LinuxQuestions.org
Old 06-09-2013, 06:19 PM   #1
ml77
LQ Newbie
 
Registered: Jun 2013
Posts: 4

Rep: Reputation: Disabled
Problem with multiple ISP on linux


Hello

I have a firewall on CentOS 5 connected to two Internet provider routers ISP1 and ISP2.
All traffic to and from the firewall itself works fine (e.g. VPN, DNS). My problem concerns traffic which
transits through the firewall. For instance, I have SMTP and Web servers on my local network.
The connections from ISP1 to these servers work fine. But connections from ISP2 don't
work because responses are returned to ISP1.

Topology is the following

Firewall:
eth0 (192.168.0.1) connected to ISP1's router (192.168.0.200)
eth2 (192.168.2.1) connected to ISP2's router (192.168.2.200)
The interface eth1 of the firewall is connected to my LAN network 192.168.1.0/24 with address 192.168.1.1.

I use iproute2 with the following instructions (following information from Google sites):
rt_tables:
Code:
1  isp1
2  isp2
routes and rules:

Code:
ip route add 192.168.0.0/24 dev eth0 src 192.168.0.1 table isp1
ip route add default via 192.168.0.200 table isp1

ip route add 192.168.2.0/24 dev eth2 src 192.168.2.1 table isp2
ip route add default via 192.168.2.200 table isp2

ip route add 192.168.1.0/24 dev eth1 table isp1
ip route add 192.168.1.0/24 dev eth1 table isp2

ip rule add from 192.168.0.1 table isp1
ip rule add from 192.168.2.1 table isp2

ip route add default scope global nexthop via 192.168.0.200 dev eth0 weight 20 nexthop via 192.168.2.200 dev eth2 weight 1
Incoming traffic is forwarded with iptables (here HTTP traffic, but it's similar for SMTP traffic):
Code:
iptables --table nat --append PREROUTING -p tcp -i eth0 --destination-port 80 -j DNAT --to-destination 192.168.1.30:80
iptables --table filter --append FORWARD -p tcp -i eth0 -o eth1 --destination 192.168.1.30 --dport 80 -j ALLOWED
iptables --table nat --append PREROUTING -p tcp -i eth2 --destination-port 80 -j DNAT --to-destination 192.168.1.30:80
iptables --table filter --append FORWARD -p tcp -i eth2 -o eth1 --destination 192.168.1.30 --dport 80 -j ALLOWED
What is missing or wrong?
Many thanks
 
Old 06-10-2013, 07:54 AM   #2
Sigg3.net
Member
 
Registered: Mar 2008
Location: Oslo, Norway
Distribution: Slackware 14.1 64-bit, Ubuntu 15.10, Fedora 17, Ubuntu 12 LTS and Ubuntu server 10.04
Posts: 173

Rep: Reputation: 28
From what you're saying the problem seems to be the return trip via eth1.
Do you need to send outgoing traffic through eth1 or could it return on the same iface it came in on?
 
Old 06-10-2013, 08:09 AM   #3
ml77
LQ Newbie
 
Registered: Jun 2013
Posts: 4

Original Poster
Rep: Reputation: Disabled
eth1 is the only interface for the LAN. Thus servers on the LAN initiate connections and receive inbound connections via eth1.
 
Old 06-18-2013, 02:46 PM   #4
ml77
LQ Newbie
 
Registered: Jun 2013
Posts: 4

Original Poster
Rep: Reputation: Disabled
Really nobody can help me?
 
Old 06-23-2013, 07:24 AM   #5
MikeDeltaBrown
Member
 
Registered: Apr 2013
Location: Arlington, WA
Distribution: Slackware
Posts: 96

Rep: Reputation: 10
Re. the 2 iptables commands; I'm not familiar with the ALLOWED target. Should that be ACCEPT?

I also don't know how the router knows which interface to send the return packet out on; eth0 or eth2. I think connection tracking can do this, but it will take some research. You would need an IPTABLES rule that said, in effect, "if the previous packet came in on eth0, then send this packet out on eth0 and SNAT it to the address of eth0". Check out the iptables man page, with special attention to the conntrack module.

Maybe something like:
iptables -t nat -A POSTROUTING -m conntrack --ctorigdst 192.168.0.200 -j SNAT --to 192.168.0.200

iptables -t nat -A POSTROUTING -m conntrack --ctorigdst 192.168.2.200 -j SNAT --to 192.168.2.200

Personally, I'd check this in a lab environment before I tried it live.... I don't know if more matches are required to uniquely identify the connection and I don't have sufficient references available with me to even know if the syntax is all wrong, among a whole host of other possible errors.

I would also be looking at initial connections from the internal server, vis-a-vis, which interface should be used if 192.168.1.30 initiates an SMTP connection to an outside e-mail server. Your domain's DNS entries would have to be referenced to know how to SNAT those.

At least you've got something to try. Good luck!
 
1 members found this post helpful.
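A stateful fix for the return-path problem in the first post, in the spirit of the connection-tracking idea in post #5 but using CONNMARK plus fwmark policy rules instead of SNAT: this is an added example, not code from the thread. Interfaces, gateways and table names are taken from the original topology; the mark values, the function names and the DRY_RUN switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: make replies leave through the ISP the
# connection arrived on. New inbound connections are tagged by ingress
# interface with CONNMARK; the tag is restored onto every later packet and a
# fwmark rule sends it to that ISP's routing table. Interfaces, gateways and
# table names follow the first post; mark values and DRY_RUN are assumptions.
set -eu

ISP1_IF=eth0; ISP1_GW=192.168.0.200; ISP1_TABLE=isp1; ISP1_MARK=1
ISP2_IF=eth2; ISP2_GW=192.168.2.200; ISP2_TABLE=isp2; ISP2_MARK=2
LAN_IF=eth1;  LAN_NET=192.168.1.0/24

# run: execute the command, or only print it when DRY_RUN=1 (no root needed)
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# mark_new: tag connections that start on ISP interface $1 with mark $2
mark_new() {
  run iptables -t mangle -A PREROUTING -i "$1" -m conntrack --ctstate NEW \
      -j CONNMARK --set-mark "$2"
}

# isp_table: table $1 routes via gateway $2 on $3; fwmark $4 selects it
isp_table() {
  run ip route replace default via "$2" dev "$3" table "$1"
  run ip route replace "$LAN_NET" dev "$LAN_IF" table "$1"
  run ip rule add fwmark "$4" lookup "$1"
}

setup() {
  # copy the connection mark onto each packet before the routing decision
  run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
  mark_new "$ISP1_IF" "$ISP1_MARK"
  mark_new "$ISP2_IF" "$ISP2_MARK"
  isp_table "$ISP1_TABLE" "$ISP1_GW" "$ISP1_IF" "$ISP1_MARK"
  isp_table "$ISP2_TABLE" "$ISP2_GW" "$ISP2_IF" "$ISP2_MARK"
  run ip route flush cache
}

# `./multiwan.sh apply` installs the rules; `DRY_RUN=1 ./multiwan.sh apply` prints them
if [ "${1:-}" = apply ]; then setup; fi
```

The DNAT rules from the first post stay as they are; conntrack reverses the DNAT on the reply and the fwmark rule then picks the table whose default route points at the ISP the connection came from. With strict rp_filter on eth0/eth2, the first packet of a connection arriving on eth2 can still be dropped if the main table's multipath default would route its source out eth0, so check net.ipv4.conf.eth2.rp_filter if ISP2 connections never appear in the conntrack table.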
Old 06-23-2013, 11:50 AM   #6
ml77
LQ Newbie
 
Registered: Jun 2013
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thank you very much. I'll try it.