Adventures in Ubuntu systems administration

Archive for November, 2009

Multi gateway routing with iptables and iproute2

Notes on multi gateway routing with iptables and iproute2; suggestions and corrections gladly accepted. My notes may be incomplete or just plain wrong, as I pieced them together after getting it working.

Running on Ubuntu 9.10 with two internet connections, ppp0 and ppp1, both with static IPs from two different internet providers in Australia (iiNet and Internode).

Preparation:

Extra ip route tables per gateway.

Add tables to /etc/iproute2/rt_tables. Table names and numbers can be anything as long as they are consistent later on.

echo -e "101 connection1\n102 connection2" | sudo tee -a /etc/iproute2/rt_tables

Add routes to the extra route tables: copy the local routes from the main table, then add the default gateway specific to each connection. Replace the variables at the beginning with your own settings.

#!/bin/sh
# Per-connection settings; adjust to your own links.
TABLE1=connection1
DEV1=ppp0
IP1=100.0.1.1
GW1=100.0.1.254
TABLE2=connection2
DEV2=ppp1
IP2=100.0.2.1
GW2=100.0.2.254
# Start from empty tables so the script can be re-run safely.
ip route flush table $TABLE1
ip route flush table $TABLE2
# Copy the local (non-default, non-ppp) routes from the main table into both tables.
ip route show table main | grep -Ev '(^default|ppp)' | while read ROUTE ; do
    ip route add table $TABLE1 $ROUTE
    ip route add table $TABLE2 $ROUTE
done
# Host route to each gateway over its own link, then that link's default route.
ip route add table $TABLE1 $GW1 dev $DEV1 src $IP1
ip route add table $TABLE2 $GW2 dev $DEV2 src $IP2
ip route add table $TABLE1 default via $GW1
ip route add table $TABLE2 default via $GW2

ip route output:

~# ip route show
100.0.1.254 dev ppp0  proto kernel  scope link  src 100.0.1.1
100.0.2.254 dev ppp1  proto kernel  scope link  src 100.0.2.1
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
default via 100.0.1.254 dev ppp0
~# ip route show table connection1
100.0.1.254 dev ppp0  proto kernel  scope link  src 100.0.1.1
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
default via 100.0.1.254 dev ppp0

~# ip route show table connection2
100.0.2.254 dev ppp1  proto kernel  scope link  src 100.0.2.1
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1
default via 100.0.2.254 dev ppp1

Add the ip rules:

ip rule add from 100.0.1.1 lookup connection1
ip rule add from 100.0.2.1 lookup connection2
ip rule add fwmark 1 lookup connection1
ip rule add fwmark 2 lookup connection2

Add the iptables rules for SNAT (these live in the nat table, so -t nat is required):

iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source 100.0.1.1
iptables -t nat -A POSTROUTING -o ppp1 -j SNAT --to-source 100.0.2.1

And finally add the rules, in the mangle table, that mark each connection with the link it should go out on. The first PREROUTING rule is for packets we forward, so they are returned via the interface they were received on. The OUTPUT rule does the same for packets handled on this PC. We only want to mark new packets and restore marks on established connections, else the packets

-A PREROUTING          -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
-A OUTPUT              -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
-A PREROUTING -i ppp0  -m state --state NEW                 -j CONNMARK --set-mark 1
-A PREROUTING -i ppp1  -m state --state NEW                 -j CONNMARK --set-mark 2
-A PREROUTING -m connmark --mark 1                          -j MARK --set-mark 1
-A PREROUTING -m connmark --mark 2                          -j MARK --set-mark 2
-A PREROUTING -m state --state NEW -m connmark ! --mark 0   -j CONNMARK --save-mark

Selective routing:

To send selected outgoing traffic via a specific table (here, web traffic from the LAN via connection2). Note that these rules only set the connmark: if they are appended after the MARK rules above, the first packet of each connection carries no fwmark and is still routed via the main table, so place them before the connmark-to-MARK copy rules (or follow them with a matching MARK rule):

-A PREROUTING -i eth0 -m state --state NEW -p tcp --dport  80 -j CONNMARK --set-mark 2
-A PREROUTING -i eth0 -m state --state NEW -p tcp --dport 443 -j CONNMARK --set-mark 2
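As an added example that is not from the post, the following Python models the decision chain the rules above implement: the mangle marking of a packet, then the ip rule lookup falling through from the "from" rules to the fwmark rules to main, then the longest-prefix match inside the chosen table. The tables, marks and rules are the page's; the remote address 203.0.113.9 is constructed, and the model assumes the selective rules set the fwmark as well as the connmark (the intended behaviour).

```python
import ipaddress

# Constructed model of the page's set-up (example code, not the author's).
# Route tables as (prefix, out_dev), taken from the ip route output above.
TABLES = {
    "main": [("100.0.1.254/32", "ppp0"), ("100.0.2.254/32", "ppp1"),
             ("192.168.1.0/24", "eth0"), ("0.0.0.0/0", "ppp0")],
    "connection1": [("100.0.1.254/32", "ppp0"), ("192.168.1.0/24", "eth0"),
                    ("0.0.0.0/0", "ppp0")],
    "connection2": [("100.0.2.254/32", "ppp1"), ("192.168.1.0/24", "eth0"),
                    ("0.0.0.0/0", "ppp1")],
}
# ip rule entries in priority order; "from all lookup main" is the built-in fallback.
RULES = [("from", "100.0.1.1", "connection1"), ("from", "100.0.2.1", "connection2"),
         ("fwmark", 1, "connection1"), ("fwmark", 2, "connection2"), ("all", None, "main")]
WAN_MARK = {"ppp0": 1, "ppp1": 2}  # -i ppp0 NEW -> mark 1, -i ppp1 NEW -> mark 2

def mangle(conn, in_dev, state, dport=None):
    """Model the mangle PREROUTING chain: ESTABLISHED packets get the connection's
    saved mark back (--restore-mark); NEW packets set it and carry it as fwmark."""
    if state == "ESTABLISHED":
        return conn.get("mark", 0)
    mark = WAN_MARK.get(in_dev, 0)
    if in_dev == "eth0" and dport in (80, 443):
        mark = 2                          # selective routing: LAN web traffic via connection2
    conn["mark"] = mark                   # CONNMARK --set-mark / --save-mark
    return mark

def lookup(table, dst):
    """Longest-prefix match within one table; None when the table has no route."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def route(src, dst, fwmark=0):
    """Walk the RPDB rules in order; the first selected table that has a route wins."""
    for sel, val, table in RULES:
        if (sel == "from" and src != val) or (sel == "fwmark" and fwmark != val):
            continue
        dev = lookup(table, dst)
        if dev:
            return table, dev
    return None, None

def forward(conn, in_dev, state, src, dst, dport=None):
    """A packet arriving on in_dev: mark it, then choose table and egress device."""
    return route(src, dst, mangle(conn, in_dev, state, dport))
```

Running forward() twice with the same conn dict shows the point of the connmark: an inbound connection that arrived on ppp1 has its reply sent back out ppp1, whereas the same reply with no fwmark would fall through to main and leave via ppp0.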


References:

http://www.clintoneast.com/articles/multihomed.php

http://linux-ip.net/html/adv-multi-internet.html


Ubuntu 9.10 impressions, extra packages.

I updated my main laptop to Ubuntu 9.10 on its release. It called for a fresh install as this laptop gets a lot of crap installed left, right and centre, and an upgrade was not going to clean it up. (Apache, Nginx and Lighttpd, Tomcat, NetBeans all installed and starting on bootup, argh, plus many self-compiled packages I installed without keeping track of.)

The only bug I have been hit by was #446146: a Huawei E169 USB modem here only shows up as a memory card reader. A quick install of one of the kernel packages listed fixed this for me though.

One PC, after the upgrade, was trying to detect the hard drives as part of a fakeraid setup and would fail to boot. Booted with the previous kernel, removed dmraid, rebooted and she's all good.

And gscan2pdf needed three packages from Jaunty to save as PDF again:

  • libmagickcore1_6.4.5.4.dfsg1-1ubuntu3.1_amd64.deb
  • libmagickwand1_6.4.5.4.dfsg1-1ubuntu3.1_amd64.deb
  • perlmagick_6.4.5.4.dfsg1-1ubuntu3.1_amd64.deb

I am really impressed with the direction that the boot theming is taking, well done Scott and team. Nvidia black redraw issues have gone away too. Sound is working better for me; it is easier to select the speakers I want to output to. Haven't tried Ubuntu One yet as most of my family is already using Dropbox. Will probably try it for backing up some app data though.

The nvidia-settings tool would not save my settings for two monitors to xorg.conf as it could not parse it. So I instead just replaced the Screen section in xorg.conf with the following, and the extra monitor is now auto-detected and the desktop expanded onto it:

Section "Screen"
    Identifier    "Default Screen"
    DefaultDepth    24
    Option         "TwinView" "1"
    Option         "TwinViewXineramaInfoOrder" "DFP, CRT"
    Option         "metamodes" "DFP: nvidia-auto-select +0+0, CRT: nvidia-auto-select +1280+0"
    SubSection     "Display"
        Depth       24
    EndSubSection
EndSection

I still have to work out how to slow down my mouse further in X, as the slowest I can set it to in Gnome is still too fast at times.

And in case anybody would like to compare notes, these are the packages I have installed/removed in the first couple of days (some from PPAs, etc).

Installed:

cowbell
bash-completion
vim
vim-gnome
screen
mc
gwibber
inkscape
chromium
virtualbox-3.0
gvim
fontypython
nautilus-dropbox
conky
wine1.2
cups-pdf
gnome-do
shutter
libnss3-tools
gstm
gscan2pdf
nmap
thewidgetfactory
agave

Removed:

latex-xft-fonts
ttf-thai-tlwg
ttf-kacst
ttf-indic-fonts-core
ttf-lao
ttf-wqy-zenhei
ttf-vlgothic
ttf-unfonts-core
f-spot

I removed the list of fonts to see 1) what would happen, 2) because my default font list was cluttered, and 3) because I can't understand any of those languages anyway.