[NTLUG:Discuss] routing concept
terry
trryhend at gmail.com
Sat Mar 1 19:33:13 CST 2008
On Sat, Mar 1, 2008 at 7:27 PM, terry <trryhend at gmail.com> wrote:
>
> On Sat, Mar 1, 2008 at 7:18 PM, terry <trryhend at gmail.com> wrote:
> >
> > On Sat, Mar 1, 2008 at 12:39 PM, Richard <ntlug at rain4us.net> wrote:
> > >
> > > On Fri, Feb 29, 2008 at 4:03 PM, Richard <ntlug at rain4us.net> wrote:
> > > > > I'm struggling with a routing concept and I'm wondering what the
> > > > > best way to implement this would be.
> > > > >
> > > > > I have an internet connection that has been assigned a SINGLE ip
> > > > > address on a class C subnet. Then I have a /29 subnet being
> > > > > routed TO that single ip address on the class C subnet.
> > >
> > > [best viewed with a non-proportional based font]
> > >
> > > ______
> > > \ | |
> > > I \4.2.2.1 4.2.2.3| |
> > > S |--------------------| |eth1
> > > P | eth0| |------
> > > / | |
> > > | |
> > > hdlc0| |
> > > To ISP#1<-----------|______|
> > >
> > >
> > >
> > > Let me see if I can explain this better. Let's say that I've been given
> > > a real world IP address of 4.2.2.3 with a gateway of 4.2.2.1. Getting
> > > that bound is easy and works.
> > >
> > >
> > > Now let's say that the ISP is routing 5.2.2.0/29 to me. (That leaves
> > > me with the IP address range 5.2.2.0 - 5.2.2.7) Those ip addresses will
> > > be routed THROUGH 4.2.2.3. This means that I am going to have to bind the
> > > 5.2.2.0/29 subnet SOMEWHERE in the Linux box. Now if I just bind an IP
> > > address like 5.2.2.1 as a secondary IP address on ETH0 (eth0:1), what am I
> > > going to have to do to get the packets to route properly? I'm wondering
> > > if I'll have to set the default route of eth0:1 to be the 4.2.2.3 address.
> > >
> > > My other thought is that I'm going to have to have a different nic
> > > (whether physical or virtual) onto which to bind the addresses.
> > >
> > >
> > > ________________
> > > \ | |
> > > I \4.2.2.1 4.2.2.3|5.2.2.1 |10.x.x.x
> > > S |--------------------|-------- |---------
> > > P | eth0|eth0:1 |eth1
> > > # / |(eth0:x) |
> > > 2 / | ?Default route |
> > > | for eth0:x ? |
> > > | |
> > > hdlc0| |
> > > To ISP#1<-----------|________________|
> >
> >
> > eth0 [probably] does not need a default route
> >
> >
> >
> > >
> > > Now comes iptables, DNAT and SNAT. I am going to guess that all of my
> > > firewall rules will be based on the eth0:x interfaces (and their
> > > associated IP address). The thing is, when adding dead gateway detection
> > > ( http://www.ssi.bg/~ja/ ) into the mix, how do I handle ensuring that the
> > > outgoing packets have the proper SNAT address? The eth0 interface will
> > > need to be the one to participate in DGD since it is THAT route that would
> > > be the route that is critical if it were down, yet netfilter will be
> > > source NATing the packets from the 'internal' (eth0:x 5.2.2.x) segment.
> > > When the kernel makes a routing decision of which SNAT interface to use
> > > (hdlc0 or eth0:X) the answer can never be considered correct because
> > > eth0:X will ALWAYS be up...because it's local!
> > >
> > > Maybe I'm stuck in some circular logic...or don't have a proper grasp on
> > > this. I've come to regard ntlug as one of the BEST places for competent
> > > support so I gravitate here to resolve my issues. However, I realize that
> > > there may be a better place for me to discuss this issue? If anyone can
> > > refer me to such a place, I'd be grateful.
> > >
> > > NOTES:
> > >
> > > * 4.2.2.1, 4.2.2.2, and 4.2.2.3 are the old GTE (now verizon) dns server
> > > addresses and are NOT my addresses. 5.2.2.x is..well something I pulled
> > > out of thin air.
> > >
> > > * Other links of interest..
> > > ** http://www.experts-exchange.com/Networking/Linux_Networking/Q_21828553.html
> > > ** http://lartc.org/howto/lartc.rpdb.multiple-links.html
> > > ** http://www.experts-exchange.com/Networking/Linux_Networking/Q_21828553.html
> > >
> > > {It would be nice to have an email client that understood pmwiki
> > > formatting! :)}
> > >
> > > By the way, Patrick, thanks again for pmwiki - I live and die by the
> > > documentation I can keep in there.
> > >
> > >
> > >
> > >
> > > --
> >
> > You probably want something like:
> >
> >
> > ifconfig eth0:0 192.168.1.5
> > ifconfig eth0:1 192.168.1.6
> > ifconfig eth0:2 192.168.1.7
> > ifconfig eth0:3 192.168.1.8
> > ifconfig eth0:4 192.168.1.9
> > # PREROUTING runs before the routing decision, so it can only match the
> > # input interface (-i); -o is not accepted in that chain.
> > iptables -t nat -A PREROUTING -i eth0 -d 5.2.2.1 -p tcp -m tcp -j DNAT --to-destination 192.168.1.5
> > iptables -t nat -A PREROUTING -i eth0 -d 5.2.2.2 -p tcp -m tcp -j DNAT --to-destination 192.168.1.6
> > iptables -t nat -A PREROUTING -i eth0 -d 5.2.2.3 -p tcp -m tcp -j DNAT --to-destination 192.168.1.7
> > iptables -t nat -A PREROUTING -i eth0 -d 5.2.2.4 -p tcp -m tcp -j DNAT --to-destination 192.168.1.8
> > iptables -t nat -A PREROUTING -i eth0 -d 5.2.2.5 -p tcp -m tcp -j DNAT --to-destination 192.168.1.9
> >
> >
> > --
> > <><
> >
>
> Or maybe:
> # per-service forwarding; again -i (not -o) is the interface match in PREROUTING
> iptables -t nat -A PREROUTING -i eth0 -p tcp -d 5.2.2.1 --dport 21 -j DNAT --to-destination 192.168.1.5
> iptables -t nat -A PREROUTING -i eth0 -p tcp -d 5.2.2.2 --dport 80 -j DNAT --to-destination 192.168.1.6
> iptables -t nat -A PREROUTING -i eth0 -p tcp -d 5.2.2.3 --dport 25 -j DNAT --to-destination 192.168.1.7
> etc... ?
Sorry, my mistake, "Can't use -o with PREROUTING"
--
<><
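The layout Richard asks about (a /29 routed to a single WAN address, addresses mapped 1:1 onto internal hosts, and the question of which SNAT source the kernel will pick) as an added, self-contained example. This is not code from the thread or from either poster. It assumes, as the thread does not state, that the ISP routes 5.2.2.0/29 to the box's WAN address on eth0, that the internal hosts sit in 192.168.1.0/24 behind eth1, and that 5.2.2.1 is the router's own address from the block; the mapping table inside setup_all is constructed sample data. With DRY_RUN=1 the script prints the commands instead of running them, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example for this thread (not the original poster's code): 1:1 NAT for a
# routed /29 behind a single WAN address.
# Assumed, not taken from the thread: WAN interface eth0, internal hosts in
# 192.168.1.0/24 behind eth1, 5.2.2.1 used by the router itself.
# DRY_RUN=1 prints every command instead of executing it.

WAN_IF=${WAN_IF:-eth0}

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The /29 needs neither its own interface nor its own default route: the ISP
# already routes it to the WAN address, PREROUTING rewrites the destination
# before the routing decision, and replies follow the existing default route.
# Bind an address from the block only if the router itself must answer on it.
bind_router_address() {
    run ip addr add "$1" dev "$WAN_IF"
}

# One public address <-> one internal host.
# DNAT lives in PREROUTING, which runs before routing and therefore only knows
# the input interface (-i); -o is rejected there. SNAT lives in POSTROUTING and
# is matched on the internal source, so the kernel never has to "choose" a
# source address for that host: its new outbound connections always carry its
# public IP, and conntrack un-translates replies to DNATed connections itself.
map_host() {
    pub=$1
    int=$2
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$pub" -j DNAT --to-destination "$int"
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$int" -j SNAT --to-source "$pub"
}

# Guard against the mistake discussed in the thread: an output-interface match
# in PREROUTING. Returns 1 when a rule combines PREROUTING with -o.
check_prerouting_rule() {
    case " $* " in
        *" PREROUTING "*" -o "*) return 1 ;;
    esac
    return 0
}

setup_all() {
    run sysctl -w net.ipv4.ip_forward=1
    bind_router_address 5.2.2.1/29
    # public address -> internal host, one mapping per line (constructed sample)
    while read -r pub int; do
        map_host "$pub" "$int"
    done <<EOF
5.2.2.2 192.168.1.6
5.2.2.3 192.168.1.7
5.2.2.4 192.168.1.8
5.2.2.5 192.168.1.9
EOF
}

# Apply only when asked explicitly:  ./nat29.sh apply
# Preview first:                     DRY_RUN=1 ./nat29.sh apply
if [ "${1:-}" = "apply" ]; then
    setup_all
fi
```

The explicit --to-source per host is what removes the "which SNAT address will the kernel pick" problem from the thread: the source is fixed by the rule, not by the routing decision, and the dead-gateway-detection question then only concerns the default route itself, not the addresses.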