/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting!
/* ALSO: Don't quote this header. It makes you look lame :-) */
It can be done. I too have DSL and Cable. Cable being much faster than DSL is the default route. But DSL supports serving information, so it is the default route back for traffic, because you need all traffic that came in for Cable going back out Cable and in for DSL back out on DSL. Too many providers will drop packets with source addresses not in the right range for security reasons.

Here is how I set my stuff up, it may not be ideal but IT WORKS!!
I have many extra routing tables that set defaults for different situations:

eth0 - Cable (with multiple IPs, non routable)
eth1 - DSL (with multiple routable IPs, call them DSLNetIPs)
eth2 - Internal machines 192.168.124.1 and .2 and .3
eth3 - External servers 192.168.125.1 and 2 CableIPs (not main) and 2 DSLNetIPs

2 - default route via Cable src CableIP
3 - default route via DSL src DSLIP
5 - default route via eth2 src 192.168.124.1
6 - default route via eth3 src 192.168.125.1
7 - default route via eth3 src CableIP
8 - default route via eth3 src DSLNetIP
I then added some rules based on the 'to' address being 192.168.124.* or 192.168.125.* to route using table 5 or 6.

I then added rules based on the 'to' address being any one of my Cable addresses to use table 7, and likewise for my DSLNetIPs to route via table 8. This then has all inbound traffic going to the right cards with correct routing.

Then I added appropriate 'from' rules that route back out the appropriate eth0/eth1 interface depending on the source address.

WORKS LIKE A CHARM! No load balancing or anything, but in a flash I can reassign my basic default route to either cable or DSL, and relatively quickly move over if one of the lines should fail. Nothing automatic yet, but I am working on it!
Daniel Jay wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I'm sorry if this is to the wrong mailing list; if it is, please
> direct me where to post this question.
>
> I'm going to start this email with saying I _think_ I've read
> everything I can get my hands on about this subject, I've tried every
> example I can find, with no luck. The second issue is that I can not
> upgrade to netfilter/iptables because one of the applications I need
> requires "loose udp routing". Either the examples in the mailing
> list do not apply or I must be doing something wrong.
>
> Here is my problem, everything "works" but _all_ traffic goes out the
> 207.152.31.185 internet connection. Here is what I need to happen,
> when somebody connects to 216.254.12.42 port 80 that all traffic for
> that "session" be answered back as 216.254.12.42 plus go out that
> internet connection.
>
> At this point in time I'm almost willing to do anything. Any
> suggestions (or commands) to try would be very helpful, or a how-to.
>
> Here is my basic setup and config:
>
> I have 2 internet connections and 1 LAN private address space to
> place all my computers on.
>
> This is my LAN connection
> /sbin/ifconfig eth0 192.168.181.254 netmask 255.255.255.0
>
> My first internet connection:
> /sbin/ifconfig eth1 207.152.31.185 netmask 255.255.255.0
>
> And my SDSL connection:
> /sbin/ifconfig eth2 216.254.12.42 netmask 255.255.255.0
>
> Then my gateway command: (Since I want traffic for right now to
> default out the First internet connection since it's faster):
> /sbin/route add default gw 207.152.31.1 netmask 0.0.0.0 metric 1
>
> Now I have a number of "static ip address" for each of my internet
> connections so I add those:
> /sbin/ip addr add 207.152.31.128 dev eth1
> /sbin/ip addr add 207.152.31.127 dev eth1
> /sbin/ip addr add 216.254.12.41 dev eth2
>
> Now I start to setup IPChains:
> /sbin/modprobe ip_masq_ftp
> /sbin/modprobe ip_masq_raudio
> /sbin/modprobe ip_masq_irc
> /sbin/modprobe ip_masq_quake 26000,27000,27910,27960
> echo "1" > /proc/sys/net/ipv4/ip_forward
> echo "1" > /proc/sys/net/ipv4/ip_always_defrag
> /sbin/ipchains -M -S 7200 10 160
> /sbin/ipchains -P forward DENY
> /sbin/ipfwadm -F -a masquerade -W eth1 -S 192.168.181.0/24 -D 0.0.0.0/0
> /sbin/ipfwadm -F -a masquerade -W eth2 -S 192.168.181.0/24 -D 0.0.0.0/0
>
> Now, I have a number of services behind running on machine on the
> private address space so I portfwd those:
> /usr/sbin/ipmasqadm portfw -f
> /usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.185 1701 -R 192.168.181.245 1701
> /usr/sbin/ipmasqadm portfw -a -P tcp -L 216.254.12.42 1701 -R 192.168.181.245 1701
> /usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.185 1702 -R 192.168.181.251 1702
> /usr/sbin/ipmasqadm portfw -a -P tcp -L 216.254.12.42 1702 -R 192.168.181.251 1702
> /usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.128 80 -R 192.168.181.251 80
> /usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.127 80 -R 192.168.181.250 80
> /usr/sbin/ipmasqadm portfw -a -P tcp -L 216.254.12.42 80 -R 192.168.181.250 80
> /usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.127 22 -R 192.168.181.250 22
> /usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.128 22 -R 192.168.181.251 22
> /usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.128 53 -R 192.168.181.251 53
> /usr/sbin/ipmasqadm portfw -a -P udp -L 207.152.31.128 53 -R 192.168.181.251 53
> /usr/sbin/ipmasqadm portfw -a -P tcp -L 216.254.12.42 53 -R 192.168.181.251 53
> /usr/sbin/ipmasqadm portfw -a -P udp -L 216.254.12.42 53 -R 192.168.181.251 53
> /usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.128 25 -R 192.168.181.251 25
> /usr/sbin/ipmasqadm portfw -a -P tcp -L 207.152.31.127 25 -R 192.168.181.250 25
>
> Then I block some annoying people who like to scan my boxes:
> /sbin/ipfwadm -I -a reject -S 209.15.4.251/32 -D 0.0.0.0/0 -o
> /sbin/ipfwadm -I -a reject -S 129.62.102.40/32 -D 0.0.0.0/0 -o
> /sbin/ipfwadm -I -a reject -S 24.64.188.99/32 -D 0.0.0.0/0 -o
>
> Now thats my current setup.
>
> - -------------------
> JayC Daniel
> Senior Security Engineer
> Security Integration
> HCAHealthcare
> 615-344-6988
> [EMAIL PROTECTED]
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBOpaQyms8MgTkO0sjEQLncwCeOqymC6znnQFtSrLwTTxxC1r8PaIAn0UB
> ziItg0KN6W+gArLz+VPIR9cf
> =968C
> -----END PGP SIGNATURE-----
>
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
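The table-per-uplink layout the reply describes (one routing table per line, each with its own default route and `src`, plus 'from' rules keyed on the public address), written out with iproute2 against the interfaces and addresses from the quoted question. This is an added example, not either poster's script. It assumes table numbers 2 and 3 as in the reply, an SDSL gateway of 216.254.12.1 (the question never states it), and a small show/apply wrapper so the commands can be printed and checked before being run as root.

```shell
#!/bin/sh
# Added example: two-uplink policy routing in the layout the reply describes,
# using the interfaces/addresses from the quoted post. Not either poster's
# script. DSL_GW and the show/apply wrapper are assumptions.
set -eu

LAN_IF=eth0
LAN_NET=192.168.181.0/24
CABLE_IF=eth1
CABLE_NET=207.152.31.0/24
CABLE_IP=207.152.31.185
CABLE_GW=207.152.31.1
CABLE_ALIASES="207.152.31.128 207.152.31.127"
DSL_IF=eth2
DSL_NET=216.254.12.0/24
DSL_IP=216.254.12.42
DSL_GW=216.254.12.1            # ASSUMED: the post never states the SDSL gateway
DSL_ALIASES="216.254.12.41"
T_CABLE=2                      # table numbers as in the reply
T_DSL=3

# Print the commands that build the per-uplink tables and the 'from' rules.
gen_policy_routing() {
    # One default route per uplink, in its own table, with the matching src
    # so packets the router itself originates carry the right address.
    echo "ip route add default via $CABLE_GW dev $CABLE_IF src $CABLE_IP table $T_CABLE"
    echo "ip route add default via $DSL_GW dev $DSL_IF src $DSL_IP table $T_DSL"
    # Connected subnets and the LAN must exist in every table a rule can land
    # in; a lookup that hits table 2 or 3 never falls back to main.
    for t in $T_CABLE $T_DSL; do
        echo "ip route add $LAN_NET dev $LAN_IF table $t"
        echo "ip route add $CABLE_NET dev $CABLE_IF table $t"
        echo "ip route add $DSL_NET dev $DSL_IF table $t"
    done
    # 'from' rules: a packet sourced from a cable address leaves via cable, one
    # sourced from a DSL address via DSL, so the provider's source-address
    # filter (the "security reasons" in the reply) never sees the wrong range.
    for a in $CABLE_IP $CABLE_ALIASES; do
        echo "ip rule add from $a table $T_CABLE"
    done
    for a in $DSL_IP $DSL_ALIASES; do
        echo "ip rule add from $a table $T_DSL"
    done
    echo "ip route flush cache"
}

# Switch the main table's default route by hand: the manual failover the
# reply describes ("in a flash I can reassign my basic default route").
gen_default() {
    case "$1" in
    cable) echo "ip route replace default via $CABLE_GW dev $CABLE_IF src $CABLE_IP" ;;
    dsl)   echo "ip route replace default via $DSL_GW dev $DSL_IF src $DSL_IP" ;;
    *)     echo "gen_default: expected cable or dsl" >&2; return 2 ;;
    esac
    echo "ip route flush cache"
}

case "${1:-show}" in
show)    gen_policy_routing ;;           # print the commands (default action)
apply)   gen_policy_routing | sh -e ;;   # needs root and the real interfaces
default) gen_default "${2:-}" ;;
esac
```

Run it with no argument to review the commands, `apply` to execute them, and `default cable` or `default dsl` to move the main default route. One caveat worth knowing before copying this onto a masquerading box: the 'from' rules match the source address a packet has at routing time. The reply's external servers on eth3 carry routable CableIPs/DSLNetIPs, so that address is already in place when the rule is evaluated; a port-forwarded LAN host still has its 192.168.x source when the route is chosen, and the rewrite to the public address happens afterwards, so these rules alone do not pin such a session to its uplink.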