My current route for a box shows this:
    route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    24.123.23.168   0.0.0.0         255.255.255.248 U     0      0        0 eth2
    74.223.8.176    0.0.0.0         255.255.255.240 U     0      0        0 eth1
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
    0.0.0.0         24.123.23.169   0.0.0.0         UG    0      0        0 eth2
How do I set up the 74.223.8.176 route so on boot the gateway will automatically be set to 74.223.8.177?
Thanks,
Jerry
2010/5/14 Jerry Geis geisj@pagestation.com:
> My current route for a box shows this:
>     route -n
>     Kernel IP routing table
>     Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>     24.123.23.168   0.0.0.0         255.255.255.248 U     0      0        0 eth2
>     74.223.8.176    0.0.0.0         255.255.255.240 U     0      0        0 eth1
>     192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
>     169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
>     0.0.0.0         24.123.23.169   0.0.0.0         UG    0      0        0 eth2
> How do I set up the 74.223.8.176 route so on boot the gateway will automatically be set to 74.223.8.177?
GATEWAY=74.223.8.177 on /etc/sysconfig/network file ?
-- Eero
> GATEWAY=74.223.8.177 on /etc/sysconfig/network file ?
Actually I have that in the ifcfg-eth1 and ifcfg-eth2. And this is the route I get.
    DEVICE=eth1
    ONBOOT=YES
    BOOTPROTO=static
    IPADDR=74.223.8.179
    NETMASK=255.255.255.240
    GATEWAY=74.223.8.177

    DEVICE=eth2
    ONBOOT=Yes
    BOOTPROTO=static
    IPADDR=24.123.23.170
    NETMASK=255.255.255.248
    GATEWAY=24.123.23.169

    route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    24.123.23.168   0.0.0.0         255.255.255.248 U     0      0        0 eth2
    74.223.8.176    0.0.0.0         255.255.255.240 U     0      0        0 eth1
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
    0.0.0.0         24.123.23.169   0.0.0.0         UG    0      0        0 eth2
I don't want 74.X traffic going out 24.X network. I want it going back out the 74.X network. How do I set up the ifcfg-eth files so the GW above will route back out the correct gw?
Jerry
Traffic will already route out the appropriate interface for a directly connected network. So packets to an IP on the 74.223.8.176/28 subnet should route out eth1 and packets to the 24.123.23.168/29 network will route out eth2.
Are you trying to route other subnets within the 74.X.X.X out eth1?
Cj
> I don't want 74.X traffic going out 24.X network. I want it going back out the 74.X network.
Maybe the information on this link can help you:

> Traffic will already route out the appropriate interface for a directly connected network. So packets to an IP on the 74.223.8.176/28 subnet should route out eth1 and packets to the 24.123.23.168/29 network will route out eth2.
> Are you trying to route other subnets within the 74.X.X.X out eth1?
I am trying to get my two WAN ethernet connections into one box to work. Eth2 is cable, eth1 is T1 and eth0 is office LAN. Eth2 works just fine. Connections on eth1 don't seem to go anywhere.
I thought it was the routing based on route -n info.
I am also using iptables to preroute and postroute.
Jerry
> I am trying to get my two WAN ethernet connections into one box to work.
> Eth2 is cable, eth1 is T1 and eth0 is office LAN. Eth2 works just fine. Connections on eth1 don't seem to go anywhere.
> I thought it was the routing based on route -n info.
> I am also using iptables to preroute and postroute.
What exactly does not work? Connecting to what destination IP? Your default route is pointing out eth2. So any traffic to a non-directly connected network will go out eth2. (without some additional static routes) What are you trying to accomplish?
> What exactly does not work? Connecting to what destination IP? Your default route is pointing out eth2. So any traffic to a non-directly connected network will go out eth2. (without some additional static routes) What are you trying to accomplish?
I am attempting to have one box with 3 nic's and use NAT to connect to other boxes.
74.X is eth1, 24.X is eth2 and 192.X is eth0.
I have iptables rules for 24.X:25 to go to 192.X:25 and port 80 also. This works.
I have iptables rules for 74.X:25 to go to 192.X:25 and port 80 also. This does not work.
The default route is set for 24.X network and it seems like that is why that network is working. If I change the default route to 74.X then the 74.X network works and the 24.X network stops working.
So that is why I thought the "route -n" showing 0.0.0.0 for the gw on 74.X was perhaps the issue.
I don't seem to be routing for both networks.
Thanks,
Jerry
> 74.X is eth1, 24.X is eth2 and 192.X is eth0.
> I have iptables rules for 24.X:25 to go to 192.X:25 and port 80 also. This works.
> I have iptables rules for 74.X:25 to go to 192.X:25 and port 80 also. This does not work.
> The default route is set for 24.X network and it seems like that is why that network is working. If I change the default route to 74.X then the 74.X network works and the 24.X network stops working.
This sounds more like a destination NAT issue than a routing issue.
If I'm correct you have a server behind eth0 that handles traffic forwarded to it from either eth1 or eth2. So if someone types in the IP address of eth2 (or eth1) in their browser they'll get your server behind eth0. Am I correct?
If so, what you want to look at is something called "destination NAT" or "port forwarding."
Greetings Jerry,
On 5/14/2010 3:45 PM, Jerry Geis wrote:
> > What exactly does not work? Connecting to what destination IP? Your default route is pointing out eth2. So any traffic to a non-directly connected network will go out eth2. (without some additional static routes) What are you trying to accomplish?
> I am attempting to have one box with 3 nic's and use NAT to connect to other boxes.
> 74.X is eth1, 24.X is eth2 and 192.X is eth0.
> I have iptables rules for 24.X:25 to go to 192.X:25 and port 80 also. This works.
> I have iptables rules for 74.X:25 to go to 192.X:25 and port 80 also. This does not work.
> The default route is set for 24.X network and it seems like that is why that network is working. If I change the default route to 74.X then the 74.X network works and the 24.X network stops working.
> So that is why I thought the "route -n" showing 0.0.0.0 for the gw on 74.X was perhaps the issue.
> I don't seem to be routing for both networks.
> Thanks,
> Jerry
Since you're routing --- what shows with 'cat /proc/sys/net/ipv4/ip_forward'? If this is 0, I believe you will need to 'echo 1 > /proc/sys/net/ipv4/ip_forward' to enable this bit since you are requesting traffic to enter one interface and forward through to another interface.
Given:
192.x is eth0 / private
24.x is eth2 / public / services smtp and http function
74.x is eth1 / public / services smtp and http does not function
---Does smtp and http function from your 192.x address space?
---If you compare the output of 'netstat -an' is your smtp and http server ONLY listening on 24.x:25 and 24.x:80?
---Previously you supplied a route table of:
    route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    24.123.23.168   0.0.0.0         255.255.255.248 U     0      0        0 eth2
    74.223.8.176    0.0.0.0         255.255.255.240 U     0      0        0 eth1
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
    0.0.0.0         24.123.23.169   0.0.0.0         UG    0      0        0 eth2
------
Your route table is pushing 74.223.8.176 THROUGH 0.0.0.0 which is 24.123.23.169. Unless your two providers advertise both networks, you'll need to add a new route for your 74.x provider. Try from the command line adding a new default gw -- 'route add default gw 74.x dev eth1'. When you run 'route -n' again you should find two default routes --
    0.0.0.0         24.123.23.169   0.0.0.0         UG    0      0        0 eth2
    0.0.0.0         74.x            0.0.0.0         UG    0      0        0 eth1
^^^ The above might help but you will have two equal cost routes which might actually slow your network down for outbound traffic so I would play with metrics also.
Hope this helps!
Bests, Christopher Davis
> This sounds more like a destination NAT issue than a routing issue.
> If I'm correct you have a server behind eth0 that handles traffic forwarded to it from either eth1 or eth2. So if someone types in the IP address of eth2 (or eth1) in their browser they'll get your server behind eth0. Am I correct?
> If so, what you want to look at is something called "destination NAT" or "port forwarding."
> -- Drew
Drew,
I have a script that runs that sets all that up.
    MYIP="74.223.8.179"
    GWIP="192.168.1.1"

    /sbin/modprobe iptable_nat
    echo 1 > /proc/sys/net/ipv4/ip_forward

    # setup port 22
    iptables -t nat -A PREROUTING -p tcp -d $MYIP --dport 22 -j DNAT --to 192.168.1.58:22
    iptables -t nat -A POSTROUTING -d 192.168.1.58 -j SNAT --to $GWIP
    # Setup the port for sendmail
    iptables -t nat -A PREROUTING -p tcp -d $MYIP --dport 25 -j DNAT --to 192.168.1.58:25
    iptables -t nat -A POSTROUTING -d 192.168.1.58 -j SNAT --to $GWIP
Again - I have the same kind of thing for the 24.X network and it works fine.
I searched for "Destination nat" just to make sure I did not miss something and it looks like what I have above.
Thanks,
jerry
Ok - I found out how to enable iptables logging. I can see a connection from 98.X on port 25 going to .58 as desired. Then we can see that the return is going out eth2 - and - it should be going out eth1 based on postrouting.
    May 17 10:30:10 mngateway kernel: IN=eth1 OUT=eth0 SRC=98.220.57.24 DST=192.168.1.58 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=17126 DF PROTO=TCP SPT=49060 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
    May 17 10:30:10 mngateway kernel: IN=eth0 OUT=eth2 SRC=192.168.1.58 DST=98.220.57.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=25 DPT=49060 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Everything on eth2 is working as needed. Incoming gets correctly pre-routed and outgoing gets correctly post-routed. It's just eth1 that is not correctly post-routing.
What have I "uncorrectly configured" so return packets that connect on eth1 go back out eth1?
Below are my config lines again.
Jerry
-------------
eth0 is internal
eth1 is 74.X network
eth2 is 24.X network

    INTERFACE="eth1"
    MYIP="74.223.8.179"
    GWIP="192.168.1.1"

    # setup port 22
    iptables -t nat -A PREROUTING -i $INTERFACE -p tcp -d $MYIP --dport 22 -j DNAT --to 192.168.1.58:22
    iptables -t nat -A POSTROUTING -o $INTERFACE -d 192.168.1.58 -j SNAT --to $GWIP
    # Setup the port for sendmail
    iptables -t nat -A PREROUTING -i $INTERFACE -p tcp -d $MYIP --dport 25 -j DNAT --to 192.168.1.58:25
    iptables -t nat -A POSTROUTING -o $INTERFACE -d 192.168.1.58 -j SNAT --to $GWIP

    route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    24.123.23.168   0.0.0.0         255.255.255.248 U     0      0        0 eth2
    74.223.8.176    0.0.0.0         255.255.255.240 U     0      0        0 eth1
    192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
    0.0.0.0         24.123.23.169   0.0.0.0         UG    0      0        0 eth2
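
The comparison made by eye on the two log lines above can be automated over a whole log. This is an added example, not part of the original post: it pairs each opening SYN with replies to the same client endpoint and reports any reply that leaves through a different interface than the SYN arrived on. The function names and the last two sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find connections whose reply leaves by a different
# interface than the one the SYN arrived on, using iptables LOG lines.

# The first two lines are the log entries from the post; the last two are
# a constructed, symmetric connection on eth2 for contrast.
sample_log() {
cat <<'EOF'
May 17 10:30:10 mngateway kernel: IN=eth1 OUT=eth0 SRC=98.220.57.24 DST=192.168.1.58 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=17126 DF PROTO=TCP SPT=49060 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
May 17 10:30:10 mngateway kernel: IN=eth0 OUT=eth2 SRC=192.168.1.58 DST=98.220.57.24 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=25 DPT=49060 WINDOW=5792 RES=0x00 ACK SYN URGP=0
May 17 10:31:02 mngateway kernel: IN=eth2 OUT=eth0 SRC=203.0.113.10 DST=192.168.1.58 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4021 DF PROTO=TCP SPT=51000 DPT=25 WINDOW=5840 RES=0x00 SYN URGP=0
May 17 10:31:02 mngateway kernel: IN=eth0 OUT=eth2 SRC=192.168.1.58 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=25 DPT=51000 WINDOW=5792 RES=0x00 ACK SYN URGP=0
EOF
}

# Reads LOG lines on stdin, prints one line per asymmetric reply.
find_asymmetric() {
    awk '
    # Return the value of KEY=value on the current line, or "" if absent.
    function field(key,   i) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) return substr($i, length(key) + 2)
        return ""
    }
    / IN=/ {
        in_if = field("IN"); out_if = field("OUT")
        src = field("SRC"); dst = field("DST")
        spt = field("SPT"); dpt = field("DPT")
        if ($0 ~ / SYN / && $0 !~ / ACK /) {
            # Opening SYN: remember the arrival interface per client endpoint.
            arrived[src ":" spt ">" dpt] = in_if
            next
        }
        key = dst ":" dpt ">" spt      # same client endpoint, seen from the reply
        if ((key in arrived) && out_if != arrived[key])
            printf "%s:%s arrived on %s, reply leaves via %s\n", dst, dpt, arrived[key], out_if
    }'
}

sample_log | find_asymmetric
```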
On 05/17/2010 07:49 AM, Jerry Geis wrote:
> Ok - I found out how to enable iptables logging. I can see a connection from 98.X on port 25 going to .58 as desired. Then we can see that the return is going out eth2 - and - it should be going out eth1 based on postrouting.
No, it shouldn't. You cannot accomplish what you are trying to do with only iptables. Since we don't know what host is using 192.168.1.58, it's not even clear that you need iptables at all.
You must use route policies. These are set up by the "ip route" and "ip rule" commands.
I posted an example of how to do multi-homing with shorewall a few days ago: http://lists.centos.org/pipermail/centos/2010-May/094304.html
If you're not familiar with policy based routing, you should definitely be using something like shorewall that can take care of some of this for you.
This document can explain what's going on. http://www.shorewall.net/MultiISP.html
On Fri, May 14, 2010 at 03:02:04PM -0400, Jerry Geis wrote:
> > GATEWAY=74.223.8.177 on /etc/sysconfig/network file ?
> Actually I have that in the ifcfg-eth1 and ifcfg-eth2. And this is the route I get.
>     DEVICE=eth1
>     ONBOOT=YES
>     BOOTPROTO=static
>     IPADDR=74.223.8.179
>     NETMASK=255.255.255.240
>     GATEWAY=74.223.8.177
>
>     DEVICE=eth2
>     ONBOOT=Yes
>     BOOTPROTO=static
>     IPADDR=24.123.23.170
>     NETMASK=255.255.255.248
>     GATEWAY=24.123.23.169
>
>     route -n
>     Kernel IP routing table
>     Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>     24.123.23.168   0.0.0.0         255.255.255.248 U     0      0        0 eth2
>     74.223.8.176    0.0.0.0         255.255.255.240 U     0      0        0 eth1
>     192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
>     169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
>     0.0.0.0         24.123.23.169   0.0.0.0         UG    0      0        0 eth2
> I don't want 74.X traffic going out 24.X network. I want it going back out the 74.X network. How do I set up the ifcfg-eth files so the GW above will route back out the correct gw?
It won't work. You can't have two default gateways. Init scripts first set your gateway via eth1, then parse ifcfg-eth2 (alphabetical) and overwrite the previous settings.
On May 15, 2010, at 7:13 AM, Dominik Zyla gavroche@gavroche.pl wrote:
> On Fri, May 14, 2010 at 03:02:04PM -0400, Jerry Geis wrote:
> > > GATEWAY=74.223.8.177 on /etc/sysconfig/network file ?
> > Actually I have that in the ifcfg-eth1 and ifcfg-eth2. And this is the route I get.
> >     DEVICE=eth1
> >     ONBOOT=YES
> >     BOOTPROTO=static
> >     IPADDR=74.223.8.179
> >     NETMASK=255.255.255.240
> >     GATEWAY=74.223.8.177
> >
> >     DEVICE=eth2
> >     ONBOOT=Yes
> >     BOOTPROTO=static
> >     IPADDR=24.123.23.170
> >     NETMASK=255.255.255.248
> >     GATEWAY=24.123.23.169
> >
> >     route -n
> >     Kernel IP routing table
> >     Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> >     24.123.23.168   0.0.0.0         255.255.255.248 U     0      0        0 eth2
> >     74.223.8.176    0.0.0.0         255.255.255.240 U     0      0        0 eth1
> >     192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> >     169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth2
> >     0.0.0.0         24.123.23.169   0.0.0.0         UG    0      0        0 eth2
> > I don't want 74.X traffic going out 24.X network. I want it going back out the 74.X network. How do I set up the ifcfg-eth files so the GW above will route back out the correct gw?
> It won't work. You can't have two default gateways. Init scripts first set your gateway via eth1, then parse ifcfg-eth2 (alphabetical) and overwrite the previous settings.
True, you can have only one gateway of last resort and the OP needs to pick which one, but you can do policy based routing in iptables, and if reverse NAT is configured I believe incoming connections should work as advertised.
There was a thread just recently discussing solutions for this type of setup.
-Ross
That's funny. We *just* went over this in a thread with the subject "not firewall, but what?". I even posted an example shorewall configuration that does what you're trying to do.
You should either use shorewall, or if you're more familiar with Linux's "ip" command, set up the route-eth1 and route-eth2 and the rules-eth1 and rules-eth2 configuration files.
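
The "ip route" and "ip rule" setup recommended in the replies above, sketched for the eth1 uplink as an added example that is not from the thread or from shorewall. The logged reply (SRC=192.168.1.58, OUT=eth2) still carries the LAN source address when it is routed, so a source-address rule alone does not catch forwarded traffic; the example also marks connections by arrival interface. Table number 101, mark 0x1 and the function names are assumptions; addresses are those given for eth1 in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): policy routing for the second uplink.
# Replies to connections that arrived on eth1 are sent back out eth1 through
# a dedicated routing table. Assumed values: table 101, connection mark 0x1.

# Print the commands for one uplink:
#  - a per-uplink table holding the connected network and its own default route
#  - a source rule for traffic sent from the gateway's own WAN address
#  - a connection mark set on new connections arriving on the uplink and
#    restored on packets coming back from the LAN, plus a fwmark rule, so
#    forwarded (DNATed) replies select the same table
uplink_cmds() {
    wan_if=$1; wan_ip=$2; wan_net=$3; wan_gw=$4; lan_if=$5; table=$6; mark=$7
    cat <<EOF
ip route add $wan_net dev $wan_if src $wan_ip table $table
ip route add default via $wan_gw dev $wan_if table $table
ip rule add from $wan_ip lookup $table
ip rule add fwmark $mark lookup $table
iptables -t mangle -A PREROUTING -i $wan_if -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark
iptables -t mangle -A PREROUTING -i $lan_if -j CONNMARK --restore-mark
EOF
}

# eth1 values as given in the thread; eth0 is the LAN side.
t1_cmds() {
    uplink_cmds eth1 74.223.8.179 74.223.8.176/28 74.223.8.177 eth0 101 0x1
}

# Dry run by default: print the commands. APPLY=1 (as root) executes them.
if [ "${APPLY:-0}" = 1 ]; then
    t1_cmds | sh -e
else
    t1_cmds
fi
```

The main table keeps its single default route via eth2, so unmarked traffic is unaffected.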