ixion l33t
Joined: 16 Dec 2002 Posts: 708
Posted: Tue Jan 06, 2004 4:57 pm Post subject: Complicated Routing Scheme
Currently our internet traffic goes through the overloaded host at a remote location via WAN (remote network 192.168.44.0/24). Along with internet traffic, telnet and samba traffic also move across the WAN. What I am looking at doing is setting up a Broadband ISP locally for internet traffic, but still run telnet and samba traffic across the WAN. The current config (not by my hands) looks like this:
Code:
Cisco Local LAN Interface(192.168.58.0/24)<<>>Cisco Local WAN Interface(172.17.254.6 255.255.255.252)>> ---------------------------------------- <<Cisco Remote WAN Interface(172.17.254.5 255.255.255.252)<<>>Cisco Remote LAN Interface(192.168.44.254 255.255.255.0)
Where 'Local' designates interfaces on the local Cisco router and 'Remote' designates interfaces on the remote Cisco router.
I have a Gentoo box with 3 NICs (eth0,eth1,eth2). I would like to use this box to route the new internet traffic properly. Here is a diagram of what I've been thinking:
Code:
                               __INTERNET (eth0: 68.202.0.0/16)
                              /
                             /
LAN (eth2: 192.168.58.0/24)---GENTOO BOX
                             \
                              \
                               \__WAN (eth1: 192.168.59.2) >> Local Cisco LAN Interface (192.168.59.1) -- ....
Seeing how I don't have a WAN interface for the Linux box, I'm going to have to route WAN traffic from it through the Cisco router. This will involve changing the Cisco Fast Ethernet0 IP to 192.168.59.1, but it is the simplest 'drop-in' plan I could come up with (all PCs on the 58.0 network are set up with DHCP, but there are several devices that must remain with a static 58.x address).
I read this and learned a ton about routing and Linux, but haven't found a solution to route in this fashion. I tried the following command, but all traffic still moves through the default gateway. If I remove the default gateway traffic doesn't know where to go:
Code:
ip rule add to 192.168.44.0 priority 0 table T2

Where T2 was added like this:
Code:
echo 202 T2 >> /etc/iproute2/rt_tables
ip route add 192.168.59.0 dev eth1 src 192.168.59.2 table T2
ip route add default via 192.168.59.1 table T2
It is obvious I'm a beginner at this sort of thing. Is a 'drop-in' solution with Linux viable? Any issues being foreseen? Please critique this as you see fit.
EDIT: Changed some of the diagram to hopefully provide better information.
_________________
only the paranoid survive
Last edited by ixion on Tue Jan 06, 2004 7:10 pm; edited 3 times in total
adaptr Watchman
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Tue Jan 06, 2004 6:39 pm Post subject:
I couldn't make much sense out of your network setup - where, for example, are workstations connected exactly? And what is the role of the local Cisco interfaces?
If this signifies just TWO Cisco routers, then you might have de-cluttered the situation by saying so!
Anyway - there's no need to mess with the Cisco setup.
Just configure the Gentoo machine to filter out all internet-bound traffic (with iptables) and put the Gentoo box between the LAN and the router - problem solved.
ixion l33t
Joined: 16 Dec 2002 Posts: 708
Posted: Tue Jan 06, 2004 7:08 pm Post subject:
sorry... I have a terrible time taking what's in my head and typing/writing/drawing it... I also have a bad habit of making things much more complicated than they really are... please forgive me.
What exactly would I use in IPTABLES to redirect internet traffic?
The Gentoo box will sit in between the LAN section and the INTERNET/WAN sections.
_________________
only the paranoid survive
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Tue Jan 06, 2004 7:47 pm Post subject:
Hi!
It's not that complicated at all...
What you need to do is to configure your Gentoo box in a way that
a) the default gateway is the ISP router (68.202.x.y)
b) traffic to 192.168.44.0/24 is routed to the old cisco (192.168.58.x)
c) all traffic from local (eth2:192.168.58.0/24) to internet (eth0) gets NATed to the 68.202.x.y address of your Gentoo box
After that reconfigure all workstations to use the Gentoo box as default gateway. (for the DHCP stations just alter the config there to give out the new gateway, all the others have to be configured manually)
You definitely MUST NOT change the ip subnet from .58 to .59!
HTH
T.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
ixion l33t
Joined: 16 Dec 2002 Posts: 708
Posted: Tue Jan 06, 2004 8:21 pm Post subject:
My only question now is, what iptables statement would re-route the 192.168.44.0/24 traffic? The following is what comes to mind, but I don't know the usage of REDIRECT:
Code:
$IPTABLES -A PREROUTING -d 192.168.44.0/24 -j REDIRECT --to 192.168.58.1

EDIT: REDIRECT looks like it only applies to ports (--to-ports). Any target suggestions on changing the traffic's entire route?
_________________
only the paranoid survive
adaptr Watchman
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Tue Jan 06, 2004 9:11 pm Post subject:
That is of course accomplished with a simple routing table entry - you can't use iptables for that!
You have three NICs on the box, for LAN, INET and WAN.
If you set the interfaces up correctly the Gentoo box will AUTOMATICALLY route the correct packets to the correct interfaces.
To enable routing on a Linux box all you need is
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward

The important things are:
1) EVERY box on the local LAN has to use the gentoo box as its gateway, whether for the internet or the remote WAN link. The gentoo box will decide what goes where.
2) You will have to change the address on the LAN side of the Cisco router (whatever that dude said) - you can't avoid it.
The only way that you could still use the .58.x addresses on the LAN, the Cisco AND the Gentoo box would be to bridge the NICs together - you may want to look into that.
3) On the gentoo box, set up the interfaces with appropriate addresses, and correct routing table entries will automagically be added.
You need to make the internet NIC the default gateway.
What you will especially need to change on the Cisco is the gateway for the WAN - you have to point it to the Gentoo box yourself (or use a routing protocol, which is overkill for 3 routers).
That's basically it, but the iptables bit comes in ONLY when you would want to distinguish between WAN-packets and INET packets, but since there are 2 networks this is not an issue.
To get the Gentoo box to masquerade the inet connection all you need is one line:
Code:
iptables -t nat -A POSTROUTING -o <INET> -j SNAT --to-source <IP-INET>

Where INET is the NIC connecting to the internet, and IP-INET is the address of the Gentoo box on the Internet.
The packets coming from the WAN through the Cisco router will never be forwarded to this interface, as they will not have crossed the WAN link in the first place - hence no problems there.
That's all - you now have an internet-masquerading WAN-routing dingamaboo-box... enjoy.
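The three steps from the two answers above (ISP as default gateway, a static route for the remote office via the Cisco, NAT only on the internet NIC) as one script for the Gentoo box. This is an added example, not code from the thread or from any of its posters. It uses the interface names and addresses ixion gave (eth0 to the ISP, eth1 as 192.168.59.2 facing the Cisco at 192.168.59.1, eth2 on 192.168.58.0/24, remote office 192.168.44.0/24); the ISP gateway 68.202.0.1 and the box's own internet address 68.202.1.2 are constructed placeholders. A forwarding policy is included so the internet side can only answer flows the LAN opened, which the one-line SNAT alone does not enforce. With `preview` the script prints the commands instead of running them, so the result can be read before it is applied as root.

```sh
#!/bin/sh
# Added example for the Gentoo router described in this thread; not code
# from the thread itself. Values marked "assumed" are placeholders.
INET_IF=eth0
INET_IP=68.202.1.2     # assumed: the box's address from the ISP
INET_GW=68.202.0.1     # assumed: the ISP's gateway
WAN_IF=eth1
WAN_GW=192.168.59.1    # Cisco FastEthernet0 after the renumbering the OP plans
LAN_IF=eth2
LAN_NET=192.168.58.0/24
REMOTE_NET=192.168.44.0/24

# Execute a command, or with DRY_RUN=1 just print it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

configure_router() {
    # Turn the box into a router (same effect as echo 1 > /proc/sys/net/ipv4/ip_forward).
    run sysctl -w net.ipv4.ip_forward=1

    # a) The internet NIC carries the default route.
    run ip route replace default via "$INET_GW" dev "$INET_IF"

    # b) Only the remote office is sent to the Cisco; nothing else crosses the WAN.
    run ip route replace "$REMOTE_NET" via "$WAN_GW" dev "$WAN_IF"

    # c) Masquerade LAN traffic leaving on the internet NIC only. Traffic to
    #    192.168.44.0/24 leaves on eth1 and keeps its real 192.168.58.x source.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$INET_IF" \
        -j SNAT --to-source "$INET_IP"

    # Forwarding policy: the LAN may initiate anything, the remote office may
    # reach the LAN, the internet side may only answer established flows.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN_IF" -s "$REMOTE_NET" -d "$LAN_NET" -j ACCEPT
}

# Usage: sh router.sh preview   (prints the commands)
#        sh router.sh apply     (runs them, as root)
case "${1:-}" in
    preview) DRY_RUN=1; configure_router ;;
    apply)   configure_router ;;
esac
```

The SNAT rule is restricted to `-o eth0`, so packets routed towards the Cisco on eth1 are never rewritten; that is what keeps the WAN side seeing real 192.168.58.x addresses while only internet-bound traffic is masqueraded.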
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Tue Jan 06, 2004 9:18 pm Post subject:
adaptr wrote:
> 2) You will have to change the address on the LAN side of the Cisco router (whatever that dude said) - you can't avoid it.
> The only way that you could still use the .58.x addresses on the LAN, the Cisco AND the Gentoo box would be to bridge the NICs together - you really don't want to go there.
Why?
I've more than one network built exactly that way (not with gentoo boxes, but this doesn't matter) - and all of them are working perfectly.
Business traffic goes 'PC' -> 'Gentoo' -> WAN -> corporate central
Internet traffic goes 'PC' -> 'Gentoo' -> ISP
Just basic routing stuff....
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
adaptr Watchman
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Tue Jan 06, 2004 10:22 pm Post subject:
Because - he will end up connecting the .58.x LAN to the .58.x interface of the gentoo box, which he will then connect via a .58.x interface to the Cisco box - also on .58.x
Basic IP networking: you can't route over that.
There are a few solutions, including further subnetting of the .58 subnet, or bridging the LAN to the Cisco but only for the right source addresses (so not trivial), and - the easiest solution - re-assign the addresses.
If not for the WAN link he could easily get rid of the Cisco router altogether - that would be bliss.
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Tue Jan 06, 2004 11:09 pm Post subject:
icmp_redirect?
routing from 58 to 58 would not work, correct - but that's not needed anyways.
PC wants to connect to central site...
first packet -> gentoo, you are my default gw; do the routing for me
gentoo... 'i have another router for you, go over there' -> PC (icmp_redirect)
PC records the route, uses it for every further packet in this connection
magic done!
as stated before - i have this kind of setup in >1 locations and it is working perfectly, no matter if it's a windows box, a unix machine, an hp printerbox or whatever.
Otherwise it would NEVER EVER be possible to have networks with more than one router in it, would it?
Kicking out the cisco could be a problem.. ever had a frame-relay or ATM connection configured with linux (plus maybe a little bit bgp4 or whatever?)
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
dreamwolf n00b
Joined: 22 May 2002 Posts: 17 Location: Mount Laurel, NJ, USA
Posted: Tue Jan 06, 2004 11:41 pm Post subject: Re: Complicated Routing Scheme
So, the WAN destinations don't exist within a definite subnet or range of IP addresses, yet you want only traffic destined for telnet and samba ports to be directed over the WAN; the rest of the traffic will go out through the broadband connection. Does that sound correct?
To the best of my knowledge, iptables can't do "real" routing (i.e. choose a gateway for a packet), and iproute can't make decisions based upon ports (only source/destination addresses/devices). One possibility is to create one route (to the WAN) for traffic that originates from the router and another for all other traffic (to the Internet), then fake it so that samba and telnet traffic appear to be from the router itself for routing purposes:
(Forgive me if I got something in the syntax wrong - I have no UNIX cmdline to check myself.)
First, the real routing:
Code:
ip route add default via 192.168.59.1 dev eth1 src 192.168.59.2
ip route add default via 68.202.0.1 dev eth0   # guessing gw IP

Second, the fake routing:
Code:
# 23 = telnet, 139 and 445 = samba over TCP
iptables -t nat -A PREROUTING -p tcp -m multiport --dports 23,139,445 \
    -j SNAT --to-source 192.168.59.2

I've never actually had to do the above, though, so I could be missing something completely obvious to someone more competent than myself. For instance, I'm sure something about there being two "default" routes is a no-no. Blast, I wish I had iproute installed on my laptop. (Guess what I'm doing as soon as I get home...)
dreamwolf
adaptr Watchman
Joined: 06 Oct 2002 Posts: 6730 Location: Rotterdam, Netherlands
Posted: Wed Jan 07, 2004 11:11 am Post subject:
Think4UrS11 wrote:
> Otherwise it would NEVER EVER be possible to have networks with more than one router in it, would it?
Of course it would - you can make as many static routes as you like.
(I never claimed it was the easiest way).
Think4UrS11 wrote:
> Kicking out the cisco could be a problem.. ever had a frame-relay or ATM connection configured with linux (plus maybe a little bit bgp4 or whatever?)
No... but then, neither has he - if he has ATM or FR uplinks to a remote office then the internet traffic should not be a bottleneck...
And I didn't say "ditch the Cisco router" - I said "but for the need of the WAN link".
Mnemia Guru
Joined: 17 May 2002 Posts: 476
Posted: Wed Jan 07, 2004 12:24 pm Post subject:
Another possibility is mark based routing. While it is true that you can't directly use iptables to do routing, you can use it to control the routing interface. You can have iptables select various packets by whatever criteria you want in the PREROUTING table. Then, you tell iptables to mark the packets with a netfilter mark, which can act as an identifier for the packets in the routing subsystem. Then you can make two (or more) completely separate routing tables for packets with different mark values using iproute (the standard route utility is too limited to allow you to do that, but the Linux kernel supports multiple routing tables.) Then you can actually have different default gateways for different classes of packets!
Voila, instant multipath routing with extremely flexible iptables based packet selection.
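Mnemia's mark-based approach, worked through for the port-based case dreamwolf describes (telnet and samba over the WAN, everything else via the ISP). This is an added example, not code from the thread or from any poster. It uses the addresses ixion gave (eth2 on 192.168.58.0/24, eth1 as 192.168.59.2 facing the Cisco at 192.168.59.1, remote office 192.168.44.0/24) and assumes the main table already holds the ISP default route; table number 202 and mark value 2 are arbitrary choices. It also shows the two things that silently break setups like ixion's first attempt: a rule priority of 0 (reserved for the kernel's local rule) and an rp_filter mismatch on the return path. `preview` prints the commands instead of executing them.

```sh
#!/bin/sh
# Added example: fwmark-based policy routing for telnet and samba over the
# WAN. Not code from the thread. Table number and mark value are arbitrary.
LAN_IF=eth2
LAN_NET=192.168.58.0/24
WAN_IF=eth1
WAN_SRC=192.168.59.2
WAN_GW=192.168.59.1
REMOTE_NET=192.168.44.0/24
WAN_TABLE=202              # numeric id; a name in /etc/iproute2/rt_tables is optional
WAN_MARK=2
WAN_TCP_PORTS=23,139,445   # telnet, netbios-ssn, microsoft-ds (samba over TCP)

# Execute a command, or with DRY_RUN=1 just print it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

route_wan_ports_via_cisco() {
    # 1. Select the packets in mangle/PREROUTING and stamp them with a mark.
    #    Only LAN-originated traffic is marked, nothing the box itself sends.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp \
        -m multiport --dports "$WAN_TCP_PORTS" -j MARK --set-mark "$WAN_MARK"

    # 2. A policy rule sends marked packets to their own table. Priority 0 is
    #    the kernel's own "local" rule, so use a higher number. (A selector
    #    such as "to 192.168.44.0" without /24 matches only that one host,
    #    which is why a destination rule written that way has no visible effect.)
    run ip rule add fwmark "$WAN_MARK" lookup "$WAN_TABLE" priority 100

    # 3. The marked table needs only a default route via the Cisco.
    run ip route add default via "$WAN_GW" dev "$WAN_IF" src "$WAN_SRC" table "$WAN_TABLE"

    # 4. Replies from the remote office arrive on eth1. With strict rp_filter
    #    the kernel accepts them only if the main table would also route their
    #    source out of eth1, so keep a destination route there as well.
    run ip route replace "$REMOTE_NET" via "$WAN_GW" dev "$WAN_IF"

    # 5. Rules are consulted per lookup, but cached routes are not; flush.
    run ip route flush cache
}

# Inspect the result: the rule list and the WAN table.
show_policy() {
    run ip rule show
    run ip route show table "$WAN_TABLE"
}

# Usage: sh markroute.sh preview   (prints the commands)
#        sh markroute.sh apply     (runs them, as root)
case "${1:-}" in
    preview) DRY_RUN=1; route_wan_ports_via_cisco; show_policy ;;
    apply)   route_wan_ports_via_cisco; show_policy ;;
esac
```

Because the mark is set before the routing decision, the marked packets are never NATed by a POSTROUTING rule restricted to the internet NIC, and unmarked traffic to the same hosts still follows the ordinary destination route; only the port selection decides which path a flow takes.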