iptables NAT iproute2 – Advanced Routing Problem Solutions

iproute2iptablesnat;

I have 2 internet links using 2 ADSL routers and I need to give access to the Internet for the 192.168.0.0/24 network.

I have to route outgoing traffic based on port number, protocol, …
using iproute2 and iptables on a linux router.

This is my network:

     (ISP-1)                              (ISP-2)
Dynamic public IP                    Dynamic public IP 
        |                                    |
+---------------+                    +---------------+
|ADSL Router (1)|                    |ADSL Router (2)|
+---------------+                    +---------------+
        |                                    |
   192.168.1.1                          192.168.2.1
        |                                    |
        |                                    |
        |                                    |
        |        +------------------+        |
        |        |                  |        |
   192.168.1.2 --|eth1          eth2|-- 192.168.2.2
                 |                  |
                 |   Linux Router   |
                 |                  |
                 |       eth0       |
                 +------------------+
                          |
                     192.168.0.1
                          |
                          |
                    Local Network:
                    192.168.0.0/24

I use the following script to setup the network configuration on the Linux router:

#!/bin/bash

echo 1 >| /proc/sys/net/ipv4/ip_forward
echo 0 >| /proc/sys/net/ipv4/conf/all/rp_filter

# flush all iptables entries
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT

# marking packets
iptables -t mangle -A PREROUTING -i eth0 -p icmp -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth0 -p udp  -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth0 -p tcp  -j MARK --set-mark 2

# create routing tables and default routes
echo '1     ISP1' >> /etc/iproute2/rt_tables
echo '2     ISP2' >> /etc/iproute2/rt_tables
ip route add default via 192.168.1.1 dev eth1 table ISP1
ip route add default via 192.168.2.1 dev eth2 table ISP2

# routing based on previous marks
ip rule add fwmark 1 table ISP1
ip rule add fwmark 2 table ISP2

ip route flush cache

# NAT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE

The problem is that I can't connect to the internet from the 192.168.0.0/24 network.

When I ping from this network to a remote server I can see (using Wireshark) replies returning back from the remote server to eth1 of the Linux router, but they don't reach out eth0.

Please help. And Thanks in advance.

(EDIT)

I tried troubleshooting this weird issue for a week.

Troubleshooting commands output:

ip rule
0:  from all lookup local 
32764:  from all fwmark 0x1 lookup ISP1
32765:  from all fwmark 0x2 lookup ISP2 
32766:  from all lookup main 
32767:  from all lookup default 

ip route show table ISP1
default via 192.168.1.1 dev eth1

ip route show table ISP2
default via 192.168.2.1 dev eth2

ip route show table main
192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.2
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.2
192.168.0.0/24 dev eth0  proto kernel  scope link  src 192.168.0.1
169.254.0.0/16 dev eth0  scope link  metric 1000 
default via 192.168.1.1 dev eth1  metric 100

I can solve this problem partially by typing the following commands:

ip rule del fwmark 1 table ISP1
ip rule del fwmark 2 table ISP2
ip rule add from 192.168.0.0/24 table ISP1

So I get all traffic from local network routed correctly trough ISP1 link and all PCs get Internet access.

But i am interested in routing based on packets marks.

Best Answer

After a lot of hard work I finally found what was the problem.

In fact it is not a routing problem, the script is correct but something is missing.

This command is not enough to disable rp_filter:

echo 0 >| /proc/sys/net/ipv4/conf/all/rp_filter

So the traffic returning back from Internet was drop at eth1 and eth2.

When I disabled rp_filter explicitly for both interfaces by adding the following commands:

echo 0 >| /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 >| /proc/sys/net/ipv4/conf/eth2/rp_filter

The problem was solved and I get everything working perfectly.

The proof that Linux tutorials and documentation are not always completes.

Related Solutions

Firewall – Multiple interface NAT routing

These rules probably don't do what you want. The first rule permits any new connection from eth1 and eth2, the second permits everything from eth0 and eth1. This appears to permit everything from any interface basically making your firewall pointless.

iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth2 -j ACCEPT

You may mean this instead.

iptables -A INPUT -m state --state NEW -i eth1 -j ACCEPT

Anyway, instead of adding things to rc.local I would probably update your /etc/network/interfaces to look like this. I am making some guesses about what you have for masks, so be sure to check and update. You probably should be adding all of the link routes to the fiber table.

auto eth0
iface eth0 inet static
  address 192.168.1.2
  netmask 255.255.255.0
  network 192.168.1.0
  broadcast 192.168.1.255
  gateway 192.168.1.1
  up ip route add table fiber scope link proto kernel dev eth0 192.168.1.0/24

auto eth1
iface eth1 inet static
  address 10.254.239.1
  netmask 255.255.255.0
  network 10.254.239.0
  broadcast 10.254.239.255
  up ip route add table fiber scope link proto kernel dev eth1 10.254.239.0/24

auto eth2
iface eth2 inet static
  address 20.20.20.22
  netmask 255.255.255.252
  network 20.20.20.20
  broadcast 20.20.20.23
  up ip route add table fiber scope link proto kernel dev eth2 20.20.20.20/30
  up ip route add default via 20.20.20.21 table fiber
  up ip rule add fwmark 2 table fiber

Linux – Redirecting IP traffic to tun0 using iptables

Using the same network address on two interfaces is asking for trouble. I'd renumber the tun0 network, then set up NAT to deal with the fallout. With tun0 set up between 192.168.0.1 (local) and 192.168.0.2 (remote):

iptables -t nat -I PREROUTING -d 10.68.195.78 -j DNAT --to-dest 192.168.0.2

This still requires that packets for 10.68.195.78 arrive at this host, so all hosts (or at least those that need to contact the box on the other side) on this network need

ip r a 10.68.195.78 via 10.68.195.23

Alternatively, you can use proxy ARP, but that is generally messy.

In addition, the box on the other side needs to have its default route point to the tunnel so returning packets go the same way; you can also add a SNAT rule in POSTROUTING to make all connections appear to the other box as from the other tunnel endpoint:

iptables -t nat -I POSTROUTING -d 10.68.195.78 -j SNAT --to-source 192.168.0.1

Best Answer

Related Solutions

Firewall – Multiple interface NAT routing

Linux – Redirecting IP traffic to tun0 using iptables

Related Topic