Hello,

I'm following this HOWTO http://linux-ip.net/html/adv-multi-internet.html to route outgoing SSH from a secondary ISP. I can see using tcpdump, jnettop, iftop that when one of the computers located in my internal network is trying to SSH to a box online using SSH, packets are routed via the secondary internet ethernet card. However, packets don't seem to know how to get back.

My script:

    # default route for everything else stays on the primary uplink
    route add default gw 10.2.2.1
    # routing table 1: default route via the secondary ISP
    ip route add table 1 default via SECONDARYGW
    # mark LAN -> tcp/22 packets so they are looked up in table 1
    iptables -t mangle -A PREROUTING -p tcp --dport 22 -s 192.168.1.0/24 -j MARK --set-mark 1
    # source NAT to the address of whichever uplink the packet leaves on
    iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to MYSECONDARYIP
    iptables -t nat -A POSTROUTING -o $EXT_NIC -s 192.168.1.0/24 -j SNAT --to MYPRIMARYIP
    # send marked packets to table 1
    ip rule add fwmark 1 table 1
    ip route flush cache

Sincerely,
--
devnull@plugthebox.net <devnull@plugthebox.net>
On Do, 2006-07-06 at 09:49 +0300, devnull@plugthebox.net wrote:
> Hello,
> I'm following this HOWTO
> http://linux-ip.net/html/adv-multi-internet.html to route outgoing SSH
> from a secondary ISP. I can see using tcpdump, jnettop, iftop that when
> one of the computers located in my internal network is trying to SSH to
> a box online using SSH, packets are routed via the secondary internet
> ethernet card. However, packets don't seem to know how to get back.

I understand the two uplinks have different ethernet interfaces.
Did you disable rp_filter? Perhaps

    echo 0 > /proc/sys/net/ipv4/conf/(interface for ssh)/rp_filter

would help. You can also use tcpdump on that interface to see if
the return packets arrive at your box, and on the inner interface
to see if they leave it.

Regards,
Torsten
Hello,

That worked. Thanks =)

On Thu, 2006-07-06 at 12:30 +0200, Torsten Luettgert wrote:
> On Do, 2006-07-06 at 09:49 +0300, devnull@plugthebox.net wrote:
> > Hello,
> > I'm following this HOWTO
> > http://linux-ip.net/html/adv-multi-internet.html to route outgoing SSH
> > from a secondary ISP. I can see using tcpdump, jnettop, iftop that when
> > one of the computers located in my internal network is trying to SSH to
> > a box online using SSH, packets are routed via the secondary internet
> > ethernet card. However, packets don't seem to know how to get back.
>
> I understand the two uplinks have different ethernet interfaces.
> Did you disable rp_filter? Perhaps
>
>     echo 0 > /proc/sys/net/ipv4/conf/(interface for ssh)/rp_filter
>
> would help. You can also use tcpdump on that interface to see if
> the return packets arrive at your box, and on the inner interface
> to see if they leave it.
>
> Regards,
> Torsten
>
--
devnull@plugthebox.net <devnull@plugthebox.net>
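The complete setup the thread arrives at (the original script plus the rp_filter step Torsten suggested), written up as an added example that is not from either poster. Interface names, gateways and addresses are assumed placeholders; without RUN=1 the script only prints the commands it would run.

```shell
#!/bin/sh
# Policy-route LAN -> tcp/22 through a second uplink. Constructed example:
# every value below is an assumption, adjust to your own network.
LAN_NET=${LAN_NET:-192.168.1.0/24}
PRI_IF=${PRI_IF:-eth0}; PRI_GW=${PRI_GW:-10.2.2.1};   PRI_IP=${PRI_IP:-10.2.2.2}
SEC_IF=${SEC_IF:-eth1}; SEC_GW=${SEC_GW:-10.3.3.1};   SEC_IP=${SEC_IP:-10.3.3.2}
MARK=1; TABLE=1

# Print the command unless RUN=1, so the plan can be reviewed first.
run() { if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

ssh_via_secondary() {
    # Everything not marked keeps using the primary uplink.
    run ip route replace default via "$PRI_GW" dev "$PRI_IF"
    # Table 1 holds a single default route through the secondary ISP.
    run ip route replace table "$TABLE" default via "$SEC_GW" dev "$SEC_IF"
    # Mark LAN traffic to port 22 before the routing decision is made.
    run iptables -t mangle -A PREROUTING -s "$LAN_NET" -p tcp --dport 22 \
        -j MARK --set-mark "$MARK"
    # Marked packets are looked up in table 1 instead of main.
    run ip rule add fwmark "$MARK" table "$TABLE"
    # NAT each uplink to its own address so the far end replies to the
    # interface the packet actually left on.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$SEC_IF" -j SNAT --to-source "$SEC_IP"
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$PRI_IF" -j SNAT --to-source "$PRI_IP"
    # The missing piece from the thread: replies arrive on the secondary
    # interface, but the main table would route the remote host via the
    # primary one, so strict reverse-path filtering drops them as spoofed.
    # Note: since kernel 2.6.31 the effective value is max(all, interface),
    # so conf/all must be lowered too. Loose mode (2) keeps anti-spoofing
    # for addresses with no route at all, which is preferable to 0.
    run sysctl -w "net.ipv4.conf.$SEC_IF.rp_filter=2"
    run sysctl -w net.ipv4.conf.all.rp_filter=2
    run ip route flush cache
}

if [ "${1:-}" = apply ]; then RUN=1; ssh_via_secondary; fi
```

Verify afterwards with `tcpdump -ni eth1 port 22` on the secondary uplink and the same on the LAN interface, as Torsten describes, to confirm replies both arrive and are forwarded.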