Oh, I forgot important information:
I use a Debian stable with iptables v1.2.11 (from deb package) and a kernel 2.6.14.2 (recompiled).
I just tried another approach, without success. I tried to use conntrack, but it does not seem to be working either.
-A PREROUTING -m conntrack --ctorigdst 193.253.54.64 -j MARK --set-mark 0x1
-A PREROUTING -m conntrack --ctorigdst 213.41.177.180 -j MARK --set-mark 0x2
Same with CONNMARK (corrected in the right order)
-A PREROUTING -j CONNMARK --restore-mark
-A PREROUTING -m mark ! --mark 0x0 -j ACCEPT
-A PREROUTING -i ppp0 -j CONNMARK --set-mark 0x1
-A PREROUTING -i ppp1 -j CONNMARK --set-mark 0x2
-A PREROUTING -j CONNMARK --save-mark
These 2 samples don't match my outgoing DNATed packets.
I have made tests with tcpdump on my 2 ppp interfaces.
Each time, the outgoing packets go through the default gateway, as if the packets were not marked.
> -----Original Message-----
> From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl]
> On behalf of Benoit DELAGARDE
> Sent: Friday 25 November 2005 13:33
> To: lartc@mailman.ds9a.nl
> Subject: [LARTC] 2 WAN links and DNAT
>
> Hi
>
> Here is a short description of my network:
>
>     ppp0 (adsl)      ppp1 (adsl)
>         |                |
>         |                |
>     ---------------------
>     |      Router       |
>     |     Firewall      |
>     |    MASQUERAD      |
>     |      DNAT         |
>     |                   |
>     |       eth0        |
>     ---------------------
>               |
>               |
>               |
>     ----------------------
>     |                    |
>   Local            Web and Mail
>  Network              Server
>
>
> I forward all incoming connections for http and SMTP to my server by using a
> DNAT translation.
> But I encounter a problem: all answers are routed to my default gateway (ppp0).
> If the connections come from ppp0 there is no problem, but if the connections come
> from ppp1, the client never gets an answer.
> I have de-activated rp_filtering but it seems that one of my providers uses
> this feature, and of course, this should be the default gateway!
>
> So I'm looking for a way to route the packets to the right interface.
> Google gave me some solutions but none of them are working.
>
>
> Here are my iptables rules
> # Generated by iptables-save v1.2.11 on Fri Nov 25 12:21:59 2005
> *filter
> :INPUT DROP [2:184]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [3:188]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j LOG
> -A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
> -A INPUT -d 255.255.255.255 -i br0 -j ACCEPT
> -A INPUT -s 192.168.1.0/255.255.255.0 -i br0 -j ACCEPT
> -A INPUT -d 224.0.0.0/240.0.0.0 -i br0 -p ! tcp -j ACCEPT
> -A INPUT -s 192.168.1.0/255.255.255.0 -i ppp1 -j LOG
> -A INPUT -s 192.168.1.0/255.255.255.0 -i ppp1 -j DROP
> -A INPUT -s 192.168.1.0/255.255.255.0 -i ppp0 -j LOG
> -A INPUT -s 192.168.1.0/255.255.255.0 -i ppp0 -j DROP
> -A INPUT -d 255.255.255.255 -i ppp1 -j ACCEPT
> -A INPUT -d 255.255.255.255 -i ppp0 -j ACCEPT
> -A INPUT -d 213.41.177.180 -i ppp1 -j ACCEPT
> -A INPUT -d 193.253.54.64 -i ppp0 -j ACCEPT
> -A INPUT -j LOG
> -A INPUT -j DROP
> -A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
> -A FORWARD -d 192.168.1.100 -i ppp1 -p tcp -m tcp --dport 4662 -j ACCEPT
> -A FORWARD -d 192.168.1.100 -i ppp0 -p tcp -m tcp --dport 4662 -j ACCEPT
> -A FORWARD -d 192.168.1.100 -i ppp1 -p udp -m udp --dport 4672 -j ACCEPT
> -A FORWARD -d 192.168.1.100 -i ppp0 -p udp -m udp --dport 4672 -j ACCEPT
> -A FORWARD -d 192.168.1.100 -i ppp1 -p tcp -m tcp --dport 5500 -j ACCEPT
> -A FORWARD -d 192.168.1.100 -i ppp0 -p tcp -m tcp --dport 5500 -j ACCEPT
> -A FORWARD -d 192.168.1.5 -i ppp1 -p tcp -m tcp --dport 22 -j ACCEPT
> -A FORWARD -d 192.168.1.5 -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
> -A FORWARD -d 192.168.1.4 -i ppp1 -p tcp -m tcp --dport 22 -j ACCEPT
> -A FORWARD -d 192.168.1.4 -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
> -A FORWARD -d 192.168.1.4 -i ppp1 -p tcp -m tcp --dport 80 -j ACCEPT
> -A FORWARD -d 192.168.1.4 -i ppp0 -p tcp -m tcp --dport 80 -j ACCEPT
> -A FORWARD -d 192.168.1.4 -i ppp1 -p tcp -m tcp --dport 25 -j ACCEPT
> -A FORWARD -d 192.168.1.4 -i ppp0 -p tcp -m tcp --dport 25 -j ACCEPT
> -A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j ACCEPT
> -A FORWARD -s 192.168.1.0/255.255.255.0 -i br0 -o ppp1 -j ACCEPT
> -A FORWARD -s 192.168.1.0/255.255.255.0 -i br0 -o ppp0 -j ACCEPT
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp1 -j LOG
> -A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp1 -j DROP
> -A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp0 -j LOG
> -A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp0 -j DROP
> -A FORWARD -j LOG
> -A FORWARD -j DROP
> -A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -o lo -j ACCEPT
> -A OUTPUT -d 255.255.255.255 -o br0 -j ACCEPT
> -A OUTPUT -d 192.168.1.0/255.255.255.0 -o br0 -j ACCEPT
> -A OUTPUT -d 224.0.0.0/240.0.0.0 -o br0 -p ! tcp -j ACCEPT
> -A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp1 -j LOG
> -A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp1 -j DROP
> -A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp0 -j LOG
> -A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp0 -j DROP
> -A OUTPUT -d 255.255.255.255 -o ppp1 -j ACCEPT
> -A OUTPUT -d 255.255.255.255 -o ppp0 -j ACCEPT
> -A OUTPUT -s ipofppp1 -o ppp1 -j ACCEPT
> -A OUTPUT -s ipofppp0 -o ppp0 -j ACCEPT
> -A OUTPUT -j LOG
> -A OUTPUT -j DROP
> COMMIT
> # Completed on Fri Nov 25 12:21:59 2005
> # Generated by iptables-save v1.2.11 on Fri Nov 25 12:21:59 2005
> *mangle
> :PREROUTING ACCEPT [13497:7096745]
> :INPUT ACCEPT [119515:10818662]
> :FORWARD ACCEPT [2263653:1380696494]
> :OUTPUT ACCEPT [3681:323141]
> :POSTROUTING ACCEPT [2445397:1397479483]
> -A PREROUTING -i ppp0 -m state --state NEW -j MARK --set-mark 0x1
> -A PREROUTING -i ppp1 -m state --state NEW -j MARK --set-mark 0x2
> -A PREROUTING -j CONNMARK --save-mark
> -A POSTROUTING -j CONNMARK --restore-mark
> COMMIT
> # Completed on Fri Nov 25 12:21:59 2005
> # Generated by iptables-save v1.2.11 on Fri Nov 25 12:21:59 2005
> *nat
> :PREROUTING ACCEPT [169:12721]
> :POSTROUTING ACCEPT [339:27714]
> :OUTPUT ACCEPT [279:22659]
> -A PREROUTING -i ppp1 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 192.168.1.100:4662
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 192.168.1.100:4662
> -A PREROUTING -i ppp1 -p udp -m udp --dport 4672 -j DNAT --to-destination 192.168.1.100:4672
> -A PREROUTING -i ppp0 -p udp -m udp --dport 4672 -j DNAT --to-destination 192.168.1.100:4672
> -A PREROUTING -i ppp1 -p tcp -m tcp --dport 5500 -j DNAT --to-destination 192.168.1.100:5500
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 5500 -j DNAT --to-destination 192.168.1.100:5500
> -A PREROUTING -i ppp1 -p tcp -m tcp --dport 666 -j DNAT --to-destination 192.168.1.5:22
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 666 -j DNAT --to-destination 192.168.1.5:22
> -A PREROUTING -i ppp1 -p tcp -m tcp --dport 667 -j DNAT --to-destination 192.168.1.4:22
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 667 -j DNAT --to-destination 192.168.1.4:22
> -A PREROUTING -i ppp1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
> -A PREROUTING -i ppp1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.4:25
> -A PREROUTING -i ppp0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.4:25
> -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp1 -j MASQUERADE
> -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
> COMMIT
> # Completed on Fri Nov 25 12:21:59 2005
>
>
>
> And for my route table :
>
> ~> ip rule
> 0: from all lookup local
> 32764: from all fwmark 0x2 lookup nerim
> 32765: from all fwmark 0x1 lookup wanadoo
> 32766: from all lookup main
> 32767: from all lookup default
>
>
> ~> ip route list
> 80.10.246.1 dev ppp0 scope link
> 80.10.246.132 dev ppp0 scope link
> 62.4.16.245 dev ppp1 proto kernel scope link src 213.41.177.180
> 64.4.17.69 dev ppp1 scope link
> 64.4.16.70 dev ppp1 scope link
> 193.253.160.3 dev ppp0 proto kernel scope link src 193.253.54.64
> 192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
> default dev ppp1 scope link
>
> ~> ip route list table nerim
> 192.168.1.0 dev br0 scope link
> default dev ppp1 scope link
>
> ~> ip route list table wanadoo
> 192.168.1.0 dev br0 scope link
> default dev ppp0 scope link
>
>
>
> I believe this should work, but it doesn't.
> tcpdump gives me something like this:
>
> 12:35:04.073949 IP 82.227.29.100.32983 > 213.41.177.180.80: tcp 0
> 12:35:04.074092 IP 82.227.29.100.32983 > 192.168.1.4.80: tcp 0
> 12:35:07.072874 IP 82.227.29.100.32983 > 213.41.177.180.80: tcp 0
> 12:35:07.072997 IP 82.227.29.100.32983 > 192.168.1.4.80: tcp 0
>
> Which means that my packets are sent to the right server, but I never get an
> answer.
> All works when I delete the rules below:
> 32764: from all fwmark 0x2 lookup nerim
> 32765: from all fwmark 0x1 lookup wanadoo
>
>
> My questions are:
> - Did I make a mistake somewhere, or did I misunderstand
> something (CERTAINLY)? Where?
> - What can I do to solve this problem?
>
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
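For the setup discussed in both messages above (two ADSL links, DNAT of http/SMTP to a LAN server, and CONNMARK so that replies leave on the link the connection arrived on), the following is an added example script; it is not code from either message and it was not posted on the list. It assumes the names from the thread: ppp0 with table "wanadoo", ppp1 with table "nerim", LAN 192.168.1.0/24 on br0, and a web/mail server at 192.168.1.4; the `run` wrapper and `check_order` helper are hypothetical names of the example. Two points of the design are worth noting. First, the connection mark is restored in mangle/PREROUTING, which runs before the routing decision, so the server's replies arriving on br0 are marked before `ip rule` is consulted; a restore in POSTROUTING happens after routing and cannot influence it. Second, each per-provider table carries the LAN prefix as `192.168.1.0/24`: `ip route add 192.168.1.0 dev br0` without a prefix length installs a host route for 192.168.1.0 only, so a marked packet for 192.168.1.4 looked up in such a table would fall through to that table's default route instead of reaching the LAN. With `DRY_RUN=1` (the default) the script only prints the commands; run it as root with `DRY_RUN=0` to apply them.

```shell
#!/bin/sh
# Added example, not from the LARTC thread: policy routing for two WAN links
# plus DNAT, using CONNMARK so replies leave on the link the connection used.
# Assumed names (from the thread): ppp0/table wanadoo, ppp1/table nerim,
# LAN 192.168.1.0/24 on br0, server 192.168.1.4.  DRY_RUN=1 prints, 0 applies.

DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Per-provider tables: the LAN prefix (/24, never the bare 192.168.1.0, which
# would be a /32 host route) plus a default via that provider's own link.
setup_tables() {
    run ip route add 192.168.1.0/24 dev br0 table wanadoo
    run ip route add default dev ppp0 table wanadoo
    run ip route add 192.168.1.0/24 dev br0 table nerim
    run ip route add default dev ppp1 table nerim
    run ip rule add fwmark 0x1 table wanadoo
    run ip rule add fwmark 0x2 table nerim
}

# mangle/PREROUTING runs before routing: first restore the mark of an already
# classified connection (this covers the server's replies coming in on br0),
# skip the rest if a mark is present, then mark NEW connections by ingress link
# and copy the packet mark into the conntrack entry.
setup_mangle() {
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    run iptables -t mangle -A PREROUTING -i ppp0 -m state --state NEW -j MARK --set-mark 0x1
    run iptables -t mangle -A PREROUTING -i ppp1 -m state --state NEW -j MARK --set-mark 0x2
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
}

# nat: DNAT http and SMTP from either link to the server, masquerade LAN egress.
setup_nat() {
    for dev in ppp0 ppp1; do
        run iptables -t nat -A PREROUTING -i "$dev" -p tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
        run iptables -t nat -A PREROUTING -i "$dev" -p tcp --dport 25 -j DNAT --to-destination 192.168.1.4:25
    done
    run iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
    run iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp1 -j MASQUERADE
}

# check_order: the generated mangle rules must restore the mark as the very
# first PREROUTING rule and must not restore it in POSTROUTING (too late).
# Always evaluated in dry-run mode so the check never touches the live tables.
check_order() {
    rules=$( DRY_RUN=1; setup_mangle )
    first=$(printf '%s\n' "$rules" | head -n 1)
    case "$first" in
        *"-A PREROUTING -j CONNMARK --restore-mark") ;;
        *) return 1 ;;
    esac
    if printf '%s\n' "$rules" | grep -q 'POSTROUTING.*--restore-mark'; then
        return 1
    fi
    return 0
}

# Emit (or apply) the whole configuration.
main() {
    setup_tables
    setup_mangle
    setup_nat
}

main
```

After applying, `ip route list table nerim` should show the `192.168.1.0/24 dev br0` entry, and a tcpdump on ppp1 should show the server's SYN/ACK for a connection that arrived on ppp1 leaving on ppp1 rather than on the main-table default link.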