Stewart,

: firstly, thanks for the reply.
: secondly, on reading it myself, yeap - i need to clarify :)

No problem, and thanks for the clarifications.....

: INTERNAL NETWORK                                   INTERNET
:
:                          202.44.184.130
: MY PC---------------DELTA-----------------
: 192.168.0.18           |192.168.0.1
:                        |
:                        |
:                        |
:                        |        202.44.184.129
:             192.168.0.2|-------OMEGA-----------------
:                        |
:                        |10.0.0.2
:                        |
:                        |-----------ADSL ROUTER--
:                                    10.0.0.138

Very clear diagram.  Thank you.....

: OMEGA has 3 NICs
: eth0 = 202.44.184.129
: eth1 = 192.168.0.2
: eth2 = 10.0.0.2
: I'll ignore Delta as everything is working there okay atm.

Fair enough....I presume, then, that you have the policy routing stuff
working properly on delta and omega, and you simply have a question about
omega's masquerading (hence your subject about masquerading not working
with iproute2).  I think it's probably an iptables solution.

: I want to make sure that all connections coming into our servers (hosted
: on 202.44.194.129) get serviced by that IP (that is, we send our
: response via eth0 and not eth2).

The million-dollar (four-part) question:

  What servers hosted on 202.44.194.129?
  Are these really internal servers accessed via DNAT?
  Are these servers in 192.168.0.0/24?
  Do these servers also wish to make use of ADSL router Internet?

If so, then you want to read the following:

  http://linux-ip.net/html/adv-multi-internet.html#adv-multi-internet-inbound
  http://lists.netfilter.org/pipermail/netfilter/2001-May/011697.html

Short answer?  The easiest solution (if you are using DNAT on OMEGA to get
the packets to the internal server) is to dedicate an IP to be the internal
IP hosted on the server for the connection:

  Internet <--> 202.44.194.129 <--OMEGA-DNAT--> 192.168.0.150  # -- two IPs
  Internet <--> 10.0.0.2       <--OMEGA-SNAT--> 192.168.0.149  # one box

Clear as mud?  If no packet from the internal server EVER needs to make it
to the net via ADSL router ('cause it's all proxied), then the SNAT below
should solve your problem.
: >So, you want to make sure that any connections initiated from the
: >Internet are always returned to the Internet via eth0, correct?
:
: yes, that's what we need (for things like apache to work).

Refer to the above two links.....

: I want to be able to use Masquerading on Omega. Normally a Masquerading
: setup allows the internal net to access any machine out on the internet
: (i use this setup at home). But, I only want to allow people on the
: internal network to access one IP on the internet directly (via NAT)
:
: that is
: (as gateway using NAT)
: 192.168.0.18----->OMEGA-------->machine on the outside world
:
: not
: (as proxy)
: 192.168.0.18----->OMEGA-------->machine on outside world
:
: what happens currently (with the scripts attached) is that a packet
: comes from 192.168.0.18, goes through OMEGA and comes out on the eth2
: interface (which it should, as this is the default for new connections
: out) with the source address being 192.168.0.18.
:
: what *should* happen is that a packet should go out from 192.168.0.18,
: go through OMEGA (which should use NAT to change the source address to
: 10.0.0.2) and then it should go out on the wire (to be handled by the
: ADSL router).

Try this (I just picked an IP out of midair):

  SINGLE_IP=12.8.192.113

  iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d $SINGLE_IP \
    -j SNAT --to-source 10.0.0.2
  #
  # -- or you can use "-j MASQUERADE"
  #
  # iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d $SINGLE_IP \
  #   -j MASQUERADE
  #
  iptables -t filter -A FORWARD -s 192.168.0.0/24 -d $SINGLE_IP \
    -j ACCEPT

If I were to guess, I'd guess that the RELATED,ESTABLISHED rule should
catch the related and established connections.  ;-)

: The policy routing has been running for a while pretty flawlessly. The
: only problem I have is that machines on the internal network can't
: access (e.g. ping) the external addresses of OMEGA.
If that policy routing stuff you snipped was from DELTA, then you might
still wish to consider my changes to the P1_NET and P2_NET variables.  Your
call--you can always try it and fall back to your existing and working
configuration if I'm steering you wrong.

So:

  1) if you want to have the same internal host reaching the Internet,
     over two connections (especially if one is inbound) dedicate an IP to
     the DNAT service--it's cheap and far less error prone.
  2) Try the iptables SNAT or MASQUERADE.  Don't forget the filter table
     rule in the FORWARD chain.
  3) Consider correcting the network routes in your policy routing.

Good luck and so long for now,

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@xxxxxxxxxxxxxx
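The SNAT and FORWARD rules suggested in the reply, assembled into one loadable script as an added example (this is not code from the original message or from its author). It uses the same made-up destination 12.8.192.113; the interface names eth1/eth2 on OMEGA come from the poster's NIC list, while the `-o eth2` match on the SNAT rule, the `conntrack` state matches and the trailing DROP are assumptions added here. The DROP is what actually enforces "only one outside IP": the SNAT rule alone rewrites only traffic to SINGLE_IP, so anything else the internal net sends toward eth2 would leave with its private source address untouched, which is exactly the leak the poster observed.

```sh
#!/bin/sh
# Added example, not code from the original post.  Generates (and, with
# --apply, loads) the rule set for "NAT only to one outside host" on OMEGA:
#   - SNAT traffic from the internal net to SINGLE_IP as it leaves eth2
#   - accept replies via the RELATED,ESTABLISHED rule
#   - accept NEW forwarded connections only to SINGLE_IP
#   - drop every other forward toward the ADSL router
# Assumptions: interface names, the conntrack match and the catch-all DROP.

INT_IF="eth1"                          # OMEGA's internal-network interface
INT_NET="192.168.0.0/24"
ADSL_IF="eth2"                         # OMEGA's interface toward the ADSL router
ADSL_IP="10.0.0.2"                     # source address after SNAT
SINGLE_IP="${SINGLE_IP:-12.8.192.113}" # the one reachable outside host (made up)

# Print the rules, one iptables command per line, in the order they must load.
nat_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $ADSL_IF -s $INT_NET -d $SINGLE_IP -j SNAT --to-source $ADSL_IP
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $ADSL_IF -s $INT_NET -d $SINGLE_IP -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $ADSL_IF -j DROP
EOF
}

# Self-check on the generated text: exactly one SNAT rule, and the last rule
# toward the ADSL router is the catch-all DROP (returns 0 when both hold).
rules_ok() {
    snat=$(nat_rules | grep -c -- '-j SNAT')
    last=$(nat_rules | tail -n 1)
    [ "$snat" -eq 1 ] && [ "${last##* }" = "DROP" ]
}

# Load the rules only on explicit request (needs root and iptables);
# otherwise just print them for review.
if [ "${1:-}" = "--apply" ]; then
    nat_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
    # Packet counters on the POSTROUTING rule confirm the SNAT is being hit.
    iptables -t nat -L POSTROUTING -v -n
else
    nat_rules
fi
```

Run it without arguments to review the rules; `SINGLE_IP=<host> ./nat-one-host.sh --apply` loads them. After applying, the counters from `iptables -t nat -L POSTROUTING -v -n` should increase when an internal host connects to SINGLE_IP, and a `tcpdump -ni eth2` should show 10.0.0.2 rather than 192.168.0.18 as the source.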