Gentoo Forums
Internet Routing problem [SOLVED]
Forum: Networking & Security
Dreadfull2007 (n00b; Joined: 28 Feb 2007; Posts: 54)
Posted: Fri May 16, 2008 6:13 am    Post subject: Internet Routing problem [SOLVED]

Hi all, i checked many topics but still couldn't make it work, here's my config:

ifconfig:
Code:

eth0      Link encap:Ethernet  HWaddr 00:50:BF:B2:C1:84
          inet addr:86.55.164.100  Bcast:86.55.164.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2698100 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6347497 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:213438385 (203.5 Mb)  TX bytes:614578657 (586.1 Mb)
          Interrupt:9 Base address:0x2400

eth1      Link encap:Ethernet  HWaddr 00:50:BF:B8:07:BA
          inet addr:81.181.157.98  Bcast:81.181.157.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2688190 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36990 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:210334901 (200.5 Mb)  TX bytes:3867527 (3.6 Mb)
          Interrupt:10 Base address:0x4800

eth2      Link encap:Ethernet  HWaddr 00:50:BF:B8:07:6D
          inet addr:192.168.192.1  Bcast:192.168.192.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5203914 errors:0 dropped:0 overruns:0 frame:0
          TX packets:39574 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:428929236 (409.0 Mb)  TX bytes:2122514 (2.0 Mb)
          Interrupt:11 Base address:0x6c00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:204682 errors:0 dropped:0 overruns:0 frame:0
          TX packets:204682 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:27402793 (26.1 Mb)  TX bytes:27402793 (26.1 Mb)


ip addr show:
Code:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 3a:d4:22:09:1a:c1 brd ff:ff:ff:ff:ff:ff
3: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop qlen 32
    link/ether 2e:6c:fe:ad:bd:f4 brd ff:ff:ff:ff:ff:ff
4: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop qlen 32
    link/ether 06:f9:6e:a5:f0:f3 brd ff:ff:ff:ff:ff:ff
5: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:bf:b2:c1:84 brd ff:ff:ff:ff:ff:ff
    inet 86.55.164.100/24 brd 86.55.164.255 scope global eth0
    inet 86.55.164.101/24 brd 86.55.164.255 scope global secondary eth0
    inet 86.55.164.102/24 brd 86.55.164.255 scope global secondary eth0
    inet 86.55.164.103/24 brd 86.55.164.255 scope global secondary eth0
    inet 86.55.164.104/24 brd 86.55.164.255 scope global secondary eth0
    inet 86.55.164.105/24 brd 86.55.164.255 scope global secondary eth0
6: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:bf:b8:07:ba brd ff:ff:ff:ff:ff:ff
    inet 81.181.157.98/24 brd 81.181.157.255 scope global eth1
    inet 81.181.157.99/24 brd 81.181.157.255 scope global secondary eth1
7: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:bf:b8:07:6d brd ff:ff:ff:ff:ff:ff
    inet 192.168.192.1/24 brd 192.168.192.255 scope global eth2
    inet 192.168.192.2/24 brd 192.168.192.255 scope global secondary eth2
8: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
    link/void
9: tunl0: <NOARP> mtu 1480 qdisc noop
    link/ipip 0.0.0.0 brd 0.0.0.0
10: gre0: <NOARP> mtu 1476 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0

iptables -L:
Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain ICMP (0 references)
target     prot opt source               destination

Chain TCP (0 references)
target     prot opt source               destination

Chain UDP (0 references)
target     prot opt source               destination

(removed old rules till i make it work)

iptables -t nat -L:
Code:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

(tried with SNAT/DNAT too)

ip rule:
Code:

0:      from all lookup local
32672:  from 81.181.157.99 lookup rds
32673:  from 81.181.157.98 lookup rds
32674:  from 86.55.164.105 lookup evolva
32675:  from 86.55.164.104 lookup evolva
32677:  from 86.55.164.102 lookup evolva
32678:  from 86.55.164.101 lookup evolva
32679:  from 86.55.164.100 lookup evolva
32766:  from all lookup main
32767:  from all lookup default


ip route:
Code:

192.168.192.3 dev eth0  scope link  src 86.55.164.103
192.168.192.0/24 dev eth2  scope link  src 192.168.192.1
81.181.157.0/24 dev eth1  proto kernel  scope link  src 81.181.157.98
86.55.164.0/24 dev eth0  proto kernel  scope link  src 86.55.164.100
127.0.0.0/8 dev lo  scope link
default via 86.55.164.1 dev eth0


results: pinging works, web/other don't
tcpdump output when trying to surf on web:
Code:

13:34:18.963114 IP 86.55.164.103.4947 > www.yahoo.com.http: S 3191559746:3191559746(0) win 32767 <mss 1460,nop,wscale 0,nop,nop,sackOK>
13:34:21.912616 IP 86.55.164.103.4947 > www.yahoo.com.http: S 3191559746:3191559746(0) win 32767 <mss 1460,nop,wscale 0,nop,nop,sackOK>


by removing 192.168.192.3 dev eth0 scope link src 86.55.164.103 nothing changes except in traceroute (from windows) instead of 86.55.164.103 i get 192.168.192.3 (my lan ip)

my scheme:
eth0 - isp1 (gw 86.55.164.1)
eth1 - isp2 (gw 81.181.157.98)
eth2 - lan (192.168.192.1, 192.168.192.2)

actually all 3 nics are connected to the same switch (isp's are from lan too)
i'm trying to route 192.168.192.3 (myself) through 86.55.164.103, 192.168.192.4 by 86.55.164.104 and so on
i did read on tldp.org / netfilter.org / lartc.org .. (weird .. still nothing)

Q1: Do i need to add any ip's to a 3rd table for eth2 ? (already tried)
Q2: Could it be a problem because i have two isp's ? (even if i'm currently using only one, eth1 isn't used right now)

This is what i tried for SNAT/DNAT:

iptables -t nat -A POSTROUTING -s 192.168.192.3 -j SNAT --to 86.55.164.103
iptables -t nat -A PREROUTING -d 86.55.164.103 -j DNAT --to 192.168.192.3
(with MASQUERADE rule removed and FORWARD rule still set to ACCEPT everything on any iface)
thanks in advance

P.S: I have everything built-in into the kernel (NAT/etc) and:
/proc/sys/net/ipv4/ip_forward - 1
/proc/sys/net/ipv4/tcp_syncookies - 1
/proc/sys/net/ipv4/conf/*/rp_filter - 1
/proc/sys/net/ipv4/conf/*/accept_source_route - 1
/proc/sys/net/ipv4/conf/*/forwarding - 1
/proc/sys/net/ipv4/conf/*/mc_forwarding - 1
CONFIG_IP_MULTIPLE_TABLES - 1 (for source routing)


Later Edit:

Tried the "easiest" way possible ... still it's a "NO", still being able to ping *only*

ip route:
Code:

81.181.157.0/24 dev eth1  proto kernel  scope link  src 81.181.157.98
86.55.164.0/24 dev eth0  proto kernel  scope link  src 86.55.164.100
127.0.0.0/8 dev lo  scope link
default via 86.55.164.1 dev eth0


ip rule:
Code:

0:      from all lookup local
32764:  from 81.181.157.0/24 lookup rds
32765:  from 86.55.164.0/24 lookup evolva
32766:  from all lookup main
32767:  from all lookup default


iptables -L:
Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


iptables -t nat -L:
Code:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


ip route show table evolva:
Code:

86.55.164.0/24 dev eth0  scope link  src 86.55.164.100
default via 86.55.164.1 dev eth0


ip route show table rds:
Code:

81.181.157.0/24 dev eth1  scope link  src 81.181.157.98
default via 81.181.157.1 dev eth1


Last edited by Dreadfull2007 on Mon May 19, 2008 11:08 pm; edited 1 time in total
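The capture in this post shows the same SYN (identical sequence number) leaving twice with nothing coming back, while ICMP echo works. The script below is an added example, not part of the thread: it parses the classic tcpdump line format shown above, pairs SYN and SYN-ACK legs per flow, and lists handshakes that never got an answer, which separates "TCP is being dropped somewhere on the forward or return path" from "the link is down". The sample input reuses the two lines from the post plus a constructed healthy handshake to 198.51.100.7 (a TEST-NET-2 address) for contrast.

```python
"""Flag TCP handshakes that never complete in classic tcpdump output.  Added example,
not from the thread: the first two sample lines are the poster's own capture (one SYN,
then the same SYN retransmitted three seconds later, nothing back); the third and
fourth lines are a constructed healthy handshake for contrast."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Classic tcpdump format, as printed in the thread:
# "<time> IP <host.port> > <host.port>: <flags> <seq>:<seq>(<len>) [ack N] win ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[A-Z.]+) "
                     r"(?:(?P<seq>\d+):\d+\(\d+\))?(?P<rest>.*)$")

SAMPLE = """
13:34:18.963114 IP 86.55.164.103.4947 > www.yahoo.com.http: S 3191559746:3191559746(0) win 32767 <mss 1460,nop,wscale 0,nop,nop,sackOK>
13:34:21.912616 IP 86.55.164.103.4947 > www.yahoo.com.http: S 3191559746:3191559746(0) win 32767 <mss 1460,nop,wscale 0,nop,nop,sackOK>
13:34:25.000000 IP 86.55.164.103.4950 > 198.51.100.7.http: S 100:100(0) win 32767 <mss 1460>
13:34:25.020000 IP 198.51.100.7.http > 86.55.164.103.4950: S 900:900(0) ack 101 win 5840 <mss 1460>
""".strip().splitlines()


def endpoint(ep: str) -> Tuple[str, str]:
    host, port = ep.rsplit(".", 1)          # "www.yahoo.com.http" -> ("www.yahoo.com", "http")
    return host, port


def handshake_state(lines: List[str]) -> Dict[tuple, dict]:
    """Per (client, cport, server, sport): SYNs sent, distinct ISNs, whether a SYN-ACK came back."""
    flows = defaultdict(lambda: {"syn": 0, "isns": set(), "synack": False, "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["flags"].startswith("S"):
            continue                        # only the SYN / SYN-ACK legs matter here
        src, dst = endpoint(m["src"]), endpoint(m["dst"])
        if " ack " in m["rest"]:            # SYN-ACK: server side, so the key is reversed
            flows[dst + src]["synack"] = True
        else:                               # plain SYN from the client
            f = flows[src + dst]
            f["syn"] += 1
            f["isns"].add(m["seq"])         # same ISN twice == retransmitted SYN
            f["first"] = f["first"] or m["ts"]
            f["last"] = m["ts"]
    return flows


def stalled_handshakes(lines: List[str]) -> List[dict]:
    """Flows that sent SYNs and never saw a SYN-ACK, with the retransmit count."""
    out = []
    for (chost, cport, shost, sport), f in handshake_state(lines).items():
        if f["syn"] and not f["synack"]:
            out.append({"client": f"{chost}:{cport}", "server": f"{shost}:{sport}",
                        "syn_sent": f["syn"], "retransmits": f["syn"] - len(f["isns"]),
                        "first": f["first"], "last": f["last"]})
    return out


if __name__ == "__main__":
    for s in stalled_handshakes(SAMPLE):
        print(f"{s['client']} -> {s['server']}: {s['syn_sent']} SYN(s), "
              f"{s['retransmits']} retransmit(s), no SYN-ACK between {s['first']} and {s['last']}")
```

Run against a longer capture taken on the router's LAN and WAN interfaces at the same time, the report tells you on which side the SYN stops: a SYN seen on eth2 but never on eth0 points at routing or the FORWARD chain on the router, a SYN that leaves eth0 with no SYN-ACK ever returning points at the return path (SNAT source, rp_filter, or the upstream).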
nativemad (Guru; Joined: 30 Aug 2004; Posts: 502; Location: Switzerland)
Posted: Fri May 16, 2008 2:58 pm

Hi

I have a slightly different situation... two times the same isp and two lans...
as i remember, you don't need to have a third table besides the main one... You only have to tell the internal interface to lookup the desired table! :wink:

ip route:
Code:

192.168.0.0/24 dev eth0  scope link
192.168.10.0/24 dev eth3  scope link
212.X.X.0/22 dev eth2  scope link  src 212.X.X.155  metric 20
212.X.X.0/22 dev eth1  scope link  src 212.X.X.215  metric 30
default via 212.X.X.1 dev eth2
default via 212.X.X.1 dev eth2  metric 1
default via 212.X.X.1 dev eth1  metric 2

ip rule:
Code:

0:      from all lookup local
32760:  from all fwmark 0x2 lookup T4
32761:  from all fwmark 0x1 lookup T1
32762:  from 192.168.10.0/24 lookup T4        <-------------------
32763:  from 192.168.0.0/24 lookup T1         <-------------------
32764:  from 212.X.X.155 lookup T4
32765:  from 212.X.X.215 lookup T1
32766:  from all lookup main
32767:  from all lookup default

ip route show table T1 (T4 looks similar for me...):
Code:

192.168.0.0/24 dev eth0  scope link
192.168.10.0/24 dev eth3  scope link
212.X.X.0/22 dev eth1  scope link  src 212.X.X.215
127.0.0.0/8 dev lo  scope link
default via 212.X.X.1 dev eth1

Hope this helps a bit... I know its hard! :wink:
_________________
Power to the people!
Dreadfull2007 (n00b; Joined: 28 Feb 2007; Posts: 54)
Posted: Fri May 16, 2008 11:29 pm

thanks, i'll try right now but what about iptables ? what are you using ? MASQUERADING or SNAT/DNAT ? what about the FORWARD rule (should it work if default policy is ACCEPT ?)

LE:

tried with these settings:

ip rule:
Code:

0:      from all lookup local
32749:  from 86.55.164.100 lookup evolva
32750:  from 81.181.157.99 lookup rds
32751:  from 81.181.157.98 lookup rds
32752:  from 86.55.164.105 lookup evolva
32753:  from 86.55.164.104 lookup evolva
32754:  from 86.55.164.103 lookup evolva
32755:  from 86.55.164.102 lookup evolva
32756:  from 86.55.164.101 lookup evolva
32766:  from all lookup main
32767:  from all lookup default


ip route:
Code:

192.168.192.0/24 dev eth2  scope link
81.181.157.0/24 dev eth1  proto kernel  scope link  src 81.181.157.98
86.55.164.0/24 dev eth0  scope link  src 86.55.164.100
127.0.0.0/8 dev lo  scope link
default via 86.55.164.1 dev eth0


ip route show table evolva:
Code:

192.168.192.0/24 dev eth2  scope link
86.55.164.0/24 dev eth0  scope link  src 86.55.164.100
127.0.0.0/8 dev lo  scope link
default via 86.55.164.1 dev eth0


Code:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere


Code:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


same result: pinging works, but that's it, tracert from win shows me -> 192.168.192.1 -> 86.55.164.1 (isp gw) -> etc (works)

- without MASQUERADE pinging doesn't work either

i feel i'm close but .. still stuck :(
nativemad (Guru; Joined: 30 Aug 2004; Posts: 502; Location: Switzerland)
Posted: Sat May 17, 2008 12:33 am

I don't have any fixed ips... so it's a bit different (at least the beginning...)! I use something like this for setting all up (i've cut out some pieces... :wink: )

Code:

#!/bin/bash
IPETH0=(`ifconfig eth0 | grep inet | cut -d ":" -f 2 | cut -d " " -f 1`)
IPETH1=(`ifconfig eth1 | grep inet | cut -d ":" -f 2 | cut -d " " -f 1`)
IPETH2=(`ifconfig eth2 | grep inet | cut -d ":" -f 2 | cut -d " " -f 1`)
IPETH3=(`ifconfig eth3 | grep inet | cut -d ":" -f 2 | cut -d " " -f 1`)
IPNET0="192.168.0.0/24"
IPNET1="192.168.10.0/24"
IPRANET="212.X.X.0/22"
RAGATE="212.X.X.1"
IFINT0="eth0"
IFINT1="eth3"
IFEXT0="eth1"
IFEXT1="eth2"
PRIVATE="192.168.0.0/16"
LOOP=127.0.0.1

ip route flush table T1
ip route flush table T4
ip route flush table main

ip route add $IPNET0 dev $IFINT0
ip route add $IPRANET dev $IFEXT0 src $IPETH1 table T1
ip route add $IPRANET dev $IFEXT0 src $IPETH1 prio 30
ip route add default via $RAGATE dev $IFEXT0 table T1
ip rule add from $IPETH1 table T1
ip route add $IPNET0 dev $IFINT0 table T1
ip route add $IPNET1 dev $IFINT1 table T1
ip route add 127.0.0.0/8 dev lo table T1

ip route add $IPNET1 dev $IFINT1
ip route add $IPRANET dev $IFEXT1 src $IPETH2 table T4
ip route add $IPRANET dev $IFEXT1 src $IPETH2 prio 20
ip route add default via $RAGATE dev $IFEXT1 table T4
ip rule add from $IPETH2 table T4
ip route add $IPNET1 dev $IFINT1 table T4
ip route add $IPNET0 dev $IFINT0 table T4
ip route add 127.0.0.0/8 dev lo table T4

ip rule add from $IPNET0 table T1
ip rule add from $IPNET1 table T4
ip route add default via $RAGATE dev $IFEXT0 table main prio 20
ip route add default via $RAGATE dev $IFEXT1 table main prio 10

ip route add default via $RAGATE

iptables --flush
iptables -t nat --flush

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F

iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -A PREROUTING -t mangle -i $IFINT0 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -i $IFINT1 -j MARK --set-mark 2
iptables -A PREROUTING -t mangle -i $IFEXT0 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -i $IFEXT1 -j MARK --set-mark 2
ip rule add from all fwmark 1 table T1
ip rule add from all fwmark 2 table T4

iptables -A INPUT -i $IFEXT0 -s $LOOP -j DROP
iptables -A FORWARD -i $IFEXT0 -s $LOOP -j DROP
iptables -A INPUT -i $IFEXT0 -d $LOOP -j DROP
iptables -A FORWARD -i $IFEXT0 -d $LOOP -j DROP
iptables -A INPUT -i $IFEXT1 -s $LOOP -j DROP
iptables -A FORWARD -i $IFEXT1 -s $LOOP -j DROP
iptables -A INPUT -i $IFEXT1 -d $LOOP -j DROP
iptables -A FORWARD -i $IFEXT1 -d $LOOP -j DROP

iptables -A FORWARD -i $IFEXT0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i $IFEXT0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i $IFEXT0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $IFEXT0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i $IFEXT0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $IFEXT0 -s 10.0.0.0/8 -j DROP

iptables -A FORWARD -i $IFEXT1 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i $IFEXT1 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i $IFEXT1 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $IFEXT1 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i $IFEXT1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $IFEXT1 -s 10.0.0.0/8 -j DROP

iptables -A FORWARD -s ! 192.168.0.0/16 -i $IFINT0 -j DROP
iptables -A FORWARD -s ! 192.168.0.0/16 -i $IFINT1 -j DROP

iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

iptables -A INPUT -i $IFINT1 -j ACCEPT
iptables -A FORWARD -i $IFINT1 -j ACCEPT
iptables -A INPUT -i $IFINT0 -j ACCEPT
iptables -A FORWARD -i $IFINT0 -j ACCEPT

iptables -A OUTPUT -m state --state NEW -o $IFEXT0 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -o $IFEXT1 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o $IFEXT0 -j ACCEPT
iptables -A FORWARD -m state --state NEW -o $IFEXT1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -s $IPNET0 -o $IFEXT0 -j SNAT --to $IPETH1
iptables -t nat -A POSTROUTING -s $IPNET1 -o $IFEXT1 -j SNAT --to $IPETH2

as you see, i use SNAT. :wink:
I still miss the ip route for your internal interface...
_________________
Power to the people!
Dreadfull2007 (n00b; Joined: 28 Feb 2007; Posts: 54)
Posted: Sat May 17, 2008 1:21 am

erm ... ok ... modified that script so it suits my needs, tell me if i went wrong somewhere (i don't think :|)

Code:

#!/bin/bash
IPETH0=(`ifconfig eth0 | grep inet | cut -d ":" -f 2 | cut -d " " -f 1`)
IPETH1=(`ifconfig eth1 | grep inet | cut -d ":" -f 2 | cut -d " " -f 1`)
IPETH2=(`ifconfig eth2 | grep inet | cut -d ":" -f 2 | cut -d " " -f 1`)
IPNET0="192.168.192.0/24"
IPRANET0="86.55.164.0/24"
IPRANET1="81.181.157.0/24"
RAGATE0="86.55.164.1"
RAGATE1="81.181.157.1"
IFINT0="eth2"
IFEXT0="eth0"
IFEXT1="eth1"
PRIVATE="192.168.192.0/24"
LOOP=127.0.0.1

ip route flush table evolva
ip route flush table rds
ip route flush table main

ip route add $IPNET0 dev $IFINT0
ip route add $IPRANET0 dev $IFEXT0 src $IPETH0 table evolva
ip route add $IPRANET0 dev $IFEXT0 src $IPETH0 prio 30
ip route add default via $RAGATE0 dev $IFEXT0 table evolva
ip rule add from $IPETH0 table evolva
ip route add $IPNET0 dev $IFINT0 table evolva
ip route add 127.0.0.0/8 dev lo table evolva

ip route add $IPRANET1 dev $IFEXT1 src $IPETH1 table rds
ip route add $IPRANET1 dev $IFEXT1 src $IPETH1 prio 20
ip route add default via $RAGATE1 dev $IFEXT1 table rds
ip rule add from $IPETH1 table rds
ip route add $IPNET0 dev $IFINT0 table rds
ip route add 127.0.0.0/8 dev lo table rds

ip rule add from $IPNET0 table evolva
ip route add default via $RAGATE0 dev $IFEXT0 table main prio 20
ip route add default via $RAGATE1 dev $IFEXT1 table main prio 10

ip route add default via $RAGATE0

iptables --flush
iptables -t nat --flush

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F

iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -A PREROUTING -t mangle -i $IFINT0 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -i $IFEXT0 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -i $IFEXT1 -j MARK --set-mark 2
ip rule add from all fwmark 1 table evolva
ip rule add from all fwmark 2 table rds

iptables -A INPUT -i $IFEXT0 -s $LOOP -j DROP
iptables -A FORWARD -i $IFEXT0 -s $LOOP -j DROP
iptables -A INPUT -i $IFEXT0 -d $LOOP -j DROP
iptables -A FORWARD -i $IFEXT0 -d $LOOP -j DROP
iptables -A INPUT -i $IFEXT1 -s $LOOP -j DROP
iptables -A FORWARD -i $IFEXT1 -s $LOOP -j DROP
iptables -A INPUT -i $IFEXT1 -d $LOOP -j DROP
iptables -A FORWARD -i $IFEXT1 -d $LOOP -j DROP

iptables -A FORWARD -i $IFEXT0 -s 192.168.192.0/24 -j DROP
iptables -A FORWARD -i $IFEXT0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i $IFEXT0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $IFEXT0 -s 192.168.192.0/24 -j DROP
iptables -A INPUT -i $IFEXT0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $IFEXT0 -s 10.0.0.0/8 -j DROP

iptables -A FORWARD -i $IFEXT1 -s 192.168.192.0/24 -j DROP
iptables -A FORWARD -i $IFEXT1 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i $IFEXT1 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $IFEXT1 -s 192.168.192.0/24 -j DROP
iptables -A INPUT -i $IFEXT1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $IFEXT1 -s 10.0.0.0/8 -j DROP

iptables -A FORWARD -s ! 192.168.192.0/24 -i $IFINT0 -j DROP

iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

iptables -A INPUT -i $IFINT0 -j ACCEPT
iptables -A FORWARD -i $IFINT0 -j ACCEPT

iptables -A OUTPUT -m state --state NEW -o $IFEXT0 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -o $IFEXT1 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o $IFEXT0 -j ACCEPT
iptables -A FORWARD -m state --state NEW -o $IFEXT1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -t nat -A POSTROUTING -s $IPNET0 -o $IFEXT0 -j SNAT --to $IPETH0


which gave me:

ip route:
Code:

192.168.192.0/24 dev eth2  scope link
81.181.157.0/24 dev eth1  scope link  src 81.181.157.98  metric 20
86.55.164.0/24 dev eth0  scope link  src 86.55.164.100  metric 30
default via 86.55.164.1 dev eth0
default via 81.181.157.1 dev eth1  metric 10
default via 86.55.164.1 dev eth0  metric 20


ip route show table evolva:
Code:

192.168.192.0/24 dev eth2  scope link
86.55.164.0/24 dev eth0  scope link  src 86.55.164.100
127.0.0.0/8 dev lo  scope link
default via 86.55.164.1 dev eth0


ip route show table rds:
Code:

192.168.192.0/24 dev eth2  scope link
81.181.157.0/24 dev eth1  scope link  src 81.181.157.98
127.0.0.0/8 dev lo  scope link
default via 81.181.157.1 dev eth1


ip rule:
Code:

0:      from all lookup local
32761:  from all fwmark 0x2 lookup rds
32762:  from all fwmark 0x1 lookup evolva
32763:  from 192.168.192.0/24 lookup evolva
32764:  from 81.181.157.98 lookup rds
32765:  from 86.55.164.100 lookup evolva
32766:  from all lookup main
32767:  from all lookup default


iptables -L:
Code:

Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  localhost            anywhere
DROP       all  --  anywhere             localhost
DROP       all  --  localhost            anywhere
DROP       all  --  anywhere             localhost
DROP       all  --  192.168.192.0/24     anywhere
DROP       all  --  172.16.0.0/12        anywhere
DROP       all  --  10.0.0.0/8           anywhere
DROP       all  --  192.168.192.0/24     anywhere
DROP       all  --  172.16.0.0/12        anywhere
DROP       all  --  10.0.0.0/8           anywhere
ACCEPT     all  --  localhost            anywhere
ACCEPT     all  --  anywhere             localhost
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  localhost            anywhere
DROP       all  --  anywhere             localhost
DROP       all  --  localhost            anywhere
DROP       all  --  anywhere             localhost
DROP       all  --  192.168.192.0/24     anywhere
DROP       all  --  172.16.0.0/12        anywhere
DROP       all  --  10.0.0.0/8           anywhere
DROP       all  --  192.168.192.0/24     anywhere
DROP       all  --  172.16.0.0/12        anywhere
DROP       all  --  10.0.0.0/8           anywhere
DROP       all  -- !192.168.192.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     all  --  anywhere             anywhere            state NEW

Chain ICMP (0 references)
target     prot opt source               destination

Chain TCP (0 references)
target     prot opt source               destination

Chain UDP (0 references)
target     prot opt source               destination


iptables -t nat -L:
Code:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.192.0/24     anywhere            to:86.55.164.100

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


if i "monitor" SNAT i see packets/bytes when pinging (seeing with iptables -t nat -nvL)
Code:

Chain PREROUTING (policy ACCEPT 617K packets, 74M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 5627 packets, 928K bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   600 SNAT       all  --  *      eth0    192.168.192.0/24     0.0.0.0/0           to:86.55.164.100

same about FORWARD
Code:

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth0   *       127.0.0.1            0.0.0.0/0
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            127.0.0.1
    0     0 DROP       all  --  eth1   *       127.0.0.1            0.0.0.0/0
    0     0 DROP       all  --  eth1   *       0.0.0.0/0            127.0.0.1
    0     0 DROP       all  --  eth0   *       192.168.192.0/24     0.0.0.0/0
    0     0 DROP       all  --  eth0   *       172.16.0.0/12        0.0.0.0/0
    0     0 DROP       all  --  eth0   *       10.0.0.0/8           0.0.0.0/0
    0     0 DROP       all  --  eth1   *       192.168.192.0/24     0.0.0.0/0
    0     0 DROP       all  --  eth1   *       172.16.0.0/12        0.0.0.0/0
    0     0 DROP       all  --  eth1   *       10.0.0.0/8           0.0.0.0/0
    0     0 DROP       all  --  eth2   *      !192.168.192.0/24     0.0.0.0/0
   56  4002 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           state NEW
   28  2554 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

(both count for pings/http requests .. so maybe *any* requests .. i really don't get it where's the problem)


Later edit: i think i got it ! i hope there's not a typo or something in the script .. because on ISP #2 it works !
i just moved 192.168.192.0/24 from "lookup evolva" to the other one and changed the SNAT rule and it works (everything) .. weird .. either it's a route problem on my side or the ISP is blocking ports (how could he?) 'cause on the server everything works (both ISPs)

thanks for your help !
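The two replies above build policy routing by hand: a `from <lan subnet>` rule that points the internal network at one ISP's table, fwmark rules for packets marked in mangle PREROUTING, a per-ISP table with its own default gateway, and an SNAT rule whose address must belong to the interface the packet really leaves on. What follows is an added example, not code from nativemad or Dreadfull2007: a small Python model of the kernel lookup (rules walked by ascending priority, then longest prefix and lowest metric inside the chosen table) fed with the `ip rule` and `ip route show table` output printed in the post above. It answers, offline, which interface a LAN packet leaves on for each fwmark, whether a given SNAT address belongs to that interface, and a simplified strict rp_filter check (the first post's sysctl list has rp_filter set to 1 on every interface). One thing the rule list makes visible: the fwmark rules (32761, 32762) sit ahead of the from-subnet rule (32763), so for a packet marked in mangle PREROUTING the mark chooses the table, not the source subnet. 198.51.100.10 is a constructed TEST-NET-2 destination standing in for the internet; the interface address lists come from the first post's `ip addr show`.

```python
"""Policy-routing resolver for the `ip rule` / `ip route show table X` output used in
this thread.  Added example, not code from the thread: it models the kernel's rule walk
plus longest-prefix match so a multi-ISP setup can be checked offline before loading it."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network   # 0.0.0.0/0 for "default"
    dev: str
    via: Optional[str] = None       # next-hop gateway; None for on-link routes
    src: Optional[str] = None       # preferred source address, if any
    metric: int = 0                 # "metric N" in ip output; 0 when absent


@dataclass
class Rule:
    prio: int
    table: str
    src: Optional[ipaddress.IPv4Network] = None   # None means "from all"
    fwmark: Optional[int] = None                  # None means no fwmark selector


RULE_RE = re.compile(r"^(\d+):\s+from (\S+)(?:\s+fwmark (\S+))?\s+lookup (\S+)")


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule line: {line!r}")
    prio, src, mark, table = m.groups()
    return Rule(int(prio), table, None if src == "all" else ipaddress.ip_network(src, strict=False),
                int(mark, 0) if mark else None)


def parse_route(line: str) -> Route:
    # After the prefix, `ip route` prints key/value pairs (dev, via, src, metric, scope, ...).
    toks = line.split()
    prefix = ipaddress.ip_network("0.0.0.0/0" if toks[0] == "default" else toks[0], strict=False)
    kv = dict(zip(toks[1::2], toks[2::2]))
    return Route(prefix, kv["dev"], kv.get("via"), kv.get("src"), int(kv.get("metric", 0)))


def parse_table(text: str) -> List[Route]:
    return [parse_route(ln) for ln in text.strip().splitlines()]


def lookup(rules: List[Rule], tables: Dict[str, List[Route]], dst: str,
           src: Optional[str] = None, fwmark: Optional[int] = None) -> Optional[Tuple[str, Route]]:
    """Rules by ascending priority; first table with a match wins; longest prefix, then lowest metric."""
    dst_ip = ipaddress.ip_address(dst)
    src_ip = ipaddress.ip_address(src) if src else None
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.src is not None and (src_ip is None or src_ip not in rule.src):
            continue
        if rule.fwmark is not None and fwmark != rule.fwmark:
            continue
        hits = [r for r in tables.get(rule.table, []) if dst_ip in r.prefix]
        if hits:   # a table without a match (e.g. "local" here) falls through to the next rule
            return rule.table, max(hits, key=lambda r: (r.prefix.prefixlen, -r.metric))
    return None


def snat_matches_egress(route: Route, snat_to: str, iface_addrs: Dict[str, List[str]]) -> bool:
    """The SNAT address must belong to the interface the packet actually leaves on."""
    return snat_to in iface_addrs.get(route.dev, [])


def reverse_path_ok(rules, tables, src: str, dst: str, in_dev: str) -> bool:
    """Simplified strict rp_filter check: route back toward the source (addresses swapped,
    mark ignored) and require the answer to point at the interface the packet came in on."""
    hit = lookup(rules, tables, dst=src, src=dst)
    return hit is not None and hit[1].dev == in_dev


# Sample data copied from the thread: the `ip rule` and route tables printed after
# Dreadfull2007's script run, and the interface addresses from the first post.
RULES = [parse_rule(ln) for ln in """
0:      from all lookup local
32761:  from all fwmark 0x2 lookup rds
32762:  from all fwmark 0x1 lookup evolva
32763:  from 192.168.192.0/24 lookup evolva
32764:  from 81.181.157.98 lookup rds
32765:  from 86.55.164.100 lookup evolva
32766:  from all lookup main
""".strip().splitlines()]
TABLES = {
    "main": parse_table("""
192.168.192.0/24 dev eth2  scope link
81.181.157.0/24 dev eth1  scope link  src 81.181.157.98  metric 20
86.55.164.0/24 dev eth0  scope link  src 86.55.164.100  metric 30
default via 86.55.164.1 dev eth0
default via 81.181.157.1 dev eth1  metric 10
default via 86.55.164.1 dev eth0  metric 20"""),
    "evolva": parse_table("""
192.168.192.0/24 dev eth2  scope link
86.55.164.0/24 dev eth0  scope link  src 86.55.164.100
default via 86.55.164.1 dev eth0"""),
    "rds": parse_table("""
192.168.192.0/24 dev eth2  scope link
81.181.157.0/24 dev eth1  scope link  src 81.181.157.98
default via 81.181.157.1 dev eth1"""),
}
IFACE_ADDRS = {"eth0": [f"86.55.164.{i}" for i in range(100, 106)],
               "eth1": ["81.181.157.98", "81.181.157.99"],
               "eth2": ["192.168.192.1", "192.168.192.2"]}

if __name__ == "__main__":
    # 198.51.100.10 is a constructed TEST-NET-2 address standing in for "the internet".
    for mark in (None, 1, 2):
        table, route = lookup(RULES, TABLES, "198.51.100.10", src="192.168.192.3", fwmark=mark)
        print(f"LAN host, fwmark={mark}: table {table}, out {route.dev} via {route.via}, "
              f"SNAT to 86.55.164.100 valid: {snat_matches_egress(route, '86.55.164.100', IFACE_ADDRS)}")
```

Running the block prints the egress and SNAT verdict for a LAN host with no mark, mark 1 and mark 2; with mark 2 the packet leaves eth1, so an SNAT to 86.55.164.100 no longer matches its egress interface, which is the kind of mismatch to look for when ping works but nothing else does. The same `lookup` over the main table shows why nativemad's metrics matter: with three `default` routes the one with the lowest metric (here the plain one via 86.55.164.1) is selected. Feeding `reverse_path_ok` the first post's main table, which carried a /32 host route for 192.168.192.3 via eth0, returns False for a packet from that host arriving on eth2: strict rp_filter rejects exactly that combination, worth keeping in mind when all NICs hang off one switch.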
nativemad (Guru; Joined: 30 Aug 2004; Posts: 502; Location: Switzerland)
Posted: Sat May 17, 2008 3:09 am

That's really strange... i've seen once that an isp blocks incoming port 80 and outgoing 25 ... you have to use their proxy then...
But if it works in a "single basic setup" (server?) then this shouldn't be a problem...

As i have it quite easy (one lan, one isp, the other lan on the second isp) i haven't looked much into the default route in the main table...
Maybe you need a second "ip route add default via $RAGATE0" line for $RAGATE1! Perhaps even with some weights! :?:
_________________
Power to the people!
Dreadfull2007 (n00b; Joined: 28 Feb 2007; Posts: 54)
Posted: Sat May 17, 2008 10:07 am

ouch, you lost me there, why would i need weights ? i was trying to use ISP #1 only
also, why did you use metric and 3 routes ? like this:

Code:

default via 86.55.164.1 dev eth0
default via 81.181.157.1 dev eth1  metric 10
default via 86.55.164.1 dev eth0  metric 20


seems strange for me
for both i was using nexthop some time ago:
Code:

ip route add default scope global nexthop via 86.55.164.1 dev eth0 weight 1 \
nexthop via 81.181.157.1 dev eth1 weight 1
nativemad (Guru; Joined: 30 Aug 2004; Posts: 502; Location: Switzerland)
Posted: Mon May 19, 2008 6:25 am

The metrics aren't really necessary... they just make it easier to switch between the lines... (you can't have multiple gw's without metrics or weights afaik) :wink:
The nexthop is then a step further with auto-failover and things like that.

I just thought that the script uses one default gw for the main table... If you then want to use the other line, the main table doesn't have a valid gw for that ISP... Therefore either enter the second one (with weights, or nexthop) or always switch it with the rest of the script (SNAT & ip rule).

But probably i'm just talking bullshit, as i'm also not a pro in it! :P
_________________
Power to the people!
Dreadfull2007 (n00b; Joined: 28 Feb 2007; Posts: 54)
Posted: Mon May 19, 2008 11:08 pm

thanks very much for the help, topic solved :)