routing for multiple isp's and portforwarding

Hi all,

I have a linux machine that acts as a router for a LAN. the machine has
3 interfaces connected to it: one LAN and two isp connections. The setup
is something similar as the lartc (see
http://lartc.org/howto/lartc.rpdb.multiple-links.html), differing only
in that I setup the regular main routing table and only one additional
table (not two).

The routing is setup in such a way that an incoming connection through
isp1 is answered through external interface 1 and an incoming connection
through isp2 is answered through external interface 2, which works great!

However, I need to forward (nat), for instance, port 25 for both
incoming isp lines to a mailserver on the LAN with a local ip address.
For the main routing table I would do this with iptables similar like this:

iptables -t nat -A PREROUTING -p TCP -d $ext_ip --dport 25 -j DNAT --to
192.168.0.2

However for the alternative table this doesn't work, since the packets
won't go through the routing table. I thought of using a POSTROUTING
table, but that wont work either, because I assume once it has gone
through the routing table the source address will be a local IP address
(192.168.0.1 from the router) and it won't be able to distuingish
through what isp connection to send it to...

Does anyone know a solution for this?

Thanks,
Jonathan

Joni wrote:
> Hi all,
>
> I have a linux machine that acts as a router for a LAN. the machine has
> 3 interfaces connected to it: one LAN and two isp connections. The setup
> is something similar as the lartc (see
> http://lartc.org/howto/lartc.rpdb.multiple-links.html), differing only
> in that I setup the regular main routing table and only one additional
> table (not two).
>
> The routing is setup in such a way that an incoming connection through
> isp1 is answered through external interface 1 and an incoming connection
> through isp2 is answered through external interface 2, which works great!
>
> However, I need to forward (nat), for instance, port 25 for both
> incoming isp lines to a mailserver on the LAN with a local ip address.
> For the main routing table I would do this with iptables similar like this:
>
> iptables -t nat -A PREROUTING -p TCP -d $ext_ip --dport 25 -j DNAT --to
> 192.168.0.2
>
> However for the alternative table this doesn't work, since the packets
> won't go through the routing table. I thought of using a POSTROUTING
> table, but that wont work either, because I assume once it has gone
> through the routing table the source address will be a local IP address
> (192.168.0.1 from the router) and it won't be able to distuingish
> through what isp connection to send it to...
>
> Does anyone know a solution for this?
>
> Thanks,
> Jonathan

Do you really have the same IP for both ISP's and does your setup have
all the necessary rules?

iptables -t nat -A PREROUTING -p TCP -i $ext_isp1 --dport 25 -j DNAT
--to 192.168.0.2

iptables -t nat -A PREROUTING -p TCP -i $ext_isp2 --dport 25 -j DNAT
--to 192.168.0.2

while $ext_ispX is the external ethernet device connected to the ISP's.


You surely will need those:

iptables -A FORWARD -p TCP -o $ext_isp1 --sport 25 -m state --state
RELATED, ESTABLISHED -j ACCEPT

iptables -A FORWARD -p TCP -o $ext_isp2 --sport 25 -m state --state
RELATED, ESTABLISHED -j ACCEPT

This will forward any established or requested connection to the
requestor of your service.


Not sure about it, but you will probably need some FORWARD rules letting
the requests and established conn's through. Please trial and error:

iptables -A FORWARD -p TCP -i $ext_isp1 --dport 25 -m state --state
NEW, ESTABLISHED -j ACCEPT

iptables -A FORWARD -p TCP -i $ext_isp2 --dport 25 -m state --state
NEW, ESTABLISHED -j ACCEPT


cheers,
Eric

Hi Jonathan -

On Thu, 17 Nov 2005 11:58:07 +0100, Joni <(E-Mail Removed)> wrote:

>However for the alternative table this doesn't work, since the packets
>won't go through the routing table. I thought of using a POSTROUTING
>table, but that wont work either, because I assume once it has gone
>through the routing table the source address will be a local IP address
>(192.168.0.1 from the router) and it won't be able to distuingish
>through what isp connection to send it to...
>
>Does anyone know a solution for this?

I have essentially the same setup. I handled this by creating two
aliases on the server NIC. eth0 is the main internal IP address, used
for connections internally. eth0:1 is an alias internal IP address,
used only for DNATing from ISP1. eth0:2 is a different alias internal
IP address, used for DNATing from ISP2.

Then I created routing rules specifying "from [IP.ADDRESS.ALIAS.1]" to
use alternate routing table 1, and a second similiar rule for 2.

--
Ken
http://www.ke9nr.net/

Ken wrote:
> Hi Jonathan -
>
> On Thu, 17 Nov 2005 11:58:07 +0100, Joni <(E-Mail Removed)> wrote:
>
>
>>However for the alternative table this doesn't work, since the packets
>>won't go through the routing table. I thought of using a POSTROUTING
>>table, but that wont work either, because I assume once it has gone
>>through the routing table the source address will be a local IP address
>>(192.168.0.1 from the router) and it won't be able to distuingish
>>through what isp connection to send it to...
>>
>>Does anyone know a solution for this?
>
>
> I have essentially the same setup. I handled this by creating two
> aliases on the server NIC. eth0 is the main internal IP address, used
> for connections internally. eth0:1 is an alias internal IP address,
> used only for DNATing from ISP1. eth0:2 is a different alias internal
> IP address, used for DNATing from ISP2.
>
> Then I created routing rules specifying "from [IP.ADDRESS.ALIAS.1]" to
> use alternate routing table 1, and a second similiar rule for 2.
>

are you able to setup firewalling rules easier? And i am really
interested in the benefit of your solution.

Please let us know.

Thanks and cheers,
Eric

Hi Eric -

On Thu, 17 Nov 2005 23:45:30 +0100, EricT <(E-Mail Removed)> wrote:

>Ken wrote:
>> Hi Jonathan -
>>
>> On Thu, 17 Nov 2005 11:58:07 +0100, Joni <(E-Mail Removed)> wrote:
>>
>>
>>>However for the alternative table this doesn't work, since the packets
>>>won't go through the routing table. I thought of using a POSTROUTING
>>>table, but that wont work either, because I assume once it has gone
>>>through the routing table the source address will be a local IP address
>>>(192.168.0.1 from the router) and it won't be able to distuingish
>>>through what isp connection to send it to...
>>>
>>>Does anyone know a solution for this?
>>
>>
>> I have essentially the same setup. I handled this by creating two
>> aliases on the server NIC. eth0 is the main internal IP address, used
>> for connections internally. eth0:1 is an alias internal IP address,
>> used only for DNATing from ISP1. eth0:2 is a different alias internal
>> IP address, used for DNATing from ISP2.
>>
>> Then I created routing rules specifying "from [IP.ADDRESS.ALIAS.1]" to
>> use alternate routing table 1, and a second similiar rule for 2.
>>
>
>are you able to setup firewalling rules easier? And i am really
>interested in the benefit of your solution.

I set up my method before looking at the lartc page, and I like my way
better. It's similar but I think simpler, plus IIRC the lartc page
does not cover what to do when DNATing. I'm going to write up a
webpage with with my method one of these days when I get a "round
tuit".

I use one alternate routing table per external IP address, with an
unconditional route with just a default rule to route via the
associated gateway. Since I only have one IP address in the netblock,
that forces anything referencing that routing table out the correct
connection. (If you have multiple external IP addresses in the same
netblock, you'll also need to specify the source IP address.)

I have one DNAT rule per external IP address / port combination (I
don't use multi-port rules), DNATing to the particular alias on the
server for that specific external IP address.

I have two special routing rules per external IP address, one for the
external IP address itself pointing to the proper routing table and
one for the alias.

I precede those with special rules to make sure that traffic for the
DMZ and LAN use the main routing table.

Other than that it's just standard stuff, having the necessary ACCEPT
rules on the FORWARD chain, SNAT on the external interfaces, etc.

--
Ken
http://www.ke9nr.net/

Ok guys thanks for the replies!

I will try both suggestions and report back with my findings.

Regards,
Jonathan