[LARTC] Two outbound internet links, using one network interface

Radu Oprisan radu at securesystems.ro
Wed Oct 11 13:17:23 CEST 2006


Radu Oprisan wrote:
> Dashamir Hoxha wrote:
>> Dashamir Hoxha wrote:
>>> Hi,
>>>
>>> I am trying to categorize the network traffic and to send it out 
>>> across two different providers.
>>> For this I mark the packets in the firewall (in the PREROUTING chain 
>>> of table mangle),
>>> and then use another routing table for the marked packets, which has 
>>> a different gateway
>>> from the main routing table. Basically I am following the cookbook 
>>> example on this page:
>>> http://linux-ip.net/html/adv-multi-internet.html
>>> with some small changes and modifications.
>>>
>>> The most important difference is that I am trying to use just one 
>>> external network interface,
>>> which is connected through a hub/switch to both of the ISP links. 
>>> I add two different IPs
>>> to this interface, corresponding to each provider's network. Then the 
>>> masquerading is done
>>> with a rule like this:
>>>
>>> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>>
>>> instead of:
>>>
>>> # iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 
>>> 67.17.28.12
>>> # iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 
>>> 205.254.211.179
>>>
>>> For the traffic that is generated in the LAN behind the box, it 
>>> works, but for the
>>> traffic that is generated in the localhost (routing box), it does 
>>> not work.
>>> Indeed, it cannot possibly work for the localhost with a setup like 
>>> this (with only
>>> one external interface). As can be seen in this document:
>>> http://www.faqs.org/docs/iptables/traversingoftables.html
>>> (Table 3-2. Source local host)
>>> routing decision happens before the packet enters the chains of the 
>>> iptables
>>> (the chain PREROUTING is not traversed in this case).
>>>
>>> This is not a big problem (it is not so important that the traffic 
>>> of the routing box
>>> be categorized as well), but trying to solve it, I came up with 
>>> another solution,
>>> which seems simpler. The idea is to use something like this:
>>>
>>> --------------------------------------------------------------------------------- 
>>>
>>> IPT=/sbin/iptables
>>> PORT_LIST="22 53"
>>> GATEWAY1=192.168.10.1
>>> GATEWAY2=192.168.100.1
>>>
>>> for PORT in $PORT_LIST
>>> do
>>>  $IPT -t nat -A POSTROUTING -o eth0 \
>>>               -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2
>>> done
>>>
>>> $IPT  -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
>>> ----------------------------------------------------------------------------- 
>>>
>>>
>>>
>>> I have not tested it yet but I don't see why it should not work.
>>
>
> for PORT in $PORT_LIST
> do
>
> $IPT -t mangle -A PREROUTING -i eth_clients \
>              -p tcp --dport $PORT -j MARK --set-mark 0x01
> done
>
> $IPT -t nat -A POSTROUTING -o eth0 -m mark --mark 0x01 -j SNAT 
> --to-source $GATEWAY2
> $IPT  -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
I'm sorry....
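The complete rule set for the scheme discussed in this thread (one external interface with an address in each provider's network, LAN traffic to selected ports marked in mangle PREROUTING, routed through a second table and SNATed per mark), as an added example that is not from the thread or the cookbook it cites. Only the gateways and the port list come from the thread; the LAN interface name, the box's own address in each provider network and the routing table number are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the cookbook it cites): the complete
# rule set for the scheme discussed in the thread, i.e. one external interface
# carrying an address in each provider's network, LAN traffic to selected
# ports marked in mangle PREROUTING, routed through a second table, and
# SNATed to the address of the link it actually leaves on.
IPT=${IPT:-/sbin/iptables}
IP=${IP:-/sbin/ip}
WAN_IF=eth0                # the single external interface, as in the thread
LAN_IF=eth1                # assumption: the LAN-facing interface
GATEWAY1=192.168.10.1      # provider 1 router, from the thread
GATEWAY2=192.168.100.1     # provider 2 router, from the thread
ADDR1=192.168.10.2         # assumption: our address in provider 1's network
ADDR2=192.168.100.2        # assumption: our address in provider 2's network
PORT_LIST="22 53"          # ports to send via provider 2, from the thread
MARK=0x01
TABLE=100                  # assumption: id of the second routing table

# run: print the command when DRY_RUN is set, otherwise execute it, so the
# whole rule set can be reviewed before it is applied as root.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_multilink() {
    # Second provider address on the same physical interface.
    run $IP addr add "$ADDR2/24" dev "$WAN_IF"
    # Second table with provider 2 as default gateway; consulted for marked packets.
    run $IP route add default via "$GATEWAY2" dev "$WAN_IF" table "$TABLE"
    run $IP rule add fwmark "$MARK" table "$TABLE"
    run $IP route flush cache
    # Mark forwarded LAN traffic before the routing decision. Locally generated
    # traffic never passes PREROUTING, which is the limitation the thread notes.
    for PORT in $PORT_LIST; do
        run $IPT -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport "$PORT" \
            -j MARK --set-mark "$MARK"
    done
    # The mark-specific SNAT must come before the catch-all, and each source
    # address must belong to the network of the gateway the packet is routed to.
    run $IPT -t nat -A POSTROUTING -o "$WAN_IF" -m mark --mark "$MARK" \
        -j SNAT --to-source "$ADDR2"
    run $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$ADDR1"
}

if [ "$1" = apply ]; then
    setup_multilink              # needs root and the real interfaces
else
    DRY_RUN=1 setup_multilink    # default: print the rule set for review
fi
```

Run without arguments to print the rules for review; `apply` executes them.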

