
I have 3 interfaces (2 WAN, 1 local) and enabled forwarding, but only one incoming interface (ppp0) can reach the local destination. The following are my iptables commands:

iptables -t nat -A PREROUTING -i ppp0 -p tcp -m multiport --destination-ports 80,443 -j DNAT --to 10.66.66.253
iptables -t nat -A PREROUTING -i eth1 -p tcp -m multiport --destination-ports 80,443 -j DNAT --to 10.66.66.253


############

How can I let incoming traffic on eth1 reach the destination too?

Here is my ip rules and rt_tables:

root@net:~# ip rule
0:  from all lookup local
32762:  from all fwmark 0x2 lookup int0.out
32763:  from all fwmark 0x1 lookup ext0.out
32764:  from all to 61.x.x.x lookup ext0.out
32765:  from 61.x.x.x lookup ext0.out
32766:  from all lookup main
32767:  from all lookup default

root@net:~# ip route show table int0.out
default via 168.x.x.254 dev ppp0
10.66.66.0/24 dev eth2 scope link src 10.66.66.254

root@net:~# ip route show table ext0.out
default via 61.x.x.254 dev eth1
10.66.66.0/24 dev eth2 scope link src 10.66.66.254

What did I miss (or misunderstand)?

Thanks for any help!

Cloud

1 Answer

You should use the CONNMARK target in your firewall rule set to make the replies pass through the same interface on which the original packets were received. In your current configuration, even if the packets were received on the eth1 interface and DNAT'ed, the replies are routed through the default route, because the firewall mark hasn't been set.

I see you have already created additional rules for routing by firewall marks. So let's use them:

# set mark of the original redirected packets
iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 0x1
iptables -t mangle -A PREROUTING -i ppp0 -j MARK --set-mark 0x2

# save the firewall mark inside the conntrack entry (once for new connection)
iptables -t mangle -A POSTROUTING \
         -o eth2 -m conntrack --ctstate NEW \
    -j CONNMARK --save-mark

# for replies restore the firewall mark from conntrack entry
# to route replies through right interface
iptables -t mangle -A PREROUTING -i eth2 \
    -j CONNMARK --restore-mark

You can improve these rules with additional matches. You can even avoid CONNMARK entirely and use only a -m conntrack --ctstate DNAT --ctdir REPLY --ctorigdst ... match.

Also check the rp_filter setting and set it to loose mode with sysctl.

To troubleshoot issues, check the rule counters (iptables-save -c), list the conntrack table (conntrack -L) and run tcpdump.

Anton Danilov
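The full setup described in the answer, as an added example (not the asker's or the answerer's own script): it combines the CONNMARK rules, the two DNAT rules and the loose rp_filter setting into one script parameterised on the interfaces from the question. It assumes the ip rules and tables shown in the question (fwmark 0x1 -> ext0.out, 0x2 -> int0.out) are already in place, and adds ESTABLISHED,RELATED / NEW matches as the "additional matches" the answer mentions.

```sh
#!/bin/sh
# Added example: the answer's CONNMARK scheme plus the DNAT and rp_filter
# settings, parameterised on the asker's interfaces. Assumes the ip rules and
# routing tables from the question (0x1 -> ext0.out, 0x2 -> int0.out) exist.
set -eu

EXT_IF=eth1          # WAN routed by table ext0.out, fwmark 0x1
INT_IF=ppp0          # WAN routed by table int0.out, fwmark 0x2
LAN_IF=eth2
TARGET=10.66.66.253  # LAN web server from the question

# run: execute the command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

mark_rules() {
    # Mark the first packet of each inbound WAN connection by ingress interface
    # (mangle PREROUTING runs before nat PREROUTING, so this precedes the DNAT).
    run iptables -t mangle -A PREROUTING -i "$EXT_IF" -m conntrack --ctstate NEW -j MARK --set-mark 0x1
    run iptables -t mangle -A PREROUTING -i "$INT_IF" -m conntrack --ctstate NEW -j MARK --set-mark 0x2
    # Copy the mark into the conntrack entry once, as the DNAT'ed flow leaves toward the LAN.
    run iptables -t mangle -A POSTROUTING -o "$LAN_IF" -m conntrack --ctstate NEW -j CONNMARK --save-mark
    # Replies from the LAN host get the stored mark back before the routing
    # decision, so the fwmark ip rules select the table of the receiving WAN.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
}

dnat_rules() {
    for ifc in "$EXT_IF" "$INT_IF"; do
        run iptables -t nat -A PREROUTING -i "$ifc" -p tcp -m multiport --dports 80,443 -j DNAT --to-destination "$TARGET"
    done
}

# Loose reverse-path filtering (2): strict mode (1) drops packets whose source
# is not reachable back through the ingress interface, which a second WAN triggers.
rp_filter_loose() {
    for ifc in all "$EXT_IF" "$INT_IF" "$LAN_IF"; do
        run sysctl -w "net.ipv4.conf.$ifc.rp_filter=2"
    done
}

apply_all() { mark_rules; dnat_rules; rp_filter_loose; }

# count_commands: how many commands apply_all would issue (10 for these interfaces).
count_commands() { DRY_RUN=1 apply_all | wc -l | tr -d ' '; }

# Usage: "sh two-wan.sh apply" applies the rules; "DRY_RUN=1 sh two-wan.sh apply" prints them.
if [ "${1:-}" = apply ]; then apply_all; fi
```

Run it with DRY_RUN=1 first and compare the printed rules against iptables-save -c after a test connection on each WAN: the MARK and --save-mark counters should increase for the WAN that received the request, and --restore-mark for the reply.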