Google
  Web www.spinics.net

Re: Two outbound internet links, using one network interface

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 
Dashamir Hoxha wrote:

Pio Mendez wrote:



    >Pio Mendez wrote:
    >>PREROUTING chain is not traversed by local traffic, but OUTPUT
    >>chain does.
    >
>I think that OUTPUT is traversed after routing decision is taken, so 
    >it is still the same problem.


    I'm using OUTPUT chain in production environment to balance squid
    box traffic between 2 ISP, so I'm sure that you can reroute output
    packets using mangle OUTPUT chain.

    After traversing mangle and nat OUTPUT chains there is another
    routing process. Please check this diagram:

    http://www.imagestream.com/~josh/PacketFlow.png
    <http://www.imagestream.com/%7Ejosh/PacketFlow.png>


Pio Mendez is right. I have just tested it and it works.

If I use:
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
instead of:
iptables -t nat -A POSTROUTING -o eth0 -m mark --mark 0x2 -j SNAT --to-source $IP2 
    iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $IP1
it seems not to work. So, maybe I didn't test it properly and actualy
it doesn't work. Anyway, it is not so important.

Dashamir


Now the script becomes something like this:

-------------8<----------------------------------
ip link set eth0 up
ip address flush eth0
ip address add $IP1 dev eth0
ip address add $IP2 dev eth0

route add to default via $GATEWAY1

ip route flush table 2
ip route show table main | grep -Ev ^default \
| while read ROUTE ; do ip route add table 2 $ROUTE ; done
ip route add table 2 default via $GATEWAY2

ip rule del fwmark 2 table 2   2>/dev/null
ip rule add fwmark 2 table 2

iptables -t mangle -N MARK-RULES
iptables -t mangle -A PREROUTING -j MARK-RULES
iptables -t mangle -A OUTPUT -j MARK-RULES

PORT_LIST="22 53"
for PORT in $PORT_LIST
do
iptables -t mangle -A MARK-RULES -m tcp -p tcp -dport $PORT -j MARK --set-mark 0x2 
done
iptables -t nat -A POSTROUTING -o eth0 -m mark --mark 0x2 -j SNAT --to-source $IP2 
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $IP1
------------8<---------------------------------
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc




_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[Home]     [Bugtraq]     [Fedora Legacy]     [GCC Help]     [Yosemite News]     [PDAs]     [Yosemite Photos]     [IP Tables]     [Netfilter Devel]     [Fedora Users]

Powered by Linux