Married on the third day of December in our backyard, Canberra, Australia.

Monday, July 03, 2006

ultri.cx

http://www.ultri.cx/ , my personal web site hosted at our apartment, has been down for a while. In fact it has been down since I stuck another network card into the web server.

Both the router and the web server are connected to the internal and external networks. The router NATs incoming connections to an internal address on the web server, so access to the web server goes via the router. The web server serves DNS directly on its external interface, using a second IP address.

The problem is that the NetGear RP614 router only correctly reverses NAT for packets that come back in on the interface it sent the NATted packets out of. Access to the web server would go through the router (SNAT to the router's external IP + DNAT to the web server's internal IP) and exit its internal interface. The web server would respond via its external interface (because the SNATted source address was external), and the router would only reverse the DNAT, resulting in SYN-ACK packets with internal source addresses.

So the web server had to send packets with an external destination address out the internal interface whenever the source address was in 192.168.0.0/24. Normally, the outgoing interface is chosen from the destination address, not the source address. Luckily, the Linux kernel has pretty flexible routing rules: a rule can select a separate routing table based on the source address.

Here are the commands I used to route packets from internal source addresses via the internal interface, and those with external source addresses via the external interface:

#!/bin/sh
# Funky routing based on source address rather than destination address
INTDEV=eth0
INTGW=192.168.0.1
INTRANGE=192.168.0.0/24

EXTDEV=eth1
ISPGW=69.12.241.254
EXTRANGE=69.12.241.0/24

# Packets sourced from the internal range consult table 250, which sends
# everything out the internal interface (via the router for non-local destinations)
/sbin/ip rule add from $INTRANGE table 250
/sbin/ip route add table 250 to $INTRANGE dev $INTDEV
/sbin/ip route add table 250 to 0.0.0.0/0 via $INTGW dev $INTDEV

# Packets sourced from the external range consult table 251, which sends
# everything out the external interface (via the ISP gateway for non-local destinations)
/sbin/ip rule add from $EXTRANGE table 251
/sbin/ip route add table 251 to $EXTRANGE dev $EXTDEV
/sbin/ip route add table 251 to 0.0.0.0/0 via $ISPGW dev $EXTDEV
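To make the routing decision above concrete, here is an added example (my own illustration, not code from the post) that models the kernel's policy-routing lookup in Python: source-address rules pick a table, then a longest-prefix match in that table picks the interface and next hop. The rule and route entries are the ones from the script; the contents of the "main" table (connected routes plus a default via the ISP) and the host addresses 192.168.0.10, 69.12.241.10 and 203.0.113.5 are constructed assumptions. Calling `route()` with `policy=False` reproduces the broken destination-only behaviour the post describes, where a reply from the web server's internal address leaves via the external interface.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Values taken from the post's script
INTDEV, INTGW, INTRANGE = "eth0", "192.168.0.1", "192.168.0.0/24"
EXTDEV, ISPGW, EXTRANGE = "eth1", "69.12.241.254", "69.12.241.0/24"
MAIN = 254  # the kernel's unconditional "main" table


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s, strict=False)


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str] = None  # None means directly connected


@dataclass
class Rule:
    src: ipaddress.IPv4Network  # the 'from' selector
    table: int


# ip rule entries, evaluated in priority order before the main table
RULES = [Rule(net(INTRANGE), 250), Rule(net(EXTRANGE), 251)]

# Routing tables. 250 and 251 are from the post; the main table is an
# assumed destination-only table: connected routes plus a default via the ISP.
TABLES = {
    250: [Route(net(INTRANGE), INTDEV),
          Route(net("0.0.0.0/0"), INTDEV, INTGW)],
    251: [Route(net(EXTRANGE), EXTDEV),
          Route(net("0.0.0.0/0"), EXTDEV, ISPGW)],
    MAIN: [Route(net(INTRANGE), INTDEV),
           Route(net(EXTRANGE), EXTDEV),
           Route(net("0.0.0.0/0"), EXTDEV, ISPGW)],
}


def lookup(table: int, dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match within one table, like a FIB lookup."""
    candidates = [r for r in TABLES[table] if dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def route(src: str, dst: str, policy: bool = True):
    """Return (device, next_hop) for a packet from src to dst.

    With policy=True the 'from' rules select tables 250/251 first; with
    policy=False only the destination-based main table is consulted.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    tables = [r.table for r in RULES if s in r.src] if policy else []
    tables.append(MAIN)
    for t in tables:
        match = lookup(t, d)
        if match is not None:
            return match.dev, (match.via or str(d))
    raise LookupError(f"no route from {src} to {dst}")


if __name__ == "__main__":
    client = "203.0.113.5"
    # SYN-ACK from the web server's internal address back to the NAT router
    print("internal src, policy  :", route("192.168.0.10", client))
    print("internal src, no policy:", route("192.168.0.10", client, policy=False))
    # DNS reply from the web server's external address straight to the ISP
    print("external src, policy  :", route("69.12.241.10", client))
```

On a real host the equivalent check is `ip route get <dst> from <src>` (for example `ip route get 203.0.113.5 from 192.168.0.10`), which prints the device and gateway the kernel would actually use for that source/destination pair; the output should name the internal interface and gateway for internal sources and the external ones for external sources.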

So now http://www.ultri.cx is available again.
