Hi.
A few months ago I asked the list about source routing and got a nice
solution from Martin Brown. Thanks a lot for the help, Martin Brown. Actually my
problem now is related to the one before, and so I think it is useful to
rewrite it here:
Quoting Martin:
- private (rfc1918) internal network with services published to the
world
- two public networks
- a single service (in the internal network) which should be reachable
on an IP in each public network
Solution:
The key to the general solution of this problem is to use separate pairs
of IPs for the entire path from the outside world to the internal network.
The internal service (e.g., webserver) must host two IP addresses. One IP
address can be reached via DNAT from public network 1 and the other IP
address can be reached via DNAT from the other network.
The detailed solution can be looked up here:
http://linux-ip.net/html/adv-multi-internet.html#adv-multi-internet-inbound
namely,
[root@masq-gw]# ip route add nat 67.17.28.10 via 192.168.100.10
[root@masq-gw]# ip rule add nat 67.17.28.10 from 192.168.100.10 table 4
[root@masq-gw]# ip route add nat 205.254.211.17 via 192.168.100.17
[root@masq-gw]# ip rule add nat 205.254.211.17 from 192.168.100.17
[root@masq-gw]# ip rule show
0: from all lookup local
32765: from 192.168.100.17 lookup main map-to 205.254.211.17
32765: from 192.168.100.10 lookup 4 map-to 67.17.28.10
32766: from all lookup main
32767: from all lookup 253
[root@masq-gw]# ip route show table local | grep ^nat
nat 205.254.211.17 via 192.168.100.17 scope host
nat 67.17.28.10 via 192.168.100.10 scope host
The solution above has a drawback. If I have to provide a different service
on a different computer in the internal network I can't, since every packet
that reaches the Linux router is being redirected to the same computer in the
internal network. Assume that besides the web service on
192.168.100.10-192.168.100.17 (IP alias used here) we want to provide ssh
service on 192.168.100.20-192.168.100.21 and want to source-route both
services in Linux. I believe that to solve this I need to operate with
iptables and iproute together and DNAT the requests according to the port they are
addressed to. It seems that iproute by itself cannot do that. But to
accomplish this I think that a solid knowledge of how the packets traverse the
kernel is necessary, and that is what
I am not sure about. So I would really appreciate it if anyone could help me write
the iptables and iproute rules for the example just mentioned. That would be a
great help.
Thanks a lot for your attention,
Aldrovando Araújo
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
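The per-port publishing the post asks about, as an added example (not from the post, from Martin Brown, or from the linux-ip.net page it quotes). Instead of the kernel's `ip route add nat` / `ip rule ... map-to` mechanism, it uses netfilter DNAT in `nat PREROUTING` and pins each connection's reply path to the uplink it arrived on with CONNMARK and a fwmark policy-routing rule; that way two different internal hosts (or the same host on two ports) can sit behind the same public address, which source-address rules alone cannot express. The public and internal addresses are the ones from the thread; the interface names `eth0`/`eth1`/`eth2`, the two upstream gateway addresses, table numbers 4 and 5, and the assignment of the ssh hosts `.20`/`.21` to uplinks 1 and 2 are assumptions. With `DRY_RUN=1` (the default) it only prints the rules it would install.

```sh
#!/bin/sh
# Added example: per-port DNAT publishing over two uplinks with symmetric
# return routing. Not from the original post or from linux-ip.net.
# Assumptions (placeholders, not from the thread): interface names eth0/eth1/eth2,
# the two upstream gateway addresses and the table numbers. Published IPs are the thread's.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands; 0 = execute them (as root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

LAN_IF=eth0                              # placeholder: internal 192.168.100.0/24
PUB1_IF=eth1; PUB1_GW=67.17.28.1         # placeholder uplink 1 (67.17.28.10 lives here)
PUB2_IF=eth2; PUB2_GW=205.254.211.1      # placeholder uplink 2 (205.254.211.17 lives here)

# publish <uplink 1|2> <public-ip> <proto> <port> <internal-ip>
# Emits exactly three rules: the connection mark, the DNAT and the FORWARD allow.
publish() {
    uplink=$1; pub=$2; proto=$3; port=$4; internal=$5
    case $uplink in
        1) pif=$PUB1_IF ;;
        2) pif=$PUB2_IF ;;
        *) echo "publish: unknown uplink '$uplink'" >&2; return 1 ;;
    esac
    # Mark the connection with the uplink number while the destination is still
    # the public IP (mangle PREROUTING runs before nat PREROUTING). Replies from
    # the LAN inherit the mark and are routed back out of the same uplink.
    run iptables -t mangle -A PREROUTING -i "$pif" -d "$pub" -p "$proto" --dport "$port" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$uplink"
    # Translate only this port on this public address to the chosen internal host.
    run iptables -t nat -A PREROUTING -i "$pif" -d "$pub" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$internal"
    # Least privilege on the forwarding path: only the published port may open
    # a new connection into the LAN (FORWARD policy is DROP, see setup_routing).
    run iptables -A FORWARD -i "$pif" -o "$LAN_IF" -d "$internal" -p "$proto" --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

setup_routing() {
    # One routing table per uplink; the default route in each points at that
    # uplink's gateway. Table numbers 4 and 5 are arbitrary.
    run ip route add default via "$PUB1_GW" dev "$PUB1_IF" table 4
    run ip route add default via "$PUB2_GW" dev "$PUB2_IF" table 5
    # Reply packets coming from the LAN still carry the internal source address
    # when the routing decision is made (the reverse DNAT is applied in
    # POSTROUTING), so select the table by the restored connection mark rather
    # than by source address.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    run ip rule add fwmark 1 table 4
    run ip rule add fwmark 2 table 5
    # Forwarding default: drop, then allow replies of already accepted connections.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# The thread's case: web on .10/.17, ssh on .20/.21 (which ssh host sits
# behind which uplink is assumed here; the post does not say).
setup_routing
publish 1 67.17.28.10    tcp 80 192.168.100.10
publish 2 205.254.211.17 tcp 80 192.168.100.17
publish 1 67.17.28.10    tcp 22 192.168.100.20
publish 2 205.254.211.17 tcp 22 192.168.100.21
```

Run it as is to review the generated rule set, then with `DRY_RUN=0` on the router to install it. The FORWARD chain is what keeps the DNAT from turning the router into an open door into the LAN: a new connection is forwarded only if it matches one of the published (interface, public IP, port, internal host) tuples, and everything else is dropped by policy. Traffic originating from the LAN towards the Internet is deliberately not covered here; it needs its own SNAT and default-route selection.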