[LARTC] Two outbound internet links, using one network interface

Dashamir Hoxha dasho at ma-isp.com
Sat Oct 14 11:29:31 CEST 2006


Dashamir Hoxha wrote:
> Pio Mendez wrote:
>>
>>  
>>
>>     >Pio Mendez wrote:
>>     >>PREROUTING chain is not traversed by local traffic, but OUTPUT
>>     >>chain does.
>>     >
>>     >I think that OUTPUT is traversed after routing decision is taken, so
>>     >it is still the same problem.
>>
>>
>>     I'm using OUTPUT chain in production environment to balance squid
>>     box traffic between 2 ISP, so I'm sure that you can reroute output
>>     packets using mangle OUTPUT chain.
>>
>>     After traversing mangle and nat OUTPUT chains there is another
>>     routing process. Please check this diagram:
>>
>>     http://www.imagestream.com/~josh/PacketFlow.png
>>
> Pio Mendez is right. I have just tested it and it works.
If I use:
     iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
instead of:
     iptables -t nat -A POSTROUTING -o eth0 -m mark --mark 0x2 -j SNAT --to-source $IP2
     iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $IP1
it seems not to work. So, maybe I didn't test it properly and actually
it doesn't work. Anyway, it is not so important.

Dashamir

> Now the script becomes something like this:
>
> -------------8<----------------------------------
> ip link set eth0 up
> ip address flush eth0
> ip address add $IP1 dev eth0
> ip address add $IP2 dev eth0
>
> ip route add default via $GATEWAY1
>
> ip route flush table 2
> ip route show table main | grep -Ev ^default \
> | while read ROUTE ; do ip route add table 2 $ROUTE ; done
> ip route add table 2 default via $GATEWAY2
>
> ip rule del fwmark 2 table 2   2>/dev/null
> ip rule add fwmark 2 table 2
>
> iptables -t mangle -N MARK-RULES
> iptables -t mangle -A PREROUTING -j MARK-RULES
> iptables -t mangle -A OUTPUT -j MARK-RULES
>
> PORT_LIST="22 53"
> for PORT in $PORT_LIST
> do
> iptables -t mangle -A MARK-RULES -m tcp -p tcp --dport $PORT -j MARK --set-mark 0x2
> done
>
> iptables -t nat -A POSTROUTING -o eth0 -m mark --mark 0x2 -j SNAT 
> --to-source $IP2
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $IP1
> ------------8<---------------------------------
> _______________________________________________
> LARTC mailing list
> LARTC at mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
>
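
Added model (not the list author's script, and not code from the LARTC project) of the path a locally generated packet takes under the rules quoted above: mangle OUTPUT (the MARK-RULES chain) sets fwmark 0x2 for tcp to a port in PORT_LIST, the routing decision is taken again after OUTPUT and `ip rule add fwmark 2 table 2` selects table 2 for marked packets, and nat POSTROUTING picks the SNAT source by mark. The addresses, subnets and gateways are constructed placeholders standing in for $IP1/$IP2/$GATEWAY1/$GATEWAY2; the tables are built the way the script builds them (main with connected routes plus default via GATEWAY1, table 2 as a copy of main without its default plus default via GATEWAY2).

```python
"""Model of: mangle OUTPUT (MARK) -> re-routing by fwmark -> nat POSTROUTING (SNAT).
Illustration only; all addresses below are constructed placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders (documentation ranges), one address per ISP on eth0.
IP1, NET1, GATEWAY1 = "198.51.100.10", "198.51.100.0/24", "198.51.100.1"
IP2, NET2, GATEWAY2 = "203.0.113.10", "203.0.113.0/24", "203.0.113.1"
PORT_LIST = (22, 53)     # PORT_LIST="22 53" in the script
MARK_ISP2 = 0x2          # --set-mark 0x2

# Routing tables as (prefix, gateway); gateway None = directly connected on eth0.
# table main: connected routes from `ip address add` plus default via GATEWAY1.
TABLE_MAIN = [(NET1, None), (NET2, None), ("0.0.0.0/0", GATEWAY1)]
# table 2: `ip route show table main | grep -Ev ^default` copied in, then
# `ip route add table 2 default via $GATEWAY2`.
TABLE_2 = [r for r in TABLE_MAIN if r[0] != "0.0.0.0/0"] + [("0.0.0.0/0", GATEWAY2)]


@dataclass
class Packet:
    dst: str
    dport: int
    proto: str = "tcp"
    mark: int = 0
    src: str = ""
    gateway: Optional[str] = None


def mangle_output(pkt: Packet) -> Packet:
    """MARK-RULES: `-m tcp -p tcp --dport $PORT -j MARK --set-mark 0x2`.
    Only tcp is matched, so udp/53 keeps mark 0 and stays on ISP1."""
    if pkt.proto == "tcp" and pkt.dport in PORT_LIST:
        pkt.mark = MARK_ISP2
    return pkt


def fib_lookup(table, dst: str) -> Optional[str]:
    """Longest-prefix match over one table; returns the next-hop gateway
    (None for a directly connected destination)."""
    best_net, best_gw = None, None
    addr = ipaddress.ip_address(dst)
    for prefix, gw in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    if best_net is None:
        raise ValueError(f"no route to {dst}")
    return best_gw


def reroute(pkt: Packet) -> Packet:
    """Routing decision taken again after mangle OUTPUT:
    `ip rule add fwmark 2 table 2`, otherwise the main table."""
    table = TABLE_2 if pkt.mark == MARK_ISP2 else TABLE_MAIN
    pkt.gateway = fib_lookup(table, pkt.dst)
    return pkt


def nat_postrouting(pkt: Packet) -> Packet:
    """The two SNAT rules in order; first match wins, so the `-m mark` rule
    decides and the unconditional `--to-source $IP1` rule is the fallback."""
    pkt.src = IP2 if pkt.mark == MARK_ISP2 else IP1
    return pkt


def send(dst: str, dport: int, proto: str = "tcp"):
    """Run one locally generated packet through the chain; returns
    (next-hop gateway or None for direct delivery, SNAT source address)."""
    pkt = nat_postrouting(reroute(mangle_output(Packet(dst, dport, proto))))
    return pkt.gateway, pkt.src


if __name__ == "__main__":
    for dst, dport, proto in [("192.0.2.5", 22, "tcp"), ("192.0.2.5", 80, "tcp"),
                              ("192.0.2.5", 53, "udp"), ("198.51.100.50", 22, "tcp")]:
        gw, src = send(dst, dport, proto)
        print(f"{proto}/{dport} to {dst}: via {gw or 'eth0 (direct)'} from {src}")
```

Two things the model makes visible that the script alone does not: udp/53 is not marked because the loop only adds `-p tcp` rules, so DNS over UDP stays on ISP1; and a marked packet to a host on ISP1's own subnet is delivered directly (the connected route copied into table 2 wins) yet is still rewritten to $IP2, because the POSTROUTING rule matches only on the mark and `-o eth0`. Whether that second case is acceptable is worth checking on the real box before relying on the split.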
