LinuxQuestions.org
Linux - Networking forum
04-17-2006, 10:12 PM   #1
cefs99
LQ Newbie
Registered: May 2005
Distribution: redhat EL
Posts: 7

Failed to set up FW with two ISP connections


Hi All,

I'd appreciate any advice on the following problem.

I set up a Linux box running Ubuntu 5.1 (kernel 2.6) with 3 NICs:
eth0 is 10.134.1.1 for the internal network,
eth1 is 209.88.99.11 for ISP 1 via cable modem,
eth2 is 208.77.77.22 for ISP 2 via wireless modem.

This box will be both the router for internal employees and the FW for ordinary employees, as well as the FW for a WWW server.

I had accomplished the following tasks separately:
1. Set up iptables rules successfully to enable DNAT/SNAT so that external visits to the WWW server work fine.
2. Set up route balancing with Julian's patch so we can virtually merge the two ISP connections into one. Tested and works fine.


Now the problem is, when I want to integrate the above two tasks, it fails. From an external computer, I can't access the DMZ WWW server anymore. When I use tcpdump to monitor the ISP interface, the only packets that come in look like:

22:38:41.582040 IP 208.13.87.119.42929 > 65-115-71-34.www: S 2305269667:2305269667(0) win 5840 <mss 1460>

I don't see the other packets I'd see in a working situation, such as the ACK packets. I suspect something is wrong with the routing table but can't find a solution. My iptables rules are like:

# 10.134.1.200 is the DMZ WWW server.
# (The addresses used in the rules below, 97.158.253.26 and 192.168.1.100,
# are left as posted; they do not match the addresses described above.)
# for ISP1
# -p tcp is required, otherwise iptables rejects --dport/--sport.
iptables -t nat -A PREROUTING -i eth1 -p tcp -d 97.158.253.26 \
    --dport 80 --sport 1024:65535 -j DNAT --to-destination 192.168.1.100

iptables -t nat -A POSTROUTING -s 192.168.1.100 -o eth1 \
    -j SNAT --to-source 97.158.253.26

iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.100 \
    --dport 80 -m state --state NEW -j ACCEPT

# Allow forwarding for all new and established SNAT connections
# originating on the home network AND already established
# DNAT connections
iptables -A FORWARD -t filter -o eth1 -m state \
    --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow forwarding for all 1:1 NAT connections originating on the Internet
# that have already passed through the NEW forwarding statements above
iptables -A FORWARD -t filter -i eth0 -m state \
    --state ESTABLISHED,RELATED -j ACCEPT


The above rules work as expected to allow external users to visit our WWW server when I use either one of the two ISPs. When using just one ISP, I add the route with:

ip route add 0/0 via 209.99.88.1 dev eth1
or
ip route add 0/0 via 208.77.55.1 dev eth2

When I try to use the routing setup that lets internal users surf with the combined bandwidth of the two ISPs, external users can NOT access the WWW server anymore. Any idea?
I suspect a routing table issue causes it but can't find a solution, or maybe it is due to other things such as the iptables rules. I use the following ip route commands to set up bandwidth aggregation:

ip rule add pref 10 from <IP for ISP1> table 10
ip route replace default via <GW for ISP1> dev eth1 table 10

ip rule add pref 20 from <IP for ISP2> table 20
ip route replace default via <GW for ISP2> dev eth2 table 20

# Without a prefix length, ip treats the destination as a /32 host route;
# /24 is assumed here, use the uplink's real prefix length.
ip route add 209.99.88.0/24 dev eth1 src 209.99.88.11
ip route add 208.77.55.0/24 dev eth2 src 208.77.55.12

# Each nexthop must point at the ISP's gateway (the addresses used for the
# single-ISP default routes above), not at our own address on that interface.
ip route replace default nexthop via 209.99.88.1 dev eth1 weight 1 \
    nexthop via 208.77.55.1 dev eth2 weight 1

ip route flush cache

The above commands work fine if only internal users surf online, but together with the iptables rules, external users are no longer able to access the WWW server. Now even if I delete all those ip route rules and just use the default GW for ISP1:

ip route add 0/0 via 209.88.99.1

It doesn't work anymore. Why?

Is this 2=>1 NAT possible?


Thanks for any suggestion,


Lee
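Added example, not part of the original post. The `from <IP for ISP1>` rules above only catch packets the router itself sources. A reply from the DMZ server is routed while its source is still the private address (the reverse of the DNAT, i.e. rewriting the reply's source back to the public IP, happens in POSTROUTING, after the routing decision), so the multipath default route is free to send it out eth2 carrying ISP1's address as its source. An upstream that filters source addresses drops it, the client never sees a SYN-ACK, and tcpdump on the uplink shows only inbound SYNs. The script below records with CONNMARK which uplink each inbound connection arrived on and uses fwmark-based ip rules to send its replies back out the same one, while LAN-originated connections still use the balanced default route. Interface names, addresses, table numbers and marks are assumptions modelled on the post; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: one DMZ web server published through two uplinks, with every
# reply routed back out the uplink its connection arrived on.
# All names and addresses below are assumptions modelled on the post above.
# Without APPLY=1 the script only prints the commands it would run.

LAN_IF=eth0
WWW=10.134.1.200          # DMZ web server (private address, DNAT target)

# Per-uplink parameters: interface, public IP, gateway, subnet, table, mark.
ISP1="eth1 209.88.99.11 209.88.99.1 209.88.99.0/24 10 1"
ISP2="eth2 208.77.77.22 208.77.77.1 208.77.77.0/24 20 2"

run() {
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# uplink_rules IF IP GW NET TABLE MARK
uplink_rules() {
    IF=$1 IP=$2 GW=$3 NET=$4 TBL=$5 MARK=$6

    # Routing table TBL sends everything out this uplink.
    run ip route replace "$NET" dev "$IF" src "$IP" table "$TBL"
    run ip route replace default via "$GW" dev "$IF" table "$TBL"
    # Router's own traffic sourced from this uplink's address...
    run ip rule add pref "$TBL" from "$IP" table "$TBL"
    # ...and forwarded packets carrying this uplink's mark use table TBL.
    run ip rule add pref "$((TBL + 1))" fwmark "$MARK" table "$TBL"

    # Stamp connections that arrive on this uplink. mangle PREROUTING runs
    # before the routing decision and before nat PREROUTING.
    run iptables -t mangle -A PREROUTING -i "$IF" -m state --state NEW \
        -j CONNMARK --set-mark "$MARK"

    # Publish the web server on this uplink's address (-p tcp is required
    # for --dport) and source-NAT anything the server itself sends out here.
    run iptables -t nat -A PREROUTING -i "$IF" -p tcp -d "$IP" --dport 80 \
        -j DNAT --to-destination "$WWW"
    run iptables -t nat -A POSTROUTING -s "$WWW" -o "$IF" -j SNAT --to-source "$IP"
    run iptables -A FORWARD -p tcp -i "$IF" -o "$LAN_IF" -d "$WWW" --dport 80 \
        -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -o "$IF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

common_rules() {
    # Packets from the LAN side inherit their connection's mark, so the fwmark
    # rules pick the table of the uplink the SYN originally came in on.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    run iptables -A FORWARD -i "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

balanced_default() {
    # Connections the LAN originates are still spread over both uplinks.
    set -- $ISP1; IF1=$1 GW1=$3
    set -- $ISP2; IF2=$1 GW2=$3
    run ip route replace default nexthop via "$GW1" dev "$IF1" weight 1 \
        nexthop via "$GW2" dev "$IF2" weight 1
    run ip route flush cache
}

gen_rules() {
    uplink_rules $ISP1
    uplink_rules $ISP2
    common_rules
    balanced_default
}

gen_rules
```

Run it once without APPLY to review the plan, then with `APPLY=1` as root. Two checks worth doing afterwards: `iptables -t mangle -L PREROUTING -v -n` should show the set-mark counters rising as SYNs arrive on each uplink and the restore-mark counter rising on replies from eth0, and `ip rule` should list the fwmark entries before the main table. When going back to a single default route, also delete the `ip rule` entries and flush tables 10 and 20 (`ip rule del ...`, `ip route flush table 10`) and then `ip route flush cache`; leftover rules keep steering traffic even after the multipath default route is gone.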