Re: advanced routing q
On Thu, Sep 6, 2012 at 10:18 PM, shimi linux...@shimi.net wrote:
> On Wed, Sep 5, 2012 at 8:28 AM, Erez D erez0...@gmail.com wrote:
>> On Mon, Aug 20, 2012 at 10:52 AM, shimi linux...@shimi.net wrote:
>>> On Aug 20, 2012 9:34 AM, Erez D erez0...@gmail.com wrote:
>>>> hello
>>>> i have a server with two eth ports, each connects to a different router, and then to the internet.
>>>> i want all normal traffic to the internet to go via router 1 (eth0), so i added a default route to it
>>>> i want TCP connections coming from all over the internet to the second router (eth1) to be accepted.
>>>> the problem is that although connections are coming from eth1, due to the default route, they are answered from eth0, which means a tcp connection can not be established.
>>>> i know that linux has a conntrack module, can i use it to tell the kernel to answer on the same eth it got SYN from ?
>>>
>>> Are the two ports on the same netblock?
>>
>> what do you mean by that ?
>
> I mean that one is 10.1.2.3 with netmask 255.255.255.0 and the other is 10.1.2.4 with netmask 255.255.255.0, for example. That means that they're both on the same network block.

of course they are not on the same network. not so smart to have two interfaces with the same network - unless you do static routing, you depend on the order of the interfaces coming up ...

>>> If so, can they be separated to two non overlapping blocks?
>>
>> didn't get that
>
> So that one would be 10.1.2.3 with netmask 255.255.255.0 and the other would be 10.1.3.3 with netmask 255.255.255.0
>
>> i have many clients from many different ips connecting to my server. the server has two eth interfaces, with many ports open. there is no relation between eth and port, the same port can receive connections from either interface. i just want to route the relayed packets of the same connection to the eth the syn packet came from.
>
> So, the solution I gave you in the original mail is supposed to work. I only forgot one word in the command I gave over mobile, so now I'll give the full solution when it's easier to type.
>
> Variables (assumptions):
> IP address currently going through DGW that shouldn't be: 1.2.3.4
> Alternative gateway for 1.2.3.4: 1.2.3.254

1.2.3.4 and 1.2.3.254 are on the same network. for your example above, it would be 10.1.2.254 and 10.1.3.254

> First, create an alternative routing table for traffic coming from the IP that is not supposed to go to the default GW:
>
> # ip route add 0.0.0.0/0 via 1.2.3.254 table 200
>
> Then, ask Linux to use that routing table whenever the source of the traffic is from 1.2.3.4:
>
> # ip rule add from 1.2.3.4 table 200

although the packet will come from router 1.2.3.4, the source ip on the packet is not 1.2.3.4, so this rule is useless (i also checked it and it didn't work)
i tried also: ip rule add dev eth1 table 200 - didn't work either
the syntax does not allow me to write 'ip rule add from dev eth1...' - i.e. can't add 'from'
so i guess i need to tag the packets some way with an iptables rule, and then add an 'ip rule'
or maybe someone knows of a better way.

thanks shimi.
erez.

> 200 is an arbitrary number. You could use an alias for it to look nicer; if you want that, you can alias a name to a number by editing /etc/iproute2/rt_tables. There are examples there you can copy from. If you have an alias for the number, you can use it in both the ip route and ip rule commands, instead of the number.
>
> That's it, I believe.
>
> If it still doesn't work, you may be looking at the route cache. You can wait some time, or issue an:
>
> # ip route flush cache
>
> If it still doesn't work (or commands fail...), be sure to have iproute2 utilities and support in the kernel.
>
> Good luck,
>
> --
> Shimi

_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: advanced routing q
On Sun, Sep 9, 2012 at 10:28 AM, Erez D erez0...@gmail.com wrote:
> On Thu, Sep 6, 2012 at 10:18 PM, shimi linux...@shimi.net wrote:
>> On Wed, Sep 5, 2012 at 8:28 AM, Erez D erez0...@gmail.com wrote:
>>> On Mon, Aug 20, 2012 at 10:52 AM, shimi linux...@shimi.net wrote:
>>>> On Aug 20, 2012 9:34 AM, Erez D erez0...@gmail.com wrote:
>>>>> hello
>>>>> i have a server with two eth ports, each connects to a different router, and then to the internet.
>>>>> i want all normal traffic to the internet to go via router 1 (eth0), so i added a default route to it
>>>>> i want TCP connections coming from all over the internet to the second router (eth1) to be accepted.
>>>>> the problem is that although connections are coming from eth1, due to the default route, they are answered from eth0, which means a tcp connection can not be established.
>>>>> i know that linux has a conntrack module, can i use it to tell the kernel to answer on the same eth it got SYN from ?
>>>>
>>>> Are the two ports on the same netblock?
>>>
>>> what do you mean by that ?
>>
>> I mean that one is 10.1.2.3 with netmask 255.255.255.0 and the other is 10.1.2.4 with netmask 255.255.255.0, for example. That means that they're both on the same network block.
>
> of course they are not on the same network. not so smart to have two interfaces with the same network - unless you do static routing, you depend on the order of the interfaces coming up ...
>
>>>> If so, can they be separated to two non overlapping blocks?
>>>
>>> didn't get that
>>
>> So that one would be 10.1.2.3 with netmask 255.255.255.0 and the other would be 10.1.3.3 with netmask 255.255.255.0
>>
>>> i have many clients from many different ips connecting to my server. the server has two eth interfaces, with many ports open. there is no relation between eth and port, the same port can receive connections from either interface. i just want to route the relayed packets of the same connection to the eth the syn packet came from.
>>
>> So, the solution I gave you in the original mail is supposed to work. I only forgot one word in the command I gave over mobile, so now I'll give the full solution when it's easier to type.
>>
>> Variables (assumptions):
>> IP address currently going through DGW that shouldn't be: 1.2.3.4
>> Alternative gateway for 1.2.3.4: 1.2.3.254
>
> 1.2.3.4 and 1.2.3.254 are on the same network. for your example above, it would be 10.1.2.254 and 10.1.3.254
>
>> First, create an alternative routing table for traffic coming from the IP that is not supposed to go to the default GW:
>>
>> # ip route add 0.0.0.0/0 via 1.2.3.254 table 200
>>
>> Then, ask Linux to use that routing table whenever the source of the traffic is from 1.2.3.4:
>>
>> # ip rule add from 1.2.3.4 table 200
>
> although the packet will come from router 1.2.3.4, the source ip on the packet is not 1.2.3.4, so this rule is useless (i also checked it and it didn't work)
> i tried also: ip rule add dev eth1 table 200 - didn't work either
> the syntax does not allow me to write 'ip rule add from dev eth1...' - i.e. can't add 'from'
> so i guess i need to tag the packets some way with an iptables rule, and then add an 'ip rule'
> or maybe someone knows of a better way.

tried also: iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 200 ; ip rule add fwmark 200 table 200
didn't work as well ...

> thanks shimi.
> erez.
>
>> 200 is an arbitrary number. You could use an alias for it to look nicer; if you want that, you can alias a name to a number by editing /etc/iproute2/rt_tables. There are examples there you can copy from. If you have an alias for the number, you can use it in both the ip route and ip rule commands, instead of the number.
>>
>> That's it, I believe.
>>
>> If it still doesn't work, you may be looking at the route cache. You can wait some time, or issue an:
>>
>> # ip route flush cache
>>
>> If it still doesn't work (or commands fail...), be sure to have iproute2 utilities and support in the kernel.
>>
>> Good luck,
>>
>> --
>> Shimi
Re: advanced routing q
On Sun, Sep 9, 2012 at 10:28 AM, Erez D erez0...@gmail.com wrote:
> On Thu, Sep 6, 2012 at 10:18 PM, shimi linux...@shimi.net wrote:
>> On Wed, Sep 5, 2012 at 8:28 AM, Erez D erez0...@gmail.com wrote:
>>> On Mon, Aug 20, 2012 at 10:52 AM, shimi linux...@shimi.net wrote:
>>>> On Aug 20, 2012 9:34 AM, Erez D erez0...@gmail.com wrote:
>>>>> hello
>>>>> i have a server with two eth ports, each connects to a different router, and then to the internet.
>>>>> i want all normal traffic to the internet to go via router 1 (eth0), so i added a default route to it
>>>>> i want TCP connections coming from all over the internet to the second router (eth1) to be accepted.
>>>>> the problem is that although connections are coming from eth1, due to the default route, they are answered from eth0, which means a tcp connection can not be established.
>>>>> i know that linux has a conntrack module, can i use it to tell the kernel to answer on the same eth it got SYN from ?
>>>>
>>>> Are the two ports on the same netblock?
>>>
>>> what do you mean by that ?
>>
>> I mean that one is 10.1.2.3 with netmask 255.255.255.0 and the other is 10.1.2.4 with netmask 255.255.255.0, for example. That means that they're both on the same network block.
>
> of course they are not on the same network. not so smart to have two interfaces with the same network - unless you do static routing, you depend on the order of the interfaces coming up ...
>
>>>> If so, can they be separated to two non overlapping blocks?
>>>
>>> didn't get that
>>
>> So that one would be 10.1.2.3 with netmask 255.255.255.0 and the other would be 10.1.3.3 with netmask 255.255.255.0
>>
>>> i have many clients from many different ips connecting to my server. the server has two eth interfaces, with many ports open. there is no relation between eth and port, the same port can receive connections from either interface. i just want to route the relayed packets of the same connection to the eth the syn packet came from.
>>
>> So, the solution I gave you in the original mail is supposed to work. I only forgot one word in the command I gave over mobile, so now I'll give the full solution when it's easier to type.
>>
>> Variables (assumptions):
>> IP address currently going through DGW that shouldn't be: 1.2.3.4
>> Alternative gateway for 1.2.3.4: 1.2.3.254
>
> 1.2.3.4 and 1.2.3.254 are on the same network. for your example above, it would be 10.1.2.254 and 10.1.3.254
>
>> First, create an alternative routing table for traffic coming from the IP that is not supposed to go to the default GW:
>>
>> # ip route add 0.0.0.0/0 via 1.2.3.254 table 200
>>
>> Then, ask Linux to use that routing table whenever the source of the traffic is from 1.2.3.4:
>>
>> # ip rule add from 1.2.3.4 table 200

ok, shimi - you were correct, i confused the ip address and the gw address.
it works now

Thanks,
Erez,

> although the packet will come from router 1.2.3.4, the source ip on the packet is not 1.2.3.4, so this rule is useless (i also checked it and it didn't work)
> i tried also: ip rule add dev eth1 table 200 - didn't work either
> the syntax does not allow me to write 'ip rule add from dev eth1...' - i.e. can't add 'from'
> so i guess i need to tag the packets some way with an iptables rule, and then add an 'ip rule'
> or maybe someone knows of a better way.
>
> thanks shimi.
> erez.
>
>> 200 is an arbitrary number. You could use an alias for it to look nicer; if you want that, you can alias a name to a number by editing /etc/iproute2/rt_tables. There are examples there you can copy from. If you have an alias for the number, you can use it in both the ip route and ip rule commands, instead of the number.
>>
>> That's it, I believe.
>>
>> If it still doesn't work, you may be looking at the route cache. You can wait some time, or issue an:
>>
>> # ip route flush cache
>>
>> If it still doesn't work (or commands fail...), be sure to have iproute2 utilities and support in the kernel.
>>
>> Good luck,
>>
>> --
>> Shimi
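The resolution above hinges on one detail of the routing policy database: `ip rule add from <IP>` matches the source address of the packets the server itself emits, and for a reply to a connection that arrived on eth1 that source address is the address configured on eth1 (10.1.3.3 in shimi's example), not the router's address (10.1.3.254). The following is an added example written for this page, not code from the thread: a small Python model of the rule-then-table lookup that reproduces the three states Erez went through (no policy, rule keyed on the gateway address, rule keyed on eth1's own address). All addresses are constructed from the thread's 10.1.2.x/10.1.3.x example; the client address 198.51.100.7 and the connected-subnet route added to table 200 are the example's own assumptions.

```python
# Added example (not from the thread): a model of the Linux RPDB lookup that
# shows why "ip rule add from <IP>" must name the server's own eth1 address.
# Constructed topology: eth0 = 10.1.2.3/24 with router 10.1.2.254 (default),
#                       eth1 = 10.1.3.3/24 with router 10.1.3.254.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Route:
    dst: str            # destination prefix, e.g. "0.0.0.0/0"
    dev: str            # egress interface
    via: Optional[str]  # next hop; None when the destination is directly connected


@dataclass
class Rule:
    priority: int
    table: str
    src: Optional[str] = None   # "from" selector (address or prefix); None matches any source


class Rpdb:
    """Rules are tried in priority order; the first table holding a matching
    (longest-prefix) route decides. Mirrors the kernel's lookup order, not its code."""

    def __init__(self) -> None:
        self.tables = {"main": []}
        self.rules = [Rule(32766, "main")]   # the implicit "from all lookup main" rule

    def route_add(self, table: str, dst: str, dev: str, via: Optional[str] = None) -> None:
        self.tables.setdefault(table, []).append(Route(dst, dev, via))

    def rule_add(self, src: str, table: str, priority: int = 1000) -> None:
        self.rules.append(Rule(priority, table, src))
        self.rules.sort(key=lambda r: r.priority)

    def lookup(self, src: str, dst: str) -> Optional[Tuple[str, Optional[str]]]:
        for rule in self.rules:
            if rule.src is not None and ip_address(src) not in ip_network(rule.src, strict=False):
                continue                      # selector does not match this source address
            best: Optional[Route] = None
            best_len = -1
            for route in self.tables.get(rule.table, []):
                net = ip_network(route.dst, strict=False)
                if ip_address(dst) in net and net.prefixlen > best_len:
                    best, best_len = route, net.prefixlen
            if best is not None:
                return best.dev, best.via
        return None


def make_server() -> Rpdb:
    """The thread's starting point: two uplinks, one default route via router 1 (eth0)."""
    db = Rpdb()
    db.route_add("main", "10.1.2.0/24", "eth0")
    db.route_add("main", "10.1.3.0/24", "eth1")
    db.route_add("main", "0.0.0.0/0", "eth0", via="10.1.2.254")
    return db


def policy_commands(local_ip: str, subnet: str, dev: str, gateway: str, table: int = 200) -> List[str]:
    """shimi's two commands with the variables filled in, plus a connected route for
    eth1's subnet so on-link hosts are not sent to the router (assumed extra)."""
    return [
        f"ip route add {subnet} dev {dev} table {table}",
        f"ip route add 0.0.0.0/0 via {gateway} table {table}",
        f"ip rule add from {local_ip} table {table}",
    ]


def apply_policy(db: Rpdb, local_ip: str, subnet: str, dev: str, gateway: str, table: str = "200") -> None:
    """What those commands do to the model."""
    db.route_add(table, subnet, dev)
    db.route_add(table, "0.0.0.0/0", dev, via=gateway)
    db.rule_add(local_ip, table)


def reply_egress(db: Rpdb, local_ip: str, client_ip: str) -> Optional[Tuple[str, Optional[str]]]:
    """Where the server's reply goes for a connection that arrived on local_ip from
    client_ip. Replies are locally generated, so their source is the local address the
    client connected to; that is the address "ip rule from" is matched against."""
    return db.lookup(local_ip, client_ip)


if __name__ == "__main__":
    client = "198.51.100.7"                                  # constructed remote client
    plain = make_server()
    print("no policy        :", reply_egress(plain, "10.1.3.3", client))   # eth0: asymmetric
    wrong = make_server()
    apply_policy(wrong, "10.1.3.254", "10.1.3.0/24", "eth1", "10.1.3.254")  # gateway address by mistake
    print("rule from gw addr:", reply_egress(wrong, "10.1.3.3", client))   # still eth0
    good = make_server()
    apply_policy(good, "10.1.3.3", "10.1.3.0/24", "eth1", "10.1.3.254")     # eth1's own address
    print("rule from eth1 ip:", reply_egress(good, "10.1.3.3", client))    # eth1 via 10.1.3.254
    print("\n".join(policy_commands("10.1.3.3", "10.1.3.0/24", "eth1", "10.1.3.254")))
```

On a real host the equivalent check is `ip rule show` and `ip route show table 200` after the commands, and `ip route get 198.51.100.7 from 10.1.3.3` to see which gateway a reply sourced from eth1's address would take; the model's third state should match that output, while a rule keyed on 10.1.3.254 never matches because the server never sends packets from the router's address.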
Re: advanced routing q
On Wed, Sep 5, 2012 at 8:28 AM, Erez D erez0...@gmail.com wrote:
> On Mon, Aug 20, 2012 at 10:52 AM, shimi linux...@shimi.net wrote:
>> On Aug 20, 2012 9:34 AM, Erez D erez0...@gmail.com wrote:
>>> hello
>>> i have a server with two eth ports, each connects to a different router, and then to the internet.
>>> i want all normal traffic to the internet to go via router 1 (eth0), so i added a default route to it
>>> i want TCP connections coming from all over the internet to the second router (eth1) to be accepted.
>>> the problem is that although connections are coming from eth1, due to the default route, they are answered from eth0, which means a tcp connection can not be established.
>>> i know that linux has a conntrack module, can i use it to tell the kernel to answer on the same eth it got SYN from ?
>>
>> Are the two ports on the same netblock?
>
> what do you mean by that ?

I mean that one is 10.1.2.3 with netmask 255.255.255.0 and the other is 10.1.2.4 with netmask 255.255.255.0, for example. That means that they're both on the same network block.

>> If so, can they be separated to two non overlapping blocks?
>
> didn't get that

So that one would be 10.1.2.3 with netmask 255.255.255.0 and the other would be 10.1.3.3 with netmask 255.255.255.0

> i have many clients from many different ips connecting to my server. the server has two eth interfaces, with many ports open. there is no relation between eth and port, the same port can receive connections from either interface. i just want to route the relayed packets of the same connection to the eth the syn packet came from.

So, the solution I gave you in the original mail is supposed to work. I only forgot one word in the command I gave over mobile, so now I'll give the full solution when it's easier to type.

Variables (assumptions):
IP address currently going through DGW that shouldn't be: 1.2.3.4
Alternative gateway for 1.2.3.4: 1.2.3.254

First, create an alternative routing table for traffic coming from the IP that is not supposed to go to the default GW:

# ip route add 0.0.0.0/0 via 1.2.3.254 table 200

Then, ask Linux to use that routing table whenever the source of the traffic is from 1.2.3.4:

# ip rule add from 1.2.3.4 table 200

200 is an arbitrary number. You could use an alias for it to look nicer; if you want that, you can alias a name to a number by editing /etc/iproute2/rt_tables. There are examples there you can copy from. If you have an alias for the number, you can use it in both the ip route and ip rule commands, instead of the number.

That's it, I believe.

If it still doesn't work, you may be looking at the route cache. You can wait some time, or issue an:

# ip route flush cache

If it still doesn't work (or commands fail...), be sure to have iproute2 utilities and support in the kernel.

Good luck,

--
Shimi
Re: advanced routing q
On Mon, Aug 20, 2012 at 10:52 AM, shimi linux...@shimi.net wrote:
> On Aug 20, 2012 9:34 AM, Erez D erez0...@gmail.com wrote:
>> hello
>> i have a server with two eth ports, each connects to a different router, and then to the internet.
>> i want all normal traffic to the internet to go via router 1 (eth0), so i added a default route to it
>> i want TCP connections coming from all over the internet to the second router (eth1) to be accepted.
>> the problem is that although connections are coming from eth1, due to the default route, they are answered from eth0, which means a tcp connection can not be established.
>> i know that linux has a conntrack module, can i use it to tell the kernel to answer on the same eth it got SYN from ?
>
> Are the two ports on the same netblock?

what do you mean by that ?

> If so, can they be separated to two non overlapping blocks?

didn't get that

i have many clients from many different ips connecting to my server. the server has two eth interfaces, with many ports open. there is no relation between eth and port, the same port can receive connections from either interface. i just want to route the relayed packets of the same connection to the eth the syn packet came from.

> If so, I believe that would solve your problem...
>
> Otherwise, two listeners and an 'ip rule from 2nd ip lookup alt. routing table'[*], would probably do the trick...
>
> [*] syntax by heart, consult man page to be sure
>
> -- Shimi from Samsung Galaxy S II
Re: advanced routing q
We had a similar configuration issue when we switched from an old Cisco router to a new Fortigate. It was fixed by a smart support guy entirely by changing routing rules on the router.
Recheck the routing rules on your setup, I don't think you need to dive down to the kernel.

David

--
Regards,
David Ronkin
Please visit my blog: http://dronkin.blogspot.com

2012/8/20 Erez D erez0...@gmail.com
> hello
> i have a server with two eth ports, each connects to a different router, and then to the internet.
> i want all normal traffic to the internet to go via router 1 (eth0), so i added a default route to it
> i want TCP connections coming from all over the internet to the second router (eth1) to be accepted.
> the problem is that although connections are coming from eth1, due to the default route, they are answered from eth0, which means a tcp connection can not be established.
> i know that linux has a conntrack module, can i use it to tell the kernel to answer on the same eth it got SYN from ?
Re: advanced routing q
On Mon, Aug 20, 2012 at 10:03 AM, David Ronkin dron...@gmail.com wrote:
> We had a similar configuration issue when we switched from an old Cisco router to a new Fortigate. It was fixed by a smart support guy entirely by changing routing rules on the router.

it could work by the second router doing an inverse NAT, i am not sure it is possible, but it has a lot of restrictions (i.e. can't generate outbound connections ...)

> Recheck the routing rules on your setup, I don't think you need to dive down to the kernel.

it's not diving into the kernel, it is just a few ip commands.

> David
>
> --
> Regards,
> David Ronkin
> Please visit my blog: http://dronkin.blogspot.com
>
> 2012/8/20 Erez D erez0...@gmail.com
>> hello
>> i have a server with two eth ports, each connects to a different router, and then to the internet.
>> i want all normal traffic to the internet to go via router 1 (eth0), so i added a default route to it
>> i want TCP connections coming from all over the internet to the second router (eth1) to be accepted.
>> the problem is that although connections are coming from eth1, due to the default route, they are answered from eth0, which means a tcp connection can not be established.
>> i know that linux has a conntrack module, can i use it to tell the kernel to answer on the same eth it got SYN from ?
Re: advanced routing q
On Aug 20, 2012 9:34 AM, Erez D erez0...@gmail.com wrote:
> hello
> i have a server with two eth ports, each connects to a different router, and then to the internet.
> i want all normal traffic to the internet to go via router 1 (eth0), so i added a default route to it
> i want TCP connections coming from all over the internet to the second router (eth1) to be accepted.
> the problem is that although connections are coming from eth1, due to the default route, they are answered from eth0, which means a tcp connection can not be established.
> i know that linux has a conntrack module, can i use it to tell the kernel to answer on the same eth it got SYN from ?

Are the two ports on the same netblock? If so, can they be separated to two non overlapping blocks? If so, I believe that would solve your problem...

Otherwise, two listeners and an 'ip rule from 2nd ip lookup alt. routing table'[*], would probably do the trick...

[*] syntax by heart, consult man page to be sure

-- Shimi from Samsung Galaxy S II