Hi,

Below is my Linux firewall network configuration:

eth0 - isp 1, IP: 1.1.1.10, Netmask: 255.255.255.252
eth1 - isp 2, IP: 2.2.2.10, Netmask: 255.255.255.252
eth2 - lan, IP: 172.16.0.254, Netmask: 255.255.255.0
eth3 - dmz, IP: 192.168.0.254, Netmask: 255.255.255.0

isp 1 gateway: 1.1.1.9
isp 2 gateway: 2.2.2.9

Below are my iptables rules:

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A PREROUTING -d 1.1.1.10 -j DNAT --to-destination 172.16.0.1
iptables -t nat -A PREROUTING -d 2.2.2.10 -j DNAT --to-destination 192.168.0.1

iptables -t nat -A POSTROUTING -s 172.16.0.1 -j SNAT --to-source 1.1.1.10
iptables -t nat -A POSTROUTING -s 192.168.0.1 -j SNAT --to-source 2.2.2.10

Below is my split access routing for multiple providers:

# First ISP
ip route add 1.1.1.8/30 dev eth0 src 1.1.1.10 table 1
ip route add default via 1.1.1.9 table 1

# Second ISP
ip route add 2.2.2.8/30 dev eth1 src 2.2.2.10 table 2
ip route add default via 2.2.2.9 table 2

#
ip rule add from 1.1.1.8/30 lookup 1
ip rule add from 2.2.2.8/30 lookup 2

# My default choice of gateway
ip route add default via 1.1.1.9

#
ip route add 2.2.2.8/30 dev eth1 table 1
ip route add 172.16.0.0/24 dev eth2 table 1
ip route add 192.168.0.0/24 dev eth3 table 1
ip route add 127.0.0.0/8 dev lo table 1

#
ip route add 1.1.1.8/30 dev eth0 table 2
ip route add 172.16.0.0/24 dev eth2 table 2
ip route add 192.168.0.0/24 dev eth3 table 2
ip route add 127.0.0.0/8 dev lo table 2

When I perform a traceroute from a workstation with the IP address of
192.168.0.1 and gateway 192.168.0.254, I can see the result of the traceroute
going through the 1.1.1.9 gateway, why? It is supposed to SNAT to 2.2.2.10 via
the 2.2.2.9 gateway.

Regards,
ro0ot

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
On Mon, 15 Nov 2004, ro0ot wrote:

> Hi,
>
> Below is my Linux firewall network configuration:
>
> eth0 - isp 1, IP: 1.1.1.10, Netmask: 255.255.255.252
> eth1 - isp 2, IP: 2.2.2.10, Netmask: 255.255.255.252
> eth2 - lan, IP: 172.16.0.254, Netmask: 255.255.255.0
> eth3 - dmz, IP: 192.168.0.254, Netmask: 255.255.255.0
>
> isp 1 gateway: 1.1.1.9
> isp 2 gateway: 2.2.2.9
>
> Below are my iptables rules:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> iptables -t nat -A PREROUTING -d 1.1.1.10 -j DNAT --to-destination 172.16.0.1
> iptables -t nat -A PREROUTING -d 2.2.2.10 -j DNAT --to-destination 192.168.0.1
>
> iptables -t nat -A POSTROUTING -s 172.16.0.1 -j SNAT --to-source 1.1.1.10
> iptables -t nat -A POSTROUTING -s 192.168.0.1 -j SNAT --to-source 2.2.2.10

POSTROUTING (as the name says it) happens after all routing decisions
are made, just before the packet reaches the line.
So you need some more ip rules to push the packets on the right way.

> When I perform a traceroute from a workstation with the IP address of
> 192.168.0.1 and gateway 192.168.0.254, I can see the result of the traceroute
> going through the 1.1.1.9 gateway, why? It is supposed to SNAT to 2.2.2.10 via
> the 2.2.2.9 gateway.

greets,
 Tami
Hi Tami,

I added the following and it helps...

ip rule add nat 1.1.1.10 from 172.16.0.1 table 1
ip rule add nat 2.2.2.10 from 192.168.0.1 table 2

Are the above two lines correct?

Regards,
ro0ot

Paul Zirnik wrote:
> On Mon, 15 Nov 2004, ro0ot wrote:
>
>> Hi,
>>
>> Below is my Linux firewall network configuration:
>>
>> eth0 - isp 1, IP: 1.1.1.10, Netmask: 255.255.255.252
>> eth1 - isp 2, IP: 2.2.2.10, Netmask: 255.255.255.252
>> eth2 - lan, IP: 172.16.0.254, Netmask: 255.255.255.0
>> eth3 - dmz, IP: 192.168.0.254, Netmask: 255.255.255.0
>>
>> isp 1 gateway: 1.1.1.9
>> isp 2 gateway: 2.2.2.9
>>
>> Below are my iptables rules:
>>
>> echo 1 > /proc/sys/net/ipv4/ip_forward
>>
>> iptables -t nat -A PREROUTING -d 1.1.1.10 -j DNAT --to-destination 172.16.0.1
>> iptables -t nat -A PREROUTING -d 2.2.2.10 -j DNAT --to-destination 192.168.0.1
>>
>> iptables -t nat -A POSTROUTING -s 172.16.0.1 -j SNAT --to-source 1.1.1.10
>> iptables -t nat -A POSTROUTING -s 192.168.0.1 -j SNAT --to-source 2.2.2.10
>
> POSTROUTING (as the name says it) happens after all routing decisions
> are made, just before the packet reaches the line.
> So you need some more ip rules to push the packets on the right way.
>
>> When I perform a traceroute from a workstation with the IP address of
>> 192.168.0.1 and gateway 192.168.0.254, I can see the result of the traceroute
>> going through the 1.1.1.9 gateway, why? It is supposed to SNAT to 2.2.2.10 via
>> the 2.2.2.9 gateway.
>
> greets,
>  Tami
Hi ro0ot,

You may be running into the same problem that I was dealing with this
weekend. I tried to follow the LARTC FAQ on multiple internet connections
(in my case two ADSL connections) and I found that the information got me
most of the way but not the whole way.

Specifically, the thing that I discovered was that in a situation like
ours, the routing rules need to apply to the *internal* IP addresses, not
the public ones. I know this seems bizarre since the actual routing tables
reference the public IPs, but apparently the routing rule is triggered
*before* the preroute.

So given what worked for me, I'd suggest changing from this:

ip rule add from 1.1.1.8/30 lookup 1
ip rule add from 2.2.2.8/30 lookup 2

to this:

ip rule add from 172.16.0.0/24 lookup 1
ip rule add from 192.168.0.0/24 lookup 2

Maybe the LARTC FAQ on this subject needs to be updated a little bit.

Chris

----- Original Message -----
From: "ro0ot" <ro0ot@phreaker.net>
To: "LARTC" <lartc@mailman.ds9a.nl>
Sent: Sunday, November 14, 2004 7:23 PM
Subject: [LARTC] source policy routing going to wrong path

> Hi,
>
> Below is my Linux firewall network configuration:
>
> eth0 - isp 1, IP: 1.1.1.10, Netmask: 255.255.255.252
> eth1 - isp 2, IP: 2.2.2.10, Netmask: 255.255.255.252
> eth2 - lan, IP: 172.16.0.254, Netmask: 255.255.255.0
> eth3 - dmz, IP: 192.168.0.254, Netmask: 255.255.255.0
>
> isp 1 gateway: 1.1.1.9
> isp 2 gateway: 2.2.2.9
>
> Below are my iptables rules:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> iptables -t nat -A PREROUTING -d 1.1.1.10 -j DNAT --to-destination 172.16.0.1
> iptables -t nat -A PREROUTING -d 2.2.2.10 -j DNAT --to-destination 192.168.0.1
>
> iptables -t nat -A POSTROUTING -s 172.16.0.1 -j SNAT --to-source 1.1.1.10
> iptables -t nat -A POSTROUTING -s 192.168.0.1 -j SNAT --to-source 2.2.2.10
>
> Below is my split access routing for multiple providers:
>
> # First ISP
> ip route add 1.1.1.8/30 dev eth0 src 1.1.1.10 table 1
> ip route add default via 1.1.1.9 table 1
>
> # Second ISP
> ip route add 2.2.2.8/30 dev eth1 src 2.2.2.10 table 2
> ip route add default via 2.2.2.9 table 2
>
> #
> ip rule add from 1.1.1.8/30 lookup 1
> ip rule add from 2.2.2.8/30 lookup 2
>
> # My default choice of gateway
> ip route add default via 1.1.1.9
>
> #
> ip route add 2.2.2.8/30 dev eth1 table 1
> ip route add 172.16.0.0/24 dev eth2 table 1
> ip route add 192.168.0.0/24 dev eth3 table 1
> ip route add 127.0.0.0/8 dev lo table 1
>
> #
> ip route add 1.1.1.8/30 dev eth0 table 2
> ip route add 172.16.0.0/24 dev eth2 table 2
> ip route add 192.168.0.0/24 dev eth3 table 2
> ip route add 127.0.0.0/8 dev lo table 2
>
> When I perform a traceroute from a workstation with the IP address of
> 192.168.0.1 and gateway 192.168.0.254, I can see the result of the
> traceroute going through the 1.1.1.9 gateway, why? It is supposed to SNAT to
> 2.2.2.10 via the 2.2.2.9 gateway.
>
> Regards,
> ro0ot
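As an added worked example, not code from this thread or from the LARTC HOWTO: a small Python model of the forwarding path the replies describe (PREROUTING DNAT, then the policy rule lookup, then the route table, then POSTROUTING SNAT). The tables, rules and NAT mappings are transcribed from ro0ot's configuration and from Chris's suggested rules; 203.0.113.5 is a constructed Internet destination; the connected routes that the kernel installs on its own are spelled out so the model runs stand-alone. It is a simplification of the kernel (longest-prefix match only, no metrics, scopes or reverse-path checks) and exists only to show why the rule selector must name the pre-SNAT source.

```python
"""Toy model of the forwarding path discussed in this thread:
PREROUTING DNAT -> policy rules (RPDB) -> route table -> POSTROUTING SNAT.
Constructed illustration of the ordering, not the kernel's own code."""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr, strict=False)


# Route = (prefix, next hop or None when directly connected, outgoing device)
Route = Tuple[Net, Optional[str], str]
# Rule = (source selector, table); evaluated in list order, main table last
Rule = Tuple[Net, str]

# Connected routes the kernel adds by itself; listed explicitly so the model
# is self-contained (ro0ot also copied them into tables 1 and 2).
CONNECTED: List[Route] = [
    (net("1.1.1.8/30"), None, "eth0"),
    (net("2.2.2.8/30"), None, "eth1"),
    (net("172.16.0.0/24"), None, "eth2"),
    (net("192.168.0.0/24"), None, "eth3"),
    (net("127.0.0.0/8"), None, "lo"),
]
TABLES: Dict[str, List[Route]] = {
    "1": CONNECTED + [(net("0.0.0.0/0"), "1.1.1.9", "eth0")],
    "2": CONNECTED + [(net("0.0.0.0/0"), "2.2.2.9", "eth1")],
    "main": CONNECTED + [(net("0.0.0.0/0"), "1.1.1.9", "eth0")],  # "default choice"
}

# ro0ot's original rules select on the public /30s ...
RULES_ORIGINAL: List[Rule] = [(net("1.1.1.8/30"), "1"), (net("2.2.2.8/30"), "2")]
# ... Chris's suggestion selects on the internal networks.
RULES_FIXED: List[Rule] = [(net("172.16.0.0/24"), "1"), (net("192.168.0.0/24"), "2")]

# iptables nat table, transcribed from the first mail
DNAT = {IPv4("1.1.1.10"): IPv4("172.16.0.1"), IPv4("2.2.2.10"): IPv4("192.168.0.1")}
SNAT = {IPv4("172.16.0.1"): IPv4("1.1.1.10"), IPv4("192.168.0.1"): IPv4("2.2.2.10")}


def lookup(table: str, dst: IPv4) -> Optional[Route]:
    """Longest-prefix match within a single table."""
    best: Optional[Route] = None
    for route in TABLES[table]:
        if dst in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


def forward(src: str, dst: str, rules: List[Rule]) -> Dict[str, Optional[str]]:
    """Return the table, next hop, device and post-NAT addresses chosen for a
    packet that enters the firewall with the given (pre-NAT) addresses."""
    s, d = IPv4(src), IPv4(dst)
    d = DNAT.get(d, d)                      # PREROUTING: DNAT runs before routing
    chosen_table, chosen = None, None
    for selector, table in rules + [(net("0.0.0.0/0"), "main")]:
        if s in selector:                   # rules see the ORIGINAL source address
            chosen = lookup(table, d)
            if chosen is not None:
                chosen_table = table
                break                       # a table without a route -> next rule
    if chosen is None:
        raise RuntimeError(f"no route to {d}")
    s = SNAT.get(s, s)                      # POSTROUTING: SNAT after the decision
    return {"table": chosen_table, "via": chosen[1], "dev": chosen[2],
            "src": str(s), "dst": str(d)}


if __name__ == "__main__":
    external = "203.0.113.5"                # constructed Internet destination
    for label, rules in (("original", RULES_ORIGINAL), ("fixed", RULES_FIXED)):
        for host in ("172.16.0.1", "192.168.0.1"):
            print(label, host, "->", external, forward(host, external, rules))
    print("inbound to 2.2.2.10:", forward(external, "2.2.2.10", RULES_FIXED))
```

With the original rules a packet from 192.168.0.1 matches neither /30 selector, falls through to the main table and leaves via 1.1.1.9 on eth0, and only then is its source rewritten to 2.2.2.10; that is the path ro0ot saw in traceroute, and it also means ISP 1 receives packets carrying ISP 2's address, which an ingress filter can legitimately drop. The LAN host 172.16.0.1 only appeared to work because main's default happens to coincide with its SNAT address. With Chris's rules the DMZ host is steered into table 2 and leaves via 2.2.2.9 on eth1, matching its SNAT address, and the inbound DNAT'd packet still reaches eth3 through the main table. On a real box the same question can be asked of the kernel without sending traffic, using `ip route get 203.0.113.5 from 192.168.0.1 iif eth3`, which reports the table, gateway and device the rules select.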