[LARTC] Two outbound internet links, using one network interface
Radu Oprisan
radu at securesystems.ro
Wed Oct 11 13:05:12 CEST 2006
Dashamir Hoxha wrote:
> Dashamir Hoxha wrote:
>> Hi,
>>
>> I am trying to categorize the network traffic and to send it out
>> across two different providers.
>> For this I mark the packets in the firewall (in the PREROUTING chain
>> of table mangle),
>> and then use another routing table for the marked packets, which has
>> a different gateway
>> from the main routing table. Basically I am following the cookbook
>> example in this page:
>> http://linux-ip.net/html/adv-multi-internet.html
>> with some small changes and modifications.
>>
>> The most important difference is that I am trying to use just one
>> external network interface,
>> which is connected through a hub/switch to both of the ISP links. I
>> add two different IPs
>> to this interface, corresponding to each providers network. Then the
>> masquerading is done
>> with a rule like this:
>>
>> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>
>> instead of:
>>
>> # iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 67.17.28.12
>> # iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 205.254.211.179
>>
>> For the traffic that is generated in the LAN behind the box, it
>> works, but for the
>> traffic that is generated in the localhost (routing box), it does not
>> work.
>> Indeed, it cannot possibly work for the localhost with a setup like
>> this (with only
>> one external interface). As it can be seen in this document:
>> http://www.faqs.org/docs/iptables/traversingoftables.html
>> (Table 3-2. Source local host)
>> the routing decision happens before the packet enters the iptables
>> chains
>> (the PREROUTING chain is not traversed in this case).
>>
>> This is not a big problem (it is not so important that the traffic of
>> the routing box
>> be categorized as well), but trying to solve it, I came up with
>> another solution,
>> which seems simpler. The idea is to use something like this:
>>
>> ---------------------------------------------------------------------------------
>>
>> IPT=/sbin/iptables
>> PORT_LIST="22 53"
>> GATEWAY1=192.168.10.1
>> GATEWAY2=192.168.100.1
>>
>> # connections to the listed TCP ports leave with the second provider's address
>> # (note: --to-source must be an address configured on this box, i.e. its own
>> # address on that provider's subnet, not the provider's gateway address)
>> for PORT in $PORT_LIST
>> do
>> $IPT -t nat -A POSTROUTING -o eth0 \
>> -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2
>> done
>>
>> # everything else leaves with the first provider's address
>> $IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
>> ---------------------------------------------------------------------------------
>>
>>
>>
>> I have not tested it yet but I don't see why it should not work.
>
for PORT in $PORT_LIST
do
# the MARK target is only accepted in the mangle table, so mark there
$IPT -t mangle -A PREROUTING -i eth_clients \
-p tcp --dport $PORT -j MARK --set-mark 0x01
done
$IPT -t nat -A POSTROUTING -o eth0 -m mark --mark 0x01 -j SNAT --to-source $GATEWAY2
$IPT -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
> From the testing and meditation that I have done up to now, I have
> arrived
> at the conclusion that this is not a solution for the problem of
> traffic categorization.
> The reason is that POSTROUTING happens after the routing decision is
> taken,
> so the route that is chosen is not affected by the source IP of the
> packet.
> Am I right?
>
>>
>> Also, I have seen somewhere that using two IPs on the same interface
>> may be risky
>> (may have security implications), but I don't see what they can be.
>> If somebody has
>> any idea of them and how to avoid them, please let me know. E.g. I
>> have heard about
>> "IP spoofing" but I don't understand what it is.
>>
>> Regards,
>> Dashamir
>>
>> _______________________________________________
>> LARTC mailing list
>> LARTC at mailman.ds9a.nl
>> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>>
>>
>
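The thread stops at the observation that SNAT in nat/POSTROUTING cannot steer a packet, because the route is already chosen by then, and leaves the "two IPs on one interface / IP spoofing" question open. The script below is an added example written for this archive page; it is not code from either poster. It shows the part the thread is missing: the mark is set in the mangle table (PREROUTING for forwarded LAN packets, OUTPUT for packets the router generates itself, which the kernel re-routes after mangle OUTPUT), an `ip rule` sends marked packets to a second routing table with its own default gateway, and SNAT in POSTROUTING then picks the router's own address on whichever link was chosen. It also adds the basic anti-spoofing drops a practitioner would want when both provider segments hang off the same eth0. All addresses, interface names, the table number 200 and the mark value are assumptions for illustration. With `DRY_RUN=1` (the default) it only prints the commands; `DRY_RUN=0 sh two-isp.sh` applies them as root.

```shell
#!/bin/sh
# Added example, not from the LARTC thread: two ISP links on one interface.
# Assumed (hypothetical) addressing:
#   ISP1: subnet 192.168.10.0/24,  gateway 192.168.10.1,  our address 192.168.10.2
#   ISP2: subnet 192.168.100.0/24, gateway 192.168.100.1, our address 192.168.100.2
#   LAN:  10.0.0.0/24 on eth1
IPT=${IPT:-/sbin/iptables}
IP=${IP:-/sbin/ip}
DRY_RUN=${DRY_RUN:-1}        # 1 = print commands, 0 = execute them

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=10.0.0.0/24
ISP1_NET=192.168.10.0/24;  ISP1_GW=192.168.10.1;  ISP1_ADDR=192.168.10.2
ISP2_NET=192.168.100.0/24; ISP2_GW=192.168.100.1; ISP2_ADDR=192.168.100.2
MARK2=0x1                    # fwmark for traffic that must leave via ISP2
TABLE2=200                   # numeric table id, no /etc/iproute2/rt_tables entry needed
PORT_LIST="22 53"            # TCP destination ports steered to ISP2 (as in the thread)

# Print or execute one command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

setup_addresses() {
    # Both provider addresses live on the single external interface.
    run $IP addr add "$ISP1_ADDR/24" dev $WAN_IF
    run $IP addr add "$ISP2_ADDR/24" dev $WAN_IF
}

setup_routes() {
    # Main table: default via ISP1, sourced from our ISP1 address.
    run $IP route replace default via $ISP1_GW dev $WAN_IF src $ISP1_ADDR
    # Table 200: default via ISP2, plus the connected networks so that a
    # lookup in this table can still reach the LAN and both provider segments.
    run $IP route replace $ISP2_NET dev $WAN_IF src $ISP2_ADDR table $TABLE2
    run $IP route replace $ISP1_NET dev $WAN_IF src $ISP1_ADDR table $TABLE2
    run $IP route replace $LAN_NET dev $LAN_IF table $TABLE2
    run $IP route replace default via $ISP2_GW dev $WAN_IF src $ISP2_ADDR table $TABLE2
    # Marked packets consult table 200 before the main table.
    run $IP rule add fwmark $MARK2 lookup $TABLE2 priority 100
    run $IP route flush cache
}

setup_firewall() {
    # 1. Mark BEFORE the routing decision, i.e. in the mangle table.
    #    PREROUTING covers packets forwarded from the LAN; OUTPUT covers
    #    packets generated on the router itself, which the kernel re-routes
    #    after mangle OUTPUT when the mark changed. This is exactly what the
    #    nat/POSTROUTING approach in the thread could not do.
    for PORT in $PORT_LIST; do
        run $IPT -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport $PORT -j MARK --set-mark $MARK2
        run $IPT -t mangle -A OUTPUT -p tcp --dport $PORT -j MARK --set-mark $MARK2
    done
    # 2. SNAT AFTER routing: use the router's own address on the link that was
    #    chosen (never the gateway's address). For locally generated packets this
    #    also replaces the ISP1 source address picked by the first, main-table
    #    lookup that happened before the re-route.
    run $IPT -t nat -A POSTROUTING -o $WAN_IF -m mark --mark $MARK2 -j SNAT --to-source $ISP2_ADDR
    run $IPT -t nat -A POSTROUTING -o $WAN_IF -j SNAT --to-source $ISP1_ADDR
    # 3. Anti-spoofing. With both provider segments on one interface the router
    #    cannot tell per link where a frame came from, but it can refuse packets
    #    from outside that claim an inside source, and LAN packets with foreign
    #    sources, which is the usual meaning of "IP spoofing" in this setting.
    run $IPT -A INPUT   -i $WAN_IF -s $LAN_NET -j DROP
    run $IPT -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
    run $IPT -A FORWARD -i $LAN_IF ! -s $LAN_NET -j DROP
}

all_rules() {
    setup_addresses
    setup_routes
    setup_firewall
}

all_rules
```

Two design notes. The second routing table carries the connected networks as well as its default route, because a marked packet never falls through to the main table for those destinations otherwise. And strict reverse-path filtering (`rp_filter`) does not get in the way here: since both links share eth0, the reverse route for any external source resolves to eth0 whichever table answers, so replies from either provider pass the check.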