redirect routing on non-default interface

Applications IP Networking
1

Hello list membes

I have a linux running firewall/router machine, connecting LAN to the internet with two interfaces (no load balancing or other connections). One is a fast connection with dynamic IP (ADSL) which is the default route, the other is a static IP (T3) connection (used for mail sever and other services available from www).
Additional I want to provide our intranet (located in the LAN) access to workes outside the office, using a port on the static firewall IP, which will be redirected (dnat) by iptables prerouting rule and allowed forwarding to LAN intranet sever port.
The scenario is woking when the T3 connection is default gateway in the main routing table. It is not working when I switch the default gateway to the ADSL connection.
The incoming packets are trackable with tcpdump and dnat redirect in the prerouting table is working (notification in syslog by iptables). Missing are the packets on the interface to LAN and the forwarding notification by iptables is also missing. So I think this is a routing problem.

I hope someone can help, or getting me clues what to check.

Thank you,

Oliver

Here is some information on the network topology and snips from the routing/firewall script:

                                  /-------------------\
                                  |       DMZ         |
                                  |  static IP        |
                                  \-------------------/
                                         |
                                       2 |
                                  /--------------------------------\
                    StaticIP      | Static IP                      |
                  /----------\  1 |                                | 0  /-----------------\
                  |    T3    | -- |       Firewall/Router          | -- |   LAN           |
                / \----------/    |                                |    |                 |
               /                  |                                |    \-----------------/
/-------\     /                   \--------------------------------/ 
|  WWW  | ---<                           |                           
\-------/     \                        3 |                           
               \                         |                           
                \ /----------\           |         
                  |   ADSL   | ---------/                 
                  \----------/                    
                    DynamicIP                              
                                                                     
                                                                     


function SetIPROUTEmain () {
   
    ExitStatus=0
    echo -en " - Setting Routing table main " >>$MessageDev
    $IP route add $LAN_IP_RANGE dev $LAN_IFACE src $LAN_IP
    ExitStatus=$(($ExitStatus+$?))
    $IP route add $ADSL_IP_RANGE dev $ADSL_IFACE src $ADSL_IP
    ExitStatus=$(($ExitStatus+$?))
    $IP route add $DMZ_IP_RANGE dev $DMZ_IFACE src $DMZ_IP
    ExitStatus=$(($ExitStatus+$?))
    $IP route add $T3_GATEWAY dev $T3_IFACE src $T3_IP
    ExitStatus=$(($ExitStatus+$?))

    $IP route add default via $ADSL_GATEWAY dev $ADSL_IFACE
    ExitStatus=$(($ExitStatus+$?))

    $IP route flush cache
    ExitStatus=$(($ExitStatus+$?))
    PRINT_EXIT_STATUS $ExitStatus
    echo >>$MessageDev
}
function SetIPROUTEadsl () {
   
    ExitStatus=0
    echo -en " - Setting Routing table ADSL " >>$MessageDev

    $IP route add $ADSL_IP_RANGE dev $ADSL_IFACE src $ADSL_IP table ADSL
    ExitStatus=$(($ExitStatus+$?))
    $IP route add $T3_GATEWAY dev $T3_IFACE src $T3_IP table ADSL
    ExitStatus=$(($ExitStatus+$?))
    $IP route add $DMZ_IP_RANGE dev $DMZ_IFACE src $DMZ_IP table ADSL
    ExitStatus=$(($ExitStatus+$?))
    $IP route add $LAN_IP_RANGE dev $LAN_IFACE src $LAN_IP table ADSL
    ExitStatus=$(($ExitStatus+$?))
    $IP route add $LO_IP_RANGE dev $LO_IFACE src $LO_IP table ADSL
    ExitStatus=$(($ExitStatus+$?))
    $IP route add default via $ADSL_GATEWAY dev $ADSL_IFACE table ADSL
    ExitStatus=$(($ExitStatus+$?))

    $IP rule add from $ADSL_IP table ADSL
    ExitStatus=$(($ExitStatus+$?))

    $IP route flush cache
    ExitStatus=$(($ExitStatus+$?))
    PRINT_EXIT_STATUS $ExitStatus
    echo >>$MessageDev
   
}   
function SetIPROUTEt3 () {
   
    ExitStatus=0
    echo -en " - Setting Routing table T3 " >>$MessageDev

    $IP route add $ADSL_IP_RANGE dev $ADSL_IFACE src $ADSL_IP table T3
    ExitStatus=$(($ExitStatus+$?))
    $IP route add $T3_GATEWAY dev $T3_IFACE src $T3_IP table T3
    ExitStatus=$(($ExitStatus+$?))
    $IP route add $DMZ_IP_RANGE dev $DMZ_IFACE src $DMZ_IP table T3
    ExitStatus=$(($ExitStatus+$?))
    $IP route add $LAN_IP_RANGE dev $LAN_IFACE src $LAN_IP table T3
    ExitStatus=$(($ExitStatus+$?))
    $IP route add $LO_IP_RANGE dev $LO_IFACE src $LO_IP table T3
    ExitStatus=$(($ExitStatus+$?))
    $IP route add default via $T3_GATEWAY dev $T3_IFACE table T3
    ExitStatus=$(($ExitStatus+$?))

    $IP rule add from $T3_IP table T3
    ExitStatus=$(($ExitStatus+$?))
    $IP rule add from $DMZ_IP_RANGE table T3
    ExitStatus=$(($ExitStatus+$?))
 
    $IP route flush cache
    ExitStatus=$(($ExitStatus+$?))
    PRINT_EXIT_STATUS $ExitStatus
    echo >>$MessageDev
   
}   



function IPT_Intranet () {

    #-------------------------------------------------------------------------------
    # Pierce Port 20080 to Intranet WWW
    if [ "$Enable_INTRANET" = "y" ] ; then
   
        ExitStatus=0
        echo -ne " - Establish INTRANET rules " >>$MessageDev

        $IPTABLES -t nat -A PREROUTING -p TCP -i $T3_IFACE --dport 20080 -j LOG --log-prefix "DNAT 20080:"
        ExitStatus=$(($ExitStatus+$?))
        $IPTABLES -t nat -A PREROUTING -p TCP -i $T3_IFACE -d $DMZ2_IP --dport 20080 -j DNAT --to-destination $WWW_SERVER_IP:81
        ExitStatus=$(($ExitStatus+$?))
   
        $IPTABLES -A FORWARD -p TCP  -d $WWW_SERVER_IP -j LOG --log-level DEBUG --log-prefix "IPT FORWARD INTRANET:"
        ExitStatus=$(($ExitStatus+$?))
        $IPTABLES -A FORWARD -p TCP -i $T3_IFACE -d $WWW_SERVER_IP -o $LAN_IFACE --dport 81 -j ACCEPT
        ExitStatus=$(($ExitStatus+$?))

        PRINT_EXIT_STATUS $ExitStatus
        echo >>$MessageDev
   
    fi

}
2

Nothing is obvious to me. What do tables T3 and ADSL look like?

3

Both tables T3 and ADSL are mostly the same, except for the default route which is set to T3 or ADSL interface accordingly.
The main table contains all routing information like also T3 and ADSL tables do, but also contains iprules to use specific tables for incoming traffic on T3 or ADSL interface.
The T3 interface is connected with a static IP router to the providers network (and internet). The ADSL interface is connected via a common DSL modem/router.

firewall:~# ip route list
XXX.XXX.250.185 dev eth1  scope link  src XXX.XXX.250.186
XXX.XXX.250.184/29 dev eth2  scope link  src XXX.XXX.250.186
192.168.11.0/24 dev eth3  scope link  src 192.168.11.9
192.168.10.0/24 dev eth0  scope link  src 192.168.10.9
default via 192.168.11.92 dev eth3

firewall:~# ip route list table ADSL
XXX.XXX.250.185 dev eth1  scope link  src XXX.XXX.250.186
XXX.XXX.250.184/29 dev eth2  scope link  src XXX.XXX.250.186
192.168.11.0/24 dev eth3  scope link  src 192.168.11.9
192.168.10.0/24 dev eth0  scope link  src 192.168.10.9
127.0.0.0/8 dev lo  scope link  src 127.0.0.1
default via 192.168.11.92 dev eth3

firewall:~# ip route list table T3
XXX.XXX.250.185 dev eth1  scope link  src XXX.XXX.250.186
XXX.XXX.250.184/29 dev eth2  scope link  src XXX.XXX.250.186
192.168.11.0/24 dev eth3  scope link  src 192.168.11.9
192.168.10.0/24 dev eth0  scope link  src 192.168.10.9
127.0.0.0/8 dev lo  scope link  src 127.0.0.1
default via XXX.XXX.250.185 dev eth1
4

I noticed there were no follow ups. Have you solved this problem yet?

5

The issue is not solved yet.
Based on a discussion on another forum I tried policy routing on incoming interface without success. Now packet marking and policy routing is up to a try.

You can follow the other thread:
[other] redirect routing on non-default interface - Ubuntu Forums