I can send packets but I receive nothing, routing problem

 
 
riviereg
09-03-2004, 09:46 AM
Dear all Linux networking,

I am trying to set up a route to my ISP:

my 10.0.0.0 network is connected to the router on eth0
my ISP is on link eth2 on my router (GNU/Debian sarge, kernel 2.6.8; I
tried 2.6.7, same problem).
my external IP is 1.2.3.4
my gateway is 1.2.3.5 (this is my modem, with a real IP address)

I am trying to route my internal IP 10.0.0.1 to this ISP.

My route is configured like this:

# ADSL line
ip route flush table 5
ip route add table 5 default via 1.2.3.5 src 1.2.3.4 dev eth2
ip rule add fwmark 5 table 5

My NAT is like this:

iptables -t mangle -A PREROUTING -s 10.0.0.1 -j MARK --set-mark 5
iptables -t nat -A POSTROUTING -o eth2 -s 10.0.0.1 -j SNAT --to 1.2.3.4

All is OK: I can access my modem (1.2.3.5) from 10.0.0.1, and I can also
access the internet on this modem (there is a web site on the modem).

But when I try to access the Internet from 10.0.0.1, I can "find" sites
but I receive nothing; all my pings are lost. This problem drives me crazy ...

I think I send packets but there is some kind of incoming-reply routing
problem. All other IPs from my internal network can connect with the
default gateway on my first ISP (eth1).

Thank you for helping me with this,
Guillaume
 
Alex Harsch
09-03-2004, 07:25 PM
riviereg wrote:

> Dear all linux networking,
>
> I try to set up a route to my ISP:
>
> my 10.0.0.0 network is connected to the router on eth0
> my ISP is on link eth2 on my router (GNU/Debian sarge, kernel 2.6.8, I
> try with 2.6.7 same problem).
> my external IP is 1.2.3.4
> my gateway is 1.2.3.5 (this is my modem, with a real IP address)
>
> I try to route my internal IP 10.0.0.1 to this ISP
>
> my route is configure like this:
>
> # ADSL line
> ip route flush table 5
> ip route add table 5 default via 1.2.3.5 src 1.2.3.4 dev eth2
> ip rule add fwmark 5 table 5
>
> my Nat is like this
>
> iptables -t mangle -A PREROUTING -s 10.0.0.1 -j MARK --set-mark 5
> iptables -t nat -A POSTROUTING -o eth2 -s 10.0.0.1 -j SNAT --to 1.2.3.4
>
> All is ok, I can access to my modem (1.2.3.5) from 10.0.0.1, I can also
> access to internet on this modem (there is a web site on the modem).
>
> But when I try to access to Internet from 10.0.0.1, I can "find" sites
> but I receive nothing, all my ping are lost. This problem drive me crasy
> ...
>
> I think I send packets but there is a kind of incoming reply routing
> problem. All other IP's from my internal network can connect with the
> default gateway on my first ISP (eth1).
>
> Thank you for Help me on this,
> Guillaume

Bonjour Guillaume,

I think you have a couple of problems here. First of all, your default
gateway should not be the modem, but your interface pppx.
Additionally, I think you have not configured your firewall to allow
incoming related/acknowledged packets.

With kind regards, Alex
 
riviereg
09-04-2004, 11:04 AM
Alex Harsch wrote:
> riviereg wrote:
>
>
>>Dear all linux networking,
>>
>>I try to set up a route to my ISP:
>>
>>my 10.0.0.0 network is connected to the router on eth0
>>my ISP is on link eth2 on my router (GNU/Debian sarge, kernel 2.6.8, I
>>try with 2.6.7 same problem).
>>my external IP is 1.2.3.4
>>my gateway is 1.2.3.5 (this is my modem, with a real IP address)
>>
>>I try to route my internal IP 10.0.0.1 to this ISP
>>
>>my route is configure like this:
>>
>># ADSL line
>>ip route flush table 5
>>ip route add table 5 default via 1.2.3.5 src 1.2.3.4 dev eth2
>>ip rule add fwmark 5 table 5
>>
>>my Nat is like this
>>
>>iptables -t mangle -A PREROUTING -s 10.0.0.1 -j MARK --set-mark 5
>>iptables -t nat -A POSTROUTING -o eth2 -s 10.0.0.1 -j SNAT --to 1.2.3.4
>>
>>All is ok, I can access to my modem (1.2.3.5) from 10.0.0.1, I can also
>>access to internet on this modem (there is a web site on the modem).
>>
>>But when I try to access to Internet from 10.0.0.1, I can "find" sites
>>but I receive nothing, all my ping are lost. This problem drive me crasy
>>...
>>
>>I think I send packets but there is a kind of incoming reply routing
>>problem. All other IP's from my internal network can connect with the
>>default gateway on my first ISP (eth1).
>>
>>Thank you for Help me on this,
>>Guillaume

>
> Bon Jour Guillaume,
>
> I think, you have a couple of problems here. First of all, you default
> gateway should not be the modem, but your interface pppx.
> Additionally, I think you have not configured your firewall to allow
> incoming related/acknowledged packets.



Thank you for this Alex,

In fact I have a modem gateway with an assigned real IP address:

Internal Network ----| Linux box |-----| Modem gateway |----
|
| Computer x |

I also tried connecting a computer (x) directly to the modem gateway,
with this modem as gateway and another real IP address provided by
my ISP. From computer X I can access the Internet, no problem.

How do I configure my firewall to allow incoming related/acknowledged
packets? I think my problem is something like this.

Thank you very much for your help,
Guillaume
 
Alex Harsch
09-04-2004, 06:18 PM
riviereg wrote:

> Alex Harsch wrote:
>> riviereg wrote:
>>
>>
>>>Dear all linux networking,
>>>
>>>I try to set up a route to my ISP:
>>>
>>>my 10.0.0.0 network is connected to the router on eth0
>>>my ISP is on link eth2 on my router (GNU/Debian sarge, kernel 2.6.8, I
>>>try with 2.6.7 same problem).
>>>my external IP is 1.2.3.4
>>>my gateway is 1.2.3.5 (this is my modem, with a real IP address)
>>>
>>>I try to route my internal IP 10.0.0.1 to this ISP
>>>
>>>my route is configure like this:
>>>
>>># ADSL line
>>>ip route flush table 5
>>>ip route add table 5 default via 1.2.3.5 src 1.2.3.4 dev eth2
>>>ip rule add fwmark 5 table 5
>>>
>>>my Nat is like this
>>>
>>>iptables -t mangle -A PREROUTING -s 10.0.0.1 -j MARK --set-mark 5
>>>iptables -t nat -A POSTROUTING -o eth2 -s 10.0.0.1 -j SNAT --to 1.2.3.4
>>>
>>>All is ok, I can access to my modem (1.2.3.5) from 10.0.0.1, I can also
>>>access to internet on this modem (there is a web site on the modem).
>>>
>>>But when I try to access to Internet from 10.0.0.1, I can "find" sites
>>>but I receive nothing, all my ping are lost. This problem drive me crasy
>>>...
>>>
>>>I think I send packets but there is a kind of incoming reply routing
>>>problem. All other IP's from my internal network can connect with the
>>>default gateway on my first ISP (eth1).
>>>
>>>Thank you for Help me on this,
>>>Guillaume

>>
>> Bon Jour Guillaume,
>>
>> I think, you have a couple of problems here. First of all, you default
>> gateway should not be the modem, but your interface pppx.
>> Additionally, I think you have not configured your firewall to allow
>> incoming related/acknowledged packets.

>
>
> Thank you for this Alex,
>
> I fact I have a modem gateway with an assigned real IP Address,
>
> Internal Network ----| Linux box |-----| Modem gateway |----
> |
> | Computer x |
>
> I aslo try to connect directly a computer (x) to the Modem gateway,
> with this modem as gateway and another real IP address provided by
> my ISP. From computer X I can access to Internet, no problem
>
> How to configure my firewall to allow incoming related/ackowledged
> packets ? I think my problem is something like this.
>
> Thank you very much for help,
> Guillaume

Hello Guillaume,

Hard to say what's wrong. Since you have access with machine x, traffic from
the web should be able to pass the firewall. Can you post the routing
table and the firewall config (route/iptables-save)?

Regards, Alex
 
Tauno Voipio
09-05-2004, 06:40 PM
riviereg wrote:
> Dear all linux networking,
>
> I try to set up a route to my ISP:
>
> my 10.0.0.0 network is connected to the router on eth0
> my ISP is on link eth2 on my router (GNU/Debian sarge, kernel 2.6.8, I
> try with 2.6.7 same problem).
> my external IP is 1.2.3.4
> my gateway is 1.2.3.5 (this is my modem, with a real IP address)
>
> I try to route my internal IP 10.0.0.1 to this ISP
>
> my route is configure like this:
>
> # ADSL line
> ip route flush table 5
> ip route add table 5 default via 1.2.3.5 src 1.2.3.4 dev eth2
> ip rule add fwmark 5 table 5
>
> my Nat is like this
>
> iptables -t mangle -A PREROUTING -s 10.0.0.1 -j MARK --set-mark 5
> iptables -t nat -A POSTROUTING -o eth2 -s 10.0.0.1 -j SNAT --to 1.2.3.4
>
> All is ok, I can access to my modem (1.2.3.5) from 10.0.0.1, I can also
> access to internet on this modem (there is a web site on the modem).
>
> But when I try to access to Internet from 10.0.0.1, I can "find" sites
> but I receive nothing, all my ping are lost. This problem drive me crasy
> ...
>
> I think I send packets but there is a kind of incoming reply routing
> problem. All other IP's from my internal network can connect with the
> default gateway on my first ISP (eth1).
>
> Thank you for Help me on this,
> Guillaume


The main problem is that you're trying to send out (to the Net
via ISP) addresses that are not publicly known to mean you. The
return packets have no way of finding their way back from the
Net via your PPP address. The ISP cannot know that the internal
network 10.x.y.z address means your external IP (1.2.3.4, in the example).

What you need is a way to send all internal packets from the
Linux box toward the Net with your public IP as the sender
address. This is called IP-Masquerade or NAT.

For details on how to set up masquerading routes, see the
IP-Masquerade-HOWTO from the Linux Documentation Project
<http://www.tldp.org/> or any of its mirrors.

HTH

Tauno Voipio
tauno voipio (at) iki fi

 
Alex Harsch
09-06-2004, 07:37 AM
riviereg wrote:

> Alex Harsch wrote:
>> riviereg wrote:
>>
>>
>>>Alex Harsch wrote:
>>>
>>>>riviereg wrote:
>>>>
>>>>
>>>>
>>>>>Dear all linux networking,
>>>>>
>>>>>I try to set up a route to my ISP:
>>>>>
>>>>>my 10.0.0.0 network is connected to the router on eth0
>>>>>my ISP is on link eth2 on my router (GNU/Debian sarge, kernel 2.6.8, I
>>>>>try with 2.6.7 same problem).
>>>>>my external IP is 1.2.3.4
>>>>>my gateway is 1.2.3.5 (this is my modem, with a real IP address)
>>>>>
>>>>>I try to route my internal IP 10.0.0.1 to this ISP
>>>>>
>>>>>my route is configure like this:
>>>>>
>>>>># ADSL line
>>>>>ip route flush table 5
>>>>>ip route add table 5 default via 1.2.3.5 src 1.2.3.4 dev eth2
>>>>>ip rule add fwmark 5 table 5
>>>>>
>>>>>my Nat is like this
>>>>>
>>>>>iptables -t mangle -A PREROUTING -s 10.0.0.1 -j MARK --set-mark 5
>>>>>iptables -t nat -A POSTROUTING -o eth2 -s 10.0.0.1 -j SNAT --to
>>>>>1.2.3.4
>>>>>
>>>>>All is ok, I can access to my modem (1.2.3.5) from 10.0.0.1, I can also
>>>>>access to internet on this modem (there is a web site on the modem).
>>>>>
>>>>>But when I try to access to Internet from 10.0.0.1, I can "find" sites
>>>>>but I receive nothing, all my ping are lost. This problem drive me
>>>>>crasy ...
>>>>>
>>>>>I think I send packets but there is a kind of incoming reply routing
>>>>>problem. All other IP's from my internal network can connect with the
>>>>>default gateway on my first ISP (eth1).
>>>>>
>>>>>Thank you for Help me on this,
>>>>>Guillaume
>>>>
>>>>Bon Jour Guillaume,
>>>>
>>>>I think, you have a couple of problems here. First of all, you default
>>>>gateway should not be the modem, but your interface pppx.
>>>>Additionally, I think you have not configured your firewall to allow
>>>>incoming related/acknowledged packets.
>>>
>>>
>>>Thank you for this Alex,
>>>
>>>I fact I have a modem gateway with an assigned real IP Address,
>>>
>>>Internal Network ----| Linux box |-----| Modem gateway |----
>>>|
>>>| Computer x |
>>>
>>>I aslo try to connect directly a computer (x) to the Modem gateway,
>>>with this modem as gateway and another real IP address provided by
>>>my ISP. From computer X I can access to Internet, no problem
>>>
>>>How to configure my firewall to allow incoming related/ackowledged
>>>packets ? I think my problem is something like this.
>>>
>>>Thank you very much for help,
>>>Guillaume

>>
>> Hello Guillaume,
>>
>> hard to say whats wrong. Since you have access with machine x, traffic
>> from the web should be able to pass the firewall. Can you poste the
>> routing table and the firewall config (route/iptables-save).
>>
>> Regards, Alex

>
>
> Here is my exact configuration
> (I tried a script from the lartc mailing list):
> With this configuration, I have the same problem as with
> the simple configuration I first tried. Something very strange ...
> All my DNAT incoming rules work well
>
> I mean, i can access to my web server on 1.2.3.4 and on 5.6.7.8 from an
> external IP.
>
> My problem is that I cannot access to Internet from 10.0.0.1:
> From this address I can access to all computer in the 5.6.7.8/29
> network (for me this is not a nat problem), but I cannot access to
> Internet ...
> From this address, when I disconnect 5.6.7.9 (my gateway) from Internet,
> ping said "Host Unreachable", when I connect it to Internet, ping said
> "Time out"
>
> Thank you for your help,
> Guillaume
>
> Here are my scripts:
>
> ############################################################
> # ROUTING Script
> ############################################################
>
> echo "Routing rules and tables"
>
> echo "removing old rules"
> ip rule del prio 50 table main
> ip rule del prio 201 from 5.6.7.8/255.255.255.248 table 201
> ip rule del prio 202 from 1.2.3.4/255.255.255.248 table 202
> ip rule del prio 210 fwmark 22 table 210
> ip rule del prio 221 table 221
> echo "flushing tables"
> ip route flush table 201
> ip route flush table 202
> ip route flush table 210
> ip route flush table 221
> echo "removing tables"
> ip route del table 201
> ip route del table 202
> ip route del table 210
> ip route del table 221
>
> case $1 in
> stop) exit
> ;;
> esac
>
> # setting new rules
> echo "Setting new routing rules"
>
> # main table w/o default gateway here
>
> ip rule add prio 50 table main
> ip route del default table main
>
> # identified routes here
> ip rule add prio 201 from 1.2.3.4/255.255.255.248 table 201
> ip rule add prio 202 from 5.6.7.5/255.255.255.248 table 202
>
> ip route add default via 1.2.3.5 dev eth1 src 1.2.3.4 proto static table 201
> ip route append prohibit default table 201 metric 1 proto static
>
> ip route add default via 5.6.7.9 dev eth2 src 5.6.7.8 proto static table 202
> ip route append prohibit default table 202 metric 1 proto static
>
> # selected clients / select by fwmark=34
> ip rule add prio 210 fwmark 22 table 210
> ip rule add prio 221 table 221
>
> ip route add default table 210 proto static via 5.6.7.9 dev eth2 src 5.6.7.8
> ip route add default table 221 proto static via 1.2.3.5 dev eth1 src 1.2.3.4
>
> ip route flush cache
>
> echo "setup routing rules"
>
> ############################################################
> # IPTables Script
> ############################################################
>
> echo "firewall constants setup"
> /usr/sbin/iptables -A FORWARD -i eth1 -o eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
> # FLUSH the tables
> iptables -t nat -F POSTROUTING
> iptables -t nat -F PREROUTING
> iptables -t mangle -F PREROUTING
>
> ########################## SNAT ############################
>
> ## Mangeling Rules ##
> iptables -t mangle -A PREROUTING -s 10.0.0.1 -j MARK --set-mark 34
>
>
> #A/ SNAT with 2 ISP
> #---------------------
>
> #A1/ ISP1 SNAT
> #---------------
>
>
>
> #RULES
>
> # Allow all access to http and https (port 80, port 443) only for http
> iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 80 -j SNAT --to 1.2.3.4
> iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 443 -j SNAT --to 1.2.3.4
> iptables -t nat -A POSTROUTING -o eth1 -p udp --dport 53 -j SNAT --to 1.2.3.4
> iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 110 -j SNAT --to 1.2.3.4
> iptables -t nat -A POSTROUTING -o eth1 -p icmp -j SNAT --to 1.2.3.4
>
>
> #A2/ ISP2 SNAT
> #-------------
>
> iptables -t nat -A POSTROUTING -o eth2 -s 10.0.0.1 -j SNAT --to 5.6.7.8
>
> ######################### DNAT #################################
>
> # Web Server
> iptables -t nat -I PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to 10.117.71.2:80
>
> # Web Server
> iptables -t nat -I PREROUTING -p tcp -d 5.6.7.8 --dport 80 -j DNAT --to 10.117.71.2:80
>
>
>
> Here is my routing table:
> $> ip route list
> 1.2.3.4/29 dev eth1 proto kernel scope link src 1.2.3.4
> 5.6.7.8/29 dev eth2 proto kernel scope link src 5.6.7.8
> 10.117.71.0/24 dev eth0 proto kernel scope link src 10.117.71.1
>
> $> ip rule list
> 0: from all lookup local
> 50: from all lookup main
> 201: from 1.2.3.4/29 lookup 201
> 202: from 5.6.7.8/29 lookup 202
> 210: from all fwmark 22 lookup 210
> 221: from all lookup 221
> 32766: from all lookup main
> 32767: from all lookup default
>
> $>ip route show table 202
> default via 5.6.7.9 dev eth2 proto static src 5.6.7.8
> prohibit default proto static metric 1
>
> $>ip route show table 210
> default via 5.6.7.9 dev eth2 proto static src 5.6.7.8

Hello Guillaume,

Problem:
1. Your 10.0.0.1 gets the mark 34. This mark is later routed to table 210,
which leads via 5.6.7.9 dev eth2 src 5.6.7.8. That's why the packets take
the 'wrong way'.
2. I think that your modem is no modem but a router. To a modem you have to
connect through PPPoE, but you connect to it via Ethernet. So I think we
are talking about a router. You don't seem to have any firewalling enabled
on the Linux box, so you allow all traffic on the Linux router by default!
This means there is probably a firewall on the modem/router, and I guess
you will have to change those rules to allow incoming traffic.

Regards,
Alex
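The mark/rule mismatch Alex points at can be checked mechanically rather than by eye. The script below is an added example, not code from the thread: it parses constructed copies of the `iptables -t mangle` MARK rule, the `ip rule list` output and the per-table default routes Guillaume posted, then walks the rules in priority order the way the kernel does to show which table a packet from 10.0.0.1 really ends up in, and which it would hit if the mark and the fwmark rule agreed.

```python
import ipaddress
import re

# Constructed inputs, transcribed from the outputs posted in the thread
# (this is an added example, not a script from the thread).
MANGLE_PREROUTING = [
    "iptables -t mangle -A PREROUTING -s 10.0.0.1 -j MARK --set-mark 34",
]

IP_RULE_LIST = """\
0:      from all lookup local
50:     from all lookup main
201:    from 1.2.3.4/29 lookup 201
202:    from 5.6.7.8/29 lookup 202
210:    from all fwmark 22 lookup 210
221:    from all lookup 221
32766:  from all lookup main
32767:  from all lookup default
"""

# Default route per table ('ip route show table N').  The posted main table
# holds link routes only, so main and local never decide the Internet exit.
ROUTE_TABLES = {
    "201": "default via 1.2.3.5 dev eth1 proto static src 1.2.3.4",
    "202": "default via 5.6.7.9 dev eth2 proto static src 5.6.7.8",
    "210": "default via 5.6.7.9 dev eth2 proto static src 5.6.7.8",
    "221": "default via 1.2.3.5 dev eth1 proto static src 1.2.3.4",
}

RULE_RE = re.compile(
    r"^(?P<prio>\d+):\s+from\s+(?P<src>\S+)"
    r"(?:\s+fwmark\s+(?P<mark>0x[0-9a-f]+|\d+)(?:/\S+)?)?\s+lookup\s+(?P<table>\S+)",
    re.IGNORECASE,
)
MARK_RE = re.compile(r"-s\s+(?P<src>\S+).*--set-mark\s+(?P<mark>0x[0-9a-f]+|\d+)", re.I)
DEFAULT_RE = re.compile(r"^default via (?P<gw>\S+) dev (?P<dev>\S+)")


def parse_rules(text):
    """Parse 'ip rule list' into dicts sorted by priority (lowest first)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rules.append({
            "prio": int(m["prio"]),
            "src": None if m["src"] == "all"
            else ipaddress.ip_network(m["src"], strict=False),
            "mark": int(m["mark"], 0) if m["mark"] else None,
            "table": m["table"],
        })
    return sorted(rules, key=lambda r: r["prio"])


def parse_marks(lines):
    """Map source address -> mark for every 'MARK --set-mark' rule."""
    return {m["src"]: int(m["mark"], 0) for m in map(MARK_RE.search, lines) if m}


def egress(src, mark, rules, tables):
    """Walk the rules in priority order as the kernel does; return (table, gw, dev)
    from the first matching table that holds a default route, skipping the rest."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if r["src"] is not None and addr not in r["src"]:
            continue
        if r["mark"] is not None and r["mark"] != mark:
            continue
        d = DEFAULT_RE.match(tables.get(r["table"], ""))
        if d:
            return r["table"], d["gw"], d["dev"]
    return None


def audit(mark_lines, rule_text, tables):
    """Report marks no rule routes on, rules no MARK sets, and each real exit."""
    rules = parse_rules(rule_text)
    marks = parse_marks(mark_lines)
    rule_marks = {r["mark"] for r in rules if r["mark"] is not None}
    findings = []
    for src, mark in marks.items():
        if mark not in rule_marks:
            findings.append(f"{src}: MARK {mark} is set but no ip rule selects fwmark {mark}")
        route = egress(src, mark, rules, tables)
        if route:
            findings.append(f"{src}: with mark {mark} exits via table {route[0]} ({route[1]} on {route[2]})")
        else:
            findings.append(f"{src}: with mark {mark} matches no table with a default route")
    for m in sorted(rule_marks - set(marks.values())):
        findings.append(f"ip rule for fwmark {m} is never set by any MARK rule")
    return findings


if __name__ == "__main__":
    for finding in audit(MANGLE_PREROUTING, IP_RULE_LIST, ROUTE_TABLES):
        print(finding)
```

Run stand-alone it reports three findings for the posted configuration: mark 34 matches no fwmark rule, 10.0.0.1 therefore falls through to table 221 (1.2.3.5 on eth1) while its SNAT rule only fires on eth2, and the fwmark 22 rule is never reached.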
 
riviereg
09-06-2004, 08:20 AM
Alex Harsch wrote:
> riviereg wrote:
>
>
>>Alex Harsch wrote:
>>
>>>riviereg wrote:
>>>
>>>
>>>
>>>>Dear all linux networking,
>>>>
>>>>I try to set up a route to my ISP:
>>>>
>>>>my 10.0.0.0 network is connected to the router on eth0
>>>>my ISP is on link eth2 on my router (GNU/Debian sarge, kernel 2.6.8, I
>>>>try with 2.6.7 same problem).
>>>>my external IP is 1.2.3.4
>>>>my gateway is 1.2.3.5 (this is my modem, with a real IP address)
>>>>
>>>>I try to route my internal IP 10.0.0.1 to this ISP
>>>>
>>>>my route is configure like this:
>>>>
>>>># ADSL line
>>>>ip route flush table 5
>>>>ip route add table 5 default via 1.2.3.5 src 1.2.3.4 dev eth2
>>>>ip rule add fwmark 5 table 5
>>>>
>>>>my Nat is like this
>>>>
>>>>iptables -t mangle -A PREROUTING -s 10.0.0.1 -j MARK --set-mark 5
>>>>iptables -t nat -A POSTROUTING -o eth2 -s 10.0.0.1 -j SNAT --to 1.2.3.4
>>>>
>>>>All is ok, I can access to my modem (1.2.3.5) from 10.0.0.1, I can also
>>>>access to internet on this modem (there is a web site on the modem).
>>>>
>>>>But when I try to access to Internet from 10.0.0.1, I can "find" sites
>>>>but I receive nothing, all my ping are lost. This problem drive me crasy
>>>>...
>>>>
>>>>I think I send packets but there is a kind of incoming reply routing
>>>>problem. All other IP's from my internal network can connect with the
>>>>default gateway on my first ISP (eth1).
>>>>
>>>>Thank you for Help me on this,
>>>>Guillaume
>>>
>>>Bon Jour Guillaume,
>>>
>>>I think, you have a couple of problems here. First of all, you default
>>>gateway should not be the modem, but your interface pppx.
>>>Additionally, I think you have not configured your firewall to allow
>>>incoming related/acknowledged packets.

>>
>>
>>Thank you for this Alex,
>>
>>I fact I have a modem gateway with an assigned real IP Address,
>>
>>Internal Network ----| Linux box |-----| Modem gateway |----
>>|
>>| Computer x |
>>
>>I aslo try to connect directly a computer (x) to the Modem gateway,
>>with this modem as gateway and another real IP address provided by
>>my ISP. From computer X I can access to Internet, no problem
>>
>>How to configure my firewall to allow incoming related/ackowledged
>>packets ? I think my problem is something like this.
>>
>>Thank you very much for help,
>>Guillaume

>
> Hello Guillaume,
>
> hard to say whats wrong. Since you have access with machine x, traffic from
> the web should be able to pass the firewall. Can you poste the routing
> table and the firewall config (route/iptables-save).
>
> Regards, Alex


Here is my exact configuration
(I tried a script from the lartc mailing list):
With this configuration, I have the same problem as with
the simple configuration I first tried. Something very strange ...
All my DNAT incoming rules work well.

I mean, I can access my web server on 1.2.3.4 and on 5.6.7.8 from an
external IP.

My problem is that I cannot access the Internet from 10.0.0.1:
From this address I can access all computers in the 5.6.7.8/29
network (so for me this is not a NAT problem), but I cannot access the
Internet ...
From this address, when I disconnect 5.6.7.9 (my gateway) from the Internet,
ping says "Host Unreachable"; when I connect it to the Internet, ping says
"Time out".

Thank you for your help,
Guillaume

Here are my scripts:

############################################################
# ROUTING Script
############################################################

echo "Routing rules and tables"

echo "removing old rules"
ip rule del prio 50 table main
ip rule del prio 201 from 5.6.7.8/255.255.255.248 table 201
ip rule del prio 202 from 1.2.3.4/255.255.255.248 table 202
ip rule del prio 210 fwmark 22 table 210
ip rule del prio 221 table 221
echo "flushing tables"
ip route flush table 201
ip route flush table 202
ip route flush table 210
ip route flush table 221
echo "removing tables"
ip route del table 201
ip route del table 202
ip route del table 210
ip route del table 221

case $1 in
stop) exit
;;
esac

# setting new rules
echo "Setting new routing rules"

# main table w/o default gateway here

ip rule add prio 50 table main
ip route del default table main

# identified routes here
ip rule add prio 201 from 1.2.3.4/255.255.255.248 table 201
ip rule add prio 202 from 5.6.7.5/255.255.255.248 table 202

ip route add default via 1.2.3.5 dev eth1 src 1.2.3.4 proto static table 201
ip route append prohibit default table 201 metric 1 proto static

ip route add default via 5.6.7.9 dev eth2 src 5.6.7.8 proto static table 202
ip route append prohibit default table 202 metric 1 proto static

# selected clients / select by fwmark=34
ip rule add prio 210 fwmark 22 table 210
ip rule add prio 221 table 221

ip route add default table 210 proto static via 5.6.7.9 dev eth2 src 5.6.7.8
ip route add default table 221 proto static via 1.2.3.5 dev eth1 src 1.2.3.4

ip route flush cache

echo "setup routing rules"

############################################################
# IPTables Script
############################################################

echo "firewall constants setup"

# FLUSH the tables
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t mangle -F PREROUTING

########################## SNAT ############################

## Mangling Rules ##
iptables -t mangle -A PREROUTING -s 10.0.0.1 -j MARK --set-mark 34


#A/ SNAT with 2 ISP
#---------------------

#A1/ ISP1 SNAT
#---------------



#RULES

# Allow all access to http and https (port 80, port 443) only for http
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 80 -j SNAT --to 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 443 -j SNAT --to 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -p udp --dport 53 -j SNAT --to 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 110 -j SNAT --to 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -p icmp -j SNAT --to 1.2.3.4


#A2/ ISP2 SNAT
#-------------

iptables -t nat -A POSTROUTING -o eth2 -s 10.0.0.1 -j SNAT --to 5.6.7.8

######################### DNAT #################################

# Web Server
iptables -t nat -I PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to 10.117.71.2:80

# Web Server
iptables -t nat -I PREROUTING -p tcp -d 5.6.7.8 --dport 80 -j DNAT --to 10.117.71.2:80



Here is my routing table:
$> ip route list
1.2.3.4/29 dev eth1 proto kernel scope link src 1.2.3.4
5.6.7.8/29 dev eth2 proto kernel scope link src 5.6.7.8
10.117.71.0/24 dev eth0 proto kernel scope link src 10.117.71.1

$> ip rule list
0: from all lookup local
50: from all lookup main
201: from 1.2.3.4/29 lookup 201
202: from 5.6.7.8/29 lookup 202
210: from all fwmark 22 lookup 210
221: from all lookup 221
32766: from all lookup main
32767: from all lookup default

$>ip route show table 202
default via 5.6.7.9 dev eth2 proto static src 5.6.7.8
prohibit default proto static metric 1

$>ip route show table 210
default via 5.6.7.9 dev eth2 proto static src 5.6.7.8


 
Reply With Quote
 
riviereg
Guest
Posts: n/a

 
      09-06-2004, 08:21 AM
Alex Harsch wrote:
> riviereg wrote:
>
>
>>Alex Harsch wrote:
>>
>>>riviereg wrote:
>>>
>>>
>>>
>>>>Dear all linux networking,
>>>>
>>>>I try to set up a route to my ISP:
>>>>
>>>>my 10.0.0.0 network is connected to the router on eth0
>>>>my ISP is on link eth2 on my router (GNU/Debian sarge, kernel 2.6.8, I
>>>>try with 2.6.7 same problem).
>>>>my external IP is 1.2.3.4
>>>>my gateway is 1.2.3.5 (this is my modem, with a real IP address)
>>>>
>>>>I try to route my internal IP 10.0.0.1 to this ISP
>>>>
>>>>my route is configure like this:
>>>>
>>>># ADSL line
>>>>ip route flush table 5
>>>>ip route add table 5 default via 1.2.3.5 src 1.2.3.4 dev eth2
>>>>ip rule add fwmark 5 table 5
>>>>
>>>>my Nat is like this
>>>>
>>>>iptables -t mangle -A PREROUTING -s 10.0.0.1 -j MARK --set-mark 5
>>>>iptables -t nat -A POSTROUTING -o eth2 -s 10.0.0.1 -j SNAT --to 1.2.3.4
>>>>
>>>>All is ok, I can access to my modem (1.2.3.5) from 10.0.0.1, I can also
>>>>access to internet on this modem (there is a web site on the modem).
>>>>
>>>>But when I try to access to Internet from 10.0.0.1, I can "find" sites
>>>>but I receive nothing, all my ping are lost. This problem drive me crasy
>>>>...
>>>>
>>>>I think I send packets but there is a kind of incoming reply routing
>>>>problem. All other IP's from my internal network can connect with the
>>>>default gateway on my first ISP (eth1).
>>>>
>>>>Thank you for Help me on this,
>>>>Guillaume
>>>
>>>Bon Jour Guillaume,
>>>
>>>I think, you have a couple of problems here. First of all, you default
>>>gateway should not be the modem, but your interface pppx.
>>>Additionally, I think you have not configured your firewall to allow
>>>incoming related/acknowledged packets.

>>
>>
>>Thank you for this Alex,
>>
>>I fact I have a modem gateway with an assigned real IP Address,
>>
>>Internal Network ----| Linux box |-----| Modem gateway |----
>>|
>>| Computer x |
>>
>>I aslo try to connect directly a computer (x) to the Modem gateway,
>>with this modem as gateway and another real IP address provided by
>>my ISP. From computer X I can access to Internet, no problem
>>
>>How to configure my firewall to allow incoming related/ackowledged
>>packets ? I think my problem is something like this.
>>
>>Thank you very much for help,
>>Guillaume

>
> Hello Guillaume,
>
> hard to say whats wrong. Since you have access with machine x, traffic from
> the web should be able to pass the firewall. Can you poste the routing
> table and the firewall config (route/iptables-save).
>
> Regards, Alex



Here is my exact configuration
(I try a script from the lartc mailling list):
With this configuartion, I have the same probleme than with
a simple configuration behind. I first try. Something very strange ...
All my DNAT Incoming rules work well

I mean, i can access to my web server on 1.2.3.4 and on 5.6.7.8 from an
external IP.

My problem is that I cannot access to Internet from 10.0.0.1:
From this address I can access to all computer in the 5.6.7.8/29
network (for me this is not a nat problem), but I cannot access to
Internet ...
From this address, when I disconnect 5.6.7.9 (my gateway) from Internet,
ping said "Host Unreachable", when I connect it to Internet, ping said
"Time out"

Thank you for your help,
Guillaume

Here are my scripts:

################################################## ##########
# ROUTING Script
################################################## ##########

echo "Routing rules and tables"

echo "removing old rules"
ip rule del prio 50 table main
ip rule del prio 201 from 5.6.7.8/255.255.255.248 table 201
ip rule del prio 202 from 1.2.3.4/255.255.255.248 table 202
ip rule del prio 210 fwmark 22 table 210
ip rule del prio 221 table 221
echo "flushing tables"
ip route flush table 201
ip route flush table 202
ip route flush table 210
ip route flush table 221
echo "removing tables"
ip route del table 201
ip route del table 202
ip route del table 210
ip route del table 221

case $1 in
stop) exit
;;
esac

# setting new rules
echo "Setting new routing rules"

# main table w/o default gateway here

ip rule add prio 50 table main
ip route del default table main

# identified routes here
ip rule add prio 201 from 1.2.3.4/255.255.255.248 table 201
ip rule add prio 202 from 5.6.7.5/255.255.255.248 table 202

ip route add default via 1.2.3.5 dev eth1 src 1.2.3.4 proto static table 201
ip route append prohibit default table 201 metric 1 proto static

ip route add default via 5.6.7.9 dev eth2 src 5.6.7.8 proto static table 202
ip route append prohibit default table 202 metric 1 proto static

# selected clients / select by fwmark=34
ip rule add prio 210 fwmark 22 table 210
ip rule add prio 221 table 221

ip route add default table 210 proto static via 5.6.7.9 dev eth2 src 5.6.7.8
ip route add default table 221 proto static via 1.2.3.5 dev eth1 src 1.2.3.4

ip route flush cache

echo "setup routing rules"

################################################## ##########
# IPTables Script
################################################## ##########

echo "firewall constants setup"

# FLUSH the tables
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t mangle -F PREROUTING

########################## SNAT ############################

## Mangeling Rules ##
iptables -t mangle -A PREROUTING -s 10.0.0.1 -j MARK --set-mark 34


#A/ SNAT with 2 ISP
#---------------------

#A1/ ISP1 SNAT
#---------------



#RULES

# Allow all access to http and https (port 80, port 443) only for http
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 80 -j SNAT --to
1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 443 -j SNAT --to
1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -p udp --dport 53 -j SNAT --to
1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 110 -j SNAT --to
1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -p icmp -j SNAT --to 1.2.3.4


#A2/ ISP2 SNAT
#-------------

iptables -t nat -A POSTROUTING -o eth2 -s 10.0.0.1 -j SNAT --to 5.6.7.8

######################### DNAT #################################

# Web Server
iptables -t nat -I PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT
--to 10.117.71.2:80

# Web Server
iptables -t nat -I PREROUTING -p tcp -d 5.6.7.8 --dport 80 -j DNAT
--to 10.117.71.2:80



Here is my routing table:
$> ip route list
1.2.3.4/29 dev eth1 proto kernel scope link src 1.2.3.4
5.6.7.8/29 dev eth2 proto kernel scope link src 5.6.7.8
10.117.71.0/24 dev eth0 proto kernel scope link src 10.117.71.1

$> ip rule list
0: from all lookup local
50: from all lookup main
201: from 1.2.3.4/29 lookup 201
202: from 5.6.7.8/29 lookup 202
210: from all fwmark 22 lookup 210
221: from all lookup 221
32766: from all lookup main
32767: from all lookup default

$>ip route show table 202
default via 5.6.7.9 dev eth2 proto static src 5.6.7.8
prohibit default proto static metric 1

$>ip route show table 210
default via 5.6.7.9 dev eth2 proto static src 5.6.7.8


 
riviereg
Guest
Posts: n/a

 
      09-06-2004, 12:49 PM
Alex Harsch wrote:
> riviereg wrote:
>
>
>>Alex Harsch wrote:
>>
>>>riviereg wrote:
>>>
>>>
>>>
>>>>Dear all linux networking,
>>>>
>>>>I am trying to set up a route to my ISP:
>>>>
>>>>my 10.0.0.0 network is connected to the router on eth0
>>>>my ISP is on link eth2 on my router (GNU/Debian sarge, kernel 2.6.8; I
>>>>tried 2.6.7, same problem).
>>>>my external IP is 1.2.3.4
>>>>my gateway is 1.2.3.5 (this is my modem, with a real IP address)
>>>>
>>>>I am trying to route my internal IP 10.0.0.1 to this ISP
>>>>
>>>>my route is configured like this:
>>>>
>>>># ADSL line
>>>>ip route flush table 5
>>>>ip route add table 5 default via 1.2.3.5 src 1.2.3.4 dev eth2
>>>>ip rule add fwmark 5 table 5
>>>>
>>>>my Nat is like this
>>>>
>>>>iptables -t mangle -A PREROUTING -s 10.0.0.1 -j MARK --set-mark 5
>>>>iptables -t nat -A POSTROUTING -o eth2 -s 10.0.0.1 -j SNAT --to 1.2.3.4
>>>>
>>>>All is OK, I can access my modem (1.2.3.5) from 10.0.0.1, and I can also
>>>>access the Internet on this modem (there is a web site on the modem).
>>>>
>>>>But when I try to access the Internet from 10.0.0.1, I can "find" sites
>>>>but I receive nothing; all my pings are lost. This problem is driving me
>>>>crazy ...
>>>>
>>>>I think I send packets but there is a kind of incoming reply routing
>>>>problem. All other IPs from my internal network can connect via the
>>>>default gateway on my first ISP (eth1).
>>>>
>>>>Thank you for helping me with this,
>>>>Guillaume
>>>
>>>Bon Jour Guillaume,
>>>
>>>I think you have a couple of problems here. First of all, your default
>>>gateway should not be the modem, but your interface pppx.
>>>Additionally, I think you have not configured your firewall to allow
>>>incoming related/acknowledged packets.

>>
>>
>>Thank you for this Alex,
>>
>>In fact I have a modem gateway with an assigned real IP address,
>>
>>Internal Network ----| Linux box |-----| Modem gateway |----
>>                                              |
>>                                        | Computer x |
>>
>>I also tried connecting a computer (x) directly to the modem gateway,
>>with this modem as gateway and another real IP address provided by
>>my ISP. From computer X I can access the Internet, no problem.
>>
>>How do I configure my firewall to allow incoming related/acknowledged
>>packets? I think my problem is something like this.
>>
>>Thank you very much for your help,
>>Guillaume

>
> Hello Guillaume,
>
> hard to say what's wrong. Since you have access with machine x, traffic from
> the web should be able to pass the firewall. Can you post the routing
> table and the firewall config (route/iptables-save)?
>
> Regards, Alex

Here is my exact configuration
(I tried a script from the lartc mailing list):
With this configuration I have the same problem as with the simple
configuration above, which I tried first. Something very strange ...
All my incoming DNAT rules work well.

I mean, I can access my web server on 1.2.3.4 and on 5.6.7.8 from an
external IP.

My problem is that I cannot access the Internet from 10.0.0.1:
From this address I can access all computers in the 5.6.7.8/29
network (so for me this is not a NAT problem), but I cannot access the
Internet ...
From this address, when I disconnect 5.6.7.9 (my gateway) from the Internet,
ping says "Host Unreachable"; when I connect it to the Internet, ping says
"Time out".

Thank you for your help,
Guillaume

Here are my scripts:

################################################## ##########
# ROUTING Script
################################################## ##########

echo "Routing rules and tables"

echo "removing old rules"
# the selectors here must match the "ip rule add" lines below, otherwise the
# old rules are never deleted and pile up on every run
ip rule del prio 50 table main
ip rule del prio 201 from 1.2.3.4/29 table 201
ip rule del prio 202 from 5.6.7.8/29 table 202
ip rule del prio 210 fwmark 34 table 210
ip rule del prio 221 table 221
echo "flushing tables"
# flushing a table empties it; "ip route del table N" without a prefix is not
# a valid command and only prints an error
ip route flush table 201
ip route flush table 202
ip route flush table 210
ip route flush table 221

case $1 in
stop) exit
;;
esac

# setting new rules
echo "Setting new routing rules"

# main table w/o default gateway here

ip rule add prio 50 table main
ip route del default table main

# identified routes here
ip rule add prio 201 from 1.2.3.4/29 table 201
ip rule add prio 202 from 5.6.7.8/29 table 202

ip route add default via 1.2.3.5 dev eth1 src 1.2.3.4 proto static table 201
ip route append prohibit default table 201 metric 1 proto static

ip route add default via 5.6.7.9 dev eth2 src 5.6.7.8 proto static table 202
ip route append prohibit default table 202 metric 1 proto static

# selected clients / select by fwmark=34
# the mark must be the value the mangle PREROUTING rule sets (--set-mark 34);
# a rule on fwmark 22 never matches, so the marked traffic falls through to
# table 221 (ISP1) instead of table 210 (ISP2)
ip rule add prio 210 fwmark 34 table 210
ip rule add prio 221 table 221

ip route add default table 210 proto static via 5.6.7.9 dev eth2 src 5.6.7.8
ip route add default table 221 proto static via 1.2.3.5 dev eth1 src 1.2.3.4

ip route flush cache

echo "setup routing rules"

################################################## ##########
# IPTables Script
################################################## ##########

echo "firewall constants setup"

# FLUSH the tables
iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t mangle -F PREROUTING

########################## SNAT ############################

## Mangling rules ##
# mark traffic from 10.0.0.1 so that the "ip rule ... fwmark" entry sends it
# out via ISP2 (eth2); the value here must be the same one that rule matches on
iptables -t mangle -A PREROUTING -s 10.0.0.1 -j MARK --set-mark 34


#A/ SNAT with 2 ISP
#---------------------

#A1/ ISP1 SNAT
#---------------



#RULES

# SNAT to ISP1 only for the services listed here: http (80), https (443),
# DNS (53/udp), POP3 (110) and ICMP; anything else leaving eth1 is not NATed
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 80 -j SNAT --to 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 443 -j SNAT --to 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -p udp --dport 53 -j SNAT --to 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 110 -j SNAT --to 1.2.3.4
iptables -t nat -A POSTROUTING -o eth1 -p icmp -j SNAT --to 1.2.3.4


#A2/ ISP2 SNAT
#-------------

iptables -t nat -A POSTROUTING -o eth2 -s 10.0.0.1 -j SNAT --to 5.6.7.8

######################### DNAT #################################

# Web Server (reachable through both ISP addresses)
iptables -t nat -I PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to 10.117.71.2:80
iptables -t nat -I PREROUTING -p tcp -d 5.6.7.8 --dport 80 -j DNAT --to 10.117.71.2:80



Here is my routing table:
$> ip route list
1.2.3.4/29 dev eth1 proto kernel scope link src 1.2.3.4
5.6.7.8/29 dev eth2 proto kernel scope link src 5.6.7.8
10.117.71.0/24 dev eth0 proto kernel scope link src 10.117.71.1

$> ip rule list
0: from all lookup local
50: from all lookup main
201: from 1.2.3.4/29 lookup 201
202: from 5.6.7.8/29 lookup 202
210: from all fwmark 22 lookup 210
221: from all lookup 221
32766: from all lookup main
32767: from all lookup default

$>ip route show table 202
default via 5.6.7.9 dev eth2 proto static src 5.6.7.8
prohibit default proto static metric 1

$>ip route show table 210
default via 5.6.7.9 dev eth2 proto static src 5.6.7.8
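
Added example, not code from the thread or from either poster: a small Python check that reads the text printed by iptables-save, ip rule show and ip route show table N and reports the two mismatches that produce exactly this symptom (packets leave, nothing comes back). Fed the numbers above it flags that the mangle rule sets mark 34 while the ip rule selects on fwmark 22, so the marked traffic never reaches table 210; it would also flag a marked flow that leaves an interface with no SNAT rule covering it, which sends the private source address onto the ISP link and guarantees that no reply returns. The sample outputs are constructed for this example and modelled on the posted configuration; the function and finding names are the example's own, and the hex formatting assumes a current iptables-save/iproute2, which print marks as 0x22 and 0x16 (older versions print decimal, which the parser accepts too).

```python
"""Added example (not from the thread): cross-check fwmark policy routing against
the mangle/nat rules, from the text of iptables-save, ip rule and ip route."""
import ipaddress
import re

# Constructed sample of `iptables-save`, modelled on the post; note that
# iptables-save prints `--set-mark 34` as `--set-xmark 0x22/0xffffffff`.
SAMPLE_IPTABLES_SAVE = """\
*mangle
-A PREROUTING -s 10.0.0.1/32 -j MARK --set-xmark 0x22/0xffffffff
COMMIT
*nat
-A POSTROUTING -o eth1 -p icmp -j SNAT --to-source 1.2.3.4
-A POSTROUTING -s 10.0.0.1/32 -o eth2 -j SNAT --to-source 5.6.7.8
COMMIT
"""
# Constructed sample of `ip rule show`; iproute2 prints marks in hex (22 == 0x16).
SAMPLE_IP_RULE = """\
210:\tfrom all fwmark 0x16 lookup 210
221:\tfrom all lookup 221
32766:\tfrom all lookup main
"""
# Constructed samples of `ip route show table N`, keyed by table.
SAMPLE_ROUTE_TABLES = {
    "210": "default via 5.6.7.9 dev eth2 proto static src 5.6.7.8\n",
    "221": "default via 1.2.3.5 dev eth1 proto static src 1.2.3.4\n",
}

NUM = r"(0x[0-9a-fA-F]+|\d+)"  # marks are printed in hex or decimal
MARK_RE = re.compile(r"-j MARK --set-x?mark " + NUM)
SRC_RE = re.compile(r"(?:^|\s)-s (\S+)")
OUT_RE = re.compile(r"(?:^|\s)-o (\S+)")
SNAT_RE = re.compile(r"-j SNAT --to(?:-source)? (\d+\.\d+\.\d+\.\d+)")
RULE_RE = re.compile(r"^\s*\d+:\s+(.*?)\s+lookup (\S+)\s*$")
FWMARK_RE = re.compile(r"fwmark " + NUM)
DEFAULT_RE = re.compile(r"^default via \S+ dev (\S+)", re.M)

def _rules(iptables_save, want_table):
    """Yield the -A lines of one table from iptables-save output."""
    table = None
    for line in iptables_save.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A ") and table == want_table:
            yield line

def parse_marks(iptables_save):
    """[(mark, source_selector_or_None)] from the mangle table's MARK rules."""
    out = []
    for line in _rules(iptables_save, "mangle"):
        m, s = MARK_RE.search(line), SRC_RE.search(line)
        if m:
            out.append((int(m.group(1), 0), s.group(1) if s else None))
    return out

def parse_snat(iptables_save):
    """[(out_dev, source_selector_or_None, to_source)] from the nat table's SNAT rules."""
    out = []
    for line in _rules(iptables_save, "nat"):
        m, o, s = SNAT_RE.search(line), OUT_RE.search(line), SRC_RE.search(line)
        if m:
            out.append((o.group(1) if o else None, s.group(1) if s else None, m.group(1)))
    return out

def parse_fwmark_rules(ip_rule):
    """{mark: table} for every `ip rule` entry that selects on fwmark."""
    out = {}
    for line in ip_rule.splitlines():
        m = RULE_RE.match(line)
        fm = FWMARK_RE.search(m.group(1)) if m else None
        if fm:
            out[int(fm.group(1), 0)] = m.group(2)
    return out

def _covers(snat_selector, marked_source):
    """True if a SNAT -s selector (None = any source) covers what the MARK rule selects."""
    if snat_selector is None:
        return True
    if marked_source is None:  # everything is marked; a partial SNAT does not cover it
        return False
    return ipaddress.ip_network(marked_source, strict=False).subnet_of(
        ipaddress.ip_network(snat_selector, strict=False))

def check(iptables_save, ip_rule, route_tables):
    """Return [(kind, detail)] findings; an empty list means the three views agree."""
    findings = []
    marks = parse_marks(iptables_save)
    fw_rules = parse_fwmark_rules(ip_rule)
    snat = parse_snat(iptables_save)
    for mark, table in sorted(fw_rules.items()):
        if mark not in {m for m, _ in marks}:
            findings.append(("rule-without-mark", f"fwmark {mark} (0x{mark:x}) -> table {table}: nothing sets it"))
    for mark, source in marks:
        table = fw_rules.get(mark)
        dev = DEFAULT_RE.search(route_tables.get(table, ""))
        who = source or "all"
        if table is None:
            findings.append(("mark-without-rule", f"MARK {mark} (0x{mark:x}) on {who}: no ip rule selects on it"))
        elif dev is None:
            findings.append(("table-without-default", f"table {table} has no default route"))
        elif not any(o == dev.group(1) and _covers(s, source) for o, s, _ in snat):
            findings.append(("unnatted-egress", f"{who} marked {mark} leaves {dev.group(1)} with no SNAT covering it"))
    return findings
```

To use it on a live router, pass check() the output of iptables-save, of ip rule show, and a dict of ip route show table N outputs for every table the rules reference; each finding names a rule that cannot do what its author meant. Once the marks agree and every marked flow has a SNAT rule on its egress interface, the remaining suspects are the filter table (replies need a rule that accepts ESTABLISHED,RELATED state) and the upstream gateway.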



 