Re: multiple nic/IP in firewall
Roberto Scattini wrote:
> 
> I just can't make it work.
> All my outgoing packets keep going through the default gateway (even if
> they have the correct IP address, from the other nic...).
> 
> I think I need an explanation... because I can't understand how the
> routing tables know that a packet is in response to a connection that came
> from this or that interface.
The answer is simple: it doesn't.
Your routing rules are based on the source address, but as you used DNAT
rules to change the destination address of incoming packets in the
PREROUTING chain, the reverse operation changing back the source address
of outgoing reply packets takes place in the POSTROUTING chain, i.e.
after the routing decision. In order to keep track of the original
destination address, you need to use the connection tracking facilities.
One way is the one you describe below, using the CONNMARK target to mark
connections and reply packets and use routing rules based on the packet
mark.
Another is to use the conntrack match with --ctorigdst to check the
original destination address and mark packets accordingly:
iptables -t mangle -A PREROUTING -i eth2 -m conntrack --ctorigdst $IP1 \
  -j MARK --set-mark 101
ip rule add fwmark 101 table T1
Another way, not requiring any packet marking, is to add a second
private address to the server and DNAT incoming connections to a
different private address depending on the input interface. This way
reply packets from the server will have different source addresses and
you will be able to use simple routing rules based on the private source
address.
> I also tried a different approach, found somewhere with Google, that is
> more in line with my understanding of the problem.
> Basically, it marks the packets so they can be routed back to the same nic
> they came in on:
(flush commands trimmed for better readability)
> ip route add table T1 default via YY.20.YY.3
> ip rule add fwmark 101 table T1
> ip route add table T2 default via XX.220.XX.178
> ip rule add fwmark 102 table T2
Note: You may need to add routes for $P1_NET and $P2_NET as you did
in your previous setup. Talking of this, you must specify the prefix
length in CIDR form, not just the network address: /24, /30 or
whatever it is.
> # Ensure traffic in one interface goes back out the same interface
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A PREROUTING -i eth4 -m state --state NEW -j MARK \
>   --set-mark 101
> iptables -t mangle -A PREROUTING -i eth3 -m state --state NEW -j MARK \
>   --set-mark 102
> 
> but it doesn't work...
What happens exactly?
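As an added illustration (this is not code from either poster in the thread), below is a complete version of the two marking approaches discussed above, written as a dry-run script: by default it only prints the ip/iptables/sysctl commands, so it can be reviewed before being executed as root with DRY_RUN=0. Interface names, networks, gateways and the server address are assumed placeholders. The CONNMARK variant includes the CONNMARK --save-mark rule that the quoted ruleset does not have: without it the mark set on the first packet is never written into the connection, so --restore-mark has nothing to restore on the reply packets and they follow the default route. The --ctorigdst variant needs no save/restore because conntrack already keeps the original (pre-DNAT) destination. The rp_filter setting is an assumed, commonly needed companion: in strict mode the kernel drops packets arriving on the uplink that the main table would not route back to.

```shell
#!/bin/sh
# Added example, not code from the thread. Reply packets of DNATed
# connections must leave through the uplink they arrived on.
# All names and addresses below are assumed placeholders; edit them.
# Usage: sh multihome.sh                  -> prints the commands (DRY_RUN=1)
#        DRY_RUN=0 sh multihome.sh apply  -> executes them (needs root)

DRY_RUN="${DRY_RUN:-1}"

LAN_IF=eth2                                                  # server side (assumed)
WAN1_IF=eth4; WAN1_NET=192.0.2.0/24;    WAN1_GW=192.0.2.1    # uplink 1 (assumed)
WAN2_IF=eth3; WAN2_NET=198.51.100.0/24; WAN2_GW=198.51.100.1 # uplink 2 (assumed)
WAN1_IP=192.0.2.2; WAN2_IP=198.51.100.2                      # our public addresses (assumed)
SERVER=10.0.0.10                                             # DNAT target behind the firewall (assumed)

run() {
    # Print or execute one command, depending on DRY_RUN.
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

setup_routing() {
    # One routing table per uplink. Numeric table ids need no entry in
    # /etc/iproute2/rt_tables (names such as T1 do). Each table carries the
    # uplink's own network, with its CIDR prefix, plus a default route.
    run ip route add "$WAN1_NET" dev "$WAN1_IF" table 101
    run ip route add default via "$WAN1_GW" dev "$WAN1_IF" table 101
    run ip route add "$WAN2_NET" dev "$WAN2_IF" table 102
    run ip route add default via "$WAN2_GW" dev "$WAN2_IF" table 102
    # Packets carrying mark 101/102 are routed by the matching table.
    run ip rule add fwmark 101 table 101
    run ip rule add fwmark 102 table 102
    run ip route flush cache
}

setup_marking_connmark() {
    # CONNMARK approach: the connection is marked on its first packet and the
    # mark is copied onto every later packet, including the server's replies
    # (which enter PREROUTING on $LAN_IF), before the routing decision.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    run iptables -t mangle -A PREROUTING -i "$WAN1_IF" -m conntrack --ctstate NEW -j MARK --set-mark 101
    run iptables -t mangle -A PREROUTING -i "$WAN2_IF" -m conntrack --ctstate NEW -j MARK --set-mark 102
    # Write the packet mark into the connection; otherwise --restore-mark
    # above has nothing to restore and replies take the default route.
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark
}

setup_marking_origdst() {
    # Alternative without CONNMARK: conntrack remembers the original
    # (pre-DNAT) destination, so replies leaving the server can be marked by
    # the public address the connection was originally addressed to.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m conntrack --ctorigdst "$WAN1_IP" -j MARK --set-mark 101
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m conntrack --ctorigdst "$WAN2_IP" -j MARK --set-mark 102
}

setup_dnat() {
    # The DNAT rules the marking exists to support (one public address per uplink).
    run iptables -t nat -A PREROUTING -i "$WAN1_IF" -d "$WAN1_IP" -j DNAT --to-destination "$SERVER"
    run iptables -t nat -A PREROUTING -i "$WAN2_IF" -d "$WAN2_IP" -j DNAT --to-destination "$SERVER"
}

setup_rp_filter() {
    # Strict reverse-path filtering (1) drops packets arriving on the uplink
    # that the main table does not route back to; loose mode (2) keeps a
    # sanity check while accepting either uplink.
    run sysctl -w "net.ipv4.conf.$WAN1_IF.rp_filter=2"
    run sysctl -w "net.ipv4.conf.$WAN2_IF.rp_filter=2"
}

if [ "${1:-}" = apply ]; then
    setup_rp_filter; setup_routing; setup_dnat; setup_marking_connmark
fi
```

Pick one of the two marking functions, not both; the CONNMARK variant also covers connections the firewall itself answers, whereas the --ctorigdst variant only tags packets coming back from the server side.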