Hi guys,

Can you take a look at this? :)

          +-----------+
          |           |
    eth1-|-           |
          |          -|-eth0---LAN---
          |           |
    eth2-|-           |
          |           |
          +-----------+

eth0 is connected to the LAN having the IP=LAN_IP

eth1 is connected to the first ISP having IP=ISP_IP_1 and GW=ISP_GW_1
eth2 is connected to the second ISP having IP=ISP_IP_2 and GW=ISP_GW_2

I need to selectively SNAT clients in the LAN to ISP_IP_1 or ISP_IP_2.

That would be something like:
$IPTABLES -t nat -A POSTROUTING -s 172.17.31.5 -j SNAT --to-source $ISP_IP_1
$IPTABLES -t nat -A POSTROUTING -s 172.17.31.7 -j SNAT --to-source $ISP_IP_2

This does not work since all the packets are forwarded to the default GW
which is ISP_GW_1.

How can I change this?

As far as I remember, the routing decisions and policy are before the
POSTROUTING chain in which the SNAT occurs...

Please help!

Mihai Vlad

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
I did this once upon a time, and have of course since lost the specific
commands. But, as I recall, you mark the packets you want to send out eth2,
and then add a second route table with a second default GW for packets with
the appropriate mark. Perhaps there is a more elegant solution out there.

On Mon, 14 Feb 2005, Mihai Vlad wrote:
> Hi guys,
>
> Can you take a look at this? :)
>
>           +-----------+
>           |           |
>     eth1-|-           |
>           |          -|-eth0---LAN---
>           |           |
>     eth2-|-           |
>           |           |
>           +-----------+
>
> eth0 is connected to the LAN having the IP=LAN_IP
>
> eth1 is connected to the first ISP having IP=ISP_IP_1 and GW=ISP_GW_1
> eth2 is connected to the second ISP having IP=ISP_IP_2 and GW=ISP_GW_2
>
> I need to selectively SNAT clients in the LAN to ISP_IP_1 or ISP_IP_2.
>
> That would be something like:
> $IPTABLES -t nat -A POSTROUTING -s 172.17.31.5 -j SNAT --to-source $ISP_IP_1
> $IPTABLES -t nat -A POSTROUTING -s 172.17.31.7 -j SNAT --to-source $ISP_IP_2
>
> This does not work since all the packets are forwarded to the default GW
> which is ISP_GW_1.
>
> How can I change this?
>
> As far as I remember, the routing decisions and policy are before the
> POSTROUTING chain in which the SNAT occurs...
>
> Please help!
>
> Mihai Vlad
On Monday 14 February 2005 14:27, Mihai Vlad wrote:
> Hi guys,
>
> Can you take a look at this? :)
>
> I need to selectively SNAT clients in the LAN to ISP_IP_1 or
> ISP_IP_2.
>
> That would be something like:
> $IPTABLES -t nat -A POSTROUTING -s 172.17.31.5 -j SNAT --to-source
> $ISP_IP_1
> $IPTABLES -t nat -A POSTROUTING -s 172.17.31.7 -j SNAT --to-source
> $ISP_IP_2
>
> This does not work since all the packets are forwarded to the default
> GW which is ISP_GW_1.

I think you still need the patches and routing commands as described in
the nano.txt file. You'd just plug in your customised SNAT rules in place
of the load-balancing ones.

I have a nano.txt'ed site with some special SNAT like this. I think some
of my $ISP2_IP_2 (2nd and subsequent IP's on ISP2) packets are going out
over ISP1's physical interface. I have not bothered to check because it's
working fine. :)

--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
Hi!

Mihai Vlad wrote:
> Hi guys,
>
> Can you take a look at this? :)
>
>           +-----------+
>           |           |
>     eth1-|-           |
>           |          -|-eth0---LAN---
>           |           |
>     eth2-|-           |
>           |           |
>           +-----------+
>
> eth0 is connected to the LAN having the IP=LAN_IP
>
> eth1 is connected to the first ISP having IP=ISP_IP_1 and GW=ISP_GW_1
> eth2 is connected to the second ISP having IP=ISP_IP_2 and GW=ISP_GW_2
>
> I need to selectively SNAT clients in the LAN to ISP_IP_1 or ISP_IP_2.
>
> That would be something like:
> $IPTABLES -t nat -A POSTROUTING -s 172.17.31.5 -j SNAT --to-source $ISP_IP_1
> $IPTABLES -t nat -A POSTROUTING -s 172.17.31.7 -j SNAT --to-source $ISP_IP_2
>
> This does not work since all the packets are forwarded to the default GW
> which is ISP_GW_1.
>
> How can I change this?
>
> As far as I remember, the routing decisions and policy are before the
> POSTROUTING chain in which the SNAT occurs...

$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -j SNAT --to-source $EXTERNAL_IP_ADDR
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE2 -j SNAT --to-source $EXTERNAL_IP_ADDR2

And add some rules based on the client's source IP address (policy routing):
http://www.linux.com/howtos/Adv-Routing-HOWTO/lartc.rpdb.simple.shtml

--
Regards,
Nandor
On Mon, Feb 14, 2005 at 02:47:18PM -0600, /dev/rob0 wrote:
> > This does not work since all the packets are forwarded to the default
> > GW which is ISP_GW_1.
> I think you still need the patches and routing commands as described in
> the nano.txt file. You'd just plug in your customised SNAT rules in
> place of the load-balancing ones.

Actually, you only need them if you want to loadbalance. If you don't, you
just play a little with policy based routing (which works with "normal"
kernels too), like

ip route add default via $ISP_GW_1 src $ISP_IP_1 dev eth1 table 101
# technically, if you keep iptables the way you have, you can leave out "src
# $ISP_IP_1"
ip route add default via $ISP_GW_2 src $ISP_IP_2 dev eth2 table 102
ip rule add from 172.17.31.5 table 101
ip rule add from 172.17.31.7 table 102

(in reality you may need a couple more rules to avoid problems with
communicating with other subnets if you have them, see LARTC HOWTO "load
balancing multiple providers").

In order to avoid having duplicate IP lists, I suggest you use -j MASQUERADE
(without -s) in iptables.

In order to optimise for speed you could use sub-subnets or hashes (if you
have like dozens of computers, it shouldn't matter, but with hundreds or
thousands it might be necessary).

Bye,

Peter Surda (Shurdeek) <shurdeek@routehat.org>, ICQ 10236103, +436505122023

--
NT, now approaching 23x6 availability.
> This does not work since all the packets are forwarded to the default GW
> which is ISP_GW_1.

In the routing tables, you must have two rules to route packets with
different sources to different gateways.

First:

ip rule add from 172.17.31.5 lookup 1
ip route add table 1 default via $ISP_GW_1
ip rule add from 172.17.31.7 lookup 2
ip route add table 2 default via $ISP_GW_2

then:

$IPTABLES -t nat -A POSTROUTING -s 172.17.31.5 -j SNAT --to-source $ISP_IP_1
$IPTABLES -t nat -A POSTROUTING -s 172.17.31.7 -j SNAT --to-source $ISP_IP_2

> As far as I remember, the routing decisions and policy are before the
> POSTROUTING chain in which the SNAT occurs...

The Kernel Packet Traveling Diagram http://www.docum.org/docum.org/kptd/
might be helpful for you.

In case you want load balancing for your internet connections, you can
consult http://selab.edu.ms/twiki/bin/view/Networking/MultihomedLinuxNetworking
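The ordering the replies above rely on (ip rule -> route table -> egress interface, and only then POSTROUTING SNAT) as an added example that is not code from the thread: a small Python model of the RPDB plus interface-keyed SNAT. It uses constructed addresses for the thread's ISP_* placeholders and a hypothetical second LAN subnet 172.17.32.0/24 to show the extra "to" rule Peter alludes to.

```python
import ipaddress

# Constructed sample addresses standing in for the thread's placeholders.
ISP_GW_1, ISP_IP_1 = "203.0.113.1", "203.0.113.10"
ISP_GW_2, ISP_IP_2 = "198.51.100.1", "198.51.100.10"
ANY = "0.0.0.0/0"

# Route tables as (prefix, gateway, dev). "main" is what the kernel consults
# when no policy rule matches: LAN subnets plus the ISP1 default route.
TABLES = {
    "main": [("172.17.31.0/24", None, "eth0"), ("172.17.32.0/24", None, "eth0"),
             (ANY, ISP_GW_1, "eth1")],
    "101": [(ANY, ISP_GW_1, "eth1")],  # ip route add default via $ISP_GW_1 dev eth1 table 101
    "102": [(ANY, ISP_GW_2, "eth2")],  # ip route add default via $ISP_GW_2 dev eth2 table 102
}
# ip rule entries as (priority, from, to, table); 32766 is the kernel's "main" rule.
RULES_PLAIN = [(32766, ANY, ANY, "main")]
RULES_POLICY = [(100, "172.17.31.5/32", ANY, "101"),
                (101, "172.17.31.7/32", ANY, "102")] + RULES_PLAIN
# The "couple more rules" from the thread: keep LAN-to-LAN traffic in main.
RULES_POLICY_FIXED = [(50, ANY, "172.17.0.0/16", "main")] + RULES_POLICY

def _in(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def lookup(table, dst):
    """Longest-prefix match inside one table; None when it has no route."""
    hits = [(ipaddress.ip_network(p).prefixlen, gw, dev)
            for p, gw, dev in TABLES[table] if _in(dst, p)]
    return max(hits, key=lambda h: h[0])[1:] if hits else None

def route(rules, src, dst):
    """RPDB walk: rules by priority; the first matching rule whose table answers wins."""
    for _, frm, to, table in sorted(rules):
        if _in(src, frm) and _in(dst, to):
            hit = lookup(table, dst)
            if hit:
                return hit
    raise LookupError(f"no route to {dst}")

# POSTROUTING SNAT keyed on the egress interface (-o), so NAT follows the
# routing decision instead of trying to steer it.
SNAT_BY_DEV = {"eth1": ISP_IP_1, "eth2": ISP_IP_2}

def forward(rules, src, dst):
    """Return (egress dev, gateway, source address after POSTROUTING SNAT)."""
    gw, dev = route(rules, src, dst)
    return dev, gw, SNAT_BY_DEV.get(dev, src)
```

With RULES_PLAIN both clients leave via eth1 whatever the -s SNAT rule says; with RULES_POLICY 172.17.31.7 leaves via eth2, but its LAN-to-LAN traffic is also sent to ISP2 until the "to 172.17.0.0/16 lookup main" rule is added.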
Hi,

I have a LAN with an internet connection; the gateway is a Linux server. I
have a client (192.168.0.33) whose upload rate I want to limit to 64kbit/s,
so I do:

tc qdisc del dev ppp0 root
tc qdisc add dev ppp0 root handle 1: htb r2q 1
tc class add dev ppp0 parent 1: classid 1:2 htb rate 64kbit ceil 64kbit burst 6k
tc filter add dev ppp0 parent 1: protocol ip prio 1 handle 0x1 fw classid 1:2
iptables -t mangle -A PREROUTING -s 192.168.0.33 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -s 192.168.0.33 -j RETURN

but this does not work. Any suggestions?

Thanks.