Page 69 - DCAP106_OPERATING_SYSTEM_TOOLS
Operating System Tools
Notes: The DSL IP on masq-gw will be 67.17.28.12 with a gateway of 67.17.28.14. Let us suppose that this is for outbound connectivity only, and that the IP is active on eth4 of the masq-gw machine.
Before starting, let us outline the process:
1. Copy the main routing table to another routing table and set the alternate default route.
2. Use iptables/ipchains to mark traffic with fwmark.
3. Add a rule to the routing policy database.
4. Test!
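The four steps above as one complete shell script. This is an added example, not a script from the textbook: it uses the page's addresses (DSL IP 67.17.28.12 on eth4, gateway 67.17.28.14), but the routing table number 7, the fwmark value 7, the decision to mark traffic from the internal host 192.168.100.17, the /24 masks and the sample main routing table are all assumptions. By default it only prints the commands (DRY_RUN=1); set DRY_RUN=0 to execute them as root on the gateway.

```shell
#!/bin/sh
# Added example (not from the textbook): outbound-only policy routing for the
# DSL link on masq-gw. Page values: DSL IP 67.17.28.12 on eth4, gateway
# 67.17.28.14. Assumed here: table 7, fwmark 7, internal host 192.168.100.17,
# /24 masks and the constructed sample main routing table below.
DSL_IP=67.17.28.12
DSL_GW=67.17.28.14
DSL_IF=eth4
TABLE=7
MARK=7
INSIDE_HOST=192.168.100.17
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them (needs root)

# Print or execute a command, so every step can be reviewed before it is applied.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: copy every non-default route of the main table into table $TABLE and
# give that table its own default route via the DSL gateway. The main table is
# passed in as text (one route per line, as "ip route show" prints it) so the
# logic can be exercised on a constructed table; on the gateway, call
#   copy_main_table "$(ip route show table main)"
copy_main_table() {
  routes=$1
  printf '%s\n' "$routes" | grep -v '^default' | while IFS= read -r route; do
    if [ -n "$route" ]; then
      # $route is deliberately unquoted: its words are separate arguments to ip.
      run ip route add table "$TABLE" $route
    fi
  done
  run ip route add table "$TABLE" default via "$DSL_GW" dev "$DSL_IF" src "$DSL_IP"
}

# Step 2: mark packets from the internal host with fwmark $MARK as they arrive.
mark_traffic() {
  run iptables -t mangle -A PREROUTING -i eth0 -s "$INSIDE_HOST" -j MARK --set-mark "$MARK"
}

# Step 3: look up marked packets in table $TABLE, and source-NAT whatever leaves
# through the DSL interface to the DSL address so the ISP sees its own range.
add_policy_rule() {
  run ip rule add fwmark "$MARK" table "$TABLE"
  run iptables -t nat -A POSTROUTING -o "$DSL_IF" -j SNAT --to-source "$DSL_IP"
  run ip route flush cache
}

# Step 4: test. On the gateway (DRY_RUN=0) these show the rule and the new table;
# a traceroute from the internal host should then show $DSL_GW as the first hop.
show_state() {
  run ip rule show
  run ip route show table "$TABLE"
}

# Constructed sample of masq-gw's main routing table (not captured from a real host).
SAMPLE_MAIN_ROUTES='192.168.100.0/24 dev eth0
205.254.211.0/24 dev eth1
67.17.28.0/24 dev eth4
default via 205.254.211.254 dev eth1'

copy_main_table "$SAMPLE_MAIN_ROUTES"
mark_traffic
add_policy_rule
show_state
```

The SNAT in step 3 is what keeps the ISP's ingress filter happy: without it, packets leaving eth4 would carry 192.168.100.17 as their source, which is outside the range the DSL provider allocated to you.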
3.2.2 Inbound Traffic Using Multiple Connections to the Internet
There are many different methods of hosting servers on multiple ISPs. If you need this sort of advanced networking, you probably already know where to research. If not, it is recommended to start your research with load balancing, global load balancing, failover, and layer 4-7 switching. These are networking tools which can facilitate the management of a highly available service.
Publishing the same service on two different ISPs can be a tough challenge. While this is possible using some of the advanced networking features under Linux, one should recognize the greater issues involved with publishing a service on two public IPs, especially if the idea is to provide service to the general Internet even if one of the ISPs goes down. If you are aware of the various difficult issues involved in managing inbound connections to a network, and still want to publish a service on two different ISPs, you’ll find the recipe below.
Before we examine the recipe, let’s look at a complex scenario to see what the crucial points are.
One other item to remember is that routing decisions are stateless.
We will assume that the client IP is a fixed IP (64.70.12.210) and we’ll discuss how this client IP would reach each of the services published on masq-gw’s two public networks. The IPs used for the services will be 67.17.28.10 and 205.254.211.17. Whether you are using NAT with iproute2 or with iptables, you’ll run across the problem outlined here. Here is the flow of the packet through masq-gw to the server and back to the client.
Inbound NAT to the Same Server Via Two Public IPs in Two Different Networks
1. inbound packet from 64.70.12.210 to 67.17.28.10 arrives on eth4
2. packet is accepted, rewritten, and routed; from 64.70.12.210 to 192.168.100.17;
   if iptables DNAT, packet is rewritten in PREROUTING chain of nat table, then routed;
   if iproute2, packet is routed and rewritten simultaneously
3. rewritten packet is transmitted out eth0
4. isolde receives packet, accepts, responds
5. inbound packet from 192.168.100.17 to 64.70.12.210
6. routing decision is made; default route (via 205.254.211.254) is selected; if iproute2 is used,
   packet is also rewritten from 67.17.28.10 to 64.70.12.210
7. if iptables DNAT is used, connection tracking will take care of rewriting this packet from
   67.17.28.10 to 64.70.12.210
8. packet is transmitted out eth1
This is the problem! The packet may have the right source address, but it is leaving through the wrong interface. Many ISPs filter traffic entering their network and will block traffic from your network with source IPs outside your allocated range. To an ISP this looks like spoofed traffic.
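A small model of the stateless routing decision in step 6, as an added example that is not part of the textbook. It shows why the reply leaves via eth1 under the main table, what a source-address rule in the routing policy database changes, and why the same rule is no help when the source is still 192.168.100.17 at routing time (the iptables DNAT case of step 7). The routing tables and rules are constructed text, the table number 7 and the /24 masks are assumptions, and only "default" and /24 routes are understood.

```shell
#!/bin/sh
# Added example (not from the textbook): a model of the stateless routing
# decision for the reply packet to 64.70.12.210, and of what a source-address
# rule in the routing policy database changes. All tables and rules are
# constructed text; table 7 is an assumed number, masks are assumed /24.
MAIN_TABLE='192.168.100.0/24 dev eth0
205.254.211.0/24 dev eth1
67.17.28.0/24 dev eth4
default via 205.254.211.254 dev eth1'

# Table 7: the same local routes, but the default route points at the DSL gateway.
DSL_TABLE='192.168.100.0/24 dev eth0
205.254.211.0/24 dev eth1
67.17.28.0/24 dev eth4
default via 67.17.28.14 dev eth4 src 67.17.28.12'

# Routing policy database as "ip rule" would list it, highest priority first.
RULES_BEFORE='from all lookup main'
# After "ip rule add from 67.17.28.10 table 7" (assumed command and table number):
RULES_AFTER='from 67.17.28.10 lookup 7
from all lookup main'

# The first rule whose "from" selector matches the source address wins.
table_for_source() {
  src=$1; rules=$2
  printf '%s\n' "$rules" | while read -r kw from lk table; do
    if [ "$from" = all ] || [ "$from" = "$src" ]; then
      printf '%s\n' "$table"
      break
    fi
  done
}

# Output device for a destination in one table: a matching /24 route wins,
# otherwise the default route (the only two kinds of route modelled here).
exit_device() {
  dst=$1; table=$2
  printf '%s\n' "$table" | while read -r prefix rest; do
    dev=${rest##*dev }; dev=${dev%% *}
    case "$prefix" in
      default) printf '%s\n' "$dev"; break ;;
      */24)
        net=${prefix%.*/24}
        case "$dst" in "$net".*) printf '%s\n' "$dev"; break ;; esac ;;
    esac
  done
}

# The decision masq-gw makes for the reply: it sees only the source address
# present at routing time and the destination, nothing about the inbound packet.
reply_exit_device() {
  src_at_routing=$1; rules=$2
  case "$(table_for_source "$src_at_routing" "$rules")" in
    main) exit_device 64.70.12.210 "$MAIN_TABLE" ;;
    7)    exit_device 64.70.12.210 "$DSL_TABLE" ;;
  esac
}

# iproute2 NAT rewrites and routes together (step 6), so the source is already
# 67.17.28.10 when the rules are consulted.
echo "iproute2, no source rule:        $(reply_exit_device 67.17.28.10 "$RULES_BEFORE")"
echo "iproute2, with source rule:      $(reply_exit_device 67.17.28.10 "$RULES_AFTER")"
# With iptables DNAT, connection tracking rewrites the source after routing
# (step 7), so the rules still see 192.168.100.17 and the rule does not match.
echo "iptables DNAT, with source rule: $(reply_exit_device 192.168.100.17 "$RULES_AFTER")"
```

The point the model makes is the one the text calls "routing decisions are stateless": a rule in the routing policy database can only select on what the packet carries at the moment it is routed. When the public address is already present (iproute2 NAT), a rule keyed on 67.17.28.10 sends the reply out eth4; when the rewrite happens after routing (iptables DNAT), the selector has to be something that is visible before routing, or the reply keeps leaving through eth1 and runs into the ISP's ingress filter.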
62 LOVELY PROFESSIONAL UNIVERSITY