Ssh – iptables with DNAT and multiple gateways: How to route replies to correct gateway

dnatgatewayiptablesroutingssh

I have a problem setting up iptables rules and routes on a Linux client for a scenario with DNAT and multiple gateways:

We have two gateways to the Internet. The first has a fixed IP, the second offers a better bandwidth. Both gateways do SNAT for outgoing traffic from our private network.

On the first gateway with the fixed IP I've set up port forwarding for port 22 so that all SSH traffic will be forwarded to my Linux client.

That works fine.

But only if I use this first gateway as default route on the Linux client.

When I switch the Linux client to the second gateway as default route, incoming SSH connections no longer work.

How can I setup the Linux client to send reply packets related to incoming SSH connections to the first gateway, but all other traffic to the second gateway?

Best Answer

I found a solution in the accepted answer to the question "Route return traffic to correct gateway depending on service".

I've implemented these rules on my Linux client:

# Default route is second gateway:
ip route add default via 10.0.0.2

# Create a routing table "FIXED" using our fixed IP gateway
echo "200 FIXED" >>/etc/iproute2/rt_tables
ip route add default table FIXED via 10.0.0.1

# Create a rule to route any packets marked "42" through FIXED:
ip rule add fwmark 42 table FIXED

# Finally, the iptables rule:
# Any outgoing traffic from source port 22 of my Linux client
# that has a destination inside our private network (10.0.0.0/24)
# is marked "42" (and therefore goes to FIXED):
iptables -t mangle -A OUTPUT ! -d 10.0.0.0/24 \
                             -p tcp -m tcp --sport 22 \
                             -j MARK --set-mark 42

Related Solutions

Linux Routing – Route Return Traffic to Correct Gateway Depending on Service

If I am understanding your intentions correctly, you want your webserver to normally use ISP-2 as its default gateway for outgoing traffic, with the exception of its responses to external web requests, which must transit via ISP-1 instead. Here is a sketch of a solution using policy routing:

echo "101 webtraffic" >> /etc/iproute2/rt_tables

ip route add default table webtraffic via $ISP1_GW_LAN_IP
ip rule add fwmark 1 table webtraffic
iptables -t mangle -A OUTPUT -d \! $LAN_NET_PREFIX \
                             -p tcp -m tcp --sport 443 \
                             -j MARK --set-mark 1

where:

LAN_NET_PREFIX is your LAN's network prefix (e.g. 192.168.100.0/24), and
ISP1_GW_LAN_IP is the LAN IP address of your gateway to ISP-1 (e.g. 192.168.100.100).

The first ip command sets the default route on the webtraffic table to your ISP-1 gateway, and the second ensures that packets marked 1 are routed using the webtraffic table. Finally, the iptables rule marks the appropriate outgoing packets, ensuring that their next hop will be towards ISP-1.

Here is an alternate solution that uses an experimental iptables module, the ROUTE target:

iptables -t mangle -A POSTROUTING -d \! $LAN_NET_PREFIX \
                                  -p tcp -m tcp --sport 443 \
                                  -j ROUTE --gw $ISP1_GW_LAN_IP

This rule would override the routing decision for outgoing web response packets, sending them to your ISP-1 gateway, instead of to the default ISP-2. All other traffic, including web responses to clients on your LAN, would not be affected. As has been pointed out in the comments, the ROUTE target is very likely not to be implemented on any system that has not explicitly patched it into the kernel, since it is experimental.

UFW/IPTables – How to Securely Allow Authenticated Git Access with GitHub

You're trying to connect with SSH, and that (appears to be) allowed, so it's time to diagnose the problem. I like to add a LOG rule just before I drop any packets, so I know exactly what's being dropped. Otherwise, a bit of tcpdump action should identify the traffic that's not going anywhere. Once you know what's being dropped, it's a trivial matter to add the necessary rules to allow it.

Best Answer

Related Solutions

Linux Routing – Route Return Traffic to Correct Gateway Depending on Service

UFW/IPTables – How to Securely Allow Authenticated Git Access with GitHub

Related Topic