One thing you might do if you use DNS is to create views for hosts on the LAN: have a VIEW for them so they will resolve the internal IP.
Looks like you should specify with your NATting what interface the traffic is outbound on, with -o eth1 or eth0, so that when it leaves eth2 it won't source NAT.
Alexander W. Janssen (alexander.janssen@gmx.de) wrote:
>Hi all,
>
>I got the following configuration:
>* NET1: DSL Line with /28 network, let's call it 10.1.0.0/28
>* NET2: DSL Line with /28 network, let's call it 10.2.0.0/28
>* INTNET: Internal Network with productive servers and workstations,
>192.168.1.0/24
>Obviously the 10er networks are official networks but censored to
>protect my customer.
>The routerbox assigns on eth0 all IP-addresses from NET1, same for eth1
>and NET2. The internal net is on eth2.
>I've set up split-access routing like in the documentation, part "4.2.1.
>Split access". Every productive server gets his own routing table and its
>own SNAT/DNAT rule. Example is given for one server.
># Server 1, external 10.1.0.3, internal 192.168.1.2, table server1,
># default-gateway is 10.1.0.1 (DSL router)
>ip route add $NET1 dev eth0 src 10.1.0.1 table server1
>ip route add $INTNET dev eth2 table server1
>ip route add default via 10.1.0.1 table server1
>ip rule add from 192.168.1.2 table server1
># Now NAT 10.1.0.3 -
>iptables -t nat -A PREROUTING -d 10.1.0.3 -j DNAT --to-destination 192.168.1.2
>iptables -t nat -A POSTROUTING -s 192.168.1.2 -j SNAT --to-source 10.1.0.3
>
>I do this for all servers on alternating IP addresses and lines.
>
>Eventually at the very end of the POSTROUTING chain I got a catch-all SNAT
>for all workstations in INTNET to get SNATed access to the internet (only
>routed via one line):
>iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 10.1.0.1
>(where 10.1.0.1 is a designated IP address only used for the workstations
>- the servers all got their own IP address).
>Works so far.
>
>Now my problem: If a workstation from the internal network, let's say,
>wants to connect to the official IP address of one of the servers, it
>doesn't work.
>Let's say 192.168.1.212 wants to connect to 10.1.0.3. It goes through its
>default gateway 192.168.1.1, which is the only IP address assigned on
>eth2, the internal interface. It hits the PREROUTING chain and gets DNATed
>to 192.168.1.2. It hits routing code and is matched against "$INTNET dev
>eth2" in table server1. It hits POSTROUTING and gets SNATed with 10.1.0.1,
>the external, designated IP address of the router for the clients. It
>should be pushed out on the internal interface.
>The server receives the packet, processes it and sends back the answer to
>the router. The packet hits PREROUTING (from 192.168.1.2 to 10.1.0.1, no
>rule matches), hits routing code and there is the problem, I think.
>Destined for local interface, don't route. BANG.
>Is my observation at that point right? If yes, does somebody know how to
>achieve my goal, that internal IPs can connect to the external IPs? The
>term "CONNMARK" somehow popped up in my mind, but I haven't seen any
>useful examples yet how to use it properly.
>I hope I provided all necessary information; I know that "ip rule show" is
>missing to check the precedences of rules, but I don't have access to the
>system right now.
>Any hint is appreciated,
>thanks,
>Alex.
>
>
>_______________________________________________
>LARTC mailing list / LARTC@mailman.ds9a.nl
>http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
>
--
When dealing with a slow pipe, never underestimate the throughput of the postal
system.
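The per-server rules from the question with the reply's suggestion applied, as an added example that is not from the thread: each SNAT rule carries -o with its DSL interface, so a packet that routing sends back out eth2 is not source-NATed, and the option names are the real iptables ones. It assumes the server's public address is the router's own address on that interface (used as the table's preferred source) and uses constructed addresses for a second server; IPT and IPR default to echo, so it is a dry run.

```shell
#!/bin/sh
# Added example, not the thread's own script. Dry run by default: set
# IPT=iptables IPR=ip on the router to apply the rules for real.
IPT=${IPT:-echo iptables}
IPR=${IPR:-echo ip}
INTNET=192.168.1.0/24
INT_IF=eth2

# server_rules TABLE EXT_IF EXT_NET GATEWAY EXT_IP INT_IP
# Routing table plus DNAT/SNAT pair for one server on one DSL line.
# Assumption: EXT_IP is the router's own address on EXT_IF for this server,
# so it is used as the preferred source address in the table.
server_rules() {
    table=$1; ext_if=$2; ext_net=$3; gw=$4; ext_ip=$5; int_ip=$6
    $IPR route add "$ext_net" dev "$ext_if" src "$ext_ip" table "$table"
    $IPR route add "$INTNET" dev "$INT_IF" table "$table"
    $IPR route add default via "$gw" table "$table"
    $IPR rule add from "$int_ip" table "$table"
    # Connections to the public address are handed to the internal host.
    $IPT -t nat -A PREROUTING -d "$ext_ip" \
        -j DNAT --to-destination "$int_ip"
    # The public address is substituted only when the packet really leaves
    # on the DSL interface (-o); a packet routed back out eth2 is untouched.
    $IPT -t nat -A POSTROUTING -s "$int_ip" -o "$ext_if" \
        -j SNAT --to-source "$ext_ip"
}

# Catch-all for the workstations, again limited to the external interface.
workstation_rules() {
    ext_if=$1; ext_ip=$2
    $IPT -t nat -A POSTROUTING -s "$INTNET" -o "$ext_if" \
        -j SNAT --to-source "$ext_ip"
}

# Server 1 uses the addresses from the question; server 2's addresses
# (10.2.0.3 / 192.168.1.3) are constructed for the example.
server_rules server1 eth0 10.1.0.0/28 10.1.0.1 10.1.0.3 192.168.1.2
server_rules server2 eth1 10.2.0.0/28 10.2.0.1 10.2.0.3 192.168.1.3
workstation_rules eth0 10.1.0.1
```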