Gentoo Forums
[SOLVED] NATed ports with 2 WAN scenario
oandarilho01
Tux's lil' helper


Joined: 17 Nov 2005
Posts: 132
Location: Rio de Janeiro/RJ - Brasil

PostPosted: Mon Sep 16, 2013 7:38 pm    Post subject: [SOLVED] NATed ports with 2 WAN scenario

Hi,

I'm trying to deploy the following scenario:

A gentoo router with 3 NICs (lan, wan1, wan2), with wan1 being the default route, and a bunch of port redirections to allow remote desktop (Windows RDP, 3389) connections coming through the Internet on wan2.

Theoretically, the traffic has to come in through wan2 AND come out through the same NIC, am I right? This is why we generally follow a LARTC-like tutorial, as I did.
The problem is that this port forwarding is not working.

I'm searching hard for relations, configurations, etc. between kernel config, iproute2 and NAT, but can't solve this problem yet. The routing treatment for the router is OK, I mean, I can ssh to the router box through both wans. I can also use fwmarks to route tcp/udp traffic generated by the lan hosts to specific routes/NICs.

I've tried to turn off rp_filter, turn on accept_redirects and accept_source_route but none of these helped.

Any tips would be appreciated.

Thanks in advance


Last edited by oandarilho01 on Wed Sep 18, 2013 3:31 pm; edited 1 time in total
thegeezer
n00b


Joined: 11 Jul 2010
Posts: 38

PostPosted: Tue Sep 17, 2013 8:24 pm    Post subject: lartc.com

this is an overview, but ought to work.
lan0=local area network nic, same for wan0 and wan1 for your wan nics
192.168.1.0/24 = LAN
1.1.1.1/28 = wan1, gw at 1.1.1.9
2.2.2.2/28 = wan2, gw at 2.2.2.9
adjust as required

add the following lines to /etc/iproute2/rt_tables
101 internetA
102 internetB

then in /etc/conf.d/net you want the following

rules_wan0=(
"from 1.1.1.1 lookup 101"
)
rules_wan1=(
"from 2.2.2.2 lookup 102"
)

routes_lan0=(
"192.168.1.0/24 dev lan0 table 101"
"192.168.1.0/24 dev lan0 table 102"
)
routes_wan0=(
"1.1.1.0/28 dev wan0 table 101"
"default via 1.1.1.9"
)
routes_wan1=(
"2.2.2.0/28 dev wan1 table 102"
"default via 2.2.2.9"
)


at this point you can start doing experiments i.e. "ip rule add to 8.8.8.8 lookup 101" or lookup 102
then do an mtr and make sure the route changes

ok so far so good

now however you have one or the other. if you have a DNAT inbound it will then reply according to the default rule or ip rule defined. which means if inbound internetA it could be replying via internetB resulting in bad communications. however, you want to be able to reply from wherever the packet comes in from.
therefore you need to use iptables mangle tables to packet mark

# iptables -t mangle -N internetA
# iptables -t mangle -N internetB
# iptables -t mangle -N RESTORE
# iptables -t mangle -I PREROUTING -i wan0 -j internetA
# iptables -t mangle -I PREROUTING -i wan1 -j internetB
# iptables -t mangle -I PREROUTING -i lan0 -j RESTORE
# iptables -t mangle -A RESTORE -j CONNMARK --restore-mark --nfmask 0xffffffff --ctmask 0xffffffff
# iptables -t mangle -A internetA -j MARK --set-xmark 0xa/0xffffffff
# iptables -t mangle -A internetA -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff
# iptables -t mangle -A internetB -j MARK --set-xmark 0xb/0xffffffff
# iptables -t mangle -A internetB -j CONNMARK --save-mark --nfmask 0xffffffff --ctmask 0xffffffff


finally... select the correct routing table based on the packet mark

# ip rule add from all fwmark 0xa lookup 101
# ip rule add from all fwmark 0xb lookup 102



RP_FILTER has been the bane of my troubleshooting, make sure it's disabled for all /proc/sys/net/ipv4/conf/*/rp_filter
oandarilho01
Tux's lil' helper


Joined: 17 Nov 2005
Posts: 132
Location: Rio de Janeiro/RJ - Brasil

PostPosted: Wed Sep 18, 2013 3:30 pm

Thanks for your help, thegeezer.

Finally it seems I managed to put that scenario to work. In fact the preparation of the routes follows the principles you wrote, but your iptables rule set didn't work out for me. Redirecting specific traffic based on port (e.g. HTTP) was OK, but port forwarding (accessing RDP on a lan host from outside, from the Internet) didn't. Although the request hit the host, when it replied, the router was still throwing the packets through the main gateway interface.

After diggin' a bit more on netfilter, I discovered the conntrack match (-m conntrack), which allowed me to use a criterion that hits the port forwarding reply packets. Then, the set of commands/rules became:

1) to mark the redirected traffic:
# iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 3

2) to mark the related port forwarding packets (it doesn't matter what port forwarding was made):
# iptables -t mangle -A PREROUTING -m conntrack --ctstate DNAT -j MARK --set-mark 3

OBS: yes, I chose to use the same mark, as I want to redirect to the same link

3) to treat the traffic:
# ip ru add fwmark 3 table internetA


Now, I cannot say whether the --ctstate rule is the optimal setup for this, nor can I foresee any problem it could cause to other connections. But happily it works now.
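The following script is an added example and is not code from either poster. It applies the two-WAN policy routing that both thegeezer's rule set and oandarilho01's fix are aiming at: per-WAN routing tables selected by fwmark, with the CONNMARK mark restored before the routing decision so that a LAN host's reply to a port-forwarded (DNATed) connection leaves through the WAN the connection arrived on. Interface names, prefixes, gateways, table numbers and mark values are those from thegeezer's post; the function names, the DRY_RUN switch, the "apply" argument and the sysctl-tree parameter of the rp_filter check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): two-WAN policy routing with the
# CONNMARK restore step wired in. Addresses, interfaces, tables and marks
# follow thegeezer's post; function names and the DRY_RUN/"apply" switches
# are assumptions of this example.

LAN_IF=lan0;   LAN_NET=192.168.1.0/24
WAN_A_IF=wan0; WAN_A_IP=1.1.1.1; WAN_A_GW=1.1.1.9; TABLE_A=101; MARK_A=0xa
WAN_B_IF=wan1; WAN_B_IP=2.2.2.2; WAN_B_GW=2.2.2.9; TABLE_B=102; MARK_B=0xb

# With DRY_RUN=1 the commands are printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One routing table per WAN (its own default gateway plus the LAN prefix).
# Locally originated traffic is steered by source address, forwarded
# traffic by the fwmark set in the mangle table.
setup_tables() {
    run ip route replace "$LAN_NET" dev "$LAN_IF" table "$TABLE_A"
    run ip route replace default via "$WAN_A_GW" dev "$WAN_A_IF" table "$TABLE_A"
    run ip route replace "$LAN_NET" dev "$LAN_IF" table "$TABLE_B"
    run ip route replace default via "$WAN_B_GW" dev "$WAN_B_IF" table "$TABLE_B"
    run ip rule add from "$WAN_A_IP" lookup "$TABLE_A"
    run ip rule add from "$WAN_B_IP" lookup "$TABLE_B"
    run ip rule add fwmark "$MARK_A" lookup "$TABLE_A"
    run ip rule add fwmark "$MARK_B" lookup "$TABLE_B"
}

# Mark each NEW connection by the WAN it arrived on and store the mark in
# conntrack. Every later packet of that connection, including the LAN host's
# reply to a DNATed RDP session arriving on lan0, first gets the mark
# restored in PREROUTING, so the routing decision that follows hits the
# per-WAN table. Without the restore step the reply carries mark 0 and falls
# through to the main table's default route: the symptom reported above.
setup_marks() {
    run iptables -t mangle -N internetA
    run iptables -t mangle -N internetB
    run iptables -t mangle -A internetA -j MARK --set-xmark "$MARK_A/0xffffffff"
    run iptables -t mangle -A internetA -j CONNMARK --save-mark
    run iptables -t mangle -A internetB -j MARK --set-xmark "$MARK_B/0xffffffff"
    run iptables -t mangle -A internetB -j CONNMARK --save-mark
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    run iptables -t mangle -A PREROUTING -i "$WAN_A_IF" -m conntrack --ctstate NEW -j internetA
    run iptables -t mangle -A PREROUTING -i "$WAN_B_IF" -m conntrack --ctstate NEW -j internetB
}

# Reverse-path filtering silently drops the asymmetric traffic a multi-WAN
# router produces. Print every interface that still has it enabled; the
# sysctl tree is a parameter so the check can be run against a copy.
rp_filter_enabled_ifaces() {
    base=${1:-/proc/sys/net/ipv4/conf}
    for f in "$base"/*/rp_filter; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" != 0 ]; then
            basename "$(dirname "$f")"
        fi
    done
}

# Only touch the live system when explicitly asked: ./multiwan.sh apply
if [ "${1:-}" = apply ]; then
    setup_tables
    setup_marks
    left=$(rp_filter_enabled_ifaces)
    [ -z "$left" ] || echo "warning: rp_filter still enabled on: $left" >&2
fi
```

Run it with DRY_RUN=1 first to review the generated ip and iptables commands. oandarilho01's single `-m conntrack --ctstate DNAT` rule is a narrower alternative to the save/restore pair: it marks every packet of a DNATed connection regardless of ingress interface, which is enough when all port forwards should use one link, while the CONNMARK approach also keeps non-forwarded and multi-link traffic on the WAN it came in on.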