Ubuntu Iptables Dual Wan – Forward wan 1 & 2 to an internal server


I'm having problems configuring iptables rules on a double wan setup. The OS is Ubuntu 12.04 LTS.

I have 2 Wan connections, both with static IP. Wan-1 is on eth2, Wan-2 is on eth4. I want both of them to forward to the same internal servers.

Wan-1 rules are working, and I can access all internal servers without problem, but I can't access servers when using Wan-2.

Wan-1: (not the real IP addresses)

IP: 17.13.12.90
CIDR: 17.13.12.90/29
Netmask: 255.255.255.248
Gateway: 17.13.12.89

Wan-2: (not the real IP addresses)

IP: 17.13.12.174
CIDR: 17.13.12.174/29
Netmask: 255.255.255.248
Gateway: 17.13.12.169

Wan-1 (eth2) is the current default gateway; everything is working here. I can access internal servers from the internet. No problems. I can ping it from the outside and connect via SSH.

Wan-2 (eth4) is the new wan connection I'm setting up. I can ping it from the outside and connect via SSH to it. But I can't connect to internal servers from this IP.

Local network is eth0.

My /etc/iproute2/rt_tables file looks like this:

#
# reserved values
#
255 local
254 main
253 default
0   unspec
#
# local
#
10  isp1
20  isp2

These are the ip rules I've set up:

ip route add 17.13.12.88 dev eth2 src 17.13.12.90 table isp1
ip route add default via 177.135.127.89 table isp1
ip route add 17.22.17.168 dev eth4 src 17.22.17.174 table isp2
ip route add default via 17.22.17.169 table isp2

ip route add 17.13.12.88 dev eth2 src 17.13.12.90
ip route add 17.22.17.168 dev eth4 src 17.22.17.174

ip route add default via 17.13.12.89

ip rule add from 17.13.12.90 table isp1
ip rule add from 17.22.17.174 table isp2
ip rule add fwmark 0x1 table isp1
ip rule add fwmark 0x2 table isp2

These are the iptables rules concerning the mangle table:

$IPT -t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark

# Input rules
$IPT -t mangle -A INPUT -i $IF_ETH2 -p tcp -j MARK --set-mark 0xa
$IPT -t mangle -A INPUT -i $IF_ETH4 -p tcp -j MARK --set-mark 0xb

$IPT -t mangle -A PREROUTING -i $IF_ETH0 -m mark --mark 0xa -p tcp -j MARK --set-mark 0x1
$IPT -t mangle -A PREROUTING -i $IF_ETH0 -m mark --mark 0xb -p tcp -j MARK --set-mark 0x2

# output rules
$IPT -t mangle -A OUTPUT -m mark --mark 0xa -p tcp -j MARK --set-mark 0x1
$IPT -t mangle -A OUTPUT -m mark --mark 0xb -p tcp -j MARK --set-mark 0x2

Could someone please point me in the right direction and help me figure out why connections coming from Wan-2 aren't being forwarded to the internal servers? The rules seem OK, but maybe I'm missing something.

Best Answer

At the moment I'm using the following settings. Let's assume 192.168.127.10 is our internal server and xxx.xxx.xxx.xxx / yyy.yyy.yyy.yyy are the IP addresses of wan1/wan2.

# iptables -t mangle -I PREROUTING -s 192.168.127.10 -m conntrack --ctorigdst xxx.xxx.xxx.xxx -j MARK --set-mark 0x3e8
# iptables -t mangle -I PREROUTING -s 192.168.127.10 -m conntrack --ctorigdst yyy.yyy.yyy.yyy -j MARK --set-mark 0x7d0

# ip ru add fwmark 0x3e8 lookup ISP1 prio 1000
# ip ru add fwmark 0x7d0 lookup ISP2 prio 2000

Set up default policy-based routing:

# cat /root/routing/set_default_routing.sh
#!/bin/sh

IP1='xxx.xxx.xxx.xxx'
IF1='eth2'
P1='xxx.xxx.xxx.1'
P1_NET='xxx.xxx.xxx.0/29'

IP2='yyy.yyy.yyy.yyy'
IF2='eth4'
P2='yyy.yyy.yyy.25'
P2_NET='yyy.yyy.yyy.0/29'

/sbin/ip route add $P1_NET dev $IF1 src $IP1 table ISP1
/sbin/ip route add default via $P1 table ISP1

/sbin/ip route add $P2_NET dev $IF2 src $IP2 table ISP2
/sbin/ip route add default via $P2 table ISP2

/sbin/ip rule add from $IP1 table ISP1
/sbin/ip rule add from $IP2 table ISP2

/sbin/ip route add default via $P1
/sbin/ip route flush cache

P.S. Don't forget to disable the reverse path filter:

# echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter

Add the following line to /etc/sysctl.conf:

net.ipv4.conf.default.rp_filter = 0
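The accepted answer's pieces assembled into one parameterized, dry-run-capable script, as an added example that is not the poster's own code. It assumes /etc/iproute2/rt_tables defines ISP1 and ISP2, uses the question's placeholder WAN addresses, and assumes the forwarded service is TCP/22 (the page only mentions SSH).

```shell
#!/bin/sh
# Added example (not from the original post): the accepted answer's pieces
# assembled into one parameterized script. DRY_RUN=1 only prints commands.
LAN_IF=eth0;  SERVER=192.168.127.10
WAN1_IF=eth2; WAN1_IP=17.13.12.90;  WAN1_GW=17.13.12.89;  WAN1_NET=17.13.12.88/29
WAN2_IF=eth4; WAN2_IP=17.13.12.174; WAN2_GW=17.13.12.169; WAN2_NET=17.13.12.168/29
MARK1=0x3e8; MARK2=0x7d0          # fwmarks used in the accepted answer
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Per-ISP tables (ISP1/ISP2 must exist in /etc/iproute2/rt_tables): a connected
# route plus a default via that ISP's gateway, so a lookup in ISP2 leaves on eth4.
setup_routes() {
    run ip route add "$WAN1_NET" dev "$WAN1_IF" src "$WAN1_IP" table ISP1
    run ip route add default via "$WAN1_GW" table ISP1
    run ip route add "$WAN2_NET" dev "$WAN2_IF" src "$WAN2_IP" table ISP2
    run ip route add default via "$WAN2_GW" table ISP2
    run ip route add default via "$WAN1_GW"        # main table: WAN-1 is primary
    # Traffic the router itself sends from a WAN address uses that WAN's table...
    run ip rule add from "$WAN1_IP" table ISP1
    run ip rule add from "$WAN2_IP" table ISP2
    # ...and forwarded replies follow the fwmark set in setup_firewall.
    run ip rule add fwmark "$MARK1" lookup ISP1 prio 1000
    run ip rule add fwmark "$MARK2" lookup ISP2 prio 2000
}

# DNAT inbound connections on either WAN to the server (TCP/22 is an assumption)
# and mark the server's replies with the table of the WAN the connection came in on.
setup_firewall() {
    run iptables -t nat -A PREROUTING -i "$WAN1_IF" -p tcp --dport 22 -j DNAT --to-destination "$SERVER"
    run iptables -t nat -A PREROUTING -i "$WAN2_IF" -p tcp --dport 22 -j DNAT --to-destination "$SERVER"
    # --ctorigdst is the destination of the connection's first packet, i.e. the
    # public WAN address, even though DNAT has since rewritten the packets.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$SERVER" -m conntrack --ctorigdst "$WAN1_IP" -j MARK --set-mark "$MARK1"
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$SERVER" -m conntrack --ctorigdst "$WAN2_IP" -j MARK --set-mark "$MARK2"
    run iptables -A FORWARD -d "$SERVER" -p tcp --dport 22 -j ACCEPT
    run iptables -A FORWARD -s "$SERVER" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Strict reverse-path filtering drops packets arriving on eth4 whose source the
    # main table would route back out via eth2; the kernel applies max(all, iface).
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w net.ipv4.conf.default.rp_filter=0
}

setup_routes
setup_firewall
```

Run with DRY_RUN=1 first and compare the printed commands against the answer; only then apply with DRY_RUN=0 as root.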