Hello,
I have a server with 2 public IPs on 2 devices.
I want the requests of incoming traffic not to use the default gateway. Incoming traffic should be answered using the gateway of the incoming device.
Could I realize this with firewalld? Or directly with iptables?
Greetings, J
On 12/25/2015 12:44 PM, Joey wrote:
> I have a server with 2 public IPs on 2 devices.
> I want the requests of incoming traffic not to use the default gateway. Incoming traffic should be answered using the gateway of the incoming device.
> Could I realize this with firewalld? Or directly with iptables?
No, you cannot do that via firewalld or iptables. The problem is you have to tell the packets to go out the proper interface, which must be done via routing tables. For that purpose you need ip route. I suggest you take a look at
https://kindlund.wordpress.com/2007/11/19/configuring-multiple-default-route...
This link provides a very thorough description of what must be done.
Just a warning: you will want your routing tables to be maintained across system boots. I put my routes for my bridged interfaces into:
/etc/sysconfig/network-scripts/route-br1
/etc/sysconfig/network-scripts/route-br2
You can put your routes into similar files... just replace br1/br2 with your appropriate interface names.
On 12/25/2015 12:28 PM, Paul R. Ganci wrote:
> you have to tell the packets to go out the proper interface, which must be done via routing tables. For that purpose you need ip route. I suggest you take a look at
> https://kindlund.wordpress.com/2007/11/19/configuring-multiple-default-route...
ip route and ip rule. That link is fair for generic Linux, but this article describes the configuration files available on Red Hat and derived systems: https://blogs.oracle.com/networking/entry/advance_routing_for_multi_homed
This is half true. Depending on the application or the way the network traffic is flowing, you could use some iptables rules to mark a connection, for example by the source MAC address per new connection, which would be a specific router, and by that mark the connection; then at the routing level decide which default gateway to use for this specific connection. You can take a look at an example that I wrote and modify it to use a MAC address match instead of NFQUEUE at: http://wiki.squid-cache.org/EliezerCroitoru/Drafts/MwanLB#iptables_rules_exa...
The idea is that you mark a new connection from a specific router with a unique mark and then restore the connection mark to force a specific routing table on this mark (i.e. connection).
Hope it helps,
Eliezer
On 25/12/2015 22:28, Paul R. Ganci wrote:
> On 12/25/2015 12:44 PM, Joey wrote:
> > I have a server with 2 public IPs on 2 devices.
> > I want the requests of incoming traffic not to use the default gateway. Incoming traffic should be answered using the gateway of the incoming device.
> > Could I realize this with firewalld? Or directly with iptables?
> No, you cannot do that via firewalld or iptables. The problem is you have to tell the packets to go out the proper interface, which must be done via routing tables. For that purpose you need ip route. I suggest you take a look at
> https://kindlund.wordpress.com/2007/11/19/configuring-multiple-default-route...
> This link provides a very thorough description of what must be done.
> Just a warning: you will want your routing tables to be maintained across system boots. I put my routes for my bridged interfaces into:
> /etc/sysconfig/network-scripts/route-br1
> /etc/sysconfig/network-scripts/route-br2
> You can put your routes into similar files... just replace br1/br2 with your appropriate interface names.
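To make the connection-mark variant described in the message above concrete, here is an added example; it is not code from the thread or from the linked Squid wiki page. It assumes two uplinks eth0/eth1 with gateways 1.2.3.1/2.3.4.1, the fwmarks 0x1/0x2, the table numbers 101/102 and a made-up router MAC, all of which are assumptions. With DRY_RUN=1 (the default) it prints the commands it would run; as root with DRY_RUN=0 it applies them.

```shell
#!/bin/sh
# Added example, not code from the thread. Connection-mark based gateway
# selection: tag each new connection arriving on an uplink with a CONNMARK
# (optionally only when it arrives from a known router MAC), restore that mark
# onto the server's own reply packets, and let an "ip rule fwmark" pick the
# uplink's routing table. Interface names, MACs, marks and table numbers are
# assumptions. DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mark_uplink IFACE GATEWAY MARK TABLE [ROUTER_MAC]
mark_uplink() {
    mu_iface=$1 mu_gw=$2 mu_mark=$3 mu_table=$4 mu_mac=${5:-}
    mu_macmatch=""
    if [ -n "$mu_mac" ]; then
        mu_macmatch="-m mac --mac-source $mu_mac"
    fi
    # 1. Mark the first packet of each new inbound connection on this uplink;
    #    conntrack keeps the connection mark for the life of the connection.
    #    ($mu_macmatch is deliberately unquoted so it splits into arguments.)
    run iptables -t mangle -A PREROUTING -i "$mu_iface" -m conntrack --ctstate NEW \
        $mu_macmatch -j CONNMARK --set-mark "$mu_mark"
    # 2. A table whose default route is this uplink's gateway, selected by fwmark.
    run ip route add default via "$mu_gw" dev "$mu_iface" table "$mu_table"
    run ip rule add fwmark "$mu_mark" table "$mu_table" priority "$mu_table"
    # 3. Strict reverse-path filtering (rp_filter=1, the CentOS default) does the
    #    reverse lookup without the fwmark, so it resolves the client via the main
    #    table's gateway and drops inbound packets on the other uplink; use loose
    #    mode on this interface (the stricter of conf.all and conf.IFACE wins).
    run sysctl -w "net.ipv4.conf.$mu_iface.rp_filter=2"
}

# restore_marks
# Copy the connection mark back onto every locally generated packet in the
# mangle OUTPUT chain, which runs before the routing decision, so replies to a
# marked connection hit the fwmark rule above. One rule covers all uplinks.
restore_marks() {
    run iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
}

# Demo: two uplinks, the second restricted to connections arriving from one router.
mark_uplink eth0 1.2.3.1 0x1 101
mark_uplink eth1 2.3.4.1 0x2 102 00:11:22:33:44:55
restore_marks
```

The MAC match is the one place where this approach does something a source-address rule cannot: it ties the mark to the router the packet came through rather than to the address it was sent to. Everything else (the per-uplink table, the default route in it) is the same as a plain policy-routing setup.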
On 12/26/2015 08:16 PM, Eliezer Croitoru wrote:
> you could use some iptables rules to mark a connection, for example by the source MAC address per new connection, which would be a specific router, and by that mark the connection; then at the routing level decide which default gateway to use for this specific connection.
While that's true, you still have to select the default route using "ip rule". And since you can do that using the source address for outgoing packets, there's no reason to mark them. It's completely redundant.
On 27/12/2015 22:49, Gordon Messmer wrote:
> While that's true, you still have to select the default route using "ip rule". And since you can do that using the source address for outgoing packets, there's no reason to mark them. It's completely redundant.
Can you match the MAC address in ip rule? If so, it's much simpler than I was estimating.
Eliezer
On 12/27/2015 07:49 PM, Eliezer Croitoru wrote:
> On 27/12/2015 22:49, Gordon Messmer wrote:
> > While that's true, you still have to select the default route using "ip rule". And since you can do that using the source address for outgoing packets, there's no reason to mark them. It's completely redundant.
> Can you match the MAC address in ip rule? If so, it's much simpler than I was estimating.
No, but you don't have to. In the scenario presented, two links with two IP addresses in different broadcast domains, traffic that is sent in response to requests received on the second link/IP address will have the second IP address in the source address field. You can use that as the rule.
Remember that Ethernet and IP are separate technologies. You can make routing policies entirely in the IP layer without mixing in Ethernet stuff like MAC addresses.
I still do not understand something. The thread started with:
> I have a server with 2 public IPs on 2 devices.
> I want the requests of incoming traffic not to use the default gateway. Incoming traffic should be answered using the gateway of the incoming device.
> Could I realize this with firewalld? Or directly with iptables?
##END OF QUOTE
Which means he has 1 server with two gateway devices, each of which has its own broadcast space/network. It's not clear to me whether the two gateways are in the same broadcast domain/network or not. If they are on the same network then he must have some routing rules, and the issue is not about a specific src address but about a connection.

Now with both of these devices there he has an issue. He sure needs to use basic routing skills to make it work using some metrics if he wants a static routing setup... but when it becomes almost asymmetric it is possible to have a "reverse-path" routing situation, which is because the server has two default gateways and not one. For this situation he cannot utilize the source address but only the source MAC address, unless these 2 devices are some sort of reverse proxies, in which case they do not require any routing settings at all, and not even a default gateway or direct Internet access.
So from what I understood he will need to do some connection marking by the MAC address if these two devices are two routers that do NAT.
Eliezer
On 28/12/2015 09:22, Gordon Messmer wrote:
> No, but you don't have to. In the scenario presented, two links with two IP addresses in different broadcast domains, traffic that is sent in response to requests received on the second link/IP address will have the second IP address in the source address field. You can use that as the rule.
> Remember that Ethernet and IP are separate technologies. You can make routing policies entirely in the IP layer without mixing in Ethernet stuff like MAC addresses.
On 12/28/2015 04:50 AM, Eliezer Croitoru wrote:
> Which means he has 1 server with two gateway devices, each of which has its own broadcast space/network. It's not clear to me whether the two gateways are in the same broadcast domain/network or not.
I think it's safe to assume that the two addresses and, necessarily, the gateways, are in separate broadcast domains. However, even if that weren't the case, it is still sufficient to create two routing tables and use "ip rule" to select the appropriate table (and the gateway it specifies) based on the source address of the packet being routed.
Just to walk you through it, assume his server has two addresses in separate broadcast domains. The first interface has 1.2.3.4/24 with gateway 1.2.3.1. The second interface has 2.3.4.5/24 with gateway 2.3.4.1.
Now, a host at 192.0.2.2 initiates a connection. It sends a TCP SYN packet to 1.2.3.4. The server receives that packet and sends a TCP SYN/ACK to 192.0.2.2. The source address of that packet is 1.2.3.4. A rule exists that matches packets from 1.2.3.4 and selects the first routing table, where the default gateway is 1.2.3.1.
Later, a host at 198.51.100.3 initiates a connection. It sends a TCP SYN packet to 2.3.4.5. The server receives that packet and sends a TCP SYN/ACK to 198.51.100.3. The source address of that packet is 2.3.4.5, since that is the address that the SYN was sent to. A rule exists on the server that matches packets from 2.3.4.5 and selects the second routing table, where the default gateway is 2.3.4.1.
> If they are on the same network then he must have some routing rules, and the issue is not about a specific src address but about a connection.
You wouldn't normally have two addresses on two interfaces in the same broadcast domain. You'd probably bond the interfaces instead. But if you did, it wouldn't change the process. Reply packets will still have their source address set to the same address that received the request, and you'd still be able to specify the routing table based on that address.
So, again, you *can* mark connections and select a route that way, but it's slower and more complex than using information that's already available. There's simply no reason to do that in a standard multi-homed setup.
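Putting the walkthrough above (two tables, an "ip rule" keyed on the source address) and Paul's earlier remark about persisting routes under /etc/sysconfig/network-scripts into runnable form, here is an added example that is not code from the thread. It uses Gordon's addresses 1.2.3.4/24 via 1.2.3.1 and 2.3.4.5/24 via 2.3.4.1; the interface names eth0/eth1, the table numbers 101/102, the rule priorities and the DRY_RUN switch are assumptions. With DRY_RUN=1 (the default) it prints the commands instead of executing them; as root with DRY_RUN=0 it applies them.

```shell
#!/bin/sh
# Added example, not code from the thread. Source-address policy routing for a
# dual-homed server, using the addresses from Gordon's walkthrough:
#   eth0  1.2.3.4/24  gateway 1.2.3.1  -> table 101
#   eth1  2.3.4.5/24  gateway 2.3.4.1  -> table 102
# Interface names, table numbers, priorities and the DRY_RUN switch are
# assumptions. DRY_RUN=1 (default) prints each command instead of running it;
# run as root with DRY_RUN=0 to apply.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# network_of ADDR PREFIXLEN -> dotted network address, pure shell arithmetic.
# Runs in a subshell so the IFS change and "set --" do not leak to the caller.
network_of() (
    plen=$2
    IFS=.
    set -- $1
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    n=$(( n & mask ))
    printf '%d.%d.%d.%d' $(( (n >> 24) & 255 )) $(( (n >> 16) & 255 )) \
                         $(( (n >> 8) & 255 )) $(( n & 255 ))
)

# policy_route IFACE ADDR PREFIXLEN GATEWAY TABLE
# One uplink = one routing table plus one rule:
#  - the connected network inside the table, so hosts on the link resolve there
#  - a default route via the link's own gateway
#  - an RPDB rule sending anything sourced from ADDR to that table; a reply
#    keeps the address the request was sent to, so it leaves the way it came
policy_route() {
    pr_iface=$1 pr_addr=$2 pr_plen=$3 pr_gw=$4 pr_table=$5
    pr_net=$(network_of "$pr_addr" "$pr_plen")
    run ip route add "$pr_net/$pr_plen" dev "$pr_iface" src "$pr_addr" table "$pr_table"
    run ip route add default via "$pr_gw" dev "$pr_iface" table "$pr_table"
    run ip rule add from "$pr_addr/32" table "$pr_table" priority "$pr_table"
}

# write_sysconfig IFACE ADDR PREFIXLEN GATEWAY TABLE [DIR]
# Persist the same thing the RHEL/CentOS way: route-<iface> and rule-<iface>
# under /etc/sysconfig/network-scripts hold "ip route"/"ip rule" arguments,
# one per line, and ifup applies them when the interface comes up.
write_sysconfig() {
    ws_iface=$1 ws_addr=$2 ws_plen=$3 ws_gw=$4 ws_table=$5
    ws_dir=${6:-/etc/sysconfig/network-scripts}
    ws_net=$(network_of "$ws_addr" "$ws_plen")
    {
        printf '%s\n' "$ws_net/$ws_plen dev $ws_iface src $ws_addr table $ws_table"
        printf '%s\n' "default via $ws_gw dev $ws_iface table $ws_table"
    } > "$ws_dir/route-$ws_iface"
    printf '%s\n' "from $ws_addr/32 table $ws_table" > "$ws_dir/rule-$ws_iface"
}

# Demo: print the runtime commands for both uplinks.
policy_route eth0 1.2.3.4 24 1.2.3.1 101
policy_route eth1 2.3.4.5 24 2.3.4.1 102
```

The main table keeps its single default route for traffic the server originates itself; only packets sourced from one of the two addresses are steered into the per-uplink tables. Checking the result is a matter of `ip rule show` and `ip route show table 101` (and 102) after applying.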
On 26/12/15 06:44, Joey wrote:
> Hello,
> I have a server with 2 public IPs on 2 devices.
This is most likely what you are after:
Routing for multiple uplinks/providers - http://lartc.org/howto/lartc.rpdb.multiple-links.html
Cheers, ak.