advanced routing q
Erez D
erez0001 at gmail.com
Sun Sep 9 10:40:51 IDT 2012
On Sun, Sep 9, 2012 at 10:28 AM, Erez D <erez0001 at gmail.com> wrote:
>
>
> On Thu, Sep 6, 2012 at 10:18 PM, shimi <linux-il at shimi.net> wrote:
>
>>
>>
>> On Wed, Sep 5, 2012 at 8:28 AM, Erez D <erez0001 at gmail.com> wrote:
>>
>>>
>>>
>>> On Mon, Aug 20, 2012 at 10:52 AM, shimi <linux-il at shimi.net> wrote:
>>>
>>>>
>>>> On Aug 20, 2012 9:34 AM, "Erez D" <erez0001 at gmail.com> wrote:
>>>> >
>>>> > hello
>>>> >
>>>> >
>>>> > I have a server with two eth ports, each connects to a different
>>>> router, and then to the internet.
>>>> > I want all normal traffic to the internet to go via router 1 (eth0),
>>>> so I added a default route to it.
>>>> > I want TCP connections coming from all over the internet to the
>>>> second router (eth1) to be accepted.
>>>> >
>>>> > The problem is that although connections are coming from eth1, due to
>>>> the default route they are answered from eth0, which means a TCP
>>>> connection can not be established.
>>>> > I know that Linux has a conntrack module; can I use it to tell the
>>>> kernel to answer on the same eth it got the SYN from?
>>>>
>>>> Are the two ports on the same netblock?
>>>>
>>> What do you mean by that?
>>>
>>
>> I mean that one is 10.1.2.3 with netmask 255.255.255.0 and the other is
>> 10.1.2.4 with netmask 255.255.255.0, for example. That means that they're
>> both on the same network block.
>>
> Of course they are not on the same network.
> It is not so smart to have two interfaces on the same network - unless you
> do static routing, you depend on the order of the interfaces coming up ...
>
>> If so, can they be separated to two non overlapping blocks?
>>>>
>>> Didn't get that.
>>>
>>
>> So that one would be 10.1.2.3 with netmask 255.255.255.0 and the other
>> would be 10.1.3.3 with netmask 255.255.255.0
>>
>>>
>>>
>>> I have many clients from many different IPs connecting to my server. The
>>> server has two eth interfaces, with many ports open.
>>> There is no relation between eth and port; the same port can receive
>>> connections from either interface.
>>> I just want to route the replied packets of the same connection to the
>>> eth the SYN packet came from.
>>>
>>
>>
>> So, the solution I gave you in the original mail is supposed to work.
>>
>> I only forgot one word in the command I gave over mobile, so now I'll
>> give the full solution when it's easier to type.
>>
>> Variables (assumptions) :
>>
>> IP address currently going through DGW that shouldn't be: 1.2.3.4
>> Alternative gateway for 1.2.3.4: 1.2.3.254
>>
> 1.2.3.4 and 1.2.3.254 are on the same network.
> For your example above, it would be 10.1.2.254 and 10.1.3.254.
>
>> First, create an alternative routing table for traffic coming from the IP
>> that is not supposed to go to the default GW:
>>
>> # ip route add 0.0.0.0/0 via 1.2.3.254 table 200
>>
>> Then, ask Linux to use that routing table whenever the source of the
>> traffic is from 1.2.3.4:
>>
>> # ip rule add from 1.2.3.4 table 200
>>
> Although the packet will come from router 1.2.3.4, the source IP on the
> packet is not 1.2.3.4, so this rule is useless (I also checked it and it
> didn't work).
> I tried also: ip rule add dev eth1 table 200 - didn't work either.
> The syntax does not allow me to write 'ip rule add from dev eth1...' -
> i.e. can't add 'from'.
> So I guess I need to tag the packets some way with an iptables rule, and
> then add an 'ip rule'.
> Or maybe someone knows of a better way.
>
> Tried also:
iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 200 ; ip rule
add fwmark 200 table 200
Didn't work as well ...
> thanks shimi.
> erez.
>
>
>> 200 is an arbitrary number. You could use an alias for it to look nicer;
>> If you want that, you can alias a name to a number by editing
>> /etc/iproute2/rt_tables. There are examples there you can copy from. If you
>> have an alias for the number, you can use it in both the ip route and ip
>> rule commands, instead of the number.
>>
>> That's it, I believe.
>>
>> If it still doesn't work, you may be looking at the route cache. You can
>> wait some time, or issue an:
>>
>> # ip route flush cache
>>
>> If it still doesn't work (or commands fail...), be sure to have iproute2
>> utilities and support in the kernel.
>>
>> Good luck,
>>
>> -- Shimi
>>
>
>
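The approach the last message reaches for (tag the packets with iptables, then match the tag with an ip rule) written out in full, as an added example that is not from the thread or from either participant. The interface name eth1, the gateway 10.1.3.254, and table/mark number 200 are assumptions for illustration; the point the example adds is that a mark set in PREROUTING only ever lands on the inbound packets, so it has to be saved into the conntrack entry (CONNMARK --save-mark) and copied back onto the locally generated replies in the mangle OUTPUT chain (CONNMARK --restore-mark) before the fwmark rule can see it.

```shell
#!/bin/sh
# Added example (not from the thread): answer each TCP connection through the
# interface its SYN arrived on, using conntrack marks plus a policy-routing table.
# Assumptions (hypothetical, adapt to your hosts): the second uplink is eth1 with
# gateway 10.1.3.254; table number 200 and firewall mark 200 are arbitrary.
# Set DRY_RUN=1 to print the commands instead of running them (no root needed).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Mark every NEW connection entering on $1 with $4, save the mark into the
# conntrack entry, and restore it onto locally generated replies in OUTPUT.
# The ip rule then sends packets carrying fwmark $4 to table $3, whose default
# route points at gateway $2 on $1.
policy_route_setup() {
    iface=$1; gw=$2; table=$3; mark=$4

    # Alternative routing table: default via the second router only.
    run ip route replace default via "$gw" dev "$iface" table "$table"

    # Marked packets consult that table instead of the main one.
    run ip rule add fwmark "$mark" table "$table"

    # Inbound: tag the first packet of each connection seen on the interface
    # and store the tag in its connection-tracking entry.
    run iptables -t mangle -A PREROUTING -i "$iface" -m conntrack --ctstate NEW \
        -j MARK --set-mark "$mark"
    run iptables -t mangle -A PREROUTING -i "$iface" -m conntrack --ctstate NEW \
        -j CONNMARK --save-mark

    # Outbound: the server's replies are locally generated and never pass
    # PREROUTING, so copy the connection mark back onto them before routing.
    run iptables -t mangle -A OUTPUT -m connmark ! --mark 0 -j CONNMARK --restore-mark

    # Strict reverse-path filtering (1) drops packets arriving on eth1 whose
    # source the main table would route via eth0; loose mode (2) keeps a check
    # but accepts any source reachable through some interface.
    run sysctl -w "net.ipv4.conf.$iface.rp_filter=2"

    # Cached routes could keep steering replies along the old path.
    run ip route flush cache
}

# Number of commands the setup issues (used as a quick self-check).
count_commands() {
    DRY_RUN=1 policy_route_setup "$@" | wc -l | tr -d ' '
}

# Usage:  DRY_RUN=1 sh policyroute.sh eth1 10.1.3.254      (preview)
#         sudo sh policyroute.sh eth1 10.1.3.254           (apply)
if [ $# -ge 2 ]; then
    policy_route_setup "$1" "$2" "${3:-200}" "${4:-200}"
fi
```

Two caveats worth knowing before relying on the mark-based variant. First, `ip rule add iif eth1 ...` (the keyword the `from dev` attempt was looking for) selects packets that were received on eth1, which the server's own replies were not, so it cannot steer them on its own. Second, when eth1 carries its own address, the simpler `ip rule add from <eth1 address> table 200` that was suggested earlier already does the job for TCP: the kernel sources a reply from the address the SYN was addressed to, which is eth1's address, not the router's. The CONNMARK form is what remains when that assumption does not hold, for example when the same address is reachable through both routers.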