LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 12-11-2008, 05:07 PM   #1
docawk
LQ Newbie
 
Registered: Dec 2008
Posts: 3

Rep: Reputation: 0
redirect routing on non-default interface


I have a Linux machine running as a firewall/router, connecting the LAN to the Internet with two interfaces (no load balancing or other connections). One is a fast connection with a dynamic IP (ADSL), which is the default route; the other is a static IP (T3) connection (used for the mail server and other services available from the WWW).
Additionally, I want to provide access to our intranet (located in the LAN) for workers outside the office, using a port on the static firewall IP, which will be redirected (DNAT) by an iptables PREROUTING rule and allowed to be forwarded to the LAN intranet server port.
The scenario is working when the T3 connection is the default gateway in the main routing table. It is not working when I switch the default gateway to the ADSL connection.
The incoming packets are trackable with tcpdump, and the DNAT redirect in the PREROUTING table is working (notification in syslog by iptables). Missing are the packets on the interface to the LAN, and the forwarding notification by iptables is also missing. So I think this is a routing problem.

I hope someone can help, or can give me clues on what to check.

Thank you,

Oliver




Here is some information on the network topology and snippets from the routing/firewall script:

Code:
                                  /-------------------\
                                  |       DMZ         |
                                  |  static IP        |
                                  \-------------------/
                                         |
                                       2 |
                                  /--------------------------------\
                    StaticIP      | Static IP                      |
                  /----------\  1 |                                | 0  /-----------------\
                  |    T3    | -- |       Firewall/Router          | -- |   LAN           |
                / \----------/    |                                |    |                 |
               /                  |                                |    \-----------------/
/-------\     /                   \--------------------------------/ 
|  WWW  | ---<                           |                           
\-------/     \                        3 |                           
               \                         |                           
                \ /----------\           |         
                  |   ADSL   | ---------/                 
                  \----------/                    
                    DynamicIP                              
                                                                     
                                                                     


# Functions from the poster's firewall script. $IP (iproute2), $IPTABLES,
# $MessageDev, PRINT_EXIT_STATUS and the interface/address variables are
# defined elsewhere in that script and are not shown in the post.

# Routing table main: directly connected networks, a host route to the T3
# gateway, and the default route via ADSL (the configuration that fails).
function SetIPROUTEmain () {

    ExitStatus=0
    echo -en " - Setting Routing table main " >>$MessageDev
    $IP route add $LAN_IP_RANGE dev $LAN_IFACE src $LAN_IP
    ExitStatus=$(($ExitStatus+$?))
    $IP route add $ADSL_IP_RANGE dev $ADSL_IFACE src $ADSL_IP
    ExitStatus=$(($ExitStatus+$?))
    $IP route add $DMZ_IP_RANGE dev $DMZ_IFACE src $DMZ_IP
    ExitStatus=$(($ExitStatus+$?))
    $IP route add $T3_GATEWAY dev $T3_IFACE src $T3_IP
    ExitStatus=$(($ExitStatus+$?))

    $IP route add default via $ADSL_GATEWAY dev $ADSL_IFACE
    ExitStatus=$(($ExitStatus+$?))

    $IP route flush cache
    ExitStatus=$(($ExitStatus+$?))
    PRINT_EXIT_STATUS $ExitStatus
    echo >>$MessageDev
}

# Routing table ADSL: the same connected routes plus a default via the ADSL
# gateway. Selected only for packets whose source address is the firewall's
# own ADSL address.
function SetIPROUTEadsl () {

    ExitStatus=0
    echo -en " - Setting Routing table ADSL " >>$MessageDev

    $IP route add $ADSL_IP_RANGE dev $ADSL_IFACE src $ADSL_IP table ADSL
    ExitStatus=$(($ExitStatus+$?))
    $IP route add $T3_GATEWAY dev $T3_IFACE src $T3_IP table ADSL
    ExitStatus=$(($ExitStatus+$?))
    $IP route add $DMZ_IP_RANGE dev $DMZ_IFACE src $DMZ_IP table ADSL
    ExitStatus=$(($ExitStatus+$?))
    $IP route add $LAN_IP_RANGE dev $LAN_IFACE src $LAN_IP table ADSL
    ExitStatus=$(($ExitStatus+$?))
    $IP route add $LO_IP_RANGE dev $LO_IFACE src $LO_IP table ADSL
    ExitStatus=$(($ExitStatus+$?))
    $IP route add default via $ADSL_GATEWAY dev $ADSL_IFACE table ADSL
    ExitStatus=$(($ExitStatus+$?))

    $IP rule add from $ADSL_IP table ADSL
    ExitStatus=$(($ExitStatus+$?))

    $IP route flush cache
    ExitStatus=$(($ExitStatus+$?))
    PRINT_EXIT_STATUS $ExitStatus
    echo >>$MessageDev

}

# Routing table T3: the same connected routes plus a default via the T3
# gateway. Selected for packets sourced from the firewall's T3 address or
# from the DMZ range. Replies from the intranet server are routed while they
# still carry the LAN source address (the DNAT is reversed on the source in
# POSTROUTING, after the routing decision), so neither rule matches them and
# they follow table main.
function SetIPROUTEt3 () {

    ExitStatus=0
    echo -en " - Setting Routing table T3 " >>$MessageDev

    $IP route add $ADSL_IP_RANGE dev $ADSL_IFACE src $ADSL_IP table T3
    ExitStatus=$(($ExitStatus+$?))
    $IP route add $T3_GATEWAY dev $T3_IFACE src $T3_IP table T3
    ExitStatus=$(($ExitStatus+$?))
    $IP route add $DMZ_IP_RANGE dev $DMZ_IFACE src $DMZ_IP table T3
    ExitStatus=$(($ExitStatus+$?))
    $IP route add $LAN_IP_RANGE dev $LAN_IFACE src $LAN_IP table T3
    ExitStatus=$(($ExitStatus+$?))
    $IP route add $LO_IP_RANGE dev $LO_IFACE src $LO_IP table T3
    ExitStatus=$(($ExitStatus+$?))
    $IP route add default via $T3_GATEWAY dev $T3_IFACE table T3
    ExitStatus=$(($ExitStatus+$?))

    $IP rule add from $T3_IP table T3
    ExitStatus=$(($ExitStatus+$?))
    $IP rule add from $DMZ_IP_RANGE table T3
    ExitStatus=$(($ExitStatus+$?))

    $IP route flush cache
    ExitStatus=$(($ExitStatus+$?))
    PRINT_EXIT_STATUS $ExitStatus
    echo >>$MessageDev

}

# Pierce port 20080 to the intranet WWW server: log, DNAT connections that
# arrive on T3 for $DMZ2_IP:20080 to the intranet server on port 81, and
# allow the forward. The LOG rule has no -d match, so it logs every port
# 20080 packet arriving on T3, not only those addressed to $DMZ2_IP.
function IPT_Intranet () {

    #-------------------------------------------------------------------------------
    # Pierce Port 20080 to Intranet WWW
    if [ "$Enable_INTRANET" = "y" ] ; then

        ExitStatus=0
        echo -ne " - Establish INTRANET rules " >>$MessageDev

        $IPTABLES -t nat -A PREROUTING -p TCP -i $T3_IFACE --dport 20080 -j LOG --log-prefix "DNAT 20080:"
        ExitStatus=$(($ExitStatus+$?))
        $IPTABLES -t nat -A PREROUTING -p TCP -i $T3_IFACE -d $DMZ2_IP --dport 20080 -j DNAT --to-destination $WWW_SERVER_IP:81
        ExitStatus=$(($ExitStatus+$?))

        # Debug logging of all TCP traffic forwarded towards the intranet server
        $IPTABLES -A FORWARD -p TCP  -d $WWW_SERVER_IP -j LOG --log-level DEBUG --log-prefix "IPT FORWARD INTRANET:"
        ExitStatus=$(($ExitStatus+$?))
        $IPTABLES -A FORWARD -p TCP -i $T3_IFACE -d $WWW_SERVER_IP -o $LAN_IFACE --dport 81 -j ACCEPT
        ExitStatus=$(($ExitStatus+$?))

        PRINT_EXIT_STATUS $ExitStatus
        echo >>$MessageDev

    fi

}
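An added diagnostic, not part of the original post: the symptom described above (packet visible to tcpdump and logged by the nat/PREROUTING rule, but never logged in FORWARD and never seen on the LAN interface) is exactly what the kernel's reverse-path filter produces when it rejects a packet. With rp_filter enabled on the ingress interface, the kernel looks up the route back to the packet's source during the routing decision (in substance, the route the reply would take) and drops the packet before the FORWARD chain if that route does not leave through the interface the packet arrived on; the drop is only logged (as a "martian source") when log_martians is set. With ADSL as the default route, the reply to a connection that came in on T3 would leave via ADSL, so the check fails. The script below reads the effective rp_filter setting and uses `ip route get` to show which uplink the reply would use. Interface names, addresses and the SYSCTL_ROOT override are assumptions made for the example.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): would the kernel's reverse-path
# filter drop a packet that arrived on the static uplink and was DNATed to the
# intranet server? All interface names and addresses are assumptions.

T3_IFACE=${T3_IFACE:-eth1}                    # uplink the packet arrived on
LAN_IFACE=${LAN_IFACE:-eth0}                  # interface the forward route picks
WWW_SERVER_IP=${WWW_SERVER_IP:-192.168.1.20}  # DNAT target in the LAN
REMOTE=${REMOTE:-203.0.113.10}                # remote client (TEST-NET-3)
SYSCTL_ROOT=${SYSCTL_ROOT:-/proc/sys}         # overridable so the logic can be checked offline

# Effective rp_filter for an interface: the kernel uses the larger of
# conf/all/rp_filter and conf/<iface>/rp_filter (0 off, 1 strict, 2 loose).
effective_rp_filter() {
    conf="$SYSCTL_ROOT/net/ipv4/conf"
    all=$(cat "$conf/all/rp_filter" 2>/dev/null || echo 0)
    dev=$(cat "$conf/$1/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

# Extract the outgoing device from "ip route get" output read on stdin.
route_dev() {
    sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# Strict mode accepts the packet only if the route back to its source leaves
# through the interface it came in on. $1 = device of the reverse route,
# $2 = ingress interface; returns 0 (accept) or 1 (drop).
reverse_path_ok() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Run on the firewall itself. The "ip route get ... from ... iif" query asks
# the kernel where a packet from the server to the remote client, entering on
# the LAN interface, would leave: that is the reply path and, in substance,
# the reverse lookup rp_filter performs for the inbound packet.
diagnose() {
    rp=$(effective_rp_filter "$T3_IFACE")
    rev=$(ip route get "$REMOTE" from "$WWW_SERVER_IP" iif "$LAN_IFACE" 2>/dev/null | route_dev)
    echo "rp_filter($T3_IFACE)=$rp; reply $WWW_SERVER_IP -> $REMOTE leaves via ${rev:-<no route>}"
    if [ "$rp" = 1 ] && ! reverse_path_ok "$rev" "$T3_IFACE"; then
        echo "strict rp_filter drops packets arriving on $T3_IFACE: reverse path is ${rev:-missing}"
        echo "confirm: sysctl -w net.ipv4.conf.$T3_IFACE.log_martians=1; dmesg | grep -i martian"
        return 1
    fi
    echo "reverse-path check passes for $T3_IFACE"
}

case "${1:-}" in
    run) diagnose ;;
esac
```

Run it as root on the firewall with `sh rpcheck.sh run` (after exporting the real interface names and addresses); a non-zero exit means strict reverse-path filtering on the T3 interface will discard the DNATed packets while ADSL is the default route.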
 
Old 12-14-2008, 06:52 PM   #2
Tinker06
LQ Newbie
 
Registered: Apr 2006
Location: Poulsbo, WA
Distribution: Debian
Posts: 5

Rep: Reputation: 1
Sounds messy, but a little familiar. Without digging into the details at this point, let me just tell you what my problem (and solution) was.

Two (2) connections to the Internet were causing a problem because there can only be one "default route". In order for your firewall to correctly route all traffic from 2 outside sources, it would need to track (as in build a table of) all connections from the Internet and which interface they arrived on, so it would know which interface to return the traffic to. I looked for that capability for a long, long time before giving up and implementing a simpler solution.

I placed another 2-interface machine between my firewall and one of the Internet connections. A fairly simple iptables setup on that machine rewrote all packets coming from the Internet as if coming from its own inside interface/IP. This made return traffic routing easy for the firewall. The only disadvantage was in tracking traffic by outside IP address - half of that information had to be tracked on the 2-interface box since the firewall now saw everything from that Internet connection as coming from the 2-interface box.

Hastily admitting ignorance of the details of your specific problems, I have a gut feeling this could help.

Cheers
 
Old 12-26-2008, 04:52 PM   #3
alexhwest
Member
 
Registered: Dec 2008
Location: Cleveland, OH
Distribution: Ubuntu
Posts: 30

Rep: Reputation: 15
Yes, the issue is that you are trying to route packets back out to the Internet via the default route, which is either one or the other interface at any given time. Since the packets might have come in on either interface, you can't just send them out by the default route. They have to go out the same way they came in. You might want to look into policy routing of some kind. In other words, you use something (like the interface, in your instance) as a policy that selects a table of routes. So you could still have a default route, but the routing would also know that things coming in on, say, eth1 should go out eth1.

http://www.policyrouting.org/iproute2.doc.html#ss9.6
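The interface-based policy routing described in this reply, written out as an added example (not code from the thread): each new inbound connection is stamped with a connection mark identifying the uplink it arrived on, the mark is copied back onto every packet of that connection (including the intranet server's replies) before the routing decision, and an `ip rule` sends marked packets to a per-uplink table whose only default route is that uplink's gateway. It goes beyond the single DNAT case in the question by handling both uplinks the same way. Interface names, addresses, mark values and table numbers are assumptions. One caveat the reply does not mention: on current kernels the reverse-path filter ignores the fwmark unless net.ipv4.conf.<if>.src_valid_mark=1, so strict rp_filter would still discard the inbound T3 packets while ADSL is the default route; the example therefore switches the uplinks to loose mode and adds explicit anti-spoofing rules to replace what strict mode provided.

```shell
#!/bin/sh
# Added example: reply through the uplink the connection arrived on, using
# CONNMARK + fwmark policy routing. Not the original poster's script; every
# name, address, mark and table number below is an assumption.

T3_IFACE=${T3_IFACE:-eth1};     T3_GATEWAY=${T3_GATEWAY:-198.51.100.1}   # static uplink (assumed)
ADSL_IFACE=${ADSL_IFACE:-ppp0}; ADSL_GATEWAY=${ADSL_GATEWAY:-192.0.2.1}  # dynamic uplink (assumed)
LAN_IFACE=${LAN_IFACE:-eth0};   LAN_IP_RANGE=${LAN_IP_RANGE:-192.168.1.0/24}
DMZ_IFACE=${DMZ_IFACE:-eth2};   DMZ_IP_RANGE=${DMZ_IP_RANGE:-192.168.2.0/24}
T3_MARK=0x3;   T3_TABLE=3       # numeric table ids need no /etc/iproute2/rt_tables entry
ADSL_MARK=0x4; ADSL_TABLE=4

# Execute a command, or just print it when DRY_RUN=1 so the rules can be reviewed first.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Per-uplink table: the internal networks plus a default route via that uplink only.
# $1 = uplink interface, $2 = its gateway, $3 = table id
setup_uplink_table() {
    run ip route replace "$LAN_IP_RANGE" dev "$LAN_IFACE" table "$3"
    run ip route replace "$DMZ_IP_RANGE" dev "$DMZ_IFACE" table "$3"
    run ip route replace default via "$2" dev "$1" table "$3"
}

# Stamp each new inbound connection with the mark of the uplink it arrived on,
# then copy the connection mark onto every packet (first packet and replies
# alike) before the routing decision; fwmark rules select the uplink table.
# Connections started from the LAN carry no mark and keep using table main.
setup_mark_rules() {
    run iptables -t mangle -A PREROUTING -i "$T3_IFACE"   -m conntrack --ctstate NEW -j CONNMARK --set-mark "$T3_MARK"
    run iptables -t mangle -A PREROUTING -i "$ADSL_IFACE" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$ADSL_MARK"
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run ip rule add fwmark "$T3_MARK"   table "$T3_TABLE"   priority 100
    run ip rule add fwmark "$ADSL_MARK" table "$ADSL_TABLE" priority 101
    run ip route flush cache
}

# The reverse-path filter ignores the fwmark unless src_valid_mark is enabled,
# so strict mode would still drop T3 packets while ADSL is the default route.
# Loose mode (2) only requires some route back to the source; the explicit
# anti-spoofing rules replace what strict mode provided on the uplinks.
# They are inserted at the top of the chains so no ACCEPT rule precedes them.
setup_antispoof() {
    for up in "$T3_IFACE" "$ADSL_IFACE"; do
        run sysctl -q -w "net.ipv4.conf.$up.rp_filter=2"
        for net in "$LAN_IP_RANGE" "$DMZ_IP_RANGE" 127.0.0.0/8; do
            run iptables -I INPUT   -i "$up" -s "$net" -j DROP
            run iptables -I FORWARD -i "$up" -s "$net" -j DROP
        done
    done
}

apply_all() {
    setup_uplink_table "$T3_IFACE"   "$T3_GATEWAY"   "$T3_TABLE"
    setup_uplink_table "$ADSL_IFACE" "$ADSL_GATEWAY" "$ADSL_TABLE"
    setup_antispoof
    setup_mark_rules
}

case "${1:-}" in
    preview) DRY_RUN=1; apply_all ;;
    apply)   apply_all ;;
esac
```

`sh policy-routing.sh preview` prints every command without touching the system; `apply` as root executes them. The existing `from <uplink address>` rules in the poster's script remain useful alongside this for traffic the firewall itself originates from an uplink address; the fwmark rules cover forwarded and DNATed connections, which those rules never match because the reply still carries the LAN source when it is routed.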
 
  


Tags
dnat, firewall, routing

