Hi all,

I've a routing problem. I'm setting up a router based on Debian (kernel 2.4).

I need to set up routing to export an FTP service (the FTP server is in the DMZ) to 2 WANs (both).

I set up prerouting and forward rules with no problem.

The problem is that reply packets use the default gateway (default WAN) even though they entered using the other WAN.

I solved it by marking packets in input from the DMZ iface and forcing them to use another gateway (iproute2), but in this way I don't export the FTP service on the default WAN.

How can I set up routing to export the FTP service on both ifaces?

Thanks in advance,
Fabio

-- 
Dott. Fabio Marcone
2T srl
Telephone +39 - 0871- 540154
Fax +39 - 0871- 571594
Email fabio.marcone(AT)duet.it
Address Viale B. Croce 573 66013 Chieti Scalo (CH)
GNU/Linux registered user #400424
Fabio Marcone wrote:
> Hi all,
> I've a routing problem. I'm setting up a router based on debian (kernel
> 2.4).
>
> I need to setup routing to export an ftp service (ftp server is in dmz)
> to 2 wan (both).
>
> I setup prerouting ad forward rule with no problem.
>
> The problem is that reply packet use default gateway (default wan) even
> though they are enter using the other wan.
>
> I solved it marking packets in input from the dmz iface and force to use
> another gateway (iproute2), but in this way I don't export ftp service
> on default wan.
>
> how I can setup routing to export ftp service on both iface?
>
> Thanks in advance,
> Fabio

One way to do this:

1. Assign 2 private domain IP addresses to the ftp server and listen to both for ftp: IP1 and IP2.
2. Map one IP each for a WAN address: WAN1>>IP1 and WAN2>>IP2.
3. On the Linux machine, set policy routing based on the src IP of the reply packet, i.e. src IP1 goes thro' WAN1 and src IP2 goes thro' WAN2.

Mohan
How about conn-marking the (NEW state) packets in POSTROUTING?

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Mohan Sundaram
Sent: Friday, October 19, 2007 10:19 AM
To: LARTC
Subject: Re: [LARTC] exporting service on multiple wan
Salim S I wrote:
> How about conn-marking the (NEW state) packets in POSTROUTING?

Would probably need to use conntrack ESTABLISHED,DNAT and the ROUTE directive for packets coming from the LAN to make sure the packet goes out from the same interface it came in on.

Mohan
Sorry, I forgot for a moment it was DMZ.

In mangle PREROUTING:

    -j CONNMARK --restore-mark
    -m mark --mark 0x0 -i WAN1 -j CONNMARK --set-mark 0x1
    -m mark --mark 0x0 -i WAN2 -j CONNMARK --set-mark 0x2

Two routing tables, one for each mark.

-----Original Message-----
From: lartc-bounces@mailman.ds9a.nl [mailto:lartc-bounces@mailman.ds9a.nl] On Behalf Of Mohan Sundaram
Sent: Friday, October 19, 2007 12:09 PM
To: 'LARTC'
Subject: Re: [LARTC] exporting service on multiple wan
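Both answers in this thread (Mohan's source-address policy routing with one DMZ address per WAN, and Salim's CONNMARK rules with one routing table per mark) come down to a handful of iptables and iproute2 commands. The script below is an added example written for this page, not something posted by Fabio, Mohan or Salim; it prints the commands for either variant so they can be inspected before anything is applied, and executes them only when APPLY=1. The interface names (eth0/eth1/eth2), the gateway and DMZ addresses, the table numbers 101/102 and the rule preferences are all constructed assumptions that must be replaced with the real values; Fabio's existing FORWARD rules are assumed to be in place and are not repeated here.

```shell
#!/bin/sh
# Added example (not from the LARTC thread). Emits the iptables/iproute2
# commands for the two approaches discussed:
#   VARIANT=source   -> Mohan: two DMZ addresses, replies routed by source IP
#   VARIANT=connmark -> Salim: one DMZ address, replies routed by conntrack mark
# All names and addresses below are constructed assumptions. Commands are
# printed unless APPLY=1, so the default run is a harmless dry run.

APPLY=${APPLY:-0}
DMZ=${DMZ:-eth0}
WAN1=${WAN1:-eth1}; WAN1_GW=${WAN1_GW:-203.0.113.1}; WAN1_IP=${WAN1_IP:-203.0.113.10}
WAN2=${WAN2:-eth2}; WAN2_GW=${WAN2_GW:-198.51.100.1}; WAN2_IP=${WAN2_IP:-198.51.100.10}
FTP_IP1=${FTP_IP1:-10.0.0.10}   # DMZ address of the FTP server (both variants)
FTP_IP2=${FTP_IP2:-10.0.0.11}   # second DMZ address, Mohan's variant only

# Print the command in dry-run mode, execute it when APPLY=1.
run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Shared by both variants: one routing table per WAN, each with its own
# default gateway. The main table keeps the normal default route.
wan_tables() {
    run ip route add default via "$WAN1_GW" dev "$WAN1" table 101
    run ip route add default via "$WAN2_GW" dev "$WAN2" table 102
}

# Variant 1 (Mohan): each WAN address is DNATed to its own DMZ address, so a
# reply's source address already tells the router which WAN it belongs to.
source_based_rules() {
    run iptables -t nat -A PREROUTING -i "$WAN1" -d "$WAN1_IP" -p tcp --dport 21 -j DNAT --to-destination "$FTP_IP1"
    run iptables -t nat -A PREROUTING -i "$WAN2" -d "$WAN2_IP" -p tcp --dport 21 -j DNAT --to-destination "$FTP_IP2"
    run ip rule add from "$FTP_IP1" table 101 pref 100
    run ip rule add from "$FTP_IP2" table 102 pref 101
}

# Variant 2 (Salim): the WAN a connection arrived on is stored in the
# conntrack entry; --restore-mark copies it onto every later packet of that
# connection, including the server's replies entering from the DMZ, and the
# fwmark rules send those replies out through the matching gateway.
connmark_rules() {
    run iptables -t nat -A PREROUTING -i "$WAN1" -p tcp --dport 21 -j DNAT --to-destination "$FTP_IP1"
    run iptables -t nat -A PREROUTING -i "$WAN2" -p tcp --dport 21 -j DNAT --to-destination "$FTP_IP1"
    # Restore first; only packets that still carry mark 0 are new connections.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark --mark 0x0 -i "$WAN1" -j CONNMARK --set-mark 0x1
    run iptables -t mangle -A PREROUTING -m mark --mark 0x0 -i "$WAN2" -j CONNMARK --set-mark 0x2
    run ip rule add fwmark 0x1 table 101 pref 100
    run ip rule add fwmark 0x2 table 102 pref 101
}

# Activate exactly one variant.
VARIANT=${VARIANT:-connmark}
wan_tables
case "$VARIANT" in
    source)   source_based_rules ;;
    connmark) connmark_rules ;;
    *)        echo "unknown VARIANT=$VARIANT" >&2 ;;
esac
```

Run it once as `VARIANT=source sh export-ftp.sh` or `VARIANT=connmark sh export-ftp.sh` to see the rule set, then with APPLY=1 on the router. The pref values keep both rules ahead of the main table, and the `--mark 0x0` matches are what make the rules safe to leave in place: an already-marked packet never gets re-marked, so a connection keeps the WAN it started on for its whole lifetime. In the CONNMARK variant the order matters; if --restore-mark runs after the --set-mark rules, reply packets from the DMZ are never marked and fall through to the default gateway, which is exactly the symptom Fabio described. Because active-mode FTP opens the data connection from the server side, the FTP conntrack and NAT helpers (ip_conntrack_ftp and ip_nat_ftp on a 2.4 kernel) need to be loaded so the data channel is tracked as part of the control connection; the first thing to check when only directory listings fail is whether those modules are present.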