Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I've been struggling for a while on getting a dual WAN config to work for me...
Basically this script is an dhclient-exit-hooks script that will hook into the dhclient-script which then is ran by dhclient.
Anyway what it does, is it takes care of all of the routing table and iptable stuff required to have two DMZ, one off each wan IP address, anyway I'm going to present the script below in hopes that someone else out there would have some use for this script also.
Code:
#!/bin/sh
#
# This script takes care of setting up the rules and routing table for
# eth0 and eth1 which are our wan port
#
# Programs
IPTABLES="/sbin/iptables"
IP="/sbin/ip"
# Enable ip_forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Script variables
wan0="eth0"
wan1="eth1"
# File for marking/demarking expiration/failure of interface
# so when its bound/rebound again it will by pass the new/old IP
# address checks
wan0_file="/var/run/wan0.expired"
wan1_file="/var/run/wan1.expired"
# Sets up the wan0 rules and routes
set_wan0 () {
$IP rule add from 172.20.0.5 lookup 100
for router in $new_routers; do
$IP route add default via $router dev $wan0 table 100
done
}
# Remove the wan0 rules and routes
unset_wan0 () {
$IP rule del from 172.20.0.5 lookup 100
$IP route flush table 100
}
# Sets up the wan1 rules and routes
set_wan1 () {
$IP rule add from 172.20.0.3 lookup 101
for router in $new_routers; do
$IP route add default via $router dev $wan1 table 101
done
}
# Remove the wan1 rules and routes
unset_wan1 () {
$IP rule del from 172.20.0.3 lookup 101
$IP route flush table 101
}
# Setup the IPTABLE rules for wan0
iptable_wan0 () {
$IPTABLES -t nat -A wan0_dnat -d $new_ip_address -j DNAT --to-destination 172.20.0.5
$IPTABLES -t nat -A wan0_snat -s 172.20.0.5 -j SNAT --to-source $new_ip_address
}
# Setup the IPTABLE rules for wan1
iptable_wan1 () {
$IPTABLES -t nat -A wan1_dnat -d $new_ip_address -j DNAT --to-destination 172.20.0.3
$IPTABLES -t nat -A wan1_snat -s 172.20.0.3 -j SNAT --to-source $new_ip_address
}
##################################################################################################
#
# Below this section shouldn't needs to be changed as long as the basic logic/stuff are the
# same in the above variables/functions
#
##################################################################################################
# Setup the indivual wan0 & wan1 chains and add it to the NAT tables
setup_NAT () {
$IPTABLES -t nat -N wan0_dnat
$IPTABLES -t nat -N wan0_snat
$IPTABLES -t nat -N wan1_dnat
$IPTABLES -t nat -N wan1_snat
$IPTABLES -t nat -A PREROUTING -j wan0_dnat
$IPTABLES -t nat -A POSTROUTING -j wan0_snat
$IPTABLES -t nat -A PREROUTING -j wan1_dnat
$IPTABLES -t nat -A POSTROUTING -j wan1_snat
}
# Flushes the NAT tables
flush_NAT () {
# First this function needs to make sure that the
# proper NAT chains actually exists, if not then
# create them and exit
echo `$IPTABLES -n -L -t nat` | grep -F -q "Chain wan1_snat"
if [[ $? -eq 0 ]]; then
# The NAT chain was found so find out which interface
# is being flushed then flush that chain
if [[ "$interface" == "$wan0" ]]; then
$IPTABLES -t nat -F wan0_dnat
$IPTABLES -t nat -F wan0_snat
elif [[ "$interface" == "$wan1" ]]; then
$IPTABLES -t nat -F wan1_dnat
$IPTABLES -t nat -F wan1_snat
fi
else
# The NAT chain was not found so create it
setup_NAT
fi
}
# Flushes the routing tables
flush_routing () {
# find out which interface to flush
if [[ "$interface" == "$wan0" ]]; then
unset_wan0
elif [[ "$interface" == "$wan1" ]]; then
unset_wan1
fi
$IP route flush cache
}
# Sets up the NAT tables
set_NAT () {
# Determite if the NAT tables needs to be flushed
# and updated, also determite if the interface was
# previously expired
if [[ "$old_ip_address" != "$new_ip_address" ||
-e $wan0_file || -e $wan1_file ]]; then
# The old and new ip address are not the same, update
# the NAT table, or the interface was expired/failed
flush_NAT
# Find out which interface to set
if [[ "$interface" == "$wan0" ]]; then
iptable_wan0
$IPTABLES -t nat -A wan0_dnat -j RETURN
$IPTABLES -t nat -A wan0_snat -j RETURN
# Remove the expired file
rm -f $wan0_file
elif [[ "$interface" == "$wan1" ]]; then
iptable_wan1
$IPTABLES -t nat -A wan1_dnat -j RETURN
$IPTABLES -t nat -A wan1_snat -j RETURN
# Remove the expired file
rm -f $wan1_file
fi
fi
#if [[ "$old_routers" != "$new_routers" ]]; then
#
# # The old and new routers does not match, so update the
# # nat TABLE
#fi
}
# Sets up the routing tables
set_routing () {
# Determite which interface needs the tables be set
if [[ "$interface" == "$wan0" ]]; then
set_wan0
elif [[ "$interface" == "$wan1" ]]; then
set_wan1
fi
$IP route flush cache
}
# This block determite which $reason code is passed to this script
case "$reason" in
# MEDIUM - Ignore, linux does not do medium (media)
"MEDIUM" )
exit 0
;;
# PREINIT - Initalizes interface for action
"PREINIT" )
# Touch the file for the expired interface
if [[ "$interface" == "$wan0" ]]; then
touch $wan0_file
elif [[ "$interface" == "$wan1" ]]; then
touch $wan1_file
fi
;;
# BOUND - Flushes and reset the routing tables, then find out
# If the ip address of the interface has changed and update
# the NAT table if needed
# RENEW - Same as BOUND
# REBIND - Same as BOUND
# REBOOT - Same as BOUND
"BOUND" | "RENEW" | "REBIND" | "REBOOT" )
set_NAT
flush_routing
set_routing
;;
# EXPIRE - No IP address on interface, flush NAT & Routing
# FAIL - Same as EXPIRE
"EXPIRE" | "FAIL" )
flush_NAT
flush_routing
# Touch the file for the expired interface
if [[ "$interface" == "$wan0" ]]; then
touch $wan0_file
elif [[ "$interface" == "$wan1" ]]; then
touch $wan1_file
fi
;;
# TIMEOUT - If the exit value is 0, the NAT & routing needs to be setup/fixed
# otherwise if the exit value is 1, we need to flush NAT & routing like EXPIRE/FAIL
"TIMEOUT" )
# Determite the exit value
if [[ "$exit_status" -eq "0" ]]; then
set_NAT
flush_routing
set_routing
else
flush_NAT
flush_routing
fi
;;
esac
Enjoy! And if anyone has any suggestion/improvement it would certainly be welcomed!
[edit1]: I just corrected an small oops with the script, sometime it won't setup the iptable upon bootup, and most of upon a bootup the exit script gets a preinit then bound/renew $reason so i fixed it to force the iptable to be updated when it gets an preinit $reason
Last edited by Antimatter; 08-04-2007 at 05:06 AM.
Basically this script makes a few assumption: You have dual WAN, Both of the WAN uses DHCP to get their IP address, the DHCP client is "dhclient"
Anyway how to use it, you copy the script and paste it into a file named "dhclient-exit-hooks" which is a file that dhclient-script will call everytime it finishes an step, aka PREINIT, BIND, EXPIRE, TIMEOUT, etc...
Anyway it depends on your distro on where you place the script at, for OpenBSD it would probably go into "/etc" then for gentoo, it would go into "/etc/dhcp" and it just depends.
This script takes care of removing and setting up the routing table and NAT rules for both WAN, and on how to config it below is an list of the various functions that may need to be changed to adapt it to your own needs...
set_wan0 - This route sets up the routing table for the wan0
unset_wan0 - This route removes/clear up the routing table for wan0
set_wan1 - This route sets up the routing table for wan1
unset_wan1 - This route removes/clear the routing table for wan0
iptable_wan0 - This route sets up the NAT for iptables for wan0
iptable_wan1 - This route sets up the NAT for iptables for wan0
Then the two parameters at the top of the scripts would be: wan0="eth0" & wan1="eth1", these are your wan0 and wan1 interface.
I hope this clears it up enough so its useful for someone
I am wanting to use this script, but lacking basics to begin with.
I have 2 ISP (1 ASDL Modem and other is a PPPoE) and wanting to make use of them on a load sharing and failover basis. To do this...
I am wanting to buy a Atom PC and have an additional NIC.
i am wanting to make this system as Dual WAN router. Additionally i have a 5 port switch and a wireless router to have this shared to the rest of the computers at home.
i do understand little bit of networking, but need some help...
The reason why i want to do this...
Load balancing
Failover (in case 1 ISP fails depend on the other)
and make this as the gateway for the rest of the computer for internet access
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.