Hi all!

After that good thread "DGD patch not detecting dead gateway" I was able to set up a Load Balancing with ping based DGD (without Julian Anastasov patch). But now I'm facing a new problem and tried some options, with only partial solutions.

I made a script based on http://www.mail-archive.com/lartc@mailman.ds9a.nl/msg16257.html (Thank you Manish Kathuria), without Julian A. patch, and with routes/rules as described in nano.txt. It works fine, but...

The problem: I do DNAT for internet located people to access my LAN machines (VNC, RDP, etc...). It sometimes works, sometimes doesn't work. It appears that the connection from outside can enter, but when reply packets try to get back across the nat machine, it falls into the round robin default route selection to define its gateway. Well, of course, this reply must leave the router via the same interface the initial packets entered.

      vnc initial
    request packet        reply that got
          \               wrong route
           \                 ^
            \               /
             V             /
           isp1   isp2   isp3
           _|______|______|__
          |                  |
          |       dnat       |
          |__________________|
                   ^
                   |
                   |
                   V
          LAN station, the
          vnc server

What I need is a way to force packets to leave the router via the same interface its request entered through.
I'd like to hear opinions about the problem (and also solution =).
Remember, I can't apply the DGD patch from J.A. because it only checks the first hop for dead detection.
I will appreciate any help.

Thank you,

Tom Lobato
On 3/2/07, Tom Lobato <tomlobato@gmail.com> wrote:
> What I need is a way to force packets to leave the router via the same
> interface its request entered through.
> I'd like to hear opinions about the problem (and also solution =).
> Remember, I can't apply the DGD patch from J.A. because it only checks
> the first hop for dead detection.

I had overlooked this. I had also faced a similar problem. There are two possible solutions. One is to apply Julian's patches because even though you are not using the patches for DGD, they do help in making NAT processing with multiple gateways work properly.

The other option is to mark the packets using CONNTRACK. There was a good discussion on this topic some days back. You can check the thread using the following links to the archives:

http://mailman.ds9a.nl/pipermail/lartc/2007q1/020354.html
http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html

--
Manish Kathuria
Tux Technologies
http://www.tuxtechnologies.co.in/
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
ArcosCom Linux User
2007-Mar-02 08:43 UTC
Re: DNAT and Load Balancing [attached compressed file]
In the file "comandos.log" you can see how I implement the "load balancing".

The explanation is:
1) Add more filters to routing decisions that, depending on the fwmark value of packets, use one or another link to send the packet.
2) In PREROUTING mark the connection to know the "incoming" iface and keep that in the conntrack table.
3) In POSTROUTING the same, to allow outgoing packets to select the same interface.

In my configuration wan0 is a bridge (without STP) that links all the WAN interfaces and I make aliases for all, that is why you can see the "physdev" match used, but if you don't use a bridge, you can replace the wan0 and bridge selection by only your wan ifaces.

With this configuration, I expect these:
1) Allow UPnP to work fine (appears to be working for now).
2) Allow the correct incoming DNAT to work fine.
3) Allow the correct outgoing connections to be tracked fine.
4) Allow only 1 iptables rule if I need DNAT to one machine from any wan iface (very useful for p2p programs).

You can see, too, that I use masks with marks, that is because I use other marks to allow traffic control (with other marks).

I'm testing this configuration for two days now, and it appears to be working fine.

Last note: This file is not my real script, my real script parses one config file where I define all my wan ifaces, my real script generates these files to allow me to debug the command execution results, order, output, etc...

Regards

On Fri, 2 March 2007, 2:52, Manish Kathuria wrote:
> The other option is to mark the packets using CONNTRACK. There was a good
> discussion on this topic some days back.
Hi! Thank you!
The mail arrived to me without the attached file. Can you send it again, please?

Tom Lobato

ArcosCom Linux User wrote:
> Last note: This file is not my real script, my real script parses one
> config file where I define all my wan ifaces, my real script generates
> these files to allow me to debug the command execution results, order, output,
> etc...

Fine. I'm using something like this (set of conf/scripts files). Mainly to get dynamic IPs (dhcp, pppoe) and set all routes/rules. Soon I'll make my script set available, so we could learn from each other.

Tom Lobato
ArcosCom Linux User
2007-Mar-02 11:45 UTC
Re: DNAT and Load Balancing [attached compressed file]
Sorry, it appears that the list manager cut off the attached file. Here are the commands:

===BEGIN==
/sbin/ip rule del prio 50 table main
/sbin/ip rule del prio 100 fwmark 0x8000/0xf000 table 150
/sbin/ip rule del prio 150 from a1.b1.c1.d1/26 table 150
/sbin/ip rule del prio 101 fwmark 0x4000/0xf000 table 151
/sbin/ip rule del prio 151 from a2.b2.c2.d2/24 table 151
/sbin/ip rule del prio 200 table 200
/sbin/ip route flush table 150
/sbin/ip route flush table 151
/sbin/ip route flush table 200
/sbin/iptables -t mangle -D PREROUTING -j MARCAR_IFACE
/sbin/iptables -t mangle -F MARCAR_IFACE
/sbin/iptables -t mangle -X MARCAR_IFACE
/sbin/iptables -t mangle -F MARCAR_IFACE_TRAFICO
/sbin/iptables -t mangle -X MARCAR_IFACE_TRAFICO
/sbin/iptables -t mangle -D POSTROUTING -j MARCAR_IFACE_OUT
/sbin/iptables -t mangle -F MARCAR_IFACE_OUT
/sbin/iptables -t mangle -X MARCAR_IFACE_OUT
/sbin/iptables -t mangle -N MARCAR_IFACE
/sbin/iptables -t mangle -N MARCAR_IFACE_TRAFICO
/sbin/iptables -t mangle -A MARCAR_IFACE -j CONNMARK --restore-mark
/sbin/iptables -t mangle -A MARCAR_IFACE -m mark ! --mark 0x0000/0xf000 -j RETURN
/sbin/iptables -t mangle -A MARCAR_IFACE -m mark --mark 0x0000/0xf000 -j MARCAR_IFACE_TRAFICO
/sbin/iptables -t mangle -N MARCAR_IFACE_OUT
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -j CONNMARK --restore-mark
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark ! --mark 0x0000/0xf000 -j RETURN
/sbin/iptables -t mangle -A MARCAR_IFACE -m mark --mark 0x0000/0xf000 -i wan0 -m physdev --physdev-in eth1 -m state --state NEW -j MARK --or-mark 0x8000
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -m physdev --physdev-out eth1 -m state --state NEW -j MARK --or-mark 0x8000
/sbin/iptables -t mangle -A MARCAR_IFACE -m mark --mark 0x0000/0xf000 -i wan0 -m physdev --physdev-in eth3 -m state --state NEW -j MARK --or-mark 0x4000
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -m mark --mark 0x0000/0xf000 -o wan0 -m physdev --physdev-out eth3 -m state --state NEW -j MARK --or-mark 0x4000
/sbin/iptables -t mangle -A MARCAR_IFACE -j CONNMARK --save-mark
/sbin/iptables -t mangle -A MARCAR_IFACE -j RETURN
/sbin/iptables -t mangle -I PREROUTING -j MARCAR_IFACE
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -j CONNMARK --save-mark
/sbin/iptables -t mangle -A MARCAR_IFACE_OUT -j RETURN
/sbin/iptables -t mangle -I POSTROUTING -j MARCAR_IFACE_OUT
/sbin/ip rule add prio 50 table main
/sbin/ip rule add prio 100 fwmark 0x8000/0xf000 table 150
/sbin/ip rule add prio 150 from a1.b1.c1.d1/26 table 150
/sbin/ip route add default via ga1.gb1.gc1.gd1 dev wan0 src a1.b1.c1.d1 proto static table 150
/sbin/ip route append prohibit default table 150 metric 1 proto static
/sbin/ip rule add prio 101 fwmark 0x4000/0xf000 table 151
/sbin/ip rule add prio 151 from a2.b2.c2.d2/24 table 151
/sbin/ip route add default via ga2.gb2.gc2.gd2 dev wan0 src a2.b2.c2.d2 proto static table 151
/sbin/ip route append prohibit default table 151 metric 1 proto static
/sbin/ip rule add prio 200 table 200
/sbin/ip route add default table 200 proto static nexthop via ga1.gb1.gc1.gd1 dev wan0 weight 1 nexthop via ga2.gb2.gc2.gd2 dev wan0 weight 1
/sbin/ip route flush cache
===END==

Regards

On Fri, 2 March 2007, 9:43, ArcosCom Linux User wrote:
> In the file "comandos.log" you can see how I implement the "load
> balancing".
On Fri, Mar 02, 2007 at 07:22:13AM +0530, Manish Kathuria wrote:
> I had overlooked this. I had also faced a similar problem. There are
> two possible solutions, one is to apply Julian's patches because even

This sounds exactly like my problem, until I applied Julian's patch. I would suggest giving it a try.

> though you are not using the patches for DGD, they do help in making
> NAT processing with multiple gateways work properly. The other option
> is to mark the packets using CONNTRACK.
I solved this exact problem (with incoming connections on three different adsl) marking packets on the PREROUTING chain. Obviously with three different routing tables.

# incoming connections for DNAT to DMZ need to be marked here in PREROUTING
iptables -t mangle -N mymark
iptables -t mangle -F mymark
# first of all RETURN for "local" interfaces
iptables -t mangle -A mymark -i $E0_IF -j RETURN
iptables -t mangle -A mymark -i $DMZ_IF -j RETURN
iptables -t mangle -A mymark -i $VPN_IF -j RETURN
# then mark and save incoming connections from the external universe
iptables -t mangle -A mymark -i $IN_IF -j MARK --set-mark $IN_M
iptables -t mangle -A mymark -i $MC_IF -j MARK --set-mark $MC_M
iptables -t mangle -A mymark -i $TI_IF -j MARK --set-mark $TI_M
iptables -t mangle -A mymark -j CONNMARK --save-mark

#restore mark before ROUTING decision
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

# non marked incoming connections need to be marked (DNAT to DMZ only)
iptables -t mangle -A PREROUTING -m mark --mark 0 -j mymark

On 3/2/07, Alex Samad <alex@samad.com.au> wrote:
> This sounds exactly like my problem, until I applied Julian's patch, I would
> suggest giving it a try
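A generator for the scheme both ArcosCom's MARCAR_IFACE/per-WAN-table commands and francesco's mymark chain build by hand, written here as an added example rather than anyone's script from the thread. It assumes plain WAN interfaces instead of the wan0 bridge (so no physdev match), and the interface names, gateways and addresses are constructed placeholders:

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the rule set that the two
# posts above build by hand, for any number of WAN interfaces: mark a NEW
# connection with the WAN it arrived on (PREROUTING) or left through
# (POSTROUTING), save the mark in conntrack, restore it before routing, and
# send each mark to its own table, so the reply to a DNATed flow goes back out
# the interface the request came in on. Assumes plain WAN interfaces (no wan0
# bridge, hence no physdev match). Prints the commands; review, then pipe to sh.

# Constructed sample WAN list: "iface gateway local_addr/prefix" per line.
# Addresses are RFC 5737 documentation ranges standing in for real ISPs.
WANS='
eth1 203.0.113.1 203.0.113.10/24
eth3 198.51.100.1 198.51.100.20/24
'
MARK_MASK=0xf000   # top nibble = ingress WAN; the rest stays free for QoS marks

# Mark and table for the Nth WAN (1-based): 0x1000/table 150, 0x2000/151, ...
wan_mark()  { printf '0x%x' $(( $1 * 0x1000 )); }
wan_table() { echo $(( 149 + $1 )); }

# Netfilter side: one chain for incoming (-i) and one for outgoing (-o) flows.
# $1 = chain name, $2 = PREROUTING|POSTROUTING, $3 = -i|-o
gen_mark_chain() {
    echo "iptables -t mangle -N $1"
    echo "iptables -t mangle -A $1 -j CONNMARK --restore-mark"
    # Flow already carries a WAN mark: nothing to decide, keep it.
    echo "iptables -t mangle -A $1 -m mark ! --mark 0x0/$MARK_MASK -j RETURN"
    echo "$WANS" | { i=0; while read -r ifc gw addr; do
        [ -n "$ifc" ] || continue
        i=$((i + 1))
        # Only the first packet of a connection chooses the WAN (the posts use -m state).
        echo "iptables -t mangle -A $1 $3 $ifc -m conntrack --ctstate NEW -j MARK --or-mark $(wan_mark "$i")"
    done; }
    echo "iptables -t mangle -A $1 -j CONNMARK --save-mark"
    echo "iptables -t mangle -I $2 -j $1"
}

gen_mangle() {
    gen_mark_chain MARK_WAN_IN  PREROUTING  -i
    gen_mark_chain MARK_WAN_OUT POSTROUTING -o
}

# Routing side: main table first (LAN, local nets), then one table per WAN
# selected by fwmark or by source address, then a weighted multipath default
# for still-unmarked traffic. The prohibit route keeps a WAN's table from
# falling through to another link if its default route is withdrawn.
gen_routing() {
    echo "ip rule add prio 50 table main"
    echo "$WANS" | { i=0; nh=""; while read -r ifc gw addr; do
        [ -n "$ifc" ] || continue
        i=$((i + 1)); m=$(wan_mark "$i"); t=$(wan_table "$i")
        echo "ip rule add prio $((100 + i)) fwmark $m/$MARK_MASK table $t"
        echo "ip rule add prio $((150 + i)) from ${addr%/*} table $t"
        echo "ip route add default via $gw dev $ifc src ${addr%/*} proto static table $t"
        echo "ip route append prohibit default table $t metric 1 proto static"
        nh="$nh nexthop via $gw dev $ifc weight 1"
    done
    echo "ip rule add prio 200 table 200"
    echo "ip route add default table 200 proto static$nh"
    echo "ip route flush cache"; }
}

# Whole rule set, in apply order.
gen_all() { gen_mangle; gen_routing; }

case "${1:-}" in --print) gen_all ;; esac
```

Once applied, `conntrack -L` (conntrack-tools) shows the saved mark on each tracked flow, which is the quickest way to confirm that a DNATed connection was tagged with the WAN it arrived on.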
On Fri, Mar 02, 2007 at 07:34:34PM +0100, francesco messineo wrote:
> I solved this exact problem (with incoming connections on three
> different adsl) marking packets on the PREROUTING chain. Obviously with
> three different routing tables.

Hi, I know there was a thread on this method earlier, but has somebody put up a howto, or a wiki page on it?

alex
Thank you all! Solved.

I used the Julian A. patch. I had already applied/used it, but with new scripts I changed the kernel. So I only rebooted with this patched kernel again and all works fine.

For now it's good, but I liked the CONNMARK way to do the things that you told me. Likely in the future I'll abandon the patch and only use iptables and scripts for the job.

Thank you for all suggestions. Even with things working, I will test all ideas/scripts. I think it would be fine to publish a repository with such scripts, mini-howtos and solutions, or of course, add it all to the LARTC howto. If it already exists please tell me, else, let's begin!?

Tom Lobato