RE: [LARTC] Masq/route based on port

Linux Advanced Routing and Traffic Control

This doesn't seem right:  

> My firewall configuration:
>   iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-mark 2
>   iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 1.1.1.128
>   iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 2.2.2.128

I'm not the expert, but I don't think you want to SNAT.  

You're marking inbound packets with destination port 80 and then putting
rules in the POSTROUTING table to fudge in a different IP address for
outbound packets.  That doesn't seem right.  It doesn't redirect inbound
packets the way you want.  

I think you want to DNAT instead of SNAT and forget about marking packets.  
Set up some PREROUTING rules and DNAT all incoming port 80 stuff over to 
the interface you want.  That should be all you need to do because the 
connection tracking should take care of getting the reply packets from your
internal web server back to where they belong.  

Verify this with the experts before you do it, but I think I'm right on 
this one.

- Greg Scott



-----Original Message-----
From: Miron [mailto:miron@xxxxxxxx]
Sent: Thursday, December 06, 2001 3:58 AM
To: lartc@xxxxxxxxxxxxxxx
Subject: [LARTC] Masq/route based on port


I have following setup:

- eth0 is an internal network
- eth1 is an Internet connection (IP = 1.1.1.128, GW=1.1.1.1)
- eth2 is another Internet connection (IP = 2.2.2.128, GW=2.2.2.1)

I would like to masquerade port 80 through eth2, but all other traffic 
should be masq'ed through eth1.

My routing configuration:

    (default route in main table is 1.1.1.1)

    ip rule add fwmark 2 pref 1002 table 666

    ip route flush table 666
    ip route add default via 2.2.2.1 dev eth3 proto static table 666
    ip route flush cache

My firewall configuration:
    iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-mark 2
    iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 1.1.1.128
    iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 2.2.2.128

Unfortunately, this does not work.  Outgoing packets are fine.  Incoming 
packets on port 80 are not de-masqueraded and do not reach the internal 
hosts.

Also, if I change the ip rule above to be based on the source address 
(instead of a mark), connections start working fine.

Here is the output of 'ip rule ls', to prove that I do have fwmark compiled:
    0:      from all lookup local
    1002:   from all fwmark        2 lookup http
    32766:  from all lookup main
    32767:  from all lookup 253

I am wondering if there is some kind of bug related to the interaction 
between fwmark and NAT. Any ideas?

Thanks,
Miron Cuperman



_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://ds9a.nl/2.4Routing/
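The setup Miron describes (mark port-80 flows, route the mark through a second uplink, SNAT per egress interface) as one script, added here as an editorial example; it is not code from either post. Interface names, addresses, mark value 2 and table 666 are taken from the post. Everything else is an assumption for a current Linux kernel and iptables: the CONNMARK save/restore so that every packet of a marked connection is routed the same way, the `conntrack` match, and the per-interface `rp_filter` sysctl that keeps strict reverse-path filtering on the second uplink from dropping replies that the main table would send back out the first. The post's route line names `eth3` while its SNAT rule names `eth2`; the script derives both from one variable and has a check that they agree. By default it only prints the commands (`DRY_RUN=1`); `sh script.sh apply` executes them.

```shell
#!/bin/sh
# Added example (not from the list post): dual-WAN policy routing by fwmark
# with per-interface SNAT. Interface names, addresses, mark and table number
# follow the post; CONNMARK, the conntrack match and the rp_filter sysctl
# are assumptions for a current kernel. DRY_RUN=1 (default) prints commands.

LAN_IF=eth0
WAN1_IF=eth1; WAN1_IP=1.1.1.128; WAN1_GW=1.1.1.1
WAN2_IF=eth2; WAN2_IP=2.2.2.128; WAN2_GW=2.2.2.1
MARK=2
TABLE=666
PREF=1002

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Policy routing: marked packets consult a table whose default route points
# at the second uplink. The device comes from the same variable as the SNAT
# rule below, so the two cannot name different interfaces.
setup_routing() {
    run ip rule add fwmark "$MARK" pref "$PREF" table "$TABLE"
    run ip route flush table "$TABLE"
    run ip route add default via "$WAN2_GW" dev "$WAN2_IF" table "$TABLE"
    run ip route flush cache
}

# Marking: restore any saved connection mark first, mark only NEW port-80
# flows coming from the LAN, then save the mark so later packets of the same
# connection (replies included) carry it as well.
setup_marking() {
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j MARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
}

# NAT: translate the source address per egress interface, as in the post.
setup_nat() {
    run iptables -t nat -A POSTROUTING -o "$WAN1_IF" -j SNAT --to-source "$WAN1_IP"
    run iptables -t nat -A POSTROUTING -o "$WAN2_IF" -j SNAT --to-source "$WAN2_IP"
}

# Replies to the port-80 flows arrive on WAN2, but the main table would send
# traffic to their source out WAN1. Strict reverse-path filtering on WAN2
# would drop them, so use loose mode on that interface only (assumption:
# the per-interface rp_filter sysctl, present on modern kernels).
setup_rpfilter() {
    run sysctl -w "net.ipv4.conf.$WAN2_IF.rp_filter=2"
}

# Consistency check: the device in the mark table's default route must be
# the interface whose SNAT rule translates to WAN2_IP. Returns 0 if so.
check_consistency() {
    route_dev=$(DRY_RUN=1; setup_routing | sed -n 's/.*dev \([^ ]*\).*/\1/p')
    snat_dev=$(DRY_RUN=1; setup_nat | grep "$WAN2_IP" | sed -n 's/.*-o \([^ ]*\).*/\1/p')
    [ -n "$route_dev" ] && [ "$route_dev" = "$snat_dev" ]
}

setup_all() {
    setup_routing
    setup_marking
    setup_nat
    setup_rpfilter
}

# "sh script.sh apply" executes; anything else prints the rule set.
if [ "${1:-}" = apply ]; then DRY_RUN=0; fi
setup_all
```

Order matters in `setup_marking`: the restore must precede the MARK rule and the save must follow it, otherwise replies on an established connection are routed by the unmarked main table. The `check_consistency` function is worth keeping in any such script; a single mismatched interface name between the route table and the SNAT rule produces exactly the symptom of outbound packets leaving but replies never being translated back.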


