Lunarhotel.co.uk

Lets tackle what happens when we want to port forward to another pc that is hosting our service (lets say a mail server). Now there probaby a couple of other ways of achieving this, this solution isnt particularly elegant, but it works.

The basis for this working is that each server you have hosting a service, has two ip address (its multihomed), so for exmaple our mail server has two ip addresses on the network, that being 192.168.1.10 and 192.168.1.11. Essentailly we work it by saying, if a mail request comes in on internet connection A, route it to 192.168.1.10. If a request comes in on internet connection B route it to 192.168.1.11. both end up at the same mail server, just via different routes. We achieve this using IPTABLES, and we make sure the response is sent to the correct internet connection using ip rules, So lets set up the rules first:

ip rule add from <serverip> lookup inboundx

or for mail coming in on internet connection A:

ip rule add from 192.168.1.10 lookup inboundA

and for mail coming in on internet connection B:

ip rule add from 192.168.1.11

And now use IPTABLES to forward the request to the correct IP address

# FOR INCOMING ON INTERNET CONNECTION A
$IPTABLES -A INPUT -i eth2 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES - t nat -A PREROUTING -i eth2 -p tcp --dport 25 -j DNAT --to 192.168.1.10:25
$IPTABLES -A FORWARD -i eth2 -p 25 -d 192.168.1.10 --dport 25 -j ACCEPT

# FOR INCOMING ON INTERNET CONNECTION B
$IPTABLES -A INPUT -i eth1 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES - t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to 192.168.1.11:25
$IPTABLES -A FORWARD -i eth1 -p 25 -d 192.168.1.11 --dport 25 -j ACCEPT

1. control panel->network connections
2. right click on "local area connection 1" and click properties
3. Click on internet protocol (TCP/IP) and click properties
4. Click on advanced
5. Click on Add - It appears that doing this while having the ip address determined by DHCP is not permitted, so you'd have to give it a static ip in order for it to work.
6. In the above example, we have a mail server, its address is already 192.168.1.10, we add 192.168.1.11.Click on OK
7. Click on OK to the TCP/IP Properties dialogue
8. Click on OK to the local area connection properties dialogue

Try pinging your new address, and check a reply is sent back

Now we test our configuration. Again, Ideally with another (third) internet connection. we can do this by typing (at linux # prompt or Windows cmd prompt)

telnet 1.1.1.1 25

You should get a response like

220 mail.yourdomain.com ESTMP Postfix

(if your using a postfix mail server)

Conclusion

So there it is. Theres quite a bit of information on the internet about this sort of thing (if you look hard enough) Configurations like this are great for mission critical applications, especially email. Consider the situation: the primary internet connection goes down, and thats how email was getting in on the STMP feed. No problem, change your domain MX record to point at the seconday internet connection, and hey presto, your back up and running. Again using the DNS records, theres even a level of load balancing you can do. Brilliant! Like I said, I've merged everything needed to route over two internet connection into a .sh script which you can download in part 3. As ever, any questions or comments use the comment form below.