<div dir="ltr"><br><br><div class="gmail_quote">On Sun, Sep 9, 2012 at 10:28 AM, Erez D <span dir="ltr"><<a href="mailto:erez0001@gmail.com" target="_blank">erez0001@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><br><br><div class="gmail_quote"><div class="im">On Thu, Sep 6, 2012 at 10:18 PM, shimi <span dir="ltr"><<a href="mailto:linux-il@shimi.net" target="_blank">linux-il@shimi.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><br><br><div class="gmail_quote"><div>On Wed, Sep 5, 2012 at 8:28 AM, Erez D <span dir="ltr"><<a href="mailto:erez0001@gmail.com" target="_blank">erez0001@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><br><br><div class="gmail_quote"><div>On Mon, Aug 20, 2012 at 10:52 AM, shimi <span dir="ltr"><<a href="mailto:linux-il@shimi.net" target="_blank">linux-il@shimi.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div><p><br>
On Aug 20, 2012 9:34 AM, "Erez D" <<a href="mailto:erez0001@gmail.com" target="_blank">erez0001@gmail.com</a>> wrote:<br>
><br>
> hello<br>
><br>
><br>
> i have a server with two eth ports, each connects to a different router, and then to the internet.<br>
> i want all normal traffic to the internet to go via router 1 (eth0), so i added a default route to it<br>
> i want connections TCP coming from all over the internet to the second router(eth1), to be accepted.<br>
><br>
> the problem is that although connections are coming from eth1, due to the default route, they are answered from eth0, which means a tcp connection can not be established.<br>
> i know that linux has a conntrack module, can i use it to tell the kernel to answer on the same eth it got SYN from?</p>
</div></div><p>Are the two ports on the same netblock?</p></blockquote></div><div>what do you mean by that ? <br></div></div></div></blockquote></div><div><br>I mean that one is 10.1.2.3 with netmask 255.255.255.0 and the other is 10.1.2.4 with netmask 255.255.255.0, for example. That means that they're both on the same network block. <br>
</div></div></div></blockquote></div><div>of course they are not on the same network.<br>not so smart to have two interfaces with the same network - unless you do static routing, you depend on the order of the interfaces coming up ...<br>
</div><div class="im"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div>
</div><div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div></div><div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p> If so, can they be separated to two non overlapping blocks? <br>
</p></blockquote></div><div>didn't get that<br></div></div></div></blockquote></div><div><br>So that one would be 10.1.2.3 with netmask 255.255.255.0 and the other would be 10.1.3.3 with netmask 255.255.255.0<br></div>
<div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div class="gmail_quote"><div><br><br>i have many clients from many different ips connecting to my server. the server has two eth interfaces, with many ports open. <br>there is no relation between eth and port, the same port can receive connections from either interface.<br>
i just want to route the relayed packets of the same connection to the eth the syn packet came from.<br></div></div></div></blockquote></div><div><br><br>So, the solution I gave you in the original mail is supposed to work.<br>
<br>I only forgot one word in the command I gave over mobile, so now I'll give the full solution when it's easier to type.<br><br>Variables (assumptions) :<br><br>IP address currently going through DGW that shouldn't be: 1.2.3.4<br>
Alternative gateway for <a href="http://1.2.3.4" target="_blank">1.2.3.4</a>: 1.2.3.254</div></div></div></blockquote></div><div>1.2.3.4 and 1.2.3.254 are on the same network.<br>for your example above, it would be 10.1.2.254 and 10.1.3.254 <br>
</div><div class="im"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div>First, create an alternative routing table for traffic coming from the IP that is not supposed to go to the default GW:<br>
<br># ip route add <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> via 1.2.3.254 table 200<br>
<br>Then, ask Linux to use that routing table whenever the source of the traffic is from <a href="http://1.2.3.4" target="_blank">1.2.3.4</a>:<br><br># ip rule add from 1.2.3.4 table 200<br><br></div></div></div></blockquote>
</div></div></div></blockquote><div>ok, shimi - you were correct, i confused the ip address and the gw address.<br>it works now<br><br>Thanks,<br>Erez, <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div class="gmail_quote"><div class="im"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div></div></div></div>
</blockquote>
</div><div>although the packet will come from router 1.2.3.4, the source ip on the packet is not 1.2.3.4, so this rule is useless (i also checked it and it didn't work)<br>i tried also: ip rule add dev eth1 table 200 - didn't work either<br>
the syntax does not allow me to write 'ip rule add from dev eth1...' - i.e. can't add 'from'<br>so i guess i need to tag the packets some way with an iptables rule, and then add an 'ip rule'<br>
or maybe someone knows of a better way.<br>
<br>thanks shimi.<span class="HOEnZb"><font color="#888888"><br>erez.<br><br><br></font></span></div><div class="im"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">
<div class="gmail_quote"><div>200 is an arbitrary number. You could use an alias for it to look nicer; If you want that, you can alias a name to a number by editing /etc/iproute2/rt_tables. There are examples there you can copy from. If you have an alias for the number, you can use it in both the ip route and ip rule commands, instead of the number.<br>
<br></div></div>That's it, I believe.<br><br>If it still doesn't work, you may be looking at the route cache. You can wait some time, or issue an:<br><br># ip route flush cache<br><br>If it still doesn't work (or commands fail...), be sure to have iproute2 utilities and support in the kernel.<br>
<br>Good luck,<br><br>-- Shimi<br></div>
</blockquote></div></div><br></div>
</blockquote></div><br></div>
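As an added example (not code from the thread or from either poster): a small POSIX shell script that prints the iproute2 policy-routing commands Shimi describes for a second interface, after first checking that the gateway really sits inside that interface's subnet, which is the IP/gateway mix-up Erez ran into. The interface name eth1, table 200 and the 10.1.3.x addresses are assumed, following the 10.1.2.x / 10.1.3.x example used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the iproute2 commands for
# source-based policy routing on a second interface, after validating that
# the gateway is inside the interface's subnet (the IP/gateway mix-up above).
# Constructed addresses: 10.1.3.3/24 on eth1 with gateway 10.1.3.254, table 200.

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
  echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# int_to_ip INTEGER -> A.B.C.D
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_mask PREFIXLEN -> 32-bit netmask as an integer
prefix_mask() {
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# same_subnet IP GW PREFIXLEN -> succeeds only if GW lies in IP's /PREFIXLEN network
same_subnet() {
  m=$(prefix_mask "$3")
  [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# policy_route_cmds IFACE IP GW PREFIXLEN TABLE
# Prints (does not run) the commands; pipe the output into "sh" as root to apply.
policy_route_cmds() {
  iface=$1; addr=$2; gw=$3; plen=$4; tbl=$5
  if ! same_subnet "$addr" "$gw" "$plen"; then
    echo "error: gateway $gw is not inside $addr/$plen (IP and gateway mixed up?)" >&2
    return 1
  fi
  net=$(int_to_ip $(( $(ip_to_int "$addr") & $(prefix_mask "$plen") )))
  # Connected route in the alternate table, so neighbours on that subnet are
  # reached directly instead of being sent to the gateway
  printf 'ip route add %s/%s dev %s src %s table %s\n' "$net" "$plen" "$iface" "$addr" "$tbl"
  # Default route for that table via the second router (the thread's first command)
  printf 'ip route add 0.0.0.0/0 via %s dev %s table %s\n' "$gw" "$iface" "$tbl"
  # Replies sourced from the second interface's address consult the alternate table
  printf 'ip rule add from %s table %s\n' "$addr" "$tbl"
  # Harmless on kernels >= 3.6, which removed the IPv4 route cache
  printf 'ip route flush cache\n'
}

# Example run for the thread's second interface; aborts if the gateway is wrong.
policy_route_cmds eth1 10.1.3.3 10.1.3.254 24 200
```

Because the rule keys on the source address rather than on the interface, it only does what the thread wants once the server's reply actually carries the eth1 address as its source, which is the case for connections that arrived via eth1.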