Hello,
Kradorex Xeron a écrit :
>
> Here's my physical configuration (Best viewed in monospace font):
>
> <CONNECTION 1>---[ISP 1]
> |
> [NAT]
> |
> <SERVER>-------[SWITCH] (note: Both NAT routers are on the same subnet)
> |
> [NAT]
> |
> <CONNECTION 2>---[ISP 2]
>
> The server is only able to route out one connection or the other at the
> moment. Basically what I want is for the server to be able to route out the
> connection it came in on.
The server needs to use advanced routing. The general idea is to create
an alternate routing table for outgoing packets which must be routed
through the non-default router.
I can suggest three approaches. The first one is to add an alternate IP
address to the server in the same subnet, configure the non default
router to forward incoming connections to the alternate IP address, and
create a routing rule on the server saying to use the alternate routing
table to route outgoing packets with the alternate source address.
Guidelines :
# add alternate address to the LAN interface
ip addr add <alternate_address> dev <interface>
# add route to the LAN hosts in the alternate routing table
ip route add <local_net>/<mask|length> dev <interface> table 100
# add default route in the alternate routing table
ip route add default via <non_default_router_address> table 100
# create a routing rule based on source address
ip rule add from <alternate_address> lookup 100
The second approach is to mark the incoming connections forwarded by the
non-default router with iptables and create a routing rule saying to use
the alternate routing table to route outgoing packets with the mark. A
difficulty is to detect that a connection was forwarded by the
non-default router. Its IP address does not appear in the forwarded
packets so it cannot be used. Its MAC address can be used instead. IP
header fields such as TOS may be used too.
Guidelines :
# add default route in the alternate routing table
ip route add default via <non_default_router_address> table 100
# create a routing rule based on iptables mark
ip rule add fwmark 0x1 lookup 100
# add mark to connections from the non-default router MAC address
iptables -t mangle -A PREROUTING -m state --state NEW,RELATED \
-m mac --mac-source <non_default_router_mac> -j CONNMARK --set-mark 0x1
# copy the connection mark into outgoing packets
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
The third approach is to mark outgoing packets with source ports
corresponding to the hosted services, and create a routing rule saying
to use the alternate routing table to route outgoing packets with the
mark. Note that this approach may not be applicable in all cases.
Guidelines :
# add route to the LAN hosts in the alternate routing table
ip route add <local_net>/<mask|length> dev <interface> table 100
# add default route in the alternate routing table
ip route add default via <non_default_router_address> table 100
# create a routing rule based on iptables mark
ip rule add fwmark 0x1 lookup 100
# mark outgoing packets with specific protocols and source ports
# destination addresses in the local network are excluded
iptables -t mangle -A OUTPUT -d ! <local_net>/<mask|length> \
-p <protocol> -m multiport --sports <ports> -j MARK --set-mark 0x1
Similar Threads
Linear Mode
