade the LAN with Telecom
imposta_nat $LAN_NET $TELECOM_IP
###############################################################################
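Why the first script fails and the fwmark version works comes down to the order of the hooks: mangle PREROUTING runs before the route lookup, nat POSTROUTING runs after it, and `ip rule` selectors only see what exists at lookup time. The following is an added example written for this thread, not code from the list or from the LARTC HOWTO. It is a small model of the Linux routing policy database (ordered rules with `from` and `fwmark` selectors, longest-prefix lookup per table, fall-through to the next rule when a table has no matching route) with the thread's addresses, table names and marks; the destination 198.51.100.7 is a constructed test value. It also carries the posted configuration beyond the thread's own test: the per-ISP tables as posted contain no route for the DMZ network, and the SNAT rule has no `-o` match, and the model shows what each omission does to LAN-to-DMZ traffic.

```python
"""Toy model of Linux policy routing (RPDB) around the netfilter hooks.

Added example for the LARTC thread above, not code from the list. Only the
behaviour the thread discusses is modelled; addresses, tables and marks are
the ones from xchris's config, the destination 198.51.100.7 is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Route:
    prefix: str               # "0.0.0.0/0" plays the role of `default`
    dev: str
    via: Optional[str] = None


@dataclass
class Rule:
    table: str
    src: Optional[str] = None     # `ip rule add from <src>`
    fwmark: Optional[int] = None  # `ip rule add fwmark <n>`

    def matches(self, src: str, mark: int) -> bool:
        if self.src is not None and ip_address(src) not in ip_network(self.src):
            return False
        if self.fwmark is not None and mark != self.fwmark:
            return False
        return True


def lookup_table(table: list, dst: str) -> Optional[Route]:
    """Longest-prefix match inside one table; None if nothing matches."""
    best = None
    for r in table:
        net = ip_network(r.prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > ip_network(best.prefix).prefixlen):
            best = r
    return best


def route(rules: list, tables: dict, src: str, dst: str, mark: int = 0):
    """Walk the rules in precedence order; the first table holding a matching
    route wins, and a table without one falls through to the next rule."""
    for rule in rules:
        if rule.matches(src, mark):
            hit = lookup_table(tables[rule.table], dst)
            if hit is not None:
                return rule.table, hit
    raise RuntimeError("no route to host")


def tables(main_default_via: str, main_default_dev: str, complete_tables: bool = False) -> dict:
    """The three tables from the thread. As posted, the ISP tables carry the LAN
    and the two ISP networks but not the DMZ network; complete_tables adds it."""
    connected = [Route("192.168.3.0/24", "eth1"), Route("192.168.2.0/24", "eth2"),
                 Route("192.168.1.0/24", "eth0"), Route("192.168.0.0/24", "eth3")]
    posted = [r for r in connected if r.prefix != "192.168.2.0/24"]
    isp = connected if complete_tables else posted
    return {
        "telecom": isp + [Route("0.0.0.0/0", "eth0", via="192.168.1.238")],
        "fastweb": isp + [Route("0.0.0.0/0", "eth1", via="192.168.3.254")],
        "main": connected + [Route("0.0.0.0/0", main_default_dev, via=main_default_via)],
    }


# `ip rule add` without a priority gives the last-added rule the highest
# precedence, so both lists are written in lookup order.
RULES_FIRST = [Rule("fastweb", src="192.168.3.1"), Rule("telecom", src="192.168.1.237"), Rule("main")]
RULES_FIXED = [Rule("telecom", fwmark=1), Rule("fastweb", fwmark=2),
               Rule("fastweb", src="192.168.3.1"), Rule("telecom", src="192.168.1.237"), Rule("main")]

MARKS = [("192.168.0.0/24", 1), ("192.168.2.0/24", 2)]                            # mangle PREROUTING
SNAT = [("192.168.0.0/24", "192.168.1.237"), ("192.168.2.0/24", "192.168.3.1")]  # nat POSTROUTING


def first_script(src: str, dst: str, snat_to: str):
    """First script: no mark, so a LAN packet only matches the `main` rule and
    leaves via main's default; SNAT rewrites the source after that decision."""
    table, r = route(RULES_FIRST, tables("192.168.3.254", "eth1"), src, dst)
    return table, r.dev, snat_to


def fixed_script(src: str, dst: str, complete_tables: bool = False):
    """Working solution: mark in PREROUTING, route via the fwmark rule, SNAT last.
    Like the posted nat file, the SNAT step has no `-o` match, so it rewrites the
    source of every packet from the network, whatever interface it leaves on."""
    mark = next((m for net, m in MARKS if ip_address(src) in ip_network(net)), 0)
    table, r = route(RULES_FIXED, tables("192.168.1.238", "eth0", complete_tables), src, dst, mark)
    new_src = next((ip for net, ip in SNAT if ip_address(src) in ip_network(net)), src)
    return table, r.dev, new_src


if __name__ == "__main__":
    print(first_script("192.168.0.10", "198.51.100.7", "192.168.1.237"))   # leaves eth1 with a Telecom source
    print(fixed_script("192.168.0.10", "198.51.100.7"))                    # telecom table, eth0
    print(fixed_script("192.168.2.5", "198.51.100.7"))                     # fastweb table, eth1
    print(fixed_script("192.168.0.10", "192.168.2.5"))                     # DMZ traffic sent to the Telecom gateway
    print(fixed_script("192.168.0.10", "192.168.2.5", complete_tables=True))  # eth2, but still SNATed
```

The first call reproduces the failure in the original post: with no mark the LAN packet is routed by the main table out eth1 (Fastweb) and only then gets a Telecom source address, which is why setting the default gateway in the main table was the only thing that seemed to "make NAT work". The two calls with a mark show the fwmark rule selecting the ISP table before SNAT runs. The last two calls show what the posted tables leave open: a marked LAN packet for the DMZ matches the telecom table's default route (the table has no 192.168.2.0/24 entry), so it is sent to the ISP instead of to eth2; adding the connected routes to each ISP table fixes the egress, but the source is still rewritten because the SNAT rule matches only on `-s`, so restricting it with `-o $TELECOM_IF` (and `-o $FASTWEB_IF` for the DMZ rule) keeps internal traffic untouched.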