On 12/28/2015 01:19 AM, Александр Кириллов wrote:
Are you sure? You assume the destination of the incoming traffic is the gateway. What if it isn't?
Can you explain what you mean? Not only am I not assuming that, I can hardly conceive of any situation in which a host will receive traffic for its own gateway.
On 28/12/2015 22:47, Gordon Messmer wrote:
Can you explain what you mean? Not only am I not assuming that, I can hardly conceive of any situation in which a host will receive traffic for its own gateway.
... Basic 1:1 NAT ... you have two gateways while you have two IP addresses or one on the interface. Just to illustrate the issue: AWS instance with two interfaces which have two IP addresses NATed to them by the AWS front tier using some kind of virtual gateway.
Eliezer
Now I am sure that you didn't understand the situation/network as I do!
On 12/29/2015 07:18 AM, Eliezer Croitoru wrote:
... Basic 1:1 NAT ... you have two gateways while you have two IP addresses or one on the interface. Just to illustrate the issue: AWS instance with two interfaces which have two IP addresses NATed to them by the AWS front tier using some kind of virtual gateway.
I'm struggling to understand what you meant when you said that the destination is the gateway. If you just mean that the traffic is NATed, then again, I was not assuming that in any of my explanations.
A host with two addresses and two NAT gateways would apply routing policy just like one that isn't behind NAT gateways. In that configuration, NAT isn't relevant.
Now, if you had a host with just one address that was behind two different NAT routers, then that would be a configuration that might require marking connections based on the MAC address of incoming packets, and applying rules based on those marks. However, such a configuration is broken in several different ways, and connection marking just digs that hole deeper. Don't do this.
At some point, I'd remind you of the advice of Dr Robert Anthony: "If you find a good solution and become attached to it, the solution may become your next problem."
I may not have understood/interpreted the scenario very well. I will try again: "I have a server with 2 public IPs on 2 devices." He has two servers or two gateways or both?
"I want that the request of incoming traffic don't use the default gateway. Incoming traffic should be answered using the gateway of the incoming device." How to interpret this sentence? The scenario I can think of is that these servers have more than one gateway, and in this case it's really unclear to me if the gateways are serving the same networks or not. From what I understood, in this situation he wants to prevent reverse path routing, or in other words he wants the connection that comes from some host and gateway (which is unknown) to be returned/continued using this same gateway. So it's really unclear (to me) if its routing includes two gateways for the same network and some routing protocol that allows that, or another option.
In any case, since he spoke about "incoming" traffic, which to my basic and simple understanding means the whole Internet, he cannot use basic routing settings to do that *unless* he can predict that all incoming traffic is going to be from a specific gateway. Again, I understood that he doesn't know which gateway the traffic will come from but he wants to preserve the reverse path to them.
If he will bother to clear it out I will continue to respond, and if not... well, it's clear that there are a couple of possibilities for the scenario and I was referring to a specific one.
So in any case I will add that in the past the Linux kernel implemented a routing cache, which was removed somewhere in the 3.x versions, and while it existed, if someone was contacting a server that had this kernel, the routing cache was causing a weird scenario in which the kernel would route traffic using the same gateway as long as the cache entry existed. However, in the kernels from which this cache was removed, a packet-by-packet routing decision is made, and unless you can know who all your clients are, you cannot predict their routing path using a simple static Linux routing setup and you would be required to choose some other alternative. --- I don't really know who Dr Robert Anthony is, but his words are true only for specific and understood scenarios which I can understand and interpret. The situation is that I still do not understand it, and I tried to answer a specific scenario which I think applies to a couple of them.
All The Bests, Eliezer
On 12/30/2015 12:44 AM, Eliezer Croitoru wrote:
"I want that the request of incoming traffic don't use the default gateway. Incoming traffic should be answered using the gateway of the incoming device."
I'm sorry, but I have been following this thread for a while and everything that Gordon (and I, in my first post) mentioned is accurate. This is a routing problem, not a NATing problem. Even if it can be handled via NATing (which I seriously doubt), it would require ridiculous server resources which are not necessary. Please look at our links carefully. This problem is simply handled by proper routing rules. Whether those are implemented via my suggested generic Linux rules or via the Red Hat specific rules Gordon suggested, that is the proper way to handle the problem. I too am puzzled by what you are trying to do here otherwise.
And just for the record I have a server with two interfaces on the same broadcast network and did exactly what I showed in the link I sent and got exactly what I wanted. From this single sentence you seem to want to do what either Gordon or I suggested in the links we sent. Why do you insist on playing with iptables when that is not the proper tool for this job?
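The source-based policy routing that Paul and Gordon refer to (one routing table per interface, selected by the reply's source address, so answers leave through the gateway of the interface the request arrived on), as an added example that is not code from any post in this thread. Interface names, addresses, gateways and table numbers are assumed placeholders; `RUN=echo` prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from any post in this thread: reply traffic leaves via the
# gateway of the interface whose address it is sent from, instead of the single
# default route. All names, addresses and table numbers below are placeholders.

IF1=eth0; IP1=203.0.113.10;  GW1=203.0.113.1;  NET1=203.0.113.0/24;  TABLE1=101
IF2=eth1; IP2=198.51.100.10; GW2=198.51.100.1; NET2=198.51.100.0/24; TABLE2=102

# RUN=echo (the default) only prints the commands; RUN="" executes them (root).
RUN="${RUN-echo}"

# One routing table per interface: the on-link route plus a default route via
# that interface's gateway, chosen whenever the packet's source address is the
# address bound to that interface, i.e. whenever it is a reply to traffic that
# arrived there.
add_table() {
    iface=$1 addr=$2 gw=$3 net=$4 table=$5
    $RUN ip route add "$net" dev "$iface" src "$addr" table "$table"
    $RUN ip route add default via "$gw" dev "$iface" table "$table"
    $RUN ip rule add from "$addr" lookup "$table" priority "$table"
}

policy_routes() {
    add_table "$IF1" "$IP1" "$GW1" "$NET1" "$TABLE1"
    add_table "$IF2" "$IP2" "$GW2" "$NET2" "$TABLE2"
    # The main table keeps one default route for locally originated traffic
    # that is not bound to a particular source address.
    $RUN ip route replace default via "$GW1" dev "$IF1"
    # Strict reverse-path filtering (1) can drop traffic on a multi-homed host;
    # loose mode (2) is the usual setting for this layout.
    $RUN sysctl -w net.ipv4.conf.all.rp_filter=2
}

policy_routes
```

After applying it for real, `ip route get <remote-address> from 198.51.100.10` should report the route via `198.51.100.1` on `eth1`, while the same query with `from 203.0.113.10` reports `eth0`. On RHEL/CentOS the same rules and routes are persisted in `/etc/sysconfig/network-scripts/rule-<iface>` and `route-<iface>` files, which is the Red Hat specific form mentioned above.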
On 30/12/2015 10:22, Paul R. Ganci wrote:
I do not insist on anything else; it's just that there are missing things in the picture... it is that simple, nothing more than that. If the thread poster will bother to clear up the picture then I will be able to understand. I do not want anything and I do not need anything for me; my servers and routing work just great, but the thread was started by someone who is not here anymore, so if everything works for me and if everything works for you and Gordon, I really do not think any more time or words should be invested in something that is unclear, at least to me.
Eliezer
Hello,
I follow your discussion. The first 2 posts using multiple default routes solve my problem perfectly.
Thank you all.
J
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
I'm struggling to understand what you meant when you said that the destination is the gateway. If you just mean that the traffic is NATed, then again, I was not assuming that in any of my explanations.
I said that assuming the host with 2 public IPs mentioned in the OP could be the gateway for a LAN, as I suspect the routing based on source address that you suggested will not work for transit traffic. There's a routeback option in Shorewall which probably does what the OP wants, but I have no idea how to achieve this with firewalld or iptables.