
My ISP has given me a 187.x.x.224/29 subnet. The gateway is 187.x.x.225. I have an Ubuntu server with 6 ethernet ports. The server does NAT routing and also acts as a webserver. My plan is to have eth1 and eth2 have separate WAN IPs: 187.x.x.226 and 187.x.x.227 respectively. I want the NAT traffic to pass through 187.x.x.226, and the webserver and other local apps should listen on 187.x.x.227. But the gateway for both will be the same, which is 187.x.x.225. eth0, eth3 and eth4 face 3 different NAT networks. The NAT works fine as of now, but traffic from the NAT network and webserver traffic is forwarded only via eth1. So my question is: how can I set the route and default gateway so as to route webserver traffic through eth2?

EDIT 1: I do heavy traffic shaping on eth1, which acts as an uplink for the NAT networks. I don't want the webserver to be affected by it. My users do heavy bittorrent downloading, and always visit dodgy sites. As the eth1 IP has a domain associated with it, I find it very risky. I am planning to move the domain-attached IP to eth2 and to give an anonymous IP to eth1 (WAN link for the NAT network). The solution I am looking for is: if a request for the webserver comes in through eth2, the reply should go out of the same interface.

nixnotwin
  • Whatever the reason you think you need to do this, you're wrong. It won't work the way you expect it to work, and you're causing a nightmare for whoever comes to clean up your mess. Ask a question that describes the business objectives you're trying to achieve, and you'll end up with a much better solution. – womble Jul 16 '11 at 23:13
  • Why don't you shape on the interface for the clients instead? – 3molo Jul 17 '11 at 08:10

3 Answers


As mentioned before, the only way you're really going to be able to accomplish what you're trying to do is by using policy routing - it will allow you to set up multiple routing tables. Without "virtualizing" the routing table, per se, you're not going to be able to really get the desired outcome as you can't really have two NICs with IPs on the same subnet inside of the same routing table. You can only have one active default gateway in a routing table at a time and it will always try to egress out the interface specified in that.

It's going to require that your linux kernel supports policy routing. You'll also need the iproute2 utilities (likely either included in your distro or installed via package management).

Here are a few decent references I found:

How to automate all of this on startup depends on the linux distro being used.

Full disclosure - I ripped most of this from the first link I posted. I tested it out a bit in a VM and it seemed to work but your mileage may vary, especially since you're already doing NAT and traffic shaping.

If you've got the iproute2 utilities on your system, you can go about setting up the new routing table. In /etc/iproute2/rt_tables you'd add something similar to the following line:

1 servers

This effectively creates a new routing table named "servers" (for this example, at least). To set up your routing table, you'll need to define the local subnet route and your default route.

ip route add 187.x.x.224/29 dev eth2 src 187.x.x.227 table servers
ip route add default via 187.x.x.225 dev eth2 table servers

It should be set up but you'll need to add it to the policy routing using the ip rule command:

ip rule add from 187.x.x.227/32 table servers
ip rule add to 187.x.x.227/32 table servers

Once you've done all this you should be able to execute ip rule show and see the policy routing rule sets above the default routing table rules. You can then execute ip route flush cache to ensure the changes are committed.

haymaker
  • Your settings worked. The site is accessible from the WAN side. But it cannot be accessed within the network for which that server is the router. The domain gets resolved to the IP of `eth2`, but it gives a timeout error. – nixnotwin Jul 18 '11 at 10:50
  • Hmm. It might just be a simple routing issue. You may need to add a route to the table for your network behind the server. ex: ip route add 192.168.y.y/z dev ethX table servers -- hopefully that will work. If not it may be something iptables related. – haymaker Jul 19 '11 at 00:32
  • Adding routes for the local network solved my issue. I have 3 NAT networks, so added route for each one. Everything works fine now. – nixnotwin Jul 19 '11 at 05:24
  • Awesome! glad it worked. – haymaker Jul 19 '11 at 15:54
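The procedure from this answer, with the per-NAT-network routes that the comments turned out to need, as one re-runnable script. This is an added example, not code from the answer or from the original poster. It assumes the three NAT networks are 192.168.10.0/24, 192.168.20.0/24 and 192.168.30.0/24 on eth0, eth3 and eth4, that table id 100 is unused, and it keeps the question's redacted 187.x.x.* addresses. The NAT routes matter because a reply from 187.x.x.227 to a LAN client matches the "from 187.x.x.227" rule; if the servers table only holds the default route, that reply goes out to the ISP gateway on eth2 instead of back to the LAN, which is the timeout the comments describe. The script prints the commands by default and only executes them with APPLY=1, so it can be reviewed before it touches a production router.

```shell
#!/bin/sh
# Added example (not from the original answer): policy routing for the
# question's layout, including the NAT-network routes from the comments.
# Assumed: NAT subnets/interfaces below, table id 100 free, 187.x.x.* redacted.
# Dry run by default (prints commands); APPLY=1 executes them as root.

WAN_NET="187.x.x.224/29"
WAN_GW="187.x.x.225"
WEB_IP="187.x.x.227"
WEB_IF="eth2"
TABLE="servers"
TABLE_ID="100"                       # assumed unused id (1-252)
NAT_NETS="192.168.10.0/24:eth0 192.168.20.0/24:eth3 192.168.30.0/24:eth4"  # assumed

run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Name the table so "table servers" resolves; path overridable for testing.
register_table() {
  rt="${1:-/etc/iproute2/rt_tables}"
  if ! grep -qs "[[:space:]]$TABLE\$" "$rt"; then
    run sh -c "echo '$TABLE_ID $TABLE' >> '$rt'"
  fi
}

# Everything the "servers" table must know: the WAN link with the right
# source address, each NAT network (so replies to LAN clients stay on the
# LAN interface), and the default route via the ISP gateway on eth2.
table_routes() {
  run ip route add "$WAN_NET" dev "$WEB_IF" src "$WEB_IP" table "$TABLE"
  for entry in $NAT_NETS; do
    run ip route add "${entry%%:*}" dev "${entry##*:}" table "$TABLE"
  done
  run ip route add default via "$WAN_GW" dev "$WEB_IF" table "$TABLE"
}

# Explicit preferences keep the order deterministic across re-runs; without
# "pref", each new "ip rule add" lands in front of the rules added before it.
table_rules() {
  run ip rule add from "$WEB_IP/32" table "$TABLE" pref 100
  run ip rule add to "$WEB_IP/32" table "$TABLE" pref 101
  run ip route flush cache
}

# After APPLY=1 the lookup sourced from the web IP must report dev eth2 and
# table servers, and "ip rule show" must list the two rules above main.
check_egress() {
  run ip route get 8.8.8.8 from "$WEB_IP"
  run ip rule show
}

setup_policy_routing() {
  register_table "$@"
  table_routes
  table_rules
  check_egress
}

setup_policy_routing
```

Run it once without arguments to see the exact commands it would issue, then `APPLY=1 sh setup-servers-table.sh` as root. The `ip route get ... from 187.x.x.227` check at the end is the quickest way to confirm that traffic sourced from the webserver address now leaves on eth2 while the NAT networks, whose source addresses match no rule, still fall through to the main table and eth1 with its shaping intact.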

Set the metric on eth1 to be higher than it is on eth2. You can do this with ifconfig eth1 metric XX.

It's not clear what your purpose here is for doing this, so take note that this will make the system use eth2 instead of eth1 for all outgoing traffic. Load balancing and link aggregation between two interfaces is more complicated. Additionally, AFAIK, unless your applications can bind to specific addresses you're not going to be able to control to the level that a given application will respond on a given address.

Bacon Bits

I think to do what you'll want, you'll need to create 2 separate routing tables. One routing table (for the NAT traffic) specifies the most-preferred interface to reach the gateway as eth1; you'd use policy routing to use the second routing table for traffic with an origin of the webserver IP. The 2nd table would be the same as the first, but have a metric preferring the eth2 interface to get to your gateway.

techieb0y