[LARTC] 2 WAN links and DNAT
Benoit DELAGARDE
benoit at season-of-mist.com
Fri Nov 25 13:32:44 CET 2005
Hi
Here is a short description of my network:
   ppp0 (adsl)          ppp1 (adsl)
        |                     |
        |                     |
   -----------------------------
   |         Router           |
   |        Firewall          |
   |       MASQUERADE         |
   |          DNAT            |
   |                          |
   |          eth0            |
   -----------------------------
                 |
                 |
                 |
        -----------------------
        |                     |
     Local              Web and Mail
    Network                Server
I forward all incoming connections for HTTP and SMTP to my server by using a
DNAT translation.
But I encounter a problem: all answers are routed to my default gateway
(ppp0).
If the connections come from ppp0 there is no problem, but if the connections
come from ppp1, the client never gets an answer.
I have deactivated rp_filtering, but it seems that one of my providers uses
this feature, and of course, this should be the default gateway!
So I'm looking for a way to route the packets to the right interface.
Google gave me some solutions but none of them work.
Here are my iptables rules:
# Generated by iptables-save v1.2.11 on Fri Nov 25 12:21:59 2005
*filter
:INPUT DROP [2:184]
:FORWARD DROP [0:0]
:OUTPUT DROP [3:188]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j LOG
-A INPUT -s 127.0.0.0/255.0.0.0 -i ! lo -j DROP
-A INPUT -d 255.255.255.255 -i br0 -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -i br0 -j ACCEPT
-A INPUT -d 224.0.0.0/240.0.0.0 -i br0 -p ! tcp -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -i ppp1 -j LOG
-A INPUT -s 192.168.1.0/255.255.255.0 -i ppp1 -j DROP
-A INPUT -s 192.168.1.0/255.255.255.0 -i ppp0 -j LOG
-A INPUT -s 192.168.1.0/255.255.255.0 -i ppp0 -j DROP
-A INPUT -d 255.255.255.255 -i ppp1 -j ACCEPT
-A INPUT -d 255.255.255.255 -i ppp0 -j ACCEPT
-A INPUT -d 213.41.177.180 -i ppp1 -j ACCEPT
-A INPUT -d 193.253.54.64 -i ppp0 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A FORWARD -o ppp0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:1536 -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -d 192.168.1.100 -i ppp1 -p tcp -m tcp --dport 4662 -j ACCEPT
-A FORWARD -d 192.168.1.100 -i ppp0 -p tcp -m tcp --dport 4662 -j ACCEPT
-A FORWARD -d 192.168.1.100 -i ppp1 -p udp -m udp --dport 4672 -j ACCEPT
-A FORWARD -d 192.168.1.100 -i ppp0 -p udp -m udp --dport 4672 -j ACCEPT
-A FORWARD -d 192.168.1.100 -i ppp1 -p tcp -m tcp --dport 5500 -j ACCEPT
-A FORWARD -d 192.168.1.100 -i ppp0 -p tcp -m tcp --dport 5500 -j ACCEPT
-A FORWARD -d 192.168.1.5 -i ppp1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.1.5 -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.1.4 -i ppp1 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.1.4 -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.1.4 -i ppp1 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.1.4 -i ppp0 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 192.168.1.4 -i ppp1 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -d 192.168.1.4 -i ppp0 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -i br0 -o ppp1 -j ACCEPT
-A FORWARD -s 192.168.1.0/255.255.255.0 -i br0 -o ppp0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp1 -j LOG
-A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp1 -j DROP
-A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp0 -j LOG
-A FORWARD -d 192.168.1.0/255.255.255.0 -o ppp0 -j DROP
-A FORWARD -j LOG
-A FORWARD -j DROP
-A OUTPUT -p icmp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 255.255.255.255 -o br0 -j ACCEPT
-A OUTPUT -d 192.168.1.0/255.255.255.0 -o br0 -j ACCEPT
-A OUTPUT -d 224.0.0.0/240.0.0.0 -o br0 -p ! tcp -j ACCEPT
-A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp1 -j LOG
-A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp1 -j DROP
-A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp0 -j LOG
-A OUTPUT -d 192.168.1.0/255.255.255.0 -o ppp0 -j DROP
-A OUTPUT -d 255.255.255.255 -o ppp1 -j ACCEPT
-A OUTPUT -d 255.255.255.255 -o ppp0 -j ACCEPT
-A OUTPUT -s ipofppp1 -o ppp1 -j ACCEPT
-A OUTPUT -s ipofppp0 -o ppp0 -j ACCEPT
-A OUTPUT -j LOG
-A OUTPUT -j DROP
COMMIT
# Completed on Fri Nov 25 12:21:59 2005
# Generated by iptables-save v1.2.11 on Fri Nov 25 12:21:59 2005
*mangle
:PREROUTING ACCEPT [13497:7096745]
:INPUT ACCEPT [119515:10818662]
:FORWARD ACCEPT [2263653:1380696494]
:OUTPUT ACCEPT [3681:323141]
:POSTROUTING ACCEPT [2445397:1397479483]
-A PREROUTING -i ppp0 -m state --state NEW -j MARK --set-mark 0x1
-A PREROUTING -i ppp1 -m state --state NEW -j MARK --set-mark 0x2
-A PREROUTING -j CONNMARK --save-mark
-A POSTROUTING -j CONNMARK --restore-mark
COMMIT
# Completed on Fri Nov 25 12:21:59 2005
# Generated by iptables-save v1.2.11 on Fri Nov 25 12:21:59 2005
*nat
:PREROUTING ACCEPT [169:12721]
:POSTROUTING ACCEPT [339:27714]
:OUTPUT ACCEPT [279:22659]
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 192.168.1.100:4662
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 192.168.1.100:4662
-A PREROUTING -i ppp1 -p udp -m udp --dport 4672 -j DNAT --to-destination 192.168.1.100:4672
-A PREROUTING -i ppp0 -p udp -m udp --dport 4672 -j DNAT --to-destination 192.168.1.100:4672
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 5500 -j DNAT --to-destination 192.168.1.100:5500
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 5500 -j DNAT --to-destination 192.168.1.100:5500
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 666 -j DNAT --to-destination 192.168.1.5:22
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 666 -j DNAT --to-destination 192.168.1.5:22
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 667 -j DNAT --to-destination 192.168.1.4:22
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 667 -j DNAT --to-destination 192.168.1.4:22
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.4:80
-A PREROUTING -i ppp1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.4:25
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.4:25
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp1 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o ppp0 -j MASQUERADE
COMMIT
# Completed on Fri Nov 25 12:21:59 2005
And for my routing tables:
~> ip rule
0: from all lookup local
32764: from all fwmark 0x2 lookup nerim
32765: from all fwmark 0x1 lookup wanadoo
32766: from all lookup main
32767: from all lookup default
~> ip route list
80.10.246.1 dev ppp0 scope link
80.10.246.132 dev ppp0 scope link
62.4.16.245 dev ppp1 proto kernel scope link src 213.41.177.180
64.4.17.69 dev ppp1 scope link
64.4.16.70 dev ppp1 scope link
193.253.160.3 dev ppp0 proto kernel scope link src 193.253.54.64
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
default dev ppp1 scope link
~> ip route list table nerim
192.168.1.0 dev br0 scope link
default dev ppp1 scope link
~> ip route list table wanadoo
192.168.1.0 dev br0 scope link
default dev ppp0 scope link
I believe this should work, but it does not.
tcpdump gives me something like this:
12:35:04.073949 IP 82.227.29.100.32983 > 213.41.177.180.80: tcp 0
12:35:04.074092 IP 82.227.29.100.32983 > 192.168.1.4.80: tcp 0
12:35:07.072874 IP 82.227.29.100.32983 > 213.41.177.180.80: tcp 0
12:35:07.072997 IP 82.227.29.100.32983 > 192.168.1.4.80: tcp 0
Which means that my packets are sent to the right server, but I never get an
answer.
Everything works when I delete the rules below:
32764: from all fwmark 0x2 lookup nerim
32765: from all fwmark 0x1 lookup wanadoo
My questions are:
- Did I make a mistake somewhere, or did I misunderstand
something (CERTAINLY)? Where?
- What can I do to solve this problem?
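An added example, not part of the original post, showing one common way to arrange the mangle and policy-routing rules so that replies to DNATed connections leave on the link they arrived on: the connection mark is restored in PREROUTING, where the routing decision can still see it, and saved only for NEW connections, so a reply entering from br0 with packet mark 0 cannot overwrite it. The per-ISP tables carry the LAN as a /24 network route (the tables quoted above list 192.168.1.0 without a prefix length, which ip treats as a single host). Interface names, marks and table names are taken from the post; with IPT and IP unset the script only prints the commands it would run.

```sh
#!/bin/sh
# Added example, not from the original post: mangle/CONNMARK ordering and
# per-ISP routing tables for a router with two WAN links and DNAT.
# With IPT/IP unset the commands are only printed (dry run).
IPT="${IPT:-echo iptables}"
IP="${IP:-echo ip}"

mangle_rules() {
    $IPT -t mangle -F PREROUTING
    $IPT -t mangle -F OUTPUT
    # 1. Restore the mark saved on the connection first, in PREROUTING,
    #    so the routing decision that follows can use it.
    $IPT -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 2. Packets already carrying a mark (replies, later packets) are done.
    $IPT -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    # 3. New connections arriving on a WAN link get that link's mark ...
    $IPT -t mangle -A PREROUTING -i ppp0 -m state --state NEW -j MARK --set-mark 0x1
    $IPT -t mangle -A PREROUTING -i ppp1 -m state --state NEW -j MARK --set-mark 0x2
    # 4. ... and only NEW connections write their mark back to conntrack, so a
    #    reply entering from br0 with packet mark 0 never clobbers the saved one.
    $IPT -t mangle -A PREROUTING -m state --state NEW -j CONNMARK --save-mark
    # Replies generated by the router itself take the same path.
    $IPT -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

# Each per-ISP table needs the LAN as a network route (/24): a bare
# 192.168.1.0 is a host route, so a DNATed packet for 192.168.1.4 would miss
# it and follow the table's default route back out the WAN link.
policy_routes() {
    for t in wanadoo:ppp0 nerim:ppp1; do
        table="${t%%:*}"
        dev="${t##*:}"
        $IP route replace 192.168.1.0/24 dev br0 table "$table"
        $IP route replace default dev "$dev" table "$table"
    done
    $IP rule add fwmark 0x1 lookup wanadoo
    $IP rule add fwmark 0x2 lookup nerim
    $IP route flush cache
}

mangle_rules
policy_routes
```

Run with IPT=iptables IP=ip as root to apply; the table names wanadoo and nerim must already exist in /etc/iproute2/rt_tables, as they do in the post.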