Networking Forums

Packet routing by source IP

 
 
andrei.stoian@gmail.com
      10-11-2006, 12:38 PM
Hi,

I have two internet connections and a LAN on which I run a server. I
want this server to be accessible from both internet connections, so I
came up with the following setup:

ISP connection 1 goes into a linux router and the connection 2 goes
into a trendnet hardware router. They both redirect port 10000 to the
server machine. On the server machine, there is one network card with
IP 192.168.1.102 and with an alias IP of 192.168.1.202. The linux
router redirects the traffic on port 10000 to IP 192.168.1.102 and the
trendnet one redirects to 192.168.1.202. The gateway on this computer
is set to the IP of the linux router (192.168.1.5).

On the linux box I want to redirect incoming traffic from 192.168.1.202
to be routed through the trendnet router (192.168.1.100) back into the
internet so both connections can be used.

So far I've found out two things:

1. iptables has a ROUTE target and can route the packets by source IP.
However it seems my kernel doesn't have the ROUTE target working and I
don't know how to get it working. In /lib/iptables/ I can find a
libipt_ROUTE.so file but modconf doesn't list the route target module.
I tried getting the sources for my kernel (2.6.8) and I can't find the
ROUTE target module in menuconfig in Device
Drivers->Networking->..->Netfilter, neither can I find any info on it
in my current kernel config file.

2. I've tried marking the packets from the source IP with mark 4, and then
doing
ip rule add fwmark 4 table 7
ip route add default via 192.168.1.100 table 7
ip route flush cache

However, this doesn't seem to work: ip rule show and ip route show don't
even show the route I added, so I'm guessing it didn't get added at all,
but when I try adding it I get a "File exists" message.

I tried to debug this method with tcpdump, but it doesn't work with the
gateway parameter, probably because libpcap was built with IPv6, which
disables this option. I got the sources for this library from the CVS and
modified the makefile to create a shared library, but I can't get it to
work; some symbols are missing.

Any ideas how to set this up and how to debug it?

Thanks in advance,
Andrei

 
Pascal Hambourg
      10-11-2006, 02:50 PM
Hello,

(E-Mail Removed) wrote:
> On the linux box I want to redirect incoming traffic from 192.168.1.202
> to be routed through the trendnet router (192.168.1.100) back into the
> internet so both connections can be used.


Asymmetric routing... NAT may not work well with asymmetric routing.
Can't you do it on the server directly?

> 1. iptables has a ROUTE target and can route the packets by source IP.
> However it seems my kernel doesn't have the ROUTE target working and I
> don't know how to get it working. In /lib/iptables/ I can find a
> libipt_ROUTE.so file but modconf doesn't list the route target module.
> I tried getting the sources for my kernel (2.6.8) and I can't find the
> ROUTE target module in menuconfig in Device
> Drivers->Networking->..->Netfilter, neither can I find any info on it
> in my current kernel config file.


You must apply the ROUTE patch from the patch-o-matic-ng to your kernel
source tree to have the option available in menuconfig.

> 2. I've tried marking the packets from source ip with mark 4. and then
> doing
> ip rule add fwmark 4 table 7
> ip route add default via 192.168.1.100 table 7
> ip route flush cache
>
> However this doesn't seem to work,


How are the packets marked?

> ip rule show and ip route show don't
> even show the route i added


'ip rule' shows only routing rules, not routes.
'ip route show' shows only the main routing table. Try:
ip route show table 7
 
 
andrei.stoian@gmail.com
      10-12-2006, 12:13 PM

Pascal Hambourg wrote:
> Hello,
>
> (E-Mail Removed) wrote:
> > On the linux box I want to redirect incoming traffic from 192.168.1.202
> > to be routed through the trendnet router (192.168.1.100) back into the
> > internet so both connections can be used.

>
> Asymmetric routing... NAT may not work well with asymmetric routing.
> Can't you do it on the server directly ?
>


How would I do that? In what stage of the packet filter process should
I mark the packets? On the router I mark them in the mangle table in
the PREROUTING chain, but when would I mark them on the server? After
that, would the same ip route rule work, or would it be changed?

Thanks for the other info; however, I'll try to recompile the kernel as
a last resort, since I've read that the ROUTE target patch is not very
stable.

 
 
Pascal Hambourg
      10-12-2006, 03:37 PM
(E-Mail Removed) wrote:
>>
>>>On the linux box I want to redirect incoming traffic from 192.168.1.202
>>>to be routed through the trendnet router (192.168.1.100) back into the
>>>internet so both connections can be used.

>>
>>Can't you do it on the server directly ?

>
> How would I do that? In what stage of the packet filter process should
> I mark the packets? On the router I mark them in the mangle table in
> the PREROUTING chain,


What iptables rule did you use to mark the packets?
I think you don't need marks. You can just use a source-based routing
policy instead (ip rule from):

ip rule add from 192.168.1.202 table 7
ip route add default via 192.168.1.100 table 7

By the way, on your Linux gateway, did you make sure that :
- iptables rules in the FORWARD chain accept packets from the server to
the other router which enter and leave on the same interface ?
- there is no NAT on the path of packets redirected from the server to
the other router ?

> but when would I mark them on the server? After
> that, would the same ip route rule work, or would it be changed?


You don't need marks, as above. In the server's advanced routing :

ip rule add from 192.168.1.202 table 7
# alternate default gateway
ip route add default via 192.168.1.100 table 7
# needed if 192.168.1.202 may be used on the LAN
# this is a copy of the subnet route in the main routing table
ip route add 192.168.1.0/24 dev <ethX> table 7

Alternatively, you can use the MARK target in the mangle OUTPUT chain
and fwmark in ip rule as you did on the gateway.
 
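The two placements Pascal describes above (mark-and-fwmark on the Linux gateway, a plain "from" rule on the server) together with the "File exists" and "ip route show" pitfalls from the first post, as an added example that is not part of the thread. It assumes the LAN interface is called eth0, that table 7 and mark 4 are otherwise unused, and that the emitted commands are applied as root; the check functions parse captured "ip rule show" and "ip route show table 7" output rather than calling anything themselves.

```shell
#!/bin/sh
# Added example (not from the thread): emit the iproute2/iptables commands
# for source-based policy routing, and check whether they took effect.
# Assumptions: LAN interface eth0, table 7 and fwmark 4 free, commands
# applied as root by piping this script's output into "sh".

ALIAS_IP=${ALIAS_IP:-192.168.1.202}   # server's alias address
ALT_GW=${ALT_GW:-192.168.1.100}       # the trendnet router
LAN=${LAN:-192.168.1.0/24}
DEV=${DEV:-eth0}                      # assumed interface name
TABLE=${TABLE:-7}
MARK=${MARK:-4}

# Server-side variant (Pascal's second answer): no marks, just a "from" rule.
# "replace" instead of "add" keeps a re-run from failing with
# "RTNETLINK answers: File exists"; the rule is deleted before it is added
# for the same reason (there is no "ip rule replace" on old iproute2).
server_commands() {
    cat <<EOF
ip route replace $LAN dev $DEV table $TABLE
ip route replace default via $ALT_GW table $TABLE
ip rule del from $ALIAS_IP table $TABLE 2>/dev/null || true
ip rule add from $ALIAS_IP table $TABLE
ip route flush cache
EOF
}

# Gateway-side variant (the original fwmark attempt): mark in mangle
# PREROUTING, route by mark, and let the hairpinned packets (in and out on
# the same LAN interface) through FORWARD.  Keep MASQUERADE/SNAT on the WAN
# interface only: NAT on this path would rewrite the source address and
# defeat the scheme.  A Linux router forwarding back out the interface it
# received on will also send ICMP redirects unless send_redirects is off.
gateway_commands() {
    cat <<EOF
iptables -t mangle -A PREROUTING -i $DEV -s $ALIAS_IP -j MARK --set-mark $MARK
iptables -A FORWARD -i $DEV -o $DEV -s $ALIAS_IP -j ACCEPT
ip route replace default via $ALT_GW table $TABLE
ip rule del fwmark $MARK table $TABLE 2>/dev/null || true
ip rule add fwmark $MARK table $TABLE
ip route flush cache
EOF
}

# $1 is the text of "ip rule show"; the rule line looks like
# "32765:  from 192.168.1.202 lookup 7".
rule_present() {
    printf '%s\n' "$1" | grep -q "from $ALIAS_IP lookup $TABLE"
}

# $1 is the text of "ip route show table $TABLE".  Plain "ip route show"
# lists only the main table, so the default route added here never
# appears there, which is exactly what the first post ran into.
route_present() {
    printf '%s\n' "$1" | grep -q "^default via $ALT_GW "
}

case "${1:-}" in
    server)  server_commands ;;
    gateway) gateway_commands ;;
    check)
        if rule_present "$(ip rule show)" \
           && route_present "$(ip route show table "$TABLE")"; then
            echo "policy route for $ALIAS_IP via $ALT_GW is in place"
        else
            echo "policy route for $ALIAS_IP is missing" >&2
            exit 1
        fi
        ;;
esac
```

Run `sh pbr.sh server` on the server (or `sh pbr.sh gateway` on the Linux router) to review the commands, pipe the same output into `sudo sh` to apply them, then `sh pbr.sh check`. On the server, `ip route get 1.1.1.1 from 192.168.1.202` prints the gateway the kernel actually selects for that source address, which answers the routing question far more directly than a tcpdump capture.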