[LARTC] Two outbound internet links, using one network interface
Zoilo Gomez
zoilo at xs4all.nl
Sun Oct 8 12:14:11 CEST 2006
Dashamir Hoxha wrote:
> Hi,
>
> I am trying to categorize the network traffic and to send it out across
> two different providers. For this I mark the packets in the firewall (in
> the PREROUTING chain of table mangle), and then use another routing table
> for the marked packets, which has a different gateway from the main routing
> table. Basically I am following the cookbook example in this page:
> http://linux-ip.net/html/adv-multi-internet.html
> with some small changes and modifications.
>
> The most important difference is that I am trying to use just one external
> network interface, which is connected through a hub/switch to both of the
> ISP links. I add two different IPs to this interface, corresponding to each
> provider's network. Then the masquerading is done with a rule like this:
>
> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> instead of:
>
> # iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 67.17.28.12
> # iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 205.254.211.179
>
How about using iproute2 (instead of MASQ / SNAT rule):
=> ip route add 192.168.10.0/24 dev eth0 src 192.168.10.1
=> ip route add 192.168.100.0/24 dev eth0 src 192.168.100.1
> For the traffic that is generated in the LAN behind the box, it works, but
> for the traffic that is generated in the localhost (routing box), it does
> not work. Indeed, it cannot possibly work for the localhost with a setup
> like this (with only one external interface). As can be seen in this
> document:
> http://www.faqs.org/docs/iptables/traversingoftables.html
> (Table 3-2. Source local host)
> the routing decision happens before the packet enters the chains of
> iptables (the chain PREROUTING is not traversed in this case).
>
> This is not a big problem (it is not so important that the traffic of the
> routing box be categorized as well), but trying to solve it, I came up with
> another solution, which seems simpler. The idea is to use something like
> this:
>
> ---------------------------------------------------------------------------------
>
> IPT=/sbin/iptables
> PORT_LIST="22 53"
> GATEWAY1=192.168.10.1
> GATEWAY2=192.168.100.1
>
> for PORT in $PORT_LIST
> do
> $IPT -t nat -A POSTROUTING -o eth0 \
> -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2
> done
>
> $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
> -----------------------------------------------------------------------------
>
> I have not tested it yet but I don't see why it should not work.
>
> Also, I have seen somewhere that using two IPs on the same interface may be
> risky (may have security implications), but I don't see what they can be.
> If somebody has any idea of them and how to avoid them, please let me know.
> E.g. I have heard about "IP spoofing" but I don't understand what it is.
Using VLANs, you can separate the networks on the link level instead.
This is the same (in software) as using 2 different LAN ports (in hardware).
Regards,
Z.
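An added example, written for this archive page and not posted by either participant, that combines the quoted per-port SNAT script with the `ip route ... src` suggestion from the reply and a fwmark routing table, so that the router's own traffic (which skips PREROUTING) is steered as well. The interface name, addresses, ports, mark and table number are constructed placeholders.

```shell
#!/bin/sh
# Two ISPs reached through the single interface eth0: forwarded LAN traffic
# and the router's own traffic to selected TCP ports go out via provider 2,
# everything else via provider 1. All addresses are constructed placeholders.
IFACE=eth0
NET1=192.168.10.0/24;  IP1=192.168.10.2;  GW1=192.168.10.1    # provider 1
NET2=192.168.100.0/24; IP2=192.168.100.2; GW2=192.168.100.1   # provider 2
PORT_LIST="22 53"      # TCP destination ports steered to provider 2
MARK2=2; TABLE2=200    # fwmark and routing table used for provider 2

# Print the commands instead of running them, so the rule set can be reviewed
# with `sh multi.sh` and applied with `sh multi.sh | sh` as root.
emit_rules() {
    # Both provider addresses on one interface, each with its own src hint;
    # "replace" keeps the script re-runnable.
    echo "ip addr replace $IP1/24 dev $IFACE"
    echo "ip addr replace $IP2/24 dev $IFACE"
    echo "ip route replace $NET1 dev $IFACE src $IP1"
    echo "ip route replace $NET2 dev $IFACE src $IP2"
    echo "ip route replace default via $GW1 dev $IFACE src $IP1"
    # The second table holds only provider 2's default route and is consulted
    # for packets carrying the mark.
    echo "ip route replace default via $GW2 dev $IFACE src $IP2 table $TABLE2"
    echo "ip rule add fwmark $MARK2 table $TABLE2"
    for PORT in $PORT_LIST; do
        # PREROUTING sees forwarded LAN packets; OUTPUT sees the router's own
        # packets, which never traverse PREROUTING (the problem raised in the
        # thread). The kernel re-routes a locally generated packet when mangle
        # OUTPUT changes its mark, so such packets pick up table $TABLE2.
        for CHAIN in PREROUTING OUTPUT; do
            echo "iptables -t mangle -A $CHAIN -p tcp --dport $PORT" \
                 "-j MARK --set-mark $MARK2"
        done
    done
    # Source NAT follows the mark rather than the port, so whatever table
    # $TABLE2 routed leaves with provider 2's address (a locally generated
    # packet keeps the source address chosen before it was re-routed).
    echo "iptables -t nat -A POSTROUTING -o $IFACE -m mark --mark $MARK2" \
         "-j SNAT --to-source $IP2"
    echo "iptables -t nat -A POSTROUTING -o $IFACE -j SNAT --to-source $IP1"
}

emit_rules
```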