
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

Ubuntu 16.04 Full Stack Configuration (with Bonding Config): Difference between revisions

 
= Bonus: Port based policy routing to a third WAN =
I also have a third WAN connection (provided by Virgin Media) over which I route some traffic based on the destination port. It is of course possible to route based on destination IP, source IP or any combination of routing rules you can think of. It is also possible to use it as a failover if your PPP connection dies (although this guide does not cover that).
 
Moving forward I'll be assuming that the third connection is a Virgin Media (VM) connection, or an equivalent, whose address and gateway are provided by DHCP.
 
== Configure Interface ==
Edit /etc/network/interfaces and configure the interface for the connection. We give it a higher metric so that the default route DHCP installs does not override the default routes we configured earlier, and we provide a post-up script which we'll cover later:
 
# VMEDIA
auto DEV_VM_WAN
iface DEV_VM_WAN inet dhcp
post-up /usr/local/sbin/fix_vm_policy
metric 100
 
== Fix Firewalling ==
We need to add some more iptables rules to allow this interface to NAT outbound traffic and receive the related return traffic. We won't bother with IPv6 since this connection doesn't give us a v6 address. Note that INPUT on the new interface only accepts RELATED,ESTABLISHED traffic, so nothing listening on the router is exposed on the VM address:
 
iptables -A INPUT -i DEV_VM_WAN -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic" -j ACCEPT
iptables -A FORWARD -i DEV_LAN -o DEV_VM_WAN -m comment --comment "Allow traffic from LAN -> internet" -j ACCEPT
iptables -A FORWARD -i DEV_VM_WAN -o DEV_LAN -m state --state RELATED,ESTABLISHED -m comment --comment "Allow return traffic from internet -> LAN" -j ACCEPT
iptables -t nat -A POSTROUTING -o DEV_VM_WAN -m comment --comment NAT -j MASQUERADE
 
Don't forget '''netfilter-persistent save && netfilter-persistent reload''' afterwards.
 
== Fix Routing ==
We need to add a new routing table, it will be called VMEDIA (the number 20 just needs to be one not already used in the file):

echo "20 VMEDIA" >> /etc/iproute2/rt_tables
 
=== /usr/local/sbin/fix_vm_policy ===
Create the script mentioned in post-up earlier. This script does the following:
* Fetches the interface address (a /32 IPv4 in this case)
* Fetches the gateway address
* Checks that both look like valid IP addresses, and gives up otherwise, to avoid installing blank routes
* Adds a default route via the gateway to the routing table VMEDIA
* Adds an iptables rule to mark traffic from the LAN with a destination port of 563 with mark 10
* Adds an iptables rule to source NAT traffic leaving the interface to the interface's own address (without this the external IP will not reply to pings, for example)
* Adds a policy rule to send all traffic with mark 10 through the VMEDIA routing table
* Adds a policy rule to send all traffic sourced from the /32 address associated with the connection through the VMEDIA routing table
* Flushes the route cache
* Loosens the reverse path filter on the interface in question (replies to the VM address arrive here even though the main table's default route points elsewhere, and strict rp_filter would drop them)

It's important that you change the rule for port 563 (and the 192.168.1.0/24 LAN subnet) to your own rule(s) for policy routing. Notice that the rule appears twice, the first occurrence checks whether the rule already exists and the second actually adds it, so be sure to modify both.
 
#!/bin/bash
# Run by ifupdown as a post-up script; IFACE and LOGICAL are set by ifupdown
echo "IFACE: ${IFACE}"
echo "LOGICAL: ${LOGICAL}"
# Interface address with the prefix length stripped (first IPv4 address only)
IFACE_ADDR=$(ip addr show dev DEV_VM_WAN | grep "inet " | head -n 1 | awk '{print $2}' | sed -E 's/\/[0-9]+$//')
# Gateway of the default route DHCP installed for this interface
GWAY_ADDR=$(ip route show dev DEV_VM_WAN | grep default | awk '{print $3}')
# Give up (leaving nothing half-configured) if either is not a dotted quad
IPV4_RE='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'
(echo "${IFACE_ADDR}" | grep -Eq "${IPV4_RE}") && echo "VM-FIX IFACE matched" || { echo "VM-FIX no usable interface address, giving up" >&2; exit 1; }
(echo "${GWAY_ADDR}" | grep -Eq "${IPV4_RE}") && echo "VM-FIX GWAY matched" || { echo "VM-FIX no usable gateway address, giving up" >&2; exit 1; }
# "replace" rather than "add" so a changed DHCP gateway updates the route instead of failing
ip route replace default via ${GWAY_ADDR} dev DEV_VM_WAN table VMEDIA || true
# Rule 1: mark LAN traffic to TCP port 563 (change the port and subnet to your own, in both places)
if ! iptables -t mangle -C PREROUTING -p tcp --dport 563 -s 192.168.1.0/24 -j MARK --set-mark 10 2>/dev/null; then
    echo "VM-FIX Adding rule 1"
    iptables -t mangle -I PREROUTING 1 -p tcp --dport 563 -s 192.168.1.0/24 -j MARK --set-mark 10 || true
fi
# Rule 2: SNAT everything leaving this interface to its current (DHCP) address
if ! iptables -t nat -C POSTROUTING -o DEV_VM_WAN -j SNAT --to-source ${IFACE_ADDR} 2>/dev/null; then
    echo "VM-FIX Adding rule 2"
    iptables -t nat -I POSTROUTING 1 -o DEV_VM_WAN -j SNAT --to-source ${IFACE_ADDR} || true
fi
# Policy rules: only add when absent, because "ip rule add" creates a duplicate
# on every ifup (note "ip rule show" prints the mark in hex, so 10 appears as 0xa)
ip rule show | grep -q "fwmark 0xa lookup VMEDIA" || ip rule add fwmark 10 table VMEDIA || true
ip rule show | grep -q "from ${IFACE_ADDR} lookup VMEDIA" || ip rule add from ${IFACE_ADDR}/32 table VMEDIA || true
ip route flush cache || true
# Loose reverse-path filtering (2) on this interface only; replies to the VM
# address arrive here although the main table's default route points elsewhere
if [ -f /proc/sys/net/ipv4/conf/DEV_VM_WAN/rp_filter ]; then
    echo 2 > /proc/sys/net/ipv4/conf/DEV_VM_WAN/rp_filter
fi
 
Then make it executable:

chmod 0755 /usr/local/sbin/fix_vm_policy
 
You should now be able to bring up that interface (ifup DEV_VM_WAN) and it should put all of its own routes and rules in place. Traffic from the LAN to the chosen port should be routed over the VM connection and everything else over the default routes as before.
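The address extraction and sanity check are the part of the script most worth getting right, since a bad value would install a bogus default route or SNAT rule. The following is an added example, not code from the original page or from Andrews & Arnold: it does the same extraction as fix_vm_policy but with a strict dotted-quad check (the page's regex accepts 999.999.999.999), skips policy rules that already exist, and prints the commands it would run instead of executing them, so it can be tested without root or a Virgin Media interface. The interface name eth2, the addresses in 203.0.113.0/24 (documentation range) and the existing rule set are all constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original page): dry-run planner for the
# fix_vm_policy logic, driven by constructed command output.

# Constructed output of: ip addr show dev eth2
SAMPLE_ADDR='3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 203.0.113.45/32 brd 203.0.113.45 scope global dynamic eth2
       valid_lft 86213sec preferred_lft 86213sec
    inet6 fe80::211:22ff:fe33:4455/64 scope link
       valid_lft forever preferred_lft forever'

# Constructed output of: ip route show dev eth2
SAMPLE_ROUTE='default via 203.0.113.1 proto dhcp src 203.0.113.45 metric 100
203.0.113.1 scope link src 203.0.113.45 metric 100'

# Constructed output of: ip rule show, after one earlier run of the script.
# The kernel prints the mark in hex, so "fwmark 10" shows up as "fwmark 0xa".
SAMPLE_RULES='0:	from all lookup local
32764:	from 203.0.113.45 lookup VMEDIA
32765:	from all fwmark 0xa lookup VMEDIA
32766:	from all lookup main
32767:	from all lookup default'

# Strict dotted-quad check: exactly four octets, each 0-255.
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  _old_ifs=$IFS; IFS=.; set -- $1; IFS=$_old_ifs
  [ $# -eq 4 ] || return 1
  for _octet in "$@"; do
    [ ${#_octet} -le 3 ] && [ "$_octet" -le 255 ] || return 1
  done
  return 0
}

# First IPv4 address on the interface, prefix length stripped.
iface_addr_from() {
  printf '%s\n' "$1" | awk '$1 == "inet" { sub(/\/[0-9]+$/, "", $2); print $2; exit }'
}

# Next hop of the interface's default route.
gateway_from() {
  printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# True if the given `ip rule show` output already contains the pattern.
rule_present() {
  printf '%s\n' "$1" | grep -q -- "$2"
}

# Print the commands the real script would run for the given `ip addr`,
# `ip route` and `ip rule` output; fail closed if either address is unusable.
plan_vm_policy() {
  addr=$(iface_addr_from "$1")
  gw=$(gateway_from "$2")
  is_ipv4 "$addr" || { echo "refusing to configure: bad interface address '$addr'" >&2; return 1; }
  is_ipv4 "$gw"   || { echo "refusing to configure: bad gateway '$gw'" >&2; return 1; }
  echo "ip route replace default via $gw dev DEV_VM_WAN table VMEDIA"
  echo "iptables -t nat -I POSTROUTING 1 -o DEV_VM_WAN -j SNAT --to-source $addr"
  # "ip rule add" does not de-duplicate, so only emit rules that are missing.
  rule_present "$3" "fwmark 0xa lookup VMEDIA" || echo "ip rule add fwmark 10 table VMEDIA"
  rule_present "$3" "from $addr lookup VMEDIA" || echo "ip rule add from $addr/32 table VMEDIA"
  return 0
}

# Stand-alone usage: show the plan for the sample data (the two ip rule
# lines are skipped because SAMPLE_RULES already contains them).
plan_vm_policy "$SAMPLE_ADDR" "$SAMPLE_ROUTE" "$SAMPLE_RULES"
```

On a real router the three sample variables would come from `ip addr show dev DEV_VM_WAN`, `ip route show dev DEV_VM_WAN` and `ip rule show`, and the printed lines would be executed rather than echoed. The hex detail matters in practice: grepping `ip rule show` for the decimal "fwmark 10" never matches, so a naive existence check would add a new duplicate rule on every ifup.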