Mailing List Archive

Routing to DMZ with multiple ISP's
Ok, I'm hitting my head on a brick wall of my ignorance here.

I have 10 DSL routers with associated internet connections.
They are all configured to DNAT all traffic on their external
interface to one internal Router.

I'm trying to DNAT all web traffic to a webserver at 192.168.7.4
It is working for the first connection, but it fails on the remainder
What am I missing?

Each DSL router is configured with a private subnet with a matching
configuration on the router.
dsl1: 192.168.4.1/30
dsl2: 192.168.4.5/30
dsl3: 192.168.4.9/30
... and so forth.

Rather than try to explain my configuration further, I'll just give
the stripped down version of the configuration outputs from my router.

r1:~ # ip addr
2: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
inet 192.168.6.1/24 brd 192.168.6.255 scope global eth1
3: eth2: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
inet 192.168.4.2/30 brd 192.168.4.3 scope global eth2
inet 192.168.4.6/30 brd 192.168.4.7 scope global eth2:d2
inet 192.168.4.10/30 brd 192.168.4.11 scope global eth2:d3
4: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
inet 192.168.7.1/24 brd 192.168.7.255 scope global eth0

r1:~ # ip rule list
0: from all lookup local
10001: from 192.168.4.2 lookup dsl1
10002: from 192.168.4.6 lookup dsl2
10003: from 192.168.4.10 lookup dsl3
32766: from all lookup main
32767: from all lookup default

r1:~ # ip route list table dsl1
192.168.4.0/30 dev eth2 scope link src 192.168.4.2
192.168.4.4/30 dev eth2 scope link src 192.168.4.6
192.168.4.8/30 dev eth2 scope link src 192.168.4.10
192.168.7.0/24 dev eth0 scope link src 192.168.7.1
192.168.6.0/24 dev eth1 scope link src 192.168.6.1
127.0.0.0/8 dev lo scope link
default via 192.168.4.1 dev eth2

r1:~ # ip route list table dsl2
192.168.4.0/30 dev eth2 scope link src 192.168.4.2
192.168.4.4/30 dev eth2 scope link src 192.168.4.6
192.168.4.8/30 dev eth2 scope link src 192.168.4.10
192.168.7.0/24 dev eth0 scope link src 192.168.7.1
192.168.6.0/24 dev eth1 scope link src 192.168.6.1
127.0.0.0/8 dev lo scope link
default via 192.168.4.5 dev eth2

r1:~ # ip route list table dsl3
192.168.4.0/30 dev eth2 scope link src 192.168.4.2
192.168.4.4/30 dev eth2 scope link src 192.168.4.6
192.168.4.8/30 dev eth2 scope link src 192.168.4.10
192.168.7.0/24 dev eth0 scope link src 192.168.7.1
192.168.6.0/24 dev eth1 scope link src 192.168.6.1
127.0.0.0/8 dev lo scope link
default via 192.168.4.9 dev eth2

r1:~ # iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 192.168.6.1 tcp
dpt:80 to:192.168.7.4
DNAT tcp -- 0.0.0.0/0 192.168.4.2 tcp
dpt:80 to:192.168.7.4
DNAT tcp -- 0.0.0.0/0 192.168.4.6 tcp
dpt:80 to:192.168.7.4
DNAT tcp -- 0.0.0.0/0 192.168.4.10 tcp
dpt:80 to:192.168.7.4

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Re: Routing to DMZ with multiple ISP's
Hello,

Robert Ferney wrote:
>
> I have 10 DSL routers with associated internet connections.
> They are all configured to DNAT all traffic on their external
> interface to one internal Router.
>
> I'm trying to DNAT all web traffic to a webserver at 192.168.7.4
> It is working for the first connection, but it fails on the remainder
> What am I missing?

My guess is what you are missing is that the "un-DNAT" of the source
address in the reply packets from the server takes place in POSTROUTING,
too late for it to be taken into account by your routing rules, which
affect only packets generated by the internal router.

So your internal router needs to know to which gateway the reply packets
must be sent (depending on which gateway the original packet came from)
before the routing stage. This must be done in PREROUTING.

Here are two possible methods:

==============================================================
1) Match the original destination address of the incoming DNATed
connection in the reply packets. This is done with the "--ctorigdst"
option of the "conntrack" iptables match:

iptables -t mangle -A PREROUTING -i eth0 \
-m conntrack --ctstate DNAT --ctorigdst 192.168.4.2 \
-j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -i eth0 \
-m conntrack --ctstate DNAT --ctorigdst 192.168.4.6 \
-j MARK --set-mark 0x2
[...]

Then you direct the marked packets to the alternate routing table:

ip rule add fwmark 0x1 lookup dsl1
ip rule add fwmark 0x2 lookup dsl2
[...]

==============================================================
2) Mark the connections with the CONNMARK iptables target.
This requires a kernel with connection mark support, i.e. at least
version 2.6.10 or patched with patch-o-matic-ng.

iptables -t mangle -A PREROUTING -i eth2 -m state --state NEW \
-d 192.168.4.2 -p tcp --dport 80 -j CONNMARK --set-mark 0x1
iptables -t mangle -A PREROUTING -i eth2 -m state --state NEW \
-d 192.168.4.6 -p tcp --dport 80 -j CONNMARK --set-mark 0x2
[...]

This sets a "connection mark" on new _connections_ (not on individual
packets) incoming on eth2 depending on the original destination address.
Then copy the connection mark into the mark of reply packets incoming on
eth0:

iptables -t mangle -A PREROUTING -i eth0 -m connmark --mark 0x1 \
-j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i eth0 -m connmark --mark 0x2 \
-j CONNMARK --restore-mark
[...]

The "ip rule" commands are the same as in 1).
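The following is an added example, not code from either post, that models the packet path the reply describes so the failure can be reproduced on a desk rather than on the router: DNAT in nat PREROUTING, a routing decision that still sees the server's untranslated source address, and the reverse NAT applied only in POSTROUTING. Method 1 (the --ctorigdst mark plus "ip rule add fwmark ... lookup dslN") can be switched on to show how it repairs the reply path. The main-table default route is not shown in the original post; the model assumes it points at dsl1's gateway, which is consistent with only the first link working. The client address 203.0.113.10 and the Packet/Conn/Router names are constructed for this example.

```python
"""Toy model of the Netfilter/policy-routing path from the thread (added example)."""
from __future__ import annotations
from dataclasses import dataclass

# Per-link addresses from the original post: link name -> (router-side addr, ISP gateway)
LINKS = {
    "dsl1": ("192.168.4.2", "192.168.4.1"),
    "dsl2": ("192.168.4.6", "192.168.4.5"),
    "dsl3": ("192.168.4.10", "192.168.4.9"),
}
LINK_ADDRS = {addr for addr, _ in LINKS.values()}
WEBSERVER = "192.168.7.4"


@dataclass
class Packet:
    src: str
    dst: str
    in_dev: str
    mark: int = 0


@dataclass
class Conn:
    client: str
    orig_dst: str   # address the client really sent to, i.e. --ctorigdst


class Router:
    def __init__(self, mark_replies: bool):
        self.mark_replies = mark_replies        # True = method 1 from the reply is installed
        self.conntrack: dict[str, Conn] = {}    # keyed by client address (one server only)
        # "ip rule add fwmark 0xN lookup dslN": mark value -> table
        self.fwmark_rules = {i + 1: name for i, name in enumerate(LINKS)}

    def prerouting(self, pkt: Packet) -> None:
        # nat PREROUTING: DNAT port-80 traffic arriving for any link address to the server
        if pkt.in_dev == "eth2" and pkt.dst in LINK_ADDRS:
            self.conntrack[pkt.src] = Conn(pkt.src, pkt.dst)
            pkt.dst = WEBSERVER
            return
        # mangle PREROUTING on eth0: reply of a DNATed connection
        #   -m conntrack --ctstate DNAT --ctorigdst <link addr> -j MARK --set-mark N
        conn = self.conntrack.get(pkt.dst)
        if conn and self.mark_replies and pkt.in_dev == "eth0":
            for i, (addr, _gw) in enumerate(LINKS.values()):
                if conn.orig_dst == addr:
                    pkt.mark = i + 1

    def route(self, pkt: Packet) -> str:
        # "ip rule list": from <link addr> -> dslN, fwmark N -> dslN, otherwise main table
        for addr, gw in LINKS.values():
            if pkt.src == addr:
                return gw
        if pkt.mark in self.fwmark_rules:
            return LINKS[self.fwmark_rules[pkt.mark]][1]
        return LINKS["dsl1"][1]   # ASSUMED: main table's default route goes via dsl1

    def postrouting(self, pkt: Packet) -> None:
        # Reverse of the DNAT: the server's source is rewritten back to the link address.
        # This is the "un-DNAT" the reply points at, and it happens AFTER route().
        conn = self.conntrack.get(pkt.dst)
        if conn:
            pkt.src = conn.orig_dst


def reply_gateway(link: str, mark_replies: bool) -> str:
    """Gateway chosen for the server's reply to a client that came in via `link`."""
    r = Router(mark_replies)
    client = "203.0.113.10"                       # constructed client address
    r.prerouting(Packet(client, LINKS[link][0], "eth2"))   # client SYN, DNATed
    reply = Packet(WEBSERVER, client, "eth0")              # server's SYN-ACK
    r.prerouting(reply)                                    # mark, if method 1 is on
    gw = r.route(reply)                                    # src is still 192.168.7.4 here
    r.postrouting(reply)                                   # now src becomes the link addr
    assert reply.src == LINKS[link][0]
    return gw


if __name__ == "__main__":
    for link in LINKS:
        print(link, "unmarked ->", reply_gateway(link, False),
              "| marked ->", reply_gateway(link, True))
```

Without the mark, every reply falls through to the main table and leaves via dsl1's gateway, so only connections that arrived on dsl1 complete; with the mark, each reply follows the link its connection came in on. On a real router the equivalent check is "ip route get <client> from 192.168.7.4 iif eth0 mark 0x2", which should print a route via the dsl2 gateway once the fwmark rule is in place.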