Gentoo Router - Interface Bonding & IPTables?

Crimjob · Tux's lil' helper Joined: 04 Dec 2006 Posts: 111

Hello again all,

I recently wanted to give interface bonding a go and I seem to be having some issues. I have a current set of firewall rules with iptables set up to act as a router, with LAN as ETH1 and WAN as ETH0. This works fine when I only have the two interfaces.

I was thinking it would be simple enough, comment out individual interfaces, set up bonding, start the bonded interface, change iptable rules to suit, but apparently I was wrong.

I was able to comment out individual interfaces, set up and start bonding, at which point I'm still able to access the server no problem, but since iptables isn't running, no internet for my LAN.

This is where it seems to get tricky. I only have 4 mentions of eth1 in my iptables setup, and I changed all of those to bond0, loaded iptables, and I stay connected to SSH, can still browse the server locally etc., but still no internet for my LAN. I even tried allowing bond0, eth1, eth2 in iptables but no change.+

I really don't understand what I'm doing wrong here, it seems fairly straight forward. Is there something specific to be done to the bonded interface? Or something specific within iptables?

my /etc/conf.d/net

richard.scott · Posted: Mon Jan 24, 2011 4:31 pm Post subject:

I don't think you've set a default gateway for bond0

Crimjob · Tux's lil' helper Joined: 04 Dec 2006 Posts: 111

Don't have one set for eth1 unbonded either and it's working fine?

My WAN interface is currently dynamic IP, not sure what I'd put for route.

Rest of my conf.d/net

Hu · Administrator Joined: 06 Mar 2007 Posts: 23193

It appears your nat rules are all duplicated. Additionally, you could combine many of your rules into simpler ones by using the ability to match a range of contiguous ports and the ability to omit a destination port on the DNAT target, thereby preserving the original destination port.

Your rule THRU is written as though it were to permit traffic which you are NATing, but you attached it to INPUT instead of FORWARD. Additionally, many of the THRU rules could benefit from consolidation via use of contiguous ports.

Crimjob · Tux's lil' helper Joined: 04 Dec 2006 Posts: 111

Yeah my rules are a bit of a hack job, and they may have been duplicated during a network outage in attempt of a speedy recovery. I am also not overly knowledgeable with IPTables, as I have not found a solid resource which accomplishes what I want to do for an example to work off of, and as such, this is pretty much a combination of the many tutorials I've found on the net.

I should be able to consolidate them, but I'm a bit confused on your other notes, as well as the fact that this current config works with eth1 but not bond0.

Would I just change

Hu · Administrator Joined: 06 Mar 2007 Posts: 23193

Yes, to both of your questions.

Crimjob · Tux's lil' helper Joined: 04 Dec 2006 Posts: 111

Thank you sir! That definitely helped, quite a bit of browsing laggyness disappeared with that forward change.

I'll see what I can do for consolidation / cleaning up to make it a bit more clear, then I'll try to re-visit interface bonding.
_________________
"Who are you to judge the life I live? I know I'm not perfect and I don't live to be, but before you start pointing fingers... make sure your hands are clean." ~Bob Marley