# Internet Routing problem [SOLVED]

## Dreadfull2007

Hi all, I checked many topics but still couldn't make it work. Here's my config:

ifconfig:

```
eth0      Link encap:Ethernet  HWaddr 00:50:BF:B2:C1:84
          inet addr:86.55.164.100  Bcast:86.55.164.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2698100 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6347497 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:213438385 (203.5 Mb)  TX bytes:614578657 (586.1 Mb)
          Interrupt:9 Base address:0x2400

eth1      Link encap:Ethernet  HWaddr 00:50:BF:B8:07:BA
          inet addr:81.181.157.98  Bcast:81.181.157.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2688190 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36990 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:210334901 (200.5 Mb)  TX bytes:3867527 (3.6 Mb)
          Interrupt:10 Base address:0x4800

eth2      Link encap:Ethernet  HWaddr 00:50:BF:B8:07:6D
          inet addr:192.168.192.1  Bcast:192.168.192.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5203914 errors:0 dropped:0 overruns:0 frame:0
          TX packets:39574 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:428929236 (409.0 Mb)  TX bytes:2122514 (2.0 Mb)
          Interrupt:11 Base address:0x6c00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:204682 errors:0 dropped:0 overruns:0 frame:0
          TX packets:204682 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:27402793 (26.1 Mb)  TX bytes:27402793 (26.1 Mb)
```

ip addr show:

```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 3a:d4:22:09:1a:c1 brd ff:ff:ff:ff:ff:ff
3: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop qlen 32
    link/ether 2e:6c:fe:ad:bd:f4 brd ff:ff:ff:ff:ff:ff
4: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop qlen 32
    link/ether 06:f9:6e:a5:f0:f3 brd ff:ff:ff:ff:ff:ff
5: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:bf:b2:c1:84 brd ff:ff:ff:ff:ff:ff
    inet 86.55.164.100/24 brd 86.55.164.255 scope global eth0
    inet 86.55.164.101/24 brd 86.55.164.255 scope global secondary eth0
    inet 86.55.164.102/24 brd 86.55.164.255 scope global secondary eth0
    inet 86.55.164.103/24 brd 86.55.164.255 scope global secondary eth0
    inet 86.55.164.104/24 brd 86.55.164.255 scope global secondary eth0
    inet 86.55.164.105/24 brd 86.55.164.255 scope global secondary eth0
6: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:bf:b8:07:ba brd ff:ff:ff:ff:ff:ff
    inet 81.181.157.98/24 brd 81.181.157.255 scope global eth1
    inet 81.181.157.99/24 brd 81.181.157.255 scope global secondary eth1
7: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:bf:b8:07:6d brd ff:ff:ff:ff:ff:ff
    inet 192.168.192.1/24 brd 192.168.192.255 scope global eth2
    inet 192.168.192.2/24 brd 192.168.192.255 scope global secondary eth2
8: teql0: <NOARP> mtu 1500 qdisc noop qlen 100
    link/void
9: tunl0: <NOARP> mtu 1480 qdisc noop
    link/ipip 0.0.0.0 brd 0.0.0.0
10: gre0: <NOARP> mtu 1476 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0
```

iptables -L:

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain ICMP (0 references)
target     prot opt source               destination

Chain TCP (0 references)
target     prot opt source               destination

Chain UDP (0 references)
target     prot opt source               destination
```

(removed the old rules until I make it work)

iptables -t nat -L:

```
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

(tried with SNAT/DNAT too)

ip rule:

```
0:      from all lookup local
32672:  from 81.181.157.99 lookup rds
32673:  from 81.181.157.98 lookup rds
32674:  from 86.55.164.105 lookup evolva
32675:  from 86.55.164.104 lookup evolva
32677:  from 86.55.164.102 lookup evolva
32678:  from 86.55.164.101 lookup evolva
32679:  from 86.55.164.100 lookup evolva
32766:  from all lookup main
32767:  from all lookup default
```

ip route:

```
192.168.192.3 dev eth0  scope link  src 86.55.164.103
192.168.192.0/24 dev eth2  scope link  src 192.168.192.1
81.181.157.0/24 dev eth1  proto kernel  scope link  src 81.181.157.98
86.55.164.0/24 dev eth0  proto kernel  scope link  src 86.55.164.100
127.0.0.0/8 dev lo  scope link
default via 86.55.164.1 dev eth0
```

Results: pinging works, web/other don't.

tcpdump output when trying to surf the web:

```
13:34:18.963114 IP 86.55.164.103.4947 > www.yahoo.com.http: S 3191559746:3191559746(0) win 32767 <mss 1460,nop,wscale 0,nop,nop,sackOK>
13:34:21.912616 IP 86.55.164.103.4947 > www.yahoo.com.http: S 3191559746:3191559746(0) win 32767 <mss 1460,nop,wscale 0,nop,nop,sackOK>
```

By removing `192.168.192.3 dev eth0 scope link src 86.55.164.103` nothing changes, except that in traceroute (from Windows) instead of 86.55.164.103 I get 192.168.192.3 (my LAN IP).

My scheme:

```
eth0 - isp1 (gw 86.55.164.1)
eth1 - isp2 (gw 81.181.157.98)
eth2 - lan (192.168.192.1, 192.168.192.2)
```

Actually all 3 NICs are connected to the same switch (the ISPs are on the LAN too).

I'm trying to route 192.168.192.3 (myself) through 86.55.164.103, 192.168.192.4 through 86.55.164.104 and so on.

I did read tldp.org / netfilter.org / lartc.org... (weird... still nothing)

Q1: Do I need to add any IPs to a third table for eth2? (already tried)

Q2: Could it be a problem because I have two ISPs? (even if I'm currently using only one; eth1 isn't used right now)

This is what I tried for SNAT/DNAT:

```
iptables -t nat -A POSTROUTING -s 192.168.192.3 -j SNAT --to 86.55.164.103
iptables -t nat -A PREROUTING -d 86.55.164.103 -j DNAT --to 192.168.192.3
```

(with the MASQUERADE rule removed and the FORWARD rule still set to ACCEPT everything on any interface)

Thanks in advance.

P.S.: I have everything built into the kernel (NAT etc.) and:

```
/proc/sys/net/ipv4/ip_forward - 1
/proc/sys/net/ipv4/tcp_syncookies - 1
/proc/sys/net/ipv4/conf/*/rp_filter - 1
/proc/sys/net/ipv4/conf/*/accept_source_route - 1
/proc/sys/net/ipv4/conf/*/forwarding - 1
/proc/sys/net/ipv4/conf/*/mc_forwarding - 1
CONFIG_IP_MULTIPLE_TABLES - 1 (for source routing)
```

Later edit:

Tried the "easiest" way possible... still a "NO", still able to ping *only*.

ip route:

```
81.181.157.0/24 dev eth1  proto kernel  scope link  src 81.181.157.98
86.55.164.0/24 dev eth0  proto kernel  scope link  src 86.55.164.100
127.0.0.0/8 dev lo  scope link
default via 86.55.164.1 dev eth0
```

ip rule:

```
0:      from all lookup local
32764:  from 81.181.157.0/24 lookup rds
32765:  from 86.55.164.0/24 lookup evolva
32766:  from all lookup main
32767:  from all lookup default
```

iptables -L:

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

iptables -t nat -L:

```
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

ip route show table evolva:

```
86.55.164.0/24 dev eth0  scope link  src 86.55.164.100
default via 86.55.164.1 dev eth0
```

ip route show table rds:

```
81.181.157.0/24 dev eth1  scope link  src 81.181.157.98
default via 81.181.157.1 dev eth1
```

Last edited by Dreadfull2007 on Tue May 20, 2008 4:08 am; edited 1 time in total

----------

## nativemad

Hi

I have a bit different situation... two times the same ISP and two LANs...

As I remember, you don't need a third table besides the main one... You only have to tell the internal interface to look up the desired table!

ip route:

```
192.168.0.0/24 dev eth0  scope link
192.168.10.0/24 dev eth3  scope link
212.X.X.0/22 dev eth2  scope link  src 212.X.X.155  metric 20
212.X.X.0/22 dev eth1  scope link  src 212.X.X.215  metric 30
default via 212.X.X.1 dev eth2
default via 212.X.X.1 dev eth2  metric 1
default via 212.X.X.1 dev eth1  metric 2
```

ip rule:

```
0:      from all lookup local
32760:  from all fwmark 0x2 lookup T4
32761:  from all fwmark 0x1 lookup T1
32762:  from 192.168.10.0/24 lookup T4        <-------------------
32763:  from 192.168.0.0/24 lookup T1         <-------------------
32764:  from 212.X.X.155 lookup T4
32765:  from 212.X.X.215 lookup T1
32766:  from all lookup main
32767:  from all lookup default
```

ip route show table T1 (T4 looks similar for me...):

```
192.168.0.0/24 dev eth0  scope link
192.168.10.0/24 dev eth3  scope link
212.X.X.0/22 dev eth1  scope link  src 212.X.X.215
127.0.0.0/8 dev lo  scope link
default via 212.X.X.1 dev eth1
```

Hope this helps a bit... I know it's hard!

----------

## Dreadfull2007

Thanks, I'll try it right now, but what about iptables? What are you using, MASQUERADE or SNAT/DNAT? What about the FORWARD rule (should it work if the default policy is ACCEPT?)

LE:

Tried with these settings:

ip rule:

```
0:      from all lookup local
32749:  from 86.55.164.100 lookup evolva
32750:  from 81.181.157.99 lookup rds
32751:  from 81.181.157.98 lookup rds
32752:  from 86.55.164.105 lookup evolva
32753:  from 86.55.164.104 lookup evolva
32754:  from 86.55.164.103 lookup evolva
32755:  from 86.55.164.102 lookup evolva
32756:  from 86.55.164.101 lookup evolva
32766:  from all lookup main
32767:  from all lookup default
```

ip route:

```
192.168.192.0/24 dev eth2  scope link
81.181.157.0/24 dev eth1  proto kernel  scope link  src 81.181.157.98
86.55.164.0/24 dev eth0  scope link  src 86.55.164.100
127.0.0.0/8 dev lo  scope link
default via 86.55.164.1 dev eth0
```

ip route show table evolva:

```
192.168.192.0/24 dev eth2  scope link
86.55.164.0/24 dev eth0  scope link  src 86.55.164.100
127.0.0.0/8 dev lo  scope link
default via 86.55.164.1 dev eth0
```

iptables -L (FORWARD chain):

```
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
```

iptables -t nat -L:

```
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

Same result: pinging works, but that's it; tracert from Windows shows me -> 192.168.192.1 -> 86.55.164.1 (ISP gw) -> etc. (works)

- without MASQUERADE pinging doesn't work either

I feel I'm close but... still stuck.

----------

## nativemad

I don't have any fixed IPs... so it's a bit different (at least at the beginning...)! I use something like this to set it all up (I've cut out some pieces...):

```bash
#!/bin/bash
# Posted setup script, lightly commented. It assumes net-tools ifconfig
# output with "inet addr:" lines (that is what the cut pipeline parses) and
# that the tables T1 and T4 are already named in /etc/iproute2/rt_tables.
IPETH0=(`ifconfig eth0 | grep inet | cut -d ":" -f 2 | cut -d " " -f 1`)
IPETH1=(`ifconfig eth1 | grep inet | cut -d ":" -f 2 | cut -d " " -f 1`)
IPETH2=(`ifconfig eth2 | grep inet | cut -d ":" -f 2 | cut -d " " -f 1`)
IPETH3=(`ifconfig eth3 | grep inet | cut -d ":" -f 2 | cut -d " " -f 1`)
IPNET0="192.168.0.0/24"        # LAN behind IFINT0
IPNET1="192.168.10.0/24"       # LAN behind IFINT1
IPRANET="212.X.X.0/22"         # provider network (same ISP on both uplinks)
RAGATE="212.X.X.1"
IFINT0="eth0"
IFINT1="eth3"
IFEXT0="eth1"
IFEXT1="eth2"
PRIVATE="192.168.0.0/16"
LOOP=127.0.0.1

# Routes are rebuilt from scratch; rules are not flushed, so re-running the
# script appends duplicate "ip rule" entries.
ip route flush table T1
ip route flush table T4
ip route flush table main
ip route add $IPNET0 dev $IFINT0
# Table T1: uplink IFEXT0, plus the LAN and loopback routes so that traffic
# matched into T1 can still reach the internal networks.
ip route add $IPRANET dev $IFEXT0 src $IPETH1 table T1
ip route add $IPRANET dev $IFEXT0 src $IPETH1 prio 30
ip route add default via $RAGATE dev $IFEXT0 table T1
ip rule add from $IPETH1 table T1
ip route add $IPNET0 dev $IFINT0 table T1
ip route add $IPNET1 dev $IFINT1 table T1
ip route add 127.0.0.0/8 dev lo table T1
ip route add $IPNET1 dev $IFINT1
# Table T4: the same for uplink IFEXT1.
ip route add $IPRANET dev $IFEXT1 src $IPETH2 table T4
ip route add $IPRANET dev $IFEXT1 src $IPETH2 prio 20
ip route add default via $RAGATE dev $IFEXT1 table T4
ip rule add from $IPETH2 table T4
ip route add $IPNET1 dev $IFINT1 table T4
ip route add $IPNET0 dev $IFINT0 table T4
ip route add 127.0.0.0/8 dev lo table T4
# Steer each LAN to its own uplink table by source address.
ip rule add from $IPNET0 table T1
ip rule add from $IPNET1 table T4
# Main table: both uplinks as defaults with different metrics, plus a plain
# default (metric 0) that wins for traffic no rule has steered elsewhere.
ip route add default via $RAGATE dev $IFEXT0 table main prio 20
ip route add default via $RAGATE dev $IFEXT1 table main prio 10
ip route add default via $RAGATE

iptables --flush
iptables -t nat --flush
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Mark by ingress interface; the fwmark rules below send marked packets
# through the matching table even when the source address alone would not.
iptables -A PREROUTING -t mangle -i $IFINT0 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -i $IFINT1 -j MARK --set-mark 2
iptables -A PREROUTING -t mangle -i $IFEXT0 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -i $IFEXT1 -j MARK --set-mark 2
ip rule add from all fwmark 1 table T1
ip rule add from all fwmark 2 table T4
# Anti-spoofing: drop loopback and RFC 1918 sources arriving on the uplinks.
iptables -A INPUT -i $IFEXT0 -s $LOOP -j DROP
iptables -A FORWARD -i $IFEXT0 -s $LOOP -j DROP
iptables -A INPUT -i $IFEXT0 -d $LOOP -j DROP
iptables -A FORWARD -i $IFEXT0 -d $LOOP -j DROP
iptables -A INPUT -i $IFEXT1 -s $LOOP -j DROP
iptables -A FORWARD -i $IFEXT1 -s $LOOP -j DROP
iptables -A INPUT -i $IFEXT1 -d $LOOP -j DROP
iptables -A FORWARD -i $IFEXT1 -d $LOOP -j DROP
iptables -A FORWARD -i $IFEXT0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i $IFEXT0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i $IFEXT0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $IFEXT0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i $IFEXT0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $IFEXT0 -s 10.0.0.0/8 -j DROP
iptables -A FORWARD -i $IFEXT1 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i $IFEXT1 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i $IFEXT1 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $IFEXT1 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i $IFEXT1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $IFEXT1 -s 10.0.0.0/8 -j DROP
# Only our own private range may be forwarded from the internal interfaces.
# "-s !" is the old negation syntax; current iptables wants "! -s".
iptables -A FORWARD -s ! 192.168.0.0/16 -i $IFINT0 -j DROP
iptables -A FORWARD -s ! 192.168.0.0/16 -i $IFINT1 -j DROP
iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i $IFINT1 -j ACCEPT
iptables -A FORWARD -i $IFINT1 -j ACCEPT
iptables -A INPUT -i $IFINT0 -j ACCEPT
iptables -A FORWARD -i $IFINT0 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -o $IFEXT0 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -o $IFEXT1 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o $IFEXT0 -j ACCEPT
iptables -A FORWARD -m state --state NEW -o $IFEXT1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# One SNAT per LAN, tied to the uplink that LAN's table sends it out of.
iptables -t nat -A POSTROUTING -s $IPNET0 -o $IFEXT0 -j SNAT --to $IPETH1
iptables -t nat -A POSTROUTING -s $IPNET1 -o $IFEXT1 -j SNAT --to $IPETH2
```

As you see, I use SNAT.

I still miss the ip route for your internal interface...

----------
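The per-source rules, per-ISP tables and fall-through behaviour that nativemad's post and script rely on can be checked offline before touching a live router. The block below is an added example for this page, not code from either poster: a small simulator that applies `ip rule` entries in priority order and does a longest-prefix match in the chosen table, the way the kernel's FIB lookup does, and continues with the next rule when a table has no matching route. The rules and tables are constructed from the addresses posted in the thread; `EVOLVA_NO_LAN` is a constructed variant (a per-ISP table with a default route but no route for the internal interface) that shows why nativemad's T1 carries the LAN prefixes, and 203.0.113.10 (TEST-NET-3) is an assumed stand-in for an Internet host.

```python
"""Policy-routing lookup simulator (added example; addresses from the thread,
table variants and the 203.0.113.10 destination are constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net                   # destination prefix; 0.0.0.0/0 is "default"
    dev: str
    via: Optional[str] = None     # next-hop gateway, None for an on-link route


@dataclass(frozen=True)
class Rule:
    prio: int
    table: str
    src: Optional[Net] = None     # "from X"; None means "from all"
    fwmark: Optional[int] = None  # "fwmark N"; None means the rule ignores marks


def net(s: str) -> Net:
    return ipaddress.IPv4Network(s, strict=False)


def lookup_table(table: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match inside one table; None when nothing matches."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def policy_lookup(rules: List[Rule], tables: Dict[str, List[Route]],
                  src: str, dst: str, fwmark: int = 0) -> Tuple[str, Route]:
    """Walk rules by ascending priority and return (table, route).

    A rule whose table has no matching route does not end the search: the
    kernel goes on to the next rule. A per-ISP table that *does* hold a
    default route therefore swallows everything, LAN destinations included,
    unless the LAN route is present in that table too.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.src is not None and src_ip not in rule.src:
            continue
        if rule.fwmark is not None and rule.fwmark != fwmark:
            continue
        route = lookup_table(tables.get(rule.table, []), dst_ip)
        if route is not None:
            return rule.table, route
    raise LookupError(f"no route to {dst} from {src}")


# --- constructed from the addresses in the thread -------------------------
LAN, ISP1, ISP2 = net("192.168.192.0/24"), net("86.55.164.0/24"), net("81.181.157.0/24")
GW1, GW2 = "86.55.164.1", "81.181.157.1"
DEFAULT = net("0.0.0.0/0")

MAIN = [Route(LAN, "eth2"), Route(ISP2, "eth1"), Route(ISP1, "eth0"), Route(DEFAULT, "eth0", via=GW1)]
# Per-ISP table with the uplink prefix and a default, but no LAN route
# (constructed to illustrate the pitfall).
EVOLVA_NO_LAN = [Route(ISP1, "eth0"), Route(DEFAULT, "eth0", via=GW1)]
# The same table with the internal interface added, as nativemad's T1 has it.
EVOLVA = EVOLVA_NO_LAN + [Route(LAN, "eth2")]
RDS = [Route(ISP2, "eth1"), Route(LAN, "eth2"), Route(DEFAULT, "eth1", via=GW2)]

RULES = [
    Rule(32761, "rds", fwmark=2),                      # from all fwmark 0x2 lookup rds
    Rule(32762, "evolva", fwmark=1),                   # from all fwmark 0x1 lookup evolva
    Rule(32763, "evolva", src=LAN),                    # from 192.168.192.0/24 lookup evolva
    Rule(32764, "rds", src=net("81.181.157.98/32")),
    Rule(32765, "evolva", src=net("86.55.164.100/32")),
    Rule(32766, "main"),                               # from all lookup main
]


def next_hop(evolva: List[Route], src: str, dst: str,
             fwmark: int = 0) -> Tuple[str, str, Optional[str]]:
    """(table, dev, via) chosen for one packet; via is None for on-link delivery."""
    tables = {"evolva": evolva, "rds": RDS, "main": MAIN}
    table, route = policy_lookup(RULES, tables, src, dst, fwmark)
    return table, route.dev, route.via


if __name__ == "__main__":
    # LAN host to the Internet: out ISP1 through the evolva table.
    print(next_hop(EVOLVA, "192.168.192.3", "203.0.113.10"))
    # Router replying to a LAN host (source already fixed at 192.168.192.1)
    # with the incomplete table: evolva's default wins and the reply is sent
    # to the ISP gateway instead of eth2.
    print(next_hop(EVOLVA_NO_LAN, "192.168.192.1", "192.168.192.3"))
    # With the LAN route in the table the reply stays on eth2.
    print(next_hop(EVOLVA, "192.168.192.1", "192.168.192.3"))
    # A fwmark-2 rule sits above the "from LAN" rule, so marking flips the ISP.
    print(next_hop(EVOLVA, "192.168.192.3", "203.0.113.10", fwmark=2))
```

Run it as a script to see the four lookups, or call `next_hop` with your own tables; `ip route get <dst> from <src> iif <dev>` is the equivalent query on a live box. Two caveats the simulator does not model: strict `rp_filter` (value 1, as in the P.S. above) discards a packet when the best route back to its source address does not leave through the interface it arrived on, which bites on a multi-homed router once both uplinks carry traffic (loose mode, value 2, or disabling it per uplink is the usual fix); and `accept_source_route` is unrelated to policy routing, it accepts packets carrying IP source-route options and belongs at 0 on a router.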

## Dreadfull2007

Erm... OK... I modified that script so it suits my needs; tell me if I went wrong somewhere (I don't think so):

```bash
#!/bin/bash
# Adapted from nativemad's script: one LAN (eth2), two ISPs (eth0, eth1),
# tables "evolva" and "rds" (must be named in /etc/iproute2/rt_tables).
# The ifconfig pipeline assumes net-tools "inet addr:" output and picks up
# only the primary address of each interface.
IPETH0=(`ifconfig eth0 | grep inet | cut -d ":" -f 2 | cut -d " " -f 1`)
IPETH1=(`ifconfig eth1 | grep inet | cut -d ":" -f 2 | cut -d " " -f 1`)
IPETH2=(`ifconfig eth2 | grep inet | cut -d ":" -f 2 | cut -d " " -f 1`)
IPNET0="192.168.192.0/24"
IPRANET0="86.55.164.0/24"
IPRANET1="81.181.157.0/24"
RAGATE0="86.55.164.1"
RAGATE1="81.181.157.1"
IFINT0="eth2"
IFEXT0="eth0"
IFEXT1="eth1"
PRIVATE="192.168.192.0/24"
LOOP=127.0.0.1

# Routes are rebuilt; rules are not flushed, so re-running duplicates them.
ip route flush table evolva
ip route flush table rds
ip route flush table main
ip route add $IPNET0 dev $IFINT0
# Table evolva (ISP1): uplink prefix, default, plus the LAN and loopback.
ip route add $IPRANET0 dev $IFEXT0 src $IPETH0 table evolva
ip route add $IPRANET0 dev $IFEXT0 src $IPETH0 prio 30
ip route add default via $RAGATE0 dev $IFEXT0 table evolva
ip rule add from $IPETH0 table evolva
ip route add $IPNET0 dev $IFINT0 table evolva
ip route add 127.0.0.0/8 dev lo table evolva
# Table rds (ISP2): the same.
ip route add $IPRANET1 dev $IFEXT1 src $IPETH1 table rds
ip route add $IPRANET1 dev $IFEXT1 src $IPETH1 prio 20
ip route add default via $RAGATE1 dev $IFEXT1 table rds
ip rule add from $IPETH1 table rds
ip route add $IPNET0 dev $IFINT0 table rds
ip route add 127.0.0.0/8 dev lo table rds
# The whole LAN goes out via ISP1.
ip rule add from $IPNET0 table evolva
ip route add default via $RAGATE0 dev $IFEXT0 table main prio 20
ip route add default via $RAGATE1 dev $IFEXT1 table main prio 10
ip route add default via $RAGATE0

iptables --flush
iptables -t nat --flush
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
# LAN and ISP1 ingress are marked 1 (table evolva), ISP2 ingress 2 (table rds).
iptables -A PREROUTING -t mangle -i $IFINT0 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -i $IFEXT0 -j MARK --set-mark 1
iptables -A PREROUTING -t mangle -i $IFEXT1 -j MARK --set-mark 2
ip rule add from all fwmark 1 table evolva
ip rule add from all fwmark 2 table rds
# Anti-spoofing on the uplinks.
iptables -A INPUT -i $IFEXT0 -s $LOOP -j DROP
iptables -A FORWARD -i $IFEXT0 -s $LOOP -j DROP
iptables -A INPUT -i $IFEXT0 -d $LOOP -j DROP
iptables -A FORWARD -i $IFEXT0 -d $LOOP -j DROP
iptables -A INPUT -i $IFEXT1 -s $LOOP -j DROP
iptables -A FORWARD -i $IFEXT1 -s $LOOP -j DROP
iptables -A INPUT -i $IFEXT1 -d $LOOP -j DROP
iptables -A FORWARD -i $IFEXT1 -d $LOOP -j DROP
iptables -A FORWARD -i $IFEXT0 -s 192.168.192.0/24 -j DROP
iptables -A FORWARD -i $IFEXT0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i $IFEXT0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $IFEXT0 -s 192.168.192.0/24 -j DROP
iptables -A INPUT -i $IFEXT0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $IFEXT0 -s 10.0.0.0/8 -j DROP
iptables -A FORWARD -i $IFEXT1 -s 192.168.192.0/24 -j DROP
iptables -A FORWARD -i $IFEXT1 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i $IFEXT1 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i $IFEXT1 -s 192.168.192.0/24 -j DROP
iptables -A INPUT -i $IFEXT1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i $IFEXT1 -s 10.0.0.0/8 -j DROP
# Old negation syntax; current iptables wants "! -s".
iptables -A FORWARD -s ! 192.168.192.0/24 -i $IFINT0 -j DROP
iptables -A INPUT -s $LOOP -j ACCEPT
iptables -A INPUT -d $LOOP -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i $IFINT0 -j ACCEPT
iptables -A FORWARD -i $IFINT0 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -o $IFEXT0 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -o $IFEXT1 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -o $IFEXT0 -j ACCEPT
iptables -A FORWARD -m state --state NEW -o $IFEXT1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# SNAT the LAN to ISP1's primary address on its uplink only.
iptables -t nat -A POSTROUTING -s $IPNET0 -o $IFEXT0 -j SNAT --to $IPETH0
```

which gave me:

ip route:

```
192.168.192.0/24 dev eth2  scope link
81.181.157.0/24 dev eth1  scope link  src 81.181.157.98  metric 20
86.55.164.0/24 dev eth0  scope link  src 86.55.164.100  metric 30
default via 86.55.164.1 dev eth0
default via 81.181.157.1 dev eth1  metric 10
default via 86.55.164.1 dev eth0  metric 20
```

ip route show table evolva:

```
192.168.192.0/24 dev eth2  scope link
86.55.164.0/24 dev eth0  scope link  src 86.55.164.100
127.0.0.0/8 dev lo  scope link
default via 86.55.164.1 dev eth0
```

ip route show table rds:

```
192.168.192.0/24 dev eth2  scope link
81.181.157.0/24 dev eth1  scope link  src 81.181.157.98
127.0.0.0/8 dev lo  scope link
default via 81.181.157.1 dev eth1
```

ip rule:

```
0:      from all lookup local
32761:  from all fwmark 0x2 lookup rds
32762:  from all fwmark 0x1 lookup evolva
32763:  from 192.168.192.0/24 lookup evolva
32764:  from 81.181.157.98 lookup rds
32765:  from 86.55.164.100 lookup evolva
32766:  from all lookup main
32767:  from all lookup default
```

iptables -L:

```
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  localhost            anywhere
DROP       all  --  anywhere             localhost
DROP       all  --  localhost            anywhere
DROP       all  --  anywhere             localhost
DROP       all  --  192.168.192.0/24     anywhere
DROP       all  --  172.16.0.0/12        anywhere
DROP       all  --  10.0.0.0/8           anywhere
DROP       all  --  192.168.192.0/24     anywhere
DROP       all  --  172.16.0.0/12        anywhere
DROP       all  --  10.0.0.0/8           anywhere
ACCEPT     all  --  localhost            anywhere
ACCEPT     all  --  anywhere             localhost
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  localhost            anywhere
DROP       all  --  anywhere             localhost
DROP       all  --  localhost            anywhere
DROP       all  --  anywhere             localhost
DROP       all  --  192.168.192.0/24     anywhere
DROP       all  --  172.16.0.0/12        anywhere
DROP       all  --  10.0.0.0/8           anywhere
DROP       all  --  192.168.192.0/24     anywhere
DROP       all  --  172.16.0.0/12        anywhere
DROP       all  --  10.0.0.0/8           anywhere
DROP       all  -- !192.168.192.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state NEW
ACCEPT     all  --  anywhere             anywhere            state NEW

Chain ICMP (0 references)
target     prot opt source               destination

Chain TCP (0 references)
target     prot opt source               destination

Chain UDP (0 references)
target     prot opt source               destination
```

iptables -t nat -L:

```
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.192.0/24     anywhere            to:86.55.164.100

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

If I "monitor" SNAT I see packets/bytes when pinging (seen with `iptables -t nat -nvL`):

```
Chain PREROUTING (policy ACCEPT 617K packets, 74M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 5627 packets, 928K bytes)
 pkts bytes target     prot opt in     out     source               destination
   10   600 SNAT       all  --  *      eth0    192.168.192.0/24     0.0.0.0/0           to:86.55.164.100
```

Same for FORWARD:

```
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth0   *       127.0.0.1            0.0.0.0/0
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            127.0.0.1
    0     0 DROP       all  --  eth1   *       127.0.0.1            0.0.0.0/0
    0     0 DROP       all  --  eth1   *       0.0.0.0/0            127.0.0.1
    0     0 DROP       all  --  eth0   *       192.168.192.0/24     0.0.0.0/0
    0     0 DROP       all  --  eth0   *       172.16.0.0/12        0.0.0.0/0
    0     0 DROP       all  --  eth0   *       10.0.0.0/8           0.0.0.0/0
    0     0 DROP       all  --  eth1   *       192.168.192.0/24     0.0.0.0/0
    0     0 DROP       all  --  eth1   *       172.16.0.0/12        0.0.0.0/0
    0     0 DROP       all  --  eth1   *       10.0.0.0/8           0.0.0.0/0
    0     0 DROP       all  --  eth2   *      !192.168.192.0/24     0.0.0.0/0
   56  4002 ACCEPT     all  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           state NEW
   28  2554 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
```

(both count for pings/HTTP requests... so maybe for *any* request... I really don't get where the problem is)

Later edit: I think I got it! I hope there's not a typo or something in the script... because on ISP #2 it works!

I just moved 192.168.192.0/24 from "lookup evolva" to the other one and changed the SNAT rule, and it works (everything)... weird... it's either a routing problem on my side or the ISP blocking ports (how could they?), because on the server everything works (both ISPs).

Thanks for your help!

----------

## nativemad

That's really strange... I've seen once that an ISP blocks incoming port 80 and outgoing 25... you have to use their proxy then...

But if it works in a "single basic setup" (server?) then this shouldn't be the problem...

As I have it quite easy (one LAN on one ISP, the other LAN on the second ISP) I haven't looked much into the default route in the main table...

Maybe you need a second "ip route add default via $RAGATE0" line for $RAGATE1! Perhaps even with some weights!

----------

## Dreadfull2007

Ouch, you lost me there; why would I need weights? I was trying to use ISP #1 only.

Also, why did you use metrics and 3 routes? Like this:

```
default via 86.55.164.1 dev eth0
default via 81.181.157.1 dev eth1  metric 10
default via 86.55.164.1 dev eth0  metric 20
```

That seems strange to me.

For both I was using nexthop some time ago:

```
ip route add default scope global nexthop via 86.55.164.1 dev eth0 weight 1 \
    nexthop via 81.181.157.1 dev eth1 weight 1
```

----------

## nativemad

The metrics aren't really necessary... they just make it easier to switch between the lines... (you can't have multiple GWs without metrics or weights AFAIK)

The nexthop is then a step further, with auto-failover and things like that.

I just thought that the script uses one default GW for the main table... If you then want to use the other line, the main table doesn't have a valid GW for that ISP... Therefore either enter the second one (with weights, or nexthop) or always switch it along with the rest of the script (SNAT & ip rule).

But probably I'm just talking bullshit, as I'm also not a pro at this!

----------

## Dreadfull2007

Thanks very much for the help, topic solved.

----------

