IPtables and 2 ISP's

Solidus

I've been having this problem for months now and can't seem to fix it.

I have a debian firewall with 2 routers connected to it.
One runs our Webafrica account and the other an IS account, I can only access the router with the Webafrica account as the other one is controlled by IS themselves.

I'm a major networking noob and these routers are configured with various scripts which write settings to iptables. Now the problem I'm having is, I can only use the 1Mb IS line and all attempts to switch over to the 4Mb have been fruitless.

Can anyone help me?
 
output of:

ifconfig

and

route -n

?

I think it would rather be a routing issue, otherwise for iptables output:

iptables -L -n
iptables -L -n -t nat
 
I assume routing looks like:

eth0 - to IS
eth1 - to 4mb
eth2 - local network

Do speedtest at www.speedtest.net before you make the below changes and compare (without any proxy):

route add -net 69.17.117.0/24 dev eth1

This will push www.speedtest.net through what I assume is your 4mb account. Once you are happy you found the right interface, do a traceroute to get the IP of your gateway.

If this doesn't work, check that iptables is not mangling the packets via

iptables -L -n -t mangle
 
Ok, I've done that but now I'm getting a "No Route to Host" for speedtest.

The iptables -L -n -t mangle yields this:

Code:
Chain PREROUTING (policy ACCEPT)
 
Ok, to save yourself the hassle, physically trace out the cables so you know which goes to which router and interface, i.e. eth0 - IS or whatever. Then you can do the correct routing.

Also, don't show your public IPs in future. I would edit your previous post if I were you; there are a few bored people who would take up the challenge on your IP.

The mangle rules work in conjunction with iproute2; an "ip route ls" would show how and where these are going. Once you've got the correct interface you can change those.
 
Your firewall's default route is set to use the IS connection:
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         196.36.10.113   0.0.0.0         UG    0      0        0 eth0
Don't you just need to change the default route to switch to the 4Mb line? What have you tried thus far?
 
Ok, to save yourself the hassle, physically trace out the cables so you know which goes to which router and interface, i.e. eth0 - IS or whatever. Then you can do the correct routing.

Also, don't show your public IPs in future. I would edit your previous post if I were you; there are a few bored people who would take up the challenge on your IP.

The mangle rules work in conjunction with iproute2; an "ip route ls" would show how and where these are going. Once you've got the correct interface you can change those.

Thanks for your help man and the advice.

I have traced the cables and eth0 is IS, eth1 Webafrica, eth2, network.
How do I go about changing the routing? This is where I don't like fiddling, for fear of breaking it.
 
Your firewall's default route is set to use the IS connection:
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         196.36.10.113   0.0.0.0         UG    0      0        0 eth0
Don't you just need to change the default route to switch to the 4Mb line? What have you tried thus far?

How do I change the gateway route?

All I've done thus far is fiddle with a saved IPtables file, which renders my connection inactive.
 
Your firewall's default route is set to use the IS connection:
Code:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         196.36.10.113   0.0.0.0         UG    0      0        0 eth0
Don't you just need to change the default route to switch to the 4Mb line? What have you tried thus far?

If just the network segment going to www.speedtest.net doesn't work, why change the entire gateway?
 
A network reload will put your old system back; the commands don't commit anything.

I've tried the reload, I know iptables are flushed on a reboot, yes.
But once the machine is back up I have no internet connection at all.
Then I'm forced to restore a saved iptables file which routes everything out the IS line.
 
I've tried the reload, I know iptables are flushed on a reboot, yes.
But once the machine is back up I have no internet connection at all.
Then I'm forced to restore a saved iptables file which routes everything out the IS line.

Keep a backup of your confs and comment out anything you see that includes 80, 443. This way you can get past the overly complex iproute stuff and keep your connection much the same without dropping your tunnels etc. I saw, before you deleted it, that iptables was setting a mangle bit for 80 and 443.
 
Thanks s0lar, I'll see if I can make sense of it.
I don't know why I can't grasp this, it's like my kryptonite or something.
 
Thanks s0lar, I'll see if I can make sense of it.
I don't know why I can't grasp this, it's like my kryptonite or something.

It's pretty hardcore, but a good setup you have there. As per the routing guide:

Netfilter allows us to filter packets, or mangle their headers. One special feature is that we can mark a packet with a number. This is done with the --set-mark facility.

As an example, this command marks all packets destined for port 25, outgoing mail:

# iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 25 \
-j MARK --set-mark 1

Let's say that we have multiple connections, one that is fast (and expensive, per megabyte) and one that is slower, but flat fee. We would most certainly like outgoing mail to go via the cheap route.

We've already marked the packets with a '1', we now instruct the routing policy database to act on this:

# echo 201 mail.out >> /etc/iproute2/rt_tables
# ip rule add fwmark 1 table mail.out
# ip rule ls
0: from all lookup local
32764: from all fwmark 1 lookup mail.out
32766: from all lookup main
32767: from all lookup default

So if you comment out the "--set-mark" where you have 80 and 443, the "route add -net" I gave you earlier will route it over the 4mb line. Finished! Good luck then.
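To make the routing guide's recipe concrete for this setup, here is an added example script (mine, not from the thread, the routing guide it quotes, or the firewall's own scripts). It marks LAN web traffic on ports 80 and 443 in the mangle table, sends marked packets to a separate routing table whose only route is a default via the 4Mb gateway, and leaves table main (the IS default route) untouched. Interface roles are the ones traced in the thread (eth0 IS, eth1 Webafrica, eth2 LAN); the gateway 192.0.2.1, table 201/webafrica and mark 1 are assumed placeholders; the MASQUERADE and rp_filter steps are additions the thread does not mention but that a split-uplink setup needs. It prints the commands by default (DRY_RUN=1), so nothing changes until you have read the plan.

```shell
#!/bin/sh
# Added example, not from the thread or the routing guide it quotes: route the LAN's
# web traffic (ports 80 and 443) over the 4Mb line with an iptables fwmark plus an
# iproute2 rule and table, while everything else keeps the IS default route (eth0).
# Interface roles follow the thread (eth0 IS, eth1 Webafrica, eth2 LAN). The gateway
# address, table id/name and mark value are ASSUMED placeholders; set WA_GW to the
# real eth1 gateway (the traceroute hop suggested earlier in the thread).

WA_IF="${WA_IF:-eth1}"          # 4Mb Webafrica line
LAN_IF="${LAN_IF:-eth2}"        # local network
WA_GW="${WA_GW:-192.0.2.1}"     # PLACEHOLDER (TEST-NET-1), not a real gateway
WA_TABLE_ID="${WA_TABLE_ID:-201}"
WA_TABLE="${WA_TABLE:-webafrica}"
FWMARK="${FWMARK:-1}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
DRY_RUN="${DRY_RUN:-1}"         # 1 = print the commands only; DRY_RUN=0 applies them

# run CMD ARGS...: echo the command, then execute it unless DRY_RUN=1.
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# ensure_rt_table: register "ID NAME" in rt_tables once, so "table webafrica" resolves.
ensure_rt_table() {
    if ! grep -qs "^${WA_TABLE_ID}[[:space:]][[:space:]]*${WA_TABLE}\$" "$RT_TABLES"; then
        printf 'echo "%s %s" >> %s\n' "$WA_TABLE_ID" "$WA_TABLE" "$RT_TABLES"
        [ "$DRY_RUN" = "1" ] || printf '%s %s\n' "$WA_TABLE_ID" "$WA_TABLE" >> "$RT_TABLES"
    fi
}

apply_policy_routing() {
    ensure_rt_table
    # 1. Mark LAN-originated web traffic in the mangle table (the --set-mark facility).
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp -m multiport --dports 80,443 \
        -j MARK --set-mark "$FWMARK"
    # 2. Marked packets are looked up in the alternate table instead of main.
    run ip rule add fwmark "$FWMARK" table "$WA_TABLE"
    # 3. That table holds a single default route via the 4Mb gateway.
    run ip route add default via "$WA_GW" dev "$WA_IF" table "$WA_TABLE"
    # 4. Source-NAT what leaves eth1, so replies come back on the line they left by.
    run iptables -t nat -A POSTROUTING -o "$WA_IF" -j MASQUERADE
    # 5. Loose reverse-path filtering on eth1 so asymmetric return traffic isn't dropped.
    run sysctl -w "net.ipv4.conf.${WA_IF}.rp_filter=2"
    run ip route flush cache
}

# revert_policy_routing: remove the pieces in reverse order. The kernel keeps none of
# this across a reboot; the rt_tables line is the only persistent change and is harmless.
revert_policy_routing() {
    run ip rule del fwmark "$FWMARK" table "$WA_TABLE"
    run ip route flush table "$WA_TABLE"
    run iptables -t mangle -D PREROUTING -i "$LAN_IF" -p tcp -m multiport --dports 80,443 \
        -j MARK --set-mark "$FWMARK"
    run iptables -t nat -D POSTROUTING -o "$WA_IF" -j MASQUERADE
}

# plan_line N: the N-th command apply_policy_routing would issue, computed in a
# subshell with DRY_RUN forced on and a non-existent rt_tables, so nothing changes.
plan_line() {
    ( DRY_RUN=1; RT_TABLES=/nonexistent/rt_tables; apply_policy_routing ) | sed -n "${1}p"
}

# Stand-alone use: prints the plan by default; DRY_RUN=0 applies it, REVERT=1 undoes it.
if [ "${REVERT:-0}" = "1" ]; then revert_policy_routing; else apply_policy_routing; fi
```

Run it as-is to see the plan, then `DRY_RUN=0 WA_GW=<eth1 gateway> sh policy-route.sh` to apply and `REVERT=1 DRY_RUN=0 sh policy-route.sh` to back out; a reboot also clears everything except the rt_tables line. The table gets an explicit `via` gateway on purpose: a route like `route add -net ... dev eth1` with no gateway makes the kernel ARP for the remote network directly on eth1, which the router won't answer unless it does proxy ARP.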
 