[LARTC] Two outbound internet links, using one network interface

Dashamir Hoxha dasho at ma-isp.com
Wed Oct 11 14:29:38 CEST 2006


Radu Oprisan wrote:
> Radu Oprisan wrote:
>> Dashamir Hoxha wrote:
>>> Dashamir Hoxha wrote:
>>>> Hi,
>>>>
>>>> I am trying to categorize the network traffic and to send it out 
>>>> across two different providers.
>>>> For this I mark the packets in the firewall (in the PREROUTING 
>>>> chain of table mangle),
>>>> and then use another routing table for the marked packets, which 
>>>> has a different gateway
>>>> from the main routing table. Basically I am following the cookbook
>>>> example in this page:
>>>> http://linux-ip.net/html/adv-multi-internet.html
>>>> with some small changes and modifications.
>>>>
>>>> The most important difference is that I am trying to use just one 
>>>> external network interface,
>>>> which is connected through a hub/switch to both of the ISP links.
>>>> I add two different IPs
>>>> to this interface, corresponding to each provider's network. Then
>>>> the masquerading is done
>>>> with a rule like this:
>>>>
>>>> # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>>>
>>>> instead of:
>>>>
>>>> # iptables -t nat -A POSTROUTING -o eth4 -j SNAT --to-source 
>>>> 67.17.28.12
>>>> # iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 
>>>> 205.254.211.179
>>>>
>>>> For the traffic that is generated in the LAN behind the box, it 
>>>> works, but for the
>>>> traffic that is generated in the localhost (routing box), it does 
>>>> not work.
>>>> Indeed, it cannot possibly work for the localhost with a setup like 
>>>> this (with only
>>>> one external interface). As can be seen in this document:
>>>> http://www.faqs.org/docs/iptables/traversingoftables.html
>>>> (Table 3-2. Source local host)
>>>> routing decision happens before the packet enters the chains of the 
>>>> iptables
>>>> (the chain PREROUTING is not traversed in this case).
>>>>
>>>> This is not a big problem (it is not so important that the traffic 
>>>> of the routing box
>>>> be categorized as well), but trying to solve it, I came up with 
>>>> another solution,
>>>> which seems simpler. The idea is to use something like this:
>>>>
>>>> --------------------------------------------------------------------------------- 
>>>>
>>>> IPT=/sbin/iptables
>>>> PORT_LIST="22 53"
>>>> GATEWAY1=192.168.10.1
>>>> GATEWAY2=192.168.100.1
>>>>
>>>> for PORT in $PORT_LIST
>>>> do
>>>>  $IPT -t nat -A POSTROUTING -o eth0 \
>>>>               -p tcp --dport $PORT -j SNAT --to-source $GATEWAY2
>>>> done
>>>>
>>>> $IPT  -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
>>>> ----------------------------------------------------------------------------- 
>>>>
>>>>
>>>>
>>>> I have not tested it yet but I don't see why it should not work.
>>>
>>
>> for PORT in $PORT_LIST
>> do
>>
> $IPT -t mangle -A PREROUTING -i eth_clients \
>             -p tcp --dport $PORT -j MARK --set-mark 0x01
>> done
>>
>> $IPT -t nat -A POSTROUTING -o eth0 -m mark --mark 0x01 -j SNAT 
>> --to-source $GATEWAY2
>> $IPT  -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $GATEWAY1
> I'm sorry....
Ok, it may work like this, I have to try it.
By the way, instead of $GATEWAY1 and $GATEWAY2 above, $IP1 and $IP2
must be used instead; it was a mistake.
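A combined version of the two approaches in this thread, written as an added example that is not part of any of the original messages: it takes the fwmark-based SNAT from Radu's reply, the corrected $IP1/$IP2 source addresses from Dashamir's follow-up, and adds the `ip rule` / `ip route` entries that make the mark actually select the second gateway (SNAT alone only rewrites the source address; the routing decision is made separately, so without a fwmark rule the marked packet still leaves via the main table's gateway). Interface names, addresses, the mark value and the routing table number are constructed values, not taken from the thread. By default the script prints the commands instead of running them so the rule set can be reviewed first; set RUN=1 to apply it.

```shell
#!/bin/sh
# Added example (not from the thread): two ISP links on one external
# interface, split by fwmark, with the SNAT source chosen per ISP.
IPT=${IPT:-/sbin/iptables}
IP=${IP:-/sbin/ip}
EXT_IF=eth0            # single external interface on the shared hub/switch
LAN_IF=eth_clients     # internal interface (name as used in Radu's reply)
IP1=192.168.10.2       # assumed: this box's address on ISP1's network
IP2=192.168.100.2      # assumed: this box's address on ISP2's network
GATEWAY1=192.168.10.1  # assumed ISP1 gateway
GATEWAY2=192.168.100.1 # assumed ISP2 gateway
PORT_LIST="22 53"
MARK=0x01
TABLE=100              # assumed routing table number for marked traffic

# Print the command (default) or execute it when RUN=1.
emit() {
    if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

rules() {
    # 1. Policy routing: marked packets consult table $TABLE, whose default
    #    route points at GATEWAY2 and uses IP2 as the preferred source.
    emit $IP rule add fwmark $MARK table $TABLE
    emit $IP route add default via $GATEWAY2 dev $EXT_IF src $IP2 table $TABLE
    emit $IP route add default via $GATEWAY1 dev $EXT_IF src $IP1
    # 2. Mark the selected ports coming in from the LAN in mangle/PREROUTING.
    #    As the thread notes, locally generated traffic never traverses
    #    PREROUTING, so only forwarded traffic is affected by this mark.
    for PORT in $PORT_LIST; do
        emit $IPT -t mangle -A PREROUTING -i $LAN_IF \
            -p tcp --dport $PORT -j MARK --set-mark $MARK
    done
    # 3. SNAT to the address that belongs to the ISP the packet leaves through.
    #    The source must be this box's own address (IP1/IP2), never the
    #    gateway address, which was the mistake corrected in the thread.
    emit $IPT -t nat -A POSTROUTING -o $EXT_IF -m mark --mark $MARK \
        -j SNAT --to-source $IP2
    emit $IPT -t nat -A POSTROUTING -o $EXT_IF -j SNAT --to-source $IP1
}

# Sanity check on the generated rule set: exactly two SNAT rules, and no
# rule uses a gateway address as its SNAT source. Returns 0 when it passes.
check_rules() {
    out=$(rules)
    snat=$(printf '%s\n' "$out" | grep -c -- '-j SNAT' || true)
    bad=$(printf '%s\n' "$out" | grep -c -E -- "--to-source ($GATEWAY1|$GATEWAY2)" || true)
    [ "$snat" -eq 2 ] && [ "$bad" -eq 0 ]
}

rules
```

The order of the two POSTROUTING rules matters: the mark-matched SNAT must come before the catch-all, because the first matching rule in the nat table decides the translation for the whole connection.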

