[LARTC] 2 DSL link, DNAT & SNAT

marba marba@iol.it
Thu, 30 Sep 2004 15:59:17 +0200


I can suggest you two different addresses on SRV_XP: external1 > DNAT to internal1 & external2 > DNAT to internal2, and 2 ip rules.
Tell me how this goes, as I am involved in a similar project right now.


----- Original Message -----
From: "Sandro Dentella" <sandro@e-den.it>
To: "lartc" <lartc@mailman.ds9a.nl>
Sent: Thursday, September 30, 2004 11:54 AM
Subject: [LARTC] 2 DSL link, DNAT & SNAT


> Sorry for the long description of the problem, I'd like to know if I
> misunderstand something or if I meet an intrinsic limit of my setup.
>
>
> 217.58.51.162  HDSL eth1 -            SRV_XP: 192.168.254.10
>                     eth0: 192.168.254.1 -----+------------------+-------
> 81.121.243.250 ADSL eth3 -
>
>
>   I want to allow incoming pptp requests (port 1723) to be forwarded to
>   srv_xp (.10) coming both from ADSL & HDSL. From HDSL everything works
>   (note rule with prio 38); ADSL does not. From ADSL I can reach SRV_XP only
>   if I eliminate rule 38, but at that moment I cannot enter from HDSL...
>
>
>   My setup
>
>      + ip tables hdsl & adsl for the 2 dsl lines,
>   0:      from all lookup local
>   30:     from all fwmark        3 lookup hdsl
>   38:     from 192.168.254.10 lookup hdsl   <<== NOTE this
>   40:     from 217.58.51.160/27 lookup hdsl
>   41:     from 81.121.243.248/30 lookup adsl
>   52:     from all iif eth0 lookup adsl
>   53:     from all iif eth2 lookup adsl
>   32766:  from all lookup main
>   32767:  from all lookup default
>      + hdsl table has default gw to HDSL line
>      + adsl table has default gw to ADSL line
>
>      + DNAT & SNAT occurring from both dsl lines
>
>    Chain PREROUTING
>    DNAT tcp  0.0.0.0/0  81.121.243.250   tcp dpt:1723 to:192.168.254.10
>    DNAT tcp  0.0.0.0/0  217.58.51.162    tcp dpt:1723 to:192.168.254.10
>
>    Chain POSTROUTING
>    SNAT all  --  *      eth1    0.0.0.0/0    0.0.0.0/0    to:217.58.51.162
>    SNAT all  --  *      eth3    0.0.0.0/0    0.0.0.0/0    to:81.121.243.250
>    SNAT tcp  --  *      eth0    0.0.0.0/0 192.168.254.10  tcp dpt:1723 to:192.168.254.1
>    [mangling occurs only on ports 3085, 5405, 5421 so that rule 30 (fwmark)
>    does nothing here. ]
>
>
>
>    I guess the problem is the routing table of the packet coming back from
>    SRV_XP: the ack packet takes a routing table different from the 1st
>    incoming packet.
>
>    I added SNAT thinking to avoid asymmetric routing (in via adsl, out
>    via hdsl), but I'm not sure it works this way. What happens to an ACK
>    packet? Does the kernel use the routing table it arrived with, or
>    recompute it after it realizes it is RELATED to a connection already open?
>    Is this a question for this list or for the netfilter list? ;-)
>
>
>    Thanks for any hint for a clean solution.
>
>    sandro
>    *:-)
>
>
> --
> Sandro Dentella  *:-)
> e-mail: sandro@e-den.it
> http://www.tksql.org                    TkSQL Home page - My GPL work
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
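As an added example (not code from either poster), this POSIX shell script applies marba's suggestion to the addresses in Sandro's setup: a second internal address on SRV_XP, one DNAT per public IP, and one ip rule per internal address so each reply leaves through the link it arrived on. The second address 192.168.254.11, the table names hdsl/adsl and the DRY_RUN wrapper are assumptions.

```shell
#!/bin/sh
# Added example: two public IPs -> two internal IPs on SRV_XP, plus one
# source-based ip rule per internal IP (replaces the single prio-38 rule).
set -eu

HDSL_IF=eth1; HDSL_IP=217.58.51.162
ADSL_IF=eth3; ADSL_IP=81.121.243.250
SRVXP_HDSL=192.168.254.10   # existing address on SRV_XP, answered via HDSL
SRVXP_ADSL=192.168.254.11   # assumed second address on SRV_XP (constructed)
PPTP_PORT=1723

# Every command goes through run(), so DRY_RUN=1 prints the exact rules that
# would be applied instead of touching the live gateway.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

setup_dual_dnat() {
    # Forward only the pptp port, and only for the public IP of each link.
    run iptables -t nat -A PREROUTING -d "$HDSL_IP" -p tcp --dport "$PPTP_PORT" \
        -j DNAT --to-destination "$SRVXP_HDSL"
    run iptables -t nat -A PREROUTING -d "$ADSL_IP" -p tcp --dport "$PPTP_PORT" \
        -j DNAT --to-destination "$SRVXP_ADSL"
    # Outbound SNAT per link, as in the original POSTROUTING chain.
    run iptables -t nat -A POSTROUTING -o "$HDSL_IF" -j SNAT --to-source "$HDSL_IP"
    run iptables -t nat -A POSTROUTING -o "$ADSL_IF" -j SNAT --to-source "$ADSL_IP"
    # Replies from each internal address use the routing table of its own link,
    # so a connection DNATed in via ADSL is not answered out via HDSL.
    run ip rule add prio 38 from "$SRVXP_HDSL" lookup hdsl
    run ip rule add prio 39 from "$SRVXP_ADSL" lookup adsl
}

# Number of rules the script would apply (dry-run), for a quick sanity check.
count_rules() { ( DRY_RUN=1; setup_dual_dnat ) | wc -l | tr -d ' '; }

# Usage: "sh dual_dnat.sh show" prints the rules, "sh dual_dnat.sh apply" runs them.
case "${1:-}" in
    show)  DRY_RUN=1; setup_dual_dnat ;;
    apply) setup_dual_dnat ;;
esac
```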