advanced routing q

Erez D erez0001 at gmail.com
Sun Sep 9 10:28:00 IDT 2012


On Thu, Sep 6, 2012 at 10:18 PM, shimi <linux-il at shimi.net> wrote:

>
>
> On Wed, Sep 5, 2012 at 8:28 AM, Erez D <erez0001 at gmail.com> wrote:
>
>>
>>
>> On Mon, Aug 20, 2012 at 10:52 AM, shimi <linux-il at shimi.net> wrote:
>>
>>>
>>> On Aug 20, 2012 9:34 AM, "Erez D" <erez0001 at gmail.com> wrote:
>>> >
>>> > hello
>>> >
>>> >
>>> > i have a server with two eth ports, each connects to a different
>>> router, and then to the internet.
>>> > i want all normal traffic to the internet to go via router 1 (eth0), so
>>> i added a default route to it
>>> > i want connections TCP coming from all over the internet to the second
>>> router(eth1), to be accepted.
>>> >
>>> > the problem is that although connections are coming from eth1, due to
>>> the default route, they are answered from eth0, which means a tcp
>>> connection can not be established.
>>> > i know that linux has a conntrack module, can i use it to tell the
>>> kernel to answer on the same eth it got SYN from ?
>>>
>>> Are the two ports on the same netblock?
>>>
>> what do you mean by that ?
>>
>
> I mean that one is 10.1.2.3 with netmask 255.255.255.0 and the other is
> 10.1.2.4 with netmask 255.255.255.0, for example. That means that they're
> both on the same network block.
>
of course they are not on the same network.
not so smart to have two interfaces with same network - unless you do
static routing, you depend on the order of the interfaces coming up ...

>  If so, can they be separated to two non overlapping blocks?
>>>
>> didn't get that
>>
>
> So that one would be 10.1.2.3 with netmask 255.255.255.0 and the other
> would be 10.1.3.3 with netmask 255.255.255.0
>
>>
>>
>> i have many clients from many different ips connecting to my server. the
>> server has two eth interfaces, with many ports open.
>> there is no relation between eth and port, the same port can receive
>> connections from either interface.
>> i just want to route the relayed packets of the same connection to the
>> eth the syn packet came from.
>>
>
>
> So, the solution I gave you in the original mail is supposed to work.
>
> I only forgot one word in the command I gave over mobile, so now I'll give
> the full solution when it's easier to type.
>
> Variables (assumptions) :
>
> IP address currently going through DGW that shouldn't be: 1.2.3.4
> Alternative gateway for 1.2.3.4:  1.2.3.254
>
1.2.3.4 and 1.2.3.254 are on the same network.
for your example above, it would be 10.1.2.254 and 10.1.3.254

> First, create an alternative routing table for traffic coming from the IP
> that is not supposed to go to the default GW:
>
> # ip route add 0.0.0.0/0 via 1.2.3.254 table 200
>
> Then, ask Linux to use that routing table whenever the source of the
> traffic is from 1.2.3.4:
>
> # ip rule add from 1.2.3.4 table 200
>
although the packet will come from router 1.2.3.4, the source ip on the
packet is not 1.2.3.4, so this rule is useless (i also checked it and it
didn't work)
i tried also: ip rule add dev eth1 table 200 - didn't work either
the syntax does not allow me to write 'ip rule add from dev eth1...' - i.e.
can't add 'from'
so i guess i need to tag the packets some way with an iptables rule, and then
add an 'ip rule'
or maybe someone knows of a better way.

thanks shimi.
erez.


> 200 is an arbitrary number. You could use an alias for it to look nicer; If
> you want that, you can alias a name to a number by editing
> /etc/iproute2/rt_tables. There are examples there you can copy from. If you
> have an alias for the number, you can use it in both the ip route and ip
> rule commands, instead of the number.
>
> That's it, I believe.
>
> If it still doesn't work, you may be looking at the route cache. You can
> wait some time, or issue an:
>
> # ip route flush cache
>
> If it still doesn't work (or commands fail...), be sure to have iproute2
> utilities and support in the kernel.
>
> Good luck,
>
> -- Shimi
>
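The two approaches discussed in this thread, written out as an added example script (not code posted by either participant). It assumes the addressing Shimi used as an illustration (eth1 = 10.1.3.3/24 with gateway 10.1.3.254, eth0 carrying the default route), table number 200, and, for the second variant, a constructed fwmark of 0x1. Variant A is Shimi's source-address rule: the server's replies carry the eth1 address as their source, so `ip rule ... from` must name the server's own eth1 address, not the router's. Variant B is the marking approach Erez guesses at, done with CONNMARK so every packet of a connection that first arrived on eth1 is routed through table 200. `DRY_RUN=1` only prints the commands, which is how the script can be inspected without root.

```shell
#!/bin/sh
# Added example: make replies leave through the interface their connection
# arrived on (dual-homed host, default route on eth0, inbound service on eth1).
# Addresses below are constructed to match the 10.1.2.x / 10.1.3.x illustration
# in the thread; override them from the environment for a real host.

ETH1_DEV=${ETH1_DEV:-eth1}
ETH1_ADDR=${ETH1_ADDR:-10.1.3.3}
ETH1_NET=${ETH1_NET:-10.1.3.0/24}
ETH1_GW=${ETH1_GW:-10.1.3.254}
TABLE=${TABLE:-200}      # arbitrary table id; may be aliased in /etc/iproute2/rt_tables
MARK=${MARK:-0x1}        # constructed fwmark for variant B

# Print each command, and execute it unless DRY_RUN=1.
run() {
    echo "+ $*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# Variant A: route by the *source address of the reply*. The SYN's source is
# the remote client, which is why "from <router ip>" matches nothing; the
# server's reply is sourced from ETH1_ADDR, and that is what the rule keys on.
setup_source_rule() {
    run ip route add "$ETH1_NET" dev "$ETH1_DEV" src "$ETH1_ADDR" table "$TABLE"
    run ip route add default via "$ETH1_GW" dev "$ETH1_DEV" table "$TABLE"
    run ip rule add from "$ETH1_ADDR" table "$TABLE"
    run ip route flush cache
}

# Variant B: mark the connection when its first packet arrives on eth1, copy
# that mark onto every locally generated packet of the same connection, and
# route by fwmark. This also covers the case where the reply's source address
# alone is not enough (for example, when the eth1 router DNATs to the server).
setup_connmark_rule() {
    run iptables -t mangle -A PREROUTING -i "$ETH1_DEV" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    run ip route add default via "$ETH1_GW" dev "$ETH1_DEV" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route flush cache
}

# Verification: show the route the kernel would pick for a reply to $1 that is
# sourced from the eth1 address (expect "via $ETH1_GW dev $ETH1_DEV").
check_reply_route() {
    ip route get "$1" from "$ETH1_ADDR"
}

case "${1:-}" in
    source)   setup_source_rule ;;
    connmark) setup_connmark_rule ;;
esac
```

Two things to check on a host where this still "doesn't work": `ip rule show` must list the new rule above the `main` table entry (it does by default, priority 32765 vs 32766), and `rp_filter` on eth1 must not be in strict mode without the rule in place, because strict reverse-path filtering drops a SYN whose reverse route points out eth0 before conntrack ever sees it.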