NetFilter

Balancing two connections

To: netfilter@lists.netfilter.org
Subject: Balancing two connections
From: D K <iptables@bigmir.net>
Date: Wed, 28 Feb 2007 17:01:25 +0200
Good day,
I have two connections to one ISP with IP addresses in different subnetworks
 (eth0 123.123.123.206/255.255.255.240 (gw 123.123.123.200)
   and eth3 123.123.123.234/255.255.255.224 (gw 123.123.123.225)).
123.123.123.* are of course not real IPs (I masked them).
And there is one connection to the LAN (eth2 10.20.30.4/255.255.255.248).
I want to set up a gateway in which the two internet connections would be like one
but wider.
I want to use the NTH or RANDOM method of netfilter to split traffic from users
 (they use IPs 192.168.32.0/24, 192.168.64.0/24, 192.168.128.0/24,
192.168.250.0/24 through the PPTP server 10.20.30.3)
 between the two internet links.
I have a problem:
 I tried to ping 111.111.111.2 (not a real IP) from 10.20.30.3 - traffic goes
with no problems via eth0, but it doesn't via eth3.
 I sniffed with tcpdump and saw that packets are going out and coming in via eth3, but
the gate doesn't put them on eth2 to send them to 10.20.30.3.
I put some markers in the iptables config (-j LOG) and here is what I got:

ping came through
[root@host user]# tailf /var/log/syslog |grep 111.111.111.2|grep iptables_
Feb 26 20:36:14 kit kernel: iptables_mangle_prerouting: IN=eth2 OUT= MAC=00:00:e8:11:18:f2:00:30:48:55:f0:15:08:00 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=11246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_nat_prerouting: IN=eth2 OUT= MAC=00:00:e8:11:18:f2:00:30:48:55:f0:15:08:00 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=11246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_mangle_forward: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_mangle_new: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_marked_0: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_after_new: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_after_ROUTE_0: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_after_ROUTE_1: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_filter_forward: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_mangle_postrouting: IN= OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_nat_postrouting: IN= OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=11246 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_mangle_prerouting: IN=eth0 OUT= MAC=00:e0:91:03:18:59:00:13:20:42:7c:f5:08:00 SRC=111.111.111.2 DST=123.123.123.206 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=17571 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_mangle_forward: IN=eth0 OUT=eth2 SRC=111.111.111.2 DST=10.20.30.3 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=17571 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_after_new: IN=eth0 OUT=eth2 SRC=111.111.111.2 DST=10.20.30.3 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=17571 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=30209


ping didn't come through
[root@host user]# tailf /var/log/syslog |grep 111.111.111.2|grep iptables_
Feb 26 20:38:26 kit kernel: iptables_mangle_prerouting: IN=eth2 OUT= MAC=00:00:e8:11:18:f2:00:30:48:55:f0:15:08:00 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_nat_prerouting: IN=eth2 OUT= MAC=00:00:e8:11:18:f2:00:30:48:55:f0:15:08:00 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_mangle_forward: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_mangle_new: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_marked_0: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_marked_1: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_after_new: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_after_ROUTE_0: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_after_ROUTE_1: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_filter_forward: IN=eth2 OUT=eth0 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_mangle_postrouting: IN= OUT=eth3 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_nat_postrouting: IN= OUT=eth3 SRC=10.20.30.3 DST=111.111.111.2 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=7823 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=30465
Feb 26 20:38:26 kit kernel: iptables_mangle_prerouting: IN=eth3 OUT= MAC=00:c0:26:aa:13:03:00:07:e9:2a:97:73:08:00 SRC=111.111.111.2 DST=123.123.123.234 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=51251 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=30465



As you can see, ICMP packets go via eth0 with no problems. But when they go
via eth3, they go out and come back, but they're lost somewhere after
iptables_mangle_prerouting.
What can it be? Maybe something should be added to the routing?


[root@host user]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.20.30.0      *               255.255.255.248 U     10     0        0 eth2
123.123.123.192 *               255.255.255.240 U     10     0        0 eth0
123.123.123.224 *               255.255.255.224 U     35     0        0 eth3
default         123.123.123.200 0.0.0.0         UG    10     0        0 eth0


Forwarding is enabled, as you can see:
[root@host user]# cat /proc/sys/net/ipv4/ip_forward
1


Here is what iptables-save says:
# Generated by iptables-save v1.3.7 on Sun Feb 18 04:53:06 2007
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -p icmp -j LOG  --log-prefix "iptables_nat_postrouting: "
-A POSTROUTING -s 123.123.123.192/255.255.255.240 -j ACCEPT
-A POSTROUTING -o eth0 -j SNAT --to-source 123.123.123.206
-A POSTROUTING -o eth3 -j SNAT --to-source 123.123.123.234
-A PREROUTING -p icmp -j LOG  --log-prefix "iptables_nat_prerouting: "
-A OUTPUT -p icmp -j LOG  --log-prefix "iptables_nat_output: "
-A POSTROUTING -p icmp -j LOG  --log-prefix "iptables_after_nat: "
COMMIT
# Completed on Sun Feb 18 04:53:06 2007
# Generated by iptables-save v1.3.7 on Sun Feb 18 04:53:06 2007
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:NEW_OUT_CONN - [0:0]
-A PREROUTING -p icmp -j LOG  --log-prefix "iptables_mangle_prerouting: "
-A INPUT -p icmp -j LOG  --log-prefix "iptables_mangle_input: "
-A FORWARD -p icmp -j LOG  --log-prefix "iptables_mangle_forward: "
-A OUTPUT -p icmp -j LOG  --log-prefix "iptables_mangle_output: "
-A POSTROUTING -p icmp -j LOG  --log-prefix "iptables_mangle_postrouting: "
-A FORWARD -d 123.123.123.192/255.255.255.240 -j ACCEPT
-A FORWARD -d 123.123.123.224/255.255.255.224 -j ACCEPT
-A FORWARD -m state --state NEW -j NEW_OUT_CONN
-A NEW_OUT_CONN -p icmp -j LOG  --log-prefix "iptables_mangle_new: "
-A NEW_OUT_CONN -j CONNMARK  --set-mark 0
-A NEW_OUT_CONN -p icmp -j LOG  --log-prefix "iptables_marked_0: "
-A NEW_OUT_CONN -m statistic -j RETURN  --mode nth --every 2 --packet 0
-A NEW_OUT_CONN -j CONNMARK  --set-mark 1
-A NEW_OUT_CONN -p icmp -j LOG  --log-prefix "iptables_marked_1: "
-A NEW_OUT_CONN -m statistic -j RETURN  --mode nth --every 2 --packet 1
-A FORWARD -p icmp -j LOG --log-prefix "iptables_after_new: "
-A FORWARD -m connmark -i eth2 -j ROUTE  --mark 0 --gw 123.123.123.200 --continue
-A FORWARD -p icmp -j LOG  --log-prefix "iptables_after_ROUTE_0: "
-A FORWARD -m connmark -i eth2 -j ROUTE  --mark 1 --gw 123.123.123.225 --continue
-A FORWARD -p icmp -j LOG  --log-prefix "iptables_after_ROUTE_1: "
COMMIT
# Completed on Sun Feb 18 04:53:06 2007
# Generated by iptables-save v1.3.7 on Sun Feb 18 04:53:06 2007
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j LOG  --log-prefix "iptables_filter_input: "
-A INPUT -i lo -j ACCEPT
-A FORWARD -p icmp -j LOG  --log-prefix "iptables_filter_forward: "
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -s 10.20.30.0/255.255.255.248 -i eth2 -j ACCEPT
-A FORWARD -d 10.20.30.0/255.255.255.248 -o eth2 -j ACCEPT
-A FORWARD -s 192.168.32.0/255.255.255.0 -i eth2 -j ACCEPT
-A FORWARD -s 192.168.64.0/255.255.255.0 -i eth2 -j ACCEPT
-A FORWARD -s 192.168.128.0/255.255.255.0 -i eth2 -j ACCEPT
-A FORWARD -s 192.168.250.0/255.255.255.0 -i eth2 -j ACCEPT
-A FORWARD -s 123.123.123.192/255.255.255.240 -i eth2 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 10.20.30.0/255.255.255.248 -i eth2 -j ACCEPT
# Don't pay attention to next one - it's for future use
-A INPUT -p tcp -m tcp -m multiport -d 123.123.123.201 -j ACCEPT --dports 21,25,53,80
-A OUTPUT -p icmp -j LOG  --log-prefix "iptables_filter_output: "
# It's for disabling traceroute through the gate (I think it should work and shouldn't stop icmp ping requests/replies)
-A OUTPUT -p icmp -m icmp -s 10.20.30.0/255.255.255.248 --icmp-type ttl-zero-during-transit -j DROP
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
COMMIT
# Completed on Sun Feb 18 04:53:06 2007



By the way, I have Mandriva 2007 installed, kernel 2.6.20 and iptables 1.3.7
patched with patch-o-matic-ng-20070217 (ROUTE enabled).

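An added check (example code written for this archive page, not part of the original mail) that replays the quoted LOG lines through a small parser: it follows each ICMP echo reply by SEQ through the iptables hooks, records the last hook it reached, and compares the interface the reply arrived on with the interface the quoted `route` table would use to reach the reply's source. A mismatch is the condition the kernel's reverse-path filter (the per-interface rp_filter sysctl under /proc/sys/net/ipv4/conf/) rejects before the packet ever reaches FORWARD, so it is worth ruling out on a multi-homed gateway before digging further into netfilter. Assumptions: the routing table and the log excerpt are copied from the mail, trimmed to the fields the parser uses.

```python
import ipaddress
import re
from collections import defaultdict

# Routing table as printed by `route` in the mail: (destination, genmask, iface).
ROUTES = [
    ("10.20.30.0", "255.255.255.248", "eth2"),
    ("123.123.123.192", "255.255.255.240", "eth0"),
    ("123.123.123.224", "255.255.255.224", "eth3"),
    ("0.0.0.0", "0.0.0.0", "eth0"),  # default via 123.123.123.200
]

# Reply-direction LOG lines quoted in the mail, trimmed to the fields used here.
LOG = """\
Feb 26 20:36:14 kit kernel: iptables_mangle_prerouting: IN=eth0 OUT= SRC=111.111.111.2 DST=123.123.123.206 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=30209
Feb 26 20:36:14 kit kernel: iptables_mangle_forward: IN=eth0 OUT=eth2 SRC=111.111.111.2 DST=10.20.30.3 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=30209
Feb 26 20:38:26 kit kernel: iptables_mangle_prerouting: IN=eth3 OUT= SRC=111.111.111.2 DST=123.123.123.234 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=30465
"""

HOOK = re.compile(r"kernel: (iptables_\w+):")
FIELD = re.compile(r"(\w+)=(\S*)")

def route_iface(dst):
    """Longest-prefix match: the interface the kernel would use to reach dst."""
    best = None
    for net, mask, iface in ROUTES:
        n = ipaddress.IPv4Network(f"{net}/{mask}")
        if ipaddress.IPv4Address(dst) in n and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, iface)
    return best[1]

def trace_replies(log):
    """Group ICMP echo replies (TYPE=0) by SEQ: {seq: [(hook, IN, SRC), ...]}."""
    flows = defaultdict(list)
    for line in log.splitlines():
        m = HOOK.search(line)
        f = dict(FIELD.findall(line))
        if m and f.get("PROTO") == "ICMP" and f.get("TYPE") == "0":
            flows[f["SEQ"]].append((m.group(1), f["IN"], f["SRC"]))
    return flows

def asymmetric_replies(log):
    """Replies whose ingress interface is not the route back to SRC (what
    rp_filter rejects); returns (seq, ingress, expected_iface, last_hook)."""
    bad = []
    for seq, hops in trace_replies(log).items():
        _, ingress, src = hops[0]
        if route_iface(src) != ingress:
            bad.append((seq, ingress, route_iface(src), hops[-1][0]))
    return bad
```

On the mail's excerpt `asymmetric_replies(LOG)` flags SEQ 30465 only: it entered on eth3 while the table routes 111.111.111.2 back out eth0, and its last hook was iptables_mangle_prerouting, matching where the author sees the packet vanish.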