On 05/27/2013 02:53 PM, Nick Khamis wrote:
> And who says you can't teach an old man new tricks huh geezer ;)?
> Thank you so much for your response!!! That sorts out outgoing
> traffic, have you had to set up rules for incoming traffic? I mean
> from the outside world to a server for example?
>
> Kind Regards,
>
> Nick.
In this instance for me there is no need for incoming NAT;
however, all you need in the mangle table is, for each incoming connection:

# iptables -t mangle -I redirection 2 -i eth1 -j WAN1

to ensure that packet marking happens for incoming packets too, but
after the RELATED connections are marked.
In my example of 2 connections on each interface it gets messy and so I
would suggest doing this for only one Internet connection per interface --
otherwise the return packets will be forced out one direction resulting
in TCP handshakes failing.

Once you are flagging incoming packets, then normal iptables NAT rules
can be used. If you have e.g.

iptables -t nat -I PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.69

then this would apply for *all* external IP addresses.

In this instance you could have DNS like this:

webserver1.domain.tld   A   externalIP-WAN1
                        A   externalIP-WAN2

That would then allow you to have some resiliency if you were hosting
a web server behind two ADSL connections and wanted to ensure a level of
load balancing / robustness.

Alternatively you can have

iptables -t nat -I PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.69
iptables -t nat -I PREROUTING -i eth3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.70

which would allow you to have a different web server on each ADSL
connection.

Hope this helps,

PS one thing I've just remembered is to be wary of
/proc/sys/net/ipv4/conf/<interfaces>/rp_filter
as the way it detects reverse paths seemingly is to ignore everything above

/etc/sysctl.conf

net.ipv4.conf.default.rp_filter

rp_filter - BOOLEAN
    1 - do source validation by reversed path, as specified in RFC1812
        Recommended option for single homed hosts and stub network
        routers. Could cause troubles for complicated (not loop free)
        networks running a slow unreliable protocol (sort of RIP),
        or using static routes.

    0 - No source validation.
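The following script is an added example, not part of the mail above, that ties together the two inbound pieces the mail describes: the per-interface mangle marking and DNAT rules for a separate web server on each ADSL line, and the rp_filter caveat from the PS. It assumes the custom mangle chains `redirection`, `WAN1` and `WAN2` (WAN2 is a hypothetical second mark chain), and a rule at position 1 of `redirection` that restores marks on RELATED/ESTABLISHED traffic, already exist from the outgoing setup discussed earlier in the thread and not shown on this page. The interface names eth1/eth3 and the servers 10.0.0.69/10.0.0.70 are the mail's example values. For rp_filter it uses loose mode (value 2), which exists in kernels 2.6.31 and later and is not listed in the older kernel documentation quoted above; the kernel applies the larger of conf/all and conf/<iface>, so setting the WAN interfaces to 2 is enough even when conf/all is 1.

```shell
#!/bin/sh
# Dual-WAN inbound setup: mark incoming packets per WAN interface, DNAT port 80
# on each WAN to its own internal server, and relax strict reverse-path
# filtering on the WAN interfaces so replies are not dropped when the best
# route back to the client points out the other WAN.
#
# Added example; not the mail's own script. Set IPT=echo SYSCTL=echo to print
# the commands instead of applying them.

IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"

# Constructed table: "WAN interface  mark chain  internal web server".
# The mark chains WAN1/WAN2 and the parent chain "redirection" are assumed to
# exist from the outgoing-traffic setup (WAN2 is hypothetical).
WAN_TABLE="eth1 WAN1 10.0.0.69
eth3 WAN2 10.0.0.70"

# Insert the per-interface jump at position 2 of the "redirection" chain so it
# runs after rule 1, which (assumption) restores marks for RELATED/ESTABLISHED
# connections, exactly as the mail describes.
mark_incoming() {
  iface=$1; chain=$2
  "$IPT" -t mangle -I redirection 2 -i "$iface" -j "$chain"
}

# DNAT port 80 arriving on one WAN interface only, so each ADSL line can front
# a different server (the mail's second variant).
dnat_http() {
  iface=$1; server=$2
  "$IPT" -t nat -I PREROUTING -i "$iface" -p tcp -m tcp --dport 80 \
    -j DNAT --to-destination "$server"
}

# rp_filter=1 (strict, RFC 1812) discards a packet if the reply would leave via
# a different interface than it arrived on, which is exactly the multi-WAN case.
# Loose mode (2) only requires that some route to the source exists. The kernel
# uses max(conf/all, conf/<iface>), so a per-interface 2 overrides all=1.
relax_rp_filter() {
  iface=$1
  "$SYSCTL" -w "net.ipv4.conf.$iface.rp_filter=2"
}

# Apply all three steps for every WAN line in WAN_TABLE.
apply_dual_wan() {
  printf '%s\n' "$WAN_TABLE" | while read -r iface chain server; do
    [ -n "$iface" ] || continue
    mark_incoming "$iface" "$chain"
    dnat_http "$iface" "$server"
    relax_rp_filter "$iface"
  done
}

# Only touch the live system when explicitly asked:
#   DUAL_WAN_APPLY=1 sh dual-wan.sh               (apply as root)
#   IPT=echo SYSCTL=echo DUAL_WAN_APPLY=1 sh dual-wan.sh   (dry run)
if [ "${DUAL_WAN_APPLY:-0}" = 1 ]; then
  apply_dual_wan
fi
```

Run it with `IPT=echo SYSCTL=echo` first and compare the printed rules against `iptables -t mangle -L redirection --line-numbers` on the box, since `-I redirection 2` only does what the mail intends if the RELATED/ESTABLISHED restore-mark rule really sits at position 1.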