LinuxQuestions.org


krustyboy 08-25-2012 03:59 AM

iptables/route multiple outgoing interfaces chosen on IP range
 
Hi,

This is my situation.
I have a PC used as a router. I have 3 interfaces on that one:
- eth0: my local network
- eth1: internet connection 1
- eth2: internet connection 2

With dnsmasq I'm using IP range 192.168.1.1-192.168.1.255 for dynamic IPs and IP range 192.168.2.1-192.168.2.255 for my fixed IPs.
I want all IPs in range 192.168.1.0 to use eth1 and all IPs in range 192.168.2.0 to use eth2 as their internet connection.

I tried with iptables but I only succeeded with all IPs on one interface (using masquerade).

So I'm asking for your help because I'm stuck...
Thanks!

KinnowGrower 08-25-2012 07:57 AM

Want to clarify more.

1. You want 192.168.1.0 network to go out using eth1
2. You want 192.168.2.0 network to go out using eth2

You tried iptables MASQUERADE and it is going only through eth1.

Is everything mentioned above correct? If yes, then:

Did you add a policy route so that traffic from the 192.168.2.0 network uses eth2 as its outgoing interface?

krustyboy 08-25-2012 08:10 AM

Yes this is correct.
But I have no idea what interface it is using to go out...
So, as I understood from your reply, I should use route to choose between the interfaces?

krustyboy 08-25-2012 08:43 AM

Some extra information (I'm using VirtualBox to test the architecture).
When using 2 devices in total (1 internal, 1 external) it works fine. When connecting another device (1 internal, 2 externals) nothing works anymore. ping google.com doesn't even work on my NAS/router PC.

KinnowGrower 08-25-2012 08:44 AM

You have to tell the router
if packet is coming from 192.168.1.0 network, it should go out via interface eth1
but
if packet is coming from 192.168.2.0 network, it should go out via interface eth2

This can be achieved using

Policy Routing

krustyboy 09-01-2012 07:28 AM

Thanks!
I looked around and found out that with iptables it is possible to do something like:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth2 -j MASQUERADE

Everything is working fine now for ip range 192.168.1.0 but for my ip range 192.168.2.0 it is not working...
Is there something else I'm forgetting to configure on the server?

KinnowGrower 09-01-2012 11:08 AM

Can you show/display IP tables rules for all Chains please?

KinnowGrower 09-01-2012 12:12 PM

Make sure the firewall has the rule
Code:

iptables -A FORWARD -i eth2 -j ACCEPT

krustyboy 01-17-2013 03:36 AM

Sorry for that (really really late response).
I finally found some time to try this config again.

I looked further on the internet but it is still not working.

I executed the following
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.1.0.0/16 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.2.0.0/16 -o eth2 -j MASQUERADE
iptables -A FORWARD -i eth2 -j ACCEPT
(I changed my home network config in the meantime as you can see, no 192.168.0.0 but 10.0.0.0 now)
This is not working for 10.1.0.0 BUT is working for 10.2.0.0

So I tried with the following
iptables -t nat -A POSTROUTING -s 10.1.0.0/16 -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.2.0.0/16 -o eth2 -j MASQUERADE
iptables -A FORWARD -i eth2 -j ACCEPT
And here again, it is working for 10.2.0.0 but not for 10.1.0.0

Here is my route table
root@routsrv01:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.0.0      *               255.255.0.0     U     0      0        0 eth1
172.16.0.0      *               255.255.0.0     U     0      0        0 eth2
10.0.0.0        *               255.0.0.0       U     0      0        0 eth0
default         172.16.1.50     0.0.0.0         UG    0      0        0 eth2
default         172.16.1.50     0.0.0.0         UG    0      0        0 eth1
default         routsrv01       0.0.0.0         UG    0      0        0 eth0

krustyboy 01-17-2013 04:00 AM

I rebooted and now it is the other way around...
10.1.0.0 is working and 10.2.0.0 is not...

Route:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
172.16.0.0      *               255.255.0.0     U     0      0        0 eth2
172.16.0.0      *               255.255.0.0     U     0      0        0 eth1
10.0.0.0        *               255.0.0.0       U     0      0        0 eth0
default         172.16.1.50     0.0.0.0         UG    0      0        0 eth1
default         172.16.1.50     0.0.0.0         UG    0      0        0 eth2
default         routsrv01       0.0.0.0         UG    0      0        0 eth0

But I can ssh on both interfaces (on both external IPs I receive).
Can it be because both WAN interfaces are using the same IP range?

krustyboy 01-17-2013 07:00 AM

Updated my configuration (so all interfaces are on a different IP range)

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth2 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -i eth2 -j ACCEPT

root@routsrv01:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.4.0        *               255.255.255.0   U     0      0        0 eth2
172.16.0.0      *               255.255.0.0     U     0      0        0 eth1
192.168.0.0     *               255.255.0.0     U     0      0        0 eth0
default         172.16.1.50     0.0.0.0         UG    0      0        0 eth1
default         10.0.4.2        0.0.0.0         UG    0      0        0 eth2
default         routsrv01       0.0.0.0         UG    0      0        0 eth0

Still only one (arbitrary) interface is working

KinnowGrower 01-18-2013 07:40 PM

Quote:

Originally Posted by KinnowGrower (Post 4763907)
if packet is coming from 192.168.1.0 network, it should go out via interface eth1

if packet is coming from 192.168.2.0 network, it should go out via interface eth2

This can be achieved using

Policy Routing

As far as I know, it can be achieved only using policy routing.

krustyboy 01-26-2013 11:39 AM

It is finally working!
I followed this page http://www.linuxhorizon.ro/iproute2.html.

Thanks for your help!

KinnowGrower 01-31-2013 08:48 PM

Nice to hear that, it is working. They call it policy routing :)
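
The policy routing this thread ends on, worked through for the last posted configuration as an added example (not code from either poster or from the linked page). The main table selects a route by destination only, so a `MASQUERADE` rule with `-o` for the other uplink never matches; giving each source range its own table with a single default route fixes that. Interfaces, networks and gateways are taken from the final `route` output; the table numbers 101/102, reused as rule priorities, and the tightened `FORWARD` rules are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): policy routing for the last posted setup.
# Table numbers 101/102 and the conntrack-based FORWARD rule are assumptions.
LAN_IF=eth0
LAN_NET=192.168.0.0/16

# Print the commands that send one source range out through one uplink.
# usage: uplink_cmds TABLE SRC_NET WAN_IF WAN_NET GATEWAY
uplink_cmds() {
    table=$1; src=$2; wan_if=$3; wan_net=$4; gw=$5
    # Per-uplink table: the connected networks plus exactly one default route.
    echo "ip route replace $LAN_NET dev $LAN_IF table $table"
    echo "ip route replace $wan_net dev $wan_if table $table"
    echo "ip route replace default via $gw dev $wan_if table $table"
    # The rule picks that table by source address, before the main table.
    echo "ip rule add from $src lookup $table priority $table"
    # NAT on the matching uplink, as in the thread.
    echo "iptables -t nat -A POSTROUTING -s $src -o $wan_if -j MASQUERADE"
    # Forwarding: LAN range outbound, only reply traffic back in.
    echo "iptables -A FORWARD -i $LAN_IF -s $src -o $wan_if -j ACCEPT"
    echo "iptables -A FORWARD -i $wan_if -d $src -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

all_cmds() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    uplink_cmds 101 192.168.1.0/24 eth1 172.16.0.0/16 172.16.1.50
    uplink_cmds 102 192.168.2.0/24 eth2 10.0.4.0/24 10.0.4.2
}

# Dry run by default: prints the commands. APPLY=1 (as root) executes them.
# Meant to be applied once per boot; remove old rules with "ip rule del"
# before applying again.
apply() {
    all_cmds | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd || exit 1
        else
            echo "$cmd"
        fi
    done
}

apply
```

After applying, `ip rule show` lists both rules, and `ip route get 203.0.113.1 from 192.168.2.10 iif eth0` (both addresses constructed) should report `dev eth2`. If replies on one uplink are still dropped, check `net.ipv4.conf.<iface>.rp_filter`: strict mode (1) can discard packets arriving on the uplink the main table does not prefer, and loose mode (2) is the usual setting on a multi-homed router.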

