Всем доброго времени суток!
Имеется роутер на Ubuntu server 14.04. Есть два провайдера.
Задача - выпускать двух пользователей через провайдера1, всех других через провайдера2.
Через первого провайдера так же надо организовать доступ на внутренний сервак по 8080 порту.
Пытался сделать по
https://help.ubuntu.ru/wiki/ip_balancingно мне нужно с натом и без балансировки. пытался адаптировать 1 и 2 способ, не получилось.
Содержимое /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
10 isp1
20 isp2
содержимое скрипта /etc/network/iptables.sh (запускается из /etc/rc.local)
#!/bin/bash
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_conntrack_sip
modprobe ip_nat_sip
echo "1" > /proc/sys/net/ipv4/ip_forward
#########
# VARIABLES #
########
WAN_ADDR1=10.203.142.31
WAN_ADDR2=x.x.x.2
WAN_NET1=10.203.140.0/22
WAN_NET2=x.x.x.0/27
WAN_GW1=10.203.140.1
WAN_GW2=x.x.x.1
WAN_DEV1=p1p1
WAN_DEV2=p1p2
LAN_DEV1=p2p1
LAN_GATE=192.168.1.1
LAN_SUBNET1=192.168.1.0/24
BCKP=192.168.1.7
PASHA=192.168.1.241
DIMA=192.168.1.242
VID=192.168.1.254
SRV1C=192.168.1.10
###########
#iproute tables
#isp1
t1=10
#isp2
t2=20
###########
###########
# RESET RULES #
##########
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# reset the default policies in the nat table.
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# reset the default policies in the mangle table.
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
# flush all the rules in the filter and nat tables.
iptables -F
iptables -t nat -F
iptables -t mangle -F
# erase all chains that's not default in filter and nat table.
iptables -X
iptables -t nat -X
iptables -t mangle -X
###########
#ROUTING RULES#
###########
#flushing mangle
echo 1
iptables -t mangle -F NEW_OUT_CONN
iptables -t mangle -F PREROUTING
iptables -t mangle -F OUTPUT
iptables -t mangle -X NEW_OUT_CONN
ip route flush table ${t1}
ip route del table ${t1}
ip route flush table ${t2}
ip route del table ${t2}
ip route flush cache
echo 2
#end flushing
#Prepare new chain for marking outgoing traffic
iptables -t mangle -N NEW_OUT_CONN
iptables -t mangle -A NEW_OUT_CONN -s ${VID} -j CONNMARK --set-mark=1
iptables -t mangle -A NEW_OUT_CONN -s ${DIMA} -j CONNMARK --set-mark=1
iptables -t mangle -A NEW_OUT_CONN -s ${LAN_SUBNET1} -j CONNMARK --set-mark=2
########
#making routing rules#
########
iptables -t mangle -A PREROUTING -d ${LAN_SUBNET1} -j RETURN
iptables -t mangle -A PREROUTING -s ${LAN_SUBNET1} -m state --state new,related -j NEW_OUT_CONN
iptables -t mangle -A PREROUTING -s ${LAN_SUBNET1} -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -d ${LAN_SUBNET1} -j RETURN
iptables -t mangle -A OUTPUT -s ${LAN_SUBNET1} -m state --state new,related -j NEW_OUT_CONN
iptables -t mangle -A OUTPUT -s ${LAN_SUBNET1} -j CONNMARK --restore-mark
ip route add ${LAN_SUBNET1} dev ${LAN_DEV1} scope link table ${t1}
ip route add ${WAN_NET2} dev ${WAN_DEV2} scope link table ${t1}
ip route add ${WAN_NET1} dev ${WAN_DEV1} src ${WAN_ADDR1} table ${t1}
ip route add 127.0.0.0/8 dev lo scope link table ${t1}
ip route add default via ${WAN_GW1} dev ${WAN_DEV1} table ${t1}
ip rule add fwmark 10 table ${t1}
ip rule add from ${WAN_ADDR1} table ${t1}
ip route add ${LAN_SUBNET1} dev ${LAN_DEV1} scope link table ${t2}
ip route add ${WAN_NET1} dev ${WAN_DEV1} scope link table ${t2}
ip route add ${WAN_NET2} dev ${WAN_DEV2} src ${WAN_ADDR2} table ${t2}
ip route add 127.0.0.0/8 dev lo scope link table ${t2}
ip route add default via ${WAN_GW2} dev ${WAN_DEV2} table ${t2}
ip rule add fwmark 20 table ${t2}
ip rule add from ${WAN_ADDR2} table ${t2}
ip route flush cache
###########
###########
#NAT outside
###########
iptables -t nat -A POSTROUTING -o ${WAN_DEV1} -j SNAT --to-source ${WAN_ADDR1}
iptables -t nat -A POSTROUTING -o ${WAN_DEV2} -j SNAT --to-source ${WAN_ADDR2}
###########
# LOCAL RULES #
###########
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
#ssh
iptables -A INPUT -p tcp --dport 8222 -j ACCEPT
#allow traffic from LAN to this machine
iptables -A INPUT -i ${LAN_DEV1} -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p icmp -s ${LAN_SUBNET1} -j ACCEPT
#DNAT Pasha comp
iptables -t nat -A PREROUTING -i ${WAN_DEV1} -p tcp -m tcp -d ${WAN_ADDR1} --dport 23389 -j DNAT --to-destination ${PASHA}:3389
iptables -t nat -A PREROUTING -i ${WAN_DEV1} -p udp -m udp -d ${WAN_ADDR1} --dport 23389 -j DNAT --to-destination ${PASHA}:3389
#DNAT for vid
iptables -t nat -I PREROUTING -i ${WAN_DEV1} -d ${WAN_ADDR1} -p tcp --dport 8080 -j DNAT --to-destination ${VID}
#dnat for 1C
iptables -t nat -I PREROUTING -i ${WAN_DEV2} -d ${WAN_ADDR2} -p tcp --dport 13389 -j DNAT --to-destination ${SRV1C}:3389
iptables -L -v -n
Содержимое /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto p2p1
iface p2p1 inet static
address 192.168.1.1
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
auto p1p1
iface p1p1 inet static
address 10.203.142.31
netmask 255.255.252.0
gateway 10.203.140.1
dns-nameservers 127.0.0.1 8.8.8.8 8.8.4.4
dns-search hrtd.local
auto p1p2
iface p1p2 inet static
address x.x.x.2
netmask 255.255.255.224
gateway x.x.x.1
не работает