| 1 |
On 05/27/2013 02:53 PM, Nick Khamis wrote: |
| 2 |
> And who says you can't teach an old man new tricks huh geezer ;)? |
| 3 |
> Thank you so much for your response!!! That sorts out outgoing |
| 4 |
> traffic, have you had to setup rules for incoming traffic? I mean |
| 5 |
> from the outside world to a server for example? |
| 6 |
> |
| 7 |
> Kind Regards, |
| 8 |
> |
| 9 |
> Nick. |
| 10 |
in this instance for me there is no need for incoming NAT |
| 11 |
however, all you need in the mangle table is for each incoming connection: |
| 12 |
# iptables -t mangle -I redirection 2 -i eth1 -j WAN1 |
| 13 |
to ensure that packet marking happens for incoming packets too, but |
| 14 |
after the RELATED connections are marked. |
| 15 |
in my example of 2 connections on each interface it gets messy and so I |
| 16 |
would suggest doing this for only one Internet connect per interface -- |
| 17 |
otherwise the return packets will be forced out one direction resulting |
| 18 |
in TCP handshakes failing. |
| 19 |
|
| 20 |
once you are flagging incoming packets, then normal iptables NAT rules |
| 21 |
can be used, |
| 22 |
if you have e.g. |
| 23 |
iptables -t nat -I PREROUTING -p tcp -m tcp --dport 80 -j DNAT |
| 24 |
--to-destination 10.0.0.69 |
| 25 |
then this would apply for *all* external IP addresses. |
| 26 |
|
| 27 |
in this instance you could have DNS like this |
| 28 |
webserver1.domain.tld A externalIP-WAN1 |
| 29 |
A externalIP-WAN2 |
| 30 |
that would then allow you to to have some resiliency if you were hosting |
| 31 |
a web server behind two adsl connections and wanted to ensure a level of |
| 32 |
load balancing / robustness |
| 33 |
|
| 34 |
|
| 35 |
altenatively you can have |
| 36 |
iptables -t nat -I PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT |
| 37 |
--to-destination 10.0.0.69 |
| 38 |
iptables -t nat -I PREROUTING -i eth3 -p tcp -m tcp --dport 80 -j DNAT |
| 39 |
--to-destination 10.0.0.70 |
| 40 |
|
| 41 |
which would allow you to have a different web server on each adsl |
| 42 |
connection. |
| 43 |
|
| 44 |
hope this helps, |
| 45 |
|
| 46 |
|
| 47 |
PS one thing i've just remembered is to be wary of |
| 48 |
/proc/sys/net/ipv4/conf/<interfaces>/rp_filter |
| 49 |
as the way it detects reverse paths seemingly is to ignore everything above |
| 50 |
|
| 51 |
/etc/sysctl.conf |
| 52 |
|
| 53 |
net.ipv4.conf.default.rp_filter |
| 54 |
|
| 55 |
rp_filter - BOOLEAN |
| 56 |
1 - do source validation by reversed path, as specified in RFC1812 |
| 57 |
Recommended option for single homed hosts and stub network |
| 58 |
routers. Could cause troubles for complicated (not loop free) |
| 59 |
networks running a slow unreliable protocol (sort of RIP), |
| 60 |
or using static routes. |
| 61 |
|
| 62 |
0 - No source validation. |
Archives