I am trying to set up policy-based routing under Linux with iptables and ip
route. I have two internet connections with one public IP each, and I
have a local network which is to be NATed on those two IPs (which one
of those should depend on the port number).
I have created two routing tables with one default route each. I have
configured iptables so that packets with some port numbers are marked.
Those marked packets should receive the second routing table.
It all works wonderfully, with one exception: the packets *which are
marked* are not translated *back* by iptables' NAT. I checked it with
tcpdump: the packets are routed correctly. They are separated by
port numbers and sent out on both external interfaces. They are also
NATed correctly to the different IPs. They come back as they should,
but only the packets which arrive at the "main" entry (those that had not
been marked) are translated back and sent to the internal interface.
The point is that there doesn't seem to be an error in the
NAT configuration, because when I swap the rules (which define which
routing table is to be looked up), it works (or not) exactly the other way
round. I do not touch the NAT rules themselves in this process.
Can anybody give me a hint as to what the problem could be? Probably I should
have a look at the state machine of the different NATs (how?); what
would you say?
regards,
Florian
PS: a little config snippet:
# packets are classified with
iptables -t mangle -A PREROUTING -m multiport -p tcp --dport 80,22 -j MARK --set-mark 2
hostname:/home/airflow# ip rule show
0: from all lookup local
10: from all lookup main
15: from all fwmark 2 lookup aon
20: from all lookup default
hostname:/home/airflow# ip route list table default
default via 84.113.191.1 dev eth0
hostname:/home/airflow# ip route list table aon
default dev ppp0 scope link
# nat-configuration
iptables -t nat -A POSTROUTING -o eth0 -s 172.21.31.0/24 -j SNAT --to x.y.z.a
iptables -t nat -A POSTROUTING -o ppp0 -s 172.21.31.0/24 -j MASQUERADE
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- hetzendorf.local/24 anywhere to:x.y.z.a
MASQUERADE all -- hetzendorf.local/24 anywhere
--
Homepage: http://fp.ath.cx/ PGP-keyID: C9FEDBA2
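An added example (not Florian's configuration or any code from the list): a small Python model of how the kernel walks `ip rule` entries in priority order, fed with constructed `ip rule show` and route-table text shaped like the output quoted above. It shows why the placement of the `fwmark` rule relative to tables that hold a default route matters: a table consulted at an earlier priority (here `main` at 10) answers before the `fwmark 2` rule at 15 is ever reached, as soon as it already contains a route for the destination. Only the fwmark selector is modelled; source selectors and unreachable/prohibit routes are ignored.

```python
import ipaddress
import re

# Constructed sample in the shape of `ip rule show`; the fwmark rule deliberately follows main.
IP_RULE_SHOW = """\
0:      from all lookup local
10:     from all lookup main
15:     from all fwmark 2 lookup aon
20:     from all lookup default
"""
# Constructed tables; the second variant gives main its own default route.
TABLES = {
    "main":    ["172.21.31.0/24 dev eth1"],
    "aon":     ["default dev ppp0 scope link"],
    "default": ["default via 84.113.191.1 dev eth0"],
}
TABLES_MAIN_HAS_DEFAULT = dict(TABLES, main=TABLES["main"] + ["default via 84.113.191.1 dev eth0"])

RULE_RE = re.compile(r"^(\d+):\s+from (\S+)(?: fwmark (\S+))? lookup (\S+)")

def parse_rules(text):
    """Return [(priority, fwmark-or-None, table)] ordered by priority (source selector ignored)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            prio, _src, mark, table = m.groups()
            rules.append((int(prio), None if mark is None else int(mark, 0), table))  # "2" or "0x2"
    return sorted(rules, key=lambda r: r[0])

def lookup_table(routes, dst):
    """Longest-prefix match within one table; None means fall through to the next rule."""
    best = None
    for line in routes:
        words = line.split()
        net = ipaddress.ip_network("0.0.0.0/0" if words[0] == "default" else words[0])
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, words[words.index("dev") + 1])
    return best

def select_route(rule_text, tables, dst, fwmark=0):
    """Walk the rules in priority order; the first table holding a matching route wins."""
    dst = ipaddress.ip_address(dst)
    for _prio, mark, table in parse_rules(rule_text):
        if mark is not None and mark != fwmark:
            continue                      # selector does not match this packet
        hit = lookup_table(tables.get(table, []), dst)
        if hit is not None:
            return table, hit[1]          # (table name, outgoing device)
    return None
```

Feeding it the real `ip rule show` and `ip route list table <name>` text from a box tells you which table and device a packet with a given mark would actually leave through.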