On 1/30/07, Peter Huetmannsberger <huetmann@site38.ping.at> wrote:
>
> Hello,
>
> I came across a problem today, which after trying a number of approaches I
> could not solve, and I am hoping someone out there knows how to deal with
> this.
>
> Situation:
>
> 2 different internet connections on eth2 and eth3
>
> Traffic coming in on eth2 goes out on eth2 and traffic coming in on eth3
> goes out on eth3 (because of rt_tables, and routes, which works fine)
> unless I do a DNAT to a different machine.
>
> i.e.
>
> default route is eth3
>
> traffic comes in eth2 --> DNAT --> eth1
> machine behind eth1 answers correctly, but the resulting packets choose
> the default route (eth3) to go out and not the way they came in.
>
> or in ipaddress description:
>
> default route is 81.223.13.xx1
>
> eth3 = 81.223.13.xx2
> eth2 = 91.112.38.xx8
>
> Packets coming in via 91.112.38.xx8 for port 80 get DNATed to
> 192.168.10.199:80
> on returning from 192.168.10.199 they choose the default route
> 81.223.13.xx2 on their way out.
>
> Without the DNAT the setup works fine, with the DNAT they don't.
>
> I am grateful for any suggestions.
I am very new to this, but last week I had to deal with the same and
I came to a "solution" (but I don't know if there are better ways to
do this).
Bah, actually two solutions: one is
http://linux-ip.net/html/linux-ip.html#adv-multi-internet, which
basically proposes adding another address to the server you want to
DNAT to, so for one public IP DNAT to one internal IP of the server,
and for the other public IP DNAT to the other internal IP of the
server. So, using ip rule (and using "from") you can route answers via
the correct route.
The other (I found) is using conntrack; the rule which makes the trick is:

  iptables -t mangle -A PREROUTING -m conntrack --ctstate DNAT \
      --ctorigdst $ISP2_NET -j MARK --set-mark 10

and then:

  ip rule add prio <prio> fwmark 10 table isp2.table

(put it with lower prio than the main table, or less prio than the table
where packets are routed by default).
So, adding this for the ISP where DNAT is not working should be enough
(where $ISP2_NET is the public IP you are DNATting or the net you are
doing DNAT on (both are OK)), but adding this to both ISPs should work
too.
And almost for "free" with this comes:

  iptables -t mangle -A PREROUTING -m conntrack --ctstate SNAT \
      --ctrepldst $ISP2_NET -j MARK --set-mark 10

which makes SNAT behave as expected with 2 (or more) ISPs.
>
> Thanks
You are welcome, I hope it helps :-). And please tell me if you do
this differently.
>
> .peter
Rodrigo
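The procedure Rodrigo outlines above, put together as one script; this is an added example and not code from the original thread. Interface names, public addresses, gateways, table ids and fwmark values are constructed placeholders (RFC 5737 ranges), and 192.168.10.199 is the web server from Peter's message. It builds a routing table per ISP, adds the "from" rules, installs the port 80 DNAT, and adds the conntrack DNAT/SNAT mark rules plus the fwmark rules that steer marked replies back out the ISP they arrived on. It prints the commands by default so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the thread): two-ISP policy routing with
# conntrack-based fwmarks so replies to DNATed and SNATed connections
# leave through the ISP they came in on.
# Interfaces, addresses, gateways, table ids and marks are constructed
# placeholders; 192.168.10.199 is the DNAT target from the thread.

: "${DRY_RUN=1}"           # default: print commands; run with DRY_RUN= to apply

LAN_IF=eth1
LAN_NET=192.168.10.0/24
WEB_SERVER=192.168.10.199

# ISP1 carries the system default route; ISP2 is the one whose DNAT replies went astray.
ISP1_IF=eth3; ISP1_ADDR=192.0.2.2;    ISP1_GW=192.0.2.1;    ISP1_TABLE=10; ISP1_MARK=10
ISP2_IF=eth2; ISP2_ADDR=198.51.100.8; ISP2_GW=198.51.100.1; ISP2_TABLE=20; ISP2_MARK=20

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One routing table per ISP plus the rules that select it.
# $1 table id  $2 interface  $3 local public address  $4 gateway  $5 fwmark
setup_isp() {
  tbl=$1; ifc=$2; addr=$3; gw=$4; mark=$5
  # The table needs the LAN route as well: an inbound packet to the DNAT
  # target is marked too, and a table holding only a default route would
  # send it straight back out to the ISP instead of to the LAN.
  run ip route replace "$LAN_NET" dev "$LAN_IF" table "$tbl"
  run ip route replace default via "$gw" dev "$ifc" table "$tbl"
  # Un-NATed traffic sourced from this ISP's own address uses its table.
  run ip rule add prio 100 from "$addr" table "$tbl"
  # Replies from the DNAT target still carry the private source address
  # at routing time (the reverse NAT is applied afterwards, in POSTROUTING),
  # so "from" cannot match them. conntrack remembers the original
  # destination, i.e. the public address the client connected to.
  run iptables -t mangle -A PREROUTING -m conntrack --ctstate DNAT \
      --ctorigdst "$addr" -j MARK --set-mark "$mark"
  # Same idea for SNATed connections: the reply destination is the public address.
  run iptables -t mangle -A PREROUTING -m conntrack --ctstate SNAT \
      --ctrepldst "$addr" -j MARK --set-mark "$mark"
  # Marked packets consult this ISP's table before main (prio 32766).
  run ip rule add prio 200 fwmark "$mark" table "$tbl"
}

configure_multi_isp() {
  setup_isp "$ISP1_TABLE" "$ISP1_IF" "$ISP1_ADDR" "$ISP1_GW" "$ISP1_MARK"
  setup_isp "$ISP2_TABLE" "$ISP2_IF" "$ISP2_ADDR" "$ISP2_GW" "$ISP2_MARK"
  # The DNAT from the thread: port 80 on ISP2's public address to the web server.
  run iptables -t nat -A PREROUTING -i "$ISP2_IF" -d "$ISP2_ADDR" -p tcp --dport 80 \
      -j DNAT --to-destination "$WEB_SERVER:80"
  # LAN clients leave with the address of whichever ISP the route selected.
  run iptables -t nat -A POSTROUTING -o "$ISP1_IF" -j SNAT --to-source "$ISP1_ADDR"
  run iptables -t nat -A POSTROUTING -o "$ISP2_IF" -j SNAT --to-source "$ISP2_ADDR"
  run ip route flush cache
}

configure_multi_isp
```

Run it once as-is to review the generated commands, then with `DRY_RUN=` (as root) to apply them; `ip rule show` and `iptables -t mangle -L PREROUTING -v -n` show the rules and their packet counters, which is the quickest way to confirm that replies for the ISP2 DNAT are actually being marked.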