Re: [Fwbuilder-discussion] SNAT
From: Vadim K. <va...@ne...> - 2011-03-29 15:44:57
2011/3/29 Usuário do Sistema <mai...@ig...>

> Thank Vadim!
>
> I've been trying your suggestion, but when I use the action Routing in a
> policy rule the following error appears:
>
> iptables v1.3.5: Unknown arg `--oif'
> Try `iptables -h' or 'iptables --help' for more information.
> *** Fatal error :
> iptables v1.3.5: Unknown arg `--oif'
> Try `iptables -h' or 'iptables --help' for more information.
>
> It seems that iptables does not accept the parameter "oif". Do you know
> about this error? Is there a workaround for routing packets from one
> interface to another?
>

Looks like iptables on your system does not support the target ROUTE. You
could recompile it to add support for this target (you need to recompile both
the kernel and the command line tool iptables).

An alternative option is to use policy routing with iproute2. We currently do
not support policy routing in fwbuilder, so you'll have to do this by hand.
Here are some URLs:

http://lartc.org/howto/

They have examples that can be useful:

http://lartc.org/howto/lartc.rpdb.html
http://lartc.org/howto/lartc.rpdb.multiple-links.html

iproute can match the source address of the packet but can not match service
(port numbers). If you can split your network so that some part would use one
ISP and the other would use the second ISP, then you can use this setup
without any iptables rules. If you want to split internet usage by port
numbers, then you should use iptables to mark packets and iproute to match
these marks to decide where they should be routed to:

http://lartc.org/howto/lartc.netfilter.html

To build iptables rules to mark packets with fwbuilder, use a policy rule with
action "Tag".

If you decide to try to build policy routing rules matching source address,
check also this post:

http://lists.netfilter.org/pipermail/netfilter/2004-November/056991.html

--vk

> thank!
>
>
> On 28 March 2011 18:50, Vadim Kurland <va...@ne...> wrote:
>
>>
>> 2011/3/28 Usuário do Sistema <mai...@ig...>
>>
>>> Hello Everyone, I'm a bit new to FwBuilder.
>>>
>>> I have a firewall (FwBuilder 4.1.3) with three network interfaces: two
>>> connections to the Internet and one to the inside network.
>>> Interface eth0: 128.2.100.134 > inside network
>>> Interface eth1: 200.247.209.9 > Internet1
>>> Interface eth2: 201.72.12.30 > Internet2
>>>
>>> The firewall gateway is 200.247.209.6 (network Internet1). When I make
>>> a SNAT from the inside network to the Internet with the field "Translated
>>> Src" filled with address 201.72.12.30, access to the Internet doesn't
>>> work, but when I fill it with 200.247.209.9 it works! I think this occurs
>>> because my gateway is on network Internet1, so my SNAT must always be
>>> done via Internet1.
>>>
>>> How can I achieve the two SNATs? One with the field "Translated Src"
>>> filled with Internet1 and the other filled with Internet2. Maybe with two
>>> gateways on my firewall?
>>>
>>>
>> It sounds like your firewall always sends packets to the Internet through
>> the gateway that belongs to "Internet1", no matter what IP address you use
>> for the SNAT (source address) translation. Perhaps your ISP "Internet1"
>> does not pass packets with a source address that does not belong to them?
>>
>> You can achieve some degree of using both internet connections if you
>> create two NAT rules with different addresses in "Translated Source" and,
>> in addition to that, make the firewall route packets translated by each
>> rule to the "right" interface. A simple static route on the machine is not
>> going to do this; you need to route packets based on which NAT rule
>> translated them.
>>
>> I have not tried this myself, but I think you could do this:
>>
>> - add two NAT rules and place an address from each internet connection
>> in Translated Source of each rule. One address per rule. Say, nat rule 1
>> uses the address from eth1 and nat rule 2 uses the address from eth2
>>
>> - make these NAT rules match some service, such as send all HTTP to one
>> ISP and everything else to another, or choose some other division of
>> services. You can use negation in the service rule element, such as
>> "! http" for "everything except http".
>>
>> - add a policy rule to match the same service you used in the first nat
>> rule, with action "Routing", and configure it to send packets to eth1.
>> Double click on the action in the GUI to open the dialog where you can edit
>> its parameters
>>
>> - add a second policy rule to match the same service as nat rule 2 with
>> action "Routing" and configure it to send packets to eth2.
>>
>> This will send packets to the "right" interface and gateway depending on
>> which NAT rule translates them.
>>
>> --vk
>>
>>
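The mark-then-route setup Vadim describes (iptables marks by service, iproute2 routes by mark), as an added example that is not part of the thread or of fwbuilder's generated output. Interface names and the Internet1 gateway are taken from the thread; the Internet2 gateway is a placeholder, and the mark and table numbers are assumed.

```shell
#!/bin/sh
# Split outbound LAN traffic over two uplinks: iptables sets a fwmark per
# service, iproute2 selects a routing table by that mark. fwbuilder's NAT
# rules are still responsible for the matching SNAT of each uplink.
set -eu

LAN_IF=eth0                                  # inside network (from thread)
ISP1_IF=eth1; ISP1_GW=200.247.209.6          # Internet1 gateway (from thread)
ISP2_IF=eth2
ISP2_GW="${ISP2_GW:-GATEWAY_OF_INTERNET2}"   # not in thread: placeholder
ISP1_MARK=1; ISP1_TABLE=101                  # marks and tables: assumed
ISP2_MARK=2; ISP2_TABLE=102

# With DRY_RUN=1 every command is printed instead of executed, so the
# generated rule set can be reviewed before it touches the firewall.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One routing table per uplink, selected by fwmark. Marking happens in the
# mangle PREROUTING chain, i.e. before the routing decision is made for
# forwarded LAN traffic. $match holds the iptables match for that uplink.
add_uplink() {
    ifc=$1; gw=$2; mark=$3; table=$4; match=$5
    run ip route replace default via "$gw" dev "$ifc" table "$table"
    run ip rule add fwmark "$mark" lookup "$table"
    # shellcheck disable=SC2086  # $match is intentionally word-split
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" $match \
        -j MARK --set-mark "$mark"
}

# Vadim's example split: HTTP via Internet1, everything else via Internet2.
# The second rule only matches packets the first one left unmarked (mark 0).
build_policy_routing() {
    add_uplink "$ISP1_IF" "$ISP1_GW" "$ISP1_MARK" "$ISP1_TABLE" "-p tcp --dport 80"
    add_uplink "$ISP2_IF" "$ISP2_GW" "$ISP2_MARK" "$ISP2_TABLE" "-m mark --mark 0"
    run ip route flush cache
}

# Caveat: strict reverse-path filtering drops replies arriving on an uplink
# the main table would not use for that peer, so check
# /proc/sys/net/ipv4/conf/*/rp_filter on both uplinks before going live.
```

Run `DRY_RUN=1 sh -c '. ./split.sh; build_policy_routing'` to review the commands, then call `build_policy_routing` without DRY_RUN to apply them.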