johnlehardos n00b
Joined: 16 Mar 2005  Posts: 29
Posted: Wed Mar 16, 2005 6:28 pm  Post subject: double isp connection
hi,
I am trying to configure a firewall with 2 Internet connections:

      ppp0 - ISP 1           eth0 - ISP 2
           |                      |
     -----------------------------
     |                           |
     |                           |
     -----------------------------
                   |
          eth1 - local network

I want to use ISP 1 for POP packets and ISP 2 for SMTP packets.
Here is my config of netfilter + iptables:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F
iptables -t mangle -F
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A OUTPUT -o ppp0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 195.68.69.154
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j SNAT --to-source 82.127.43.220
# Add the routing tables (guarded so a re-run does not append duplicate entries)
grep -q '^201 smtp' /etc/iproute2/rt_tables || echo 201 smtp >> /etc/iproute2/rt_tables
grep -q '^202 pop' /etc/iproute2/rt_tables || echo 202 pop >> /etc/iproute2/rt_tables
# Marking
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 110 -j MARK --set-mark 110
ip rule add fwmark 25 table smtp
ip rule add fwmark 110 table pop
# Provider routes
ip route add 195.68.69.153 dev eth0 src 195.68.69.154 proto kernel
ip route add 193.253.160.3 dev ppp0 src 82.127.43.220 proto kernel
ip route add 192.168.1.0/24 dev eth1 src 192.168.1.213 proto kernel
ip route add 193.253.160.3 dev ppp0 src 82.127.43.220 proto kernel table pop
ip route add 192.168.1.0/24 dev eth1 src 192.168.1.213 proto kernel table pop
ip route add default via 193.253.160.3 dev ppp0 table pop
ip route add 195.68.69.153 dev eth0 src 195.68.69.154 proto kernel table smtp
ip route add 192.168.1.0/24 dev eth1 src 192.168.1.213 proto kernel table smtp
ip route add default via 195.68.69.153 dev eth0 table smtp
ip route flush cache
I don't know why, but it doesn't work.
I think I have included all the required kernel modules.
Packets are only routed with the default route in the main routing table and not with the pop or smtp table.
Pings from the local network to the providers' gateways are OK, so SNAT works correctly.
fwmark also seems to work correctly, because we can see the packet counters increasing when I run iptables -t mangle -L -n -v and then, for example, tcptraceroute www.google.fr 25 or tcptraceroute www.google.fr 110.
The only problem is that packets don't seem to enter my pop and smtp routing tables. Why???
thx for help
help, please!
johnlehardos n00b
Joined: 16 Mar 2005  Posts: 29
Posted: Thu Mar 17, 2005 11:01 am  Post subject: two gateways problem

hi,
I am trying to configure a firewall with 2 Internet connections and send POP packets to ISP 1 and SMTP packets to ISP 2.
Here are my rules for iptables and ip route:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F
iptables -t mangle -F
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A OUTPUT -o ppp0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 195.68.69.154
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j SNAT --to-source 82.127.43.220
# Add the routing tables (guarded so a re-run does not append duplicate entries)
grep -q '^201 smtp' /etc/iproute2/rt_tables || echo 201 smtp >> /etc/iproute2/rt_tables
grep -q '^202 pop' /etc/iproute2/rt_tables || echo 202 pop >> /etc/iproute2/rt_tables
# Marking
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 110 -j MARK --set-mark 110
ip rule add fwmark 25 table smtp
ip rule add fwmark 110 table pop
# Provider routes
ip route add 195.68.69.153 dev eth0 src 195.68.69.154 proto kernel
ip route add 193.253.160.3 dev ppp0 src 82.127.43.220 proto kernel
ip route add 192.168.1.0/24 dev eth1 src 192.168.1.213 proto kernel
ip route add 193.253.160.3 dev ppp0 src 82.127.43.220 proto kernel table pop
ip route add 192.168.1.0/24 dev eth1 src 192.168.1.213 proto kernel table pop
ip route add default via 193.253.160.3 dev ppp0 table pop
ip route add 195.68.69.153 dev eth0 src 195.68.69.154 proto kernel table smtp
ip route add 192.168.1.0/24 dev eth1 src 192.168.1.213 proto kernel table smtp
ip route add default via 195.68.69.153 dev eth0 table smtp
ip route flush cache
I don't know why, but it doesn't work.
I think I have included all the required kernel modules.
Packets are only routed with the default route in the main routing table and not with the pop or smtp table.
Pings from the local network to the providers' gateways are OK, so SNAT works correctly.
fwmark also seems to work correctly, because we can see the packet counters increasing when I run iptables -t mangle -L -n -v and then, for example, tcptraceroute www.google.fr 25 or tcptraceroute www.google.fr 110.
The only problem is that packets don't seem to enter my pop and smtp routing tables. Why???
thx for help
help, please!
sf_alpha Tux's lil' helper
Joined: 19 Sep 2002  Posts: 136  Location: Bangkok, TH
Posted: Thu Mar 17, 2005 6:34 pm
You did not set the preferences of your rules:
ip rule add pref 100 fwmark 25 table smtp
ip rule add pref 200 fwmark 110 table pop
If it does not work, try using 0x in front of the fwmark numbers: 0x10, 0x25
_________________
Gentoo Mirrors in Thailand (and AP)
http://gentoo.in.th
johnlehardos n00b
Joined: 16 Mar 2005  Posts: 29
Posted: Fri Mar 18, 2005 9:03 am
thanx for the reply, but I have solved my problem.
The prefs are not set because they are automatically assigned default values.
The problem was that I hadn't set the balancing default route in the main table:
ip route add default equalize nexthop via 195.68.69.153 dev eth0 nexthop via 193.253.160.3
thanx
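The whole thread turns on how the kernel walks `ip rule` entries and falls through from one table to the next, so here is a small model of that lookup loaded with the configuration posted above. This is an added example, not the poster's script or anything from iproute2: the addresses, devices, marks and table names are taken from the thread, the external address 216.58.209.3 and the extra `https` rule are constructed for illustration, and the lookup logic is a simplified rendering of the kernel's rule walk (priority order, first table with a longest-prefix match wins, a table with no matching route falls through to the next rule). It also models the automatic `pref` assignment the last post mentions and the main-table default route that the final fix added.

```python
"""Toy model of Linux policy routing (ip rule + per-table ip route) loaded
with the two-ISP configuration from this thread.  Added example, not the
poster's script: addresses, devices, marks and table names come from the
thread; the lookup logic is a simplified model of the kernel's behaviour."""
import ipaddress

# A route is (prefix, gateway or None for directly connected, device).
def route(prefix, dev, via=None):
    return (ipaddress.ip_network(prefix), via, dev)

# Per-table routes as entered in the original post.  The main table
# deliberately has no default route: that is the state before the fix.
TABLES = {
    "main": [route("195.68.69.153/32", "eth0"),
             route("193.253.160.3/32", "ppp0"),
             route("192.168.1.0/24", "eth1")],
    "pop":  [route("193.253.160.3/32", "ppp0"),
             route("192.168.1.0/24", "eth1"),
             route("0.0.0.0/0", "ppp0", via="193.253.160.3")],
    "smtp": [route("195.68.69.153/32", "eth0"),
             route("192.168.1.0/24", "eth1"),
             route("0.0.0.0/0", "eth0", via="195.68.69.153")],
}

# Rules as (pref, fwmark or None, table).  The pref-0 local rule is omitted;
# 32766 main and 32767 default are the two rules every system starts with.
RULES = [(32766, None, "main"), (32767, None, "default")]

def add_rule(fwmark, table, pref=None):
    """Mirror `ip rule add [pref N] fwmark M table T`.  Without pref the
    kernel assigns one less than the lowest existing non-zero priority,
    which is why the posted rules ended up ordered fine without explicit prefs."""
    if pref is None:
        pref = min(p for p, _, _ in RULES if p > 0) - 1
    RULES.append((pref, fwmark, table))
    return pref

def add_route(table, prefix, dev, via=None):
    """Mirror `ip route add PREFIX [via GW] dev DEV table T`."""
    TABLES.setdefault(table, []).append(route(prefix, dev, via))

def lookup(dst, mark=None):
    """Walk rules in priority order; return the first longest-prefix match.
    A table with no route for dst does not stop the search: the kernel
    falls through to the next rule, so a marked packet can still end up in
    main if its dedicated table is missing a route for that destination."""
    d = ipaddress.ip_address(dst)
    for pref, fwmark, table in sorted(RULES, key=lambda r: r[0]):
        if fwmark is not None and fwmark != mark:
            continue
        best = None
        for prefix, via, dev in TABLES.get(table, []):
            if d in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, via, dev)
        if best is not None:
            return {"table": table, "via": best[1], "dev": best[2], "pref": pref}
    return None  # no rule produced a route: the kernel reports "Network is unreachable"

def mark_for_dport(dport):
    """The mangle PREROUTING rules from the thread: dport 25 -> mark 25, 110 -> mark 110."""
    return {25: 25, 110: 110}.get(dport)

# Replay the thread's two `ip rule add` lines (no explicit pref, as posted).
add_rule(25, "smtp")
add_rule(110, "pop")

if __name__ == "__main__":
    EXT = "216.58.209.3"  # constructed external address standing in for a mail server
    for dport in (25, 110, 80):
        print("dport", dport, "->", lookup(EXT, mark_for_dport(dport)))
    # The fix from the last post: a default route in main (modelled here as a
    # single nexthop; the posted command used a multipath/equalize default).
    add_route("main", "0.0.0.0/0", "eth0", via="195.68.69.153")
    print("dport 80 after fix ->", lookup(EXT, mark_for_dport(80)))
    # Fall-through: a mark whose table has no routes lands in main.
    add_rule(443, "https")
    print("mark 443, empty table ->", lookup(EXT, 443))
```

Running it shows port 25 traffic resolving in `smtp` via eth0, port 110 in `pop` via ppp0, and unmarked traffic resolving nowhere until the main table gets its default route, which matches the symptom and the fix described in the thread. On a real box the same questions are answered by `ip rule show` (which prints marks in hex, so mark 25 appears as `fwmark 0x19`), `ip route show table pop` / `table smtp`, and `ip route get 216.58.209.3 mark 25 from 192.168.1.213 iif eth1`, which reports the table and device the kernel actually picks for a marked, forwarded packet.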