I have a network much like that shown in:

  <http://www.lartc.org/howto/lartc.rpdb.multiple-links.html>

with a few wrinkles. This is with a ptrace patched 2.4.20 kernel.

The wrinkles are that one interface has 14 IPs (.2 to .15) total (via eth1 and aliasing), the other being a single DHCP-provided IP (eth0).

I have an iptables rule:

  /sbin/iptables -t nat -A PREROUTING -i eth1 -d eee.fff.ggg.11 -p tcp --dport 22 -j DNAT --to 192.168.0.2:22

That's all there is (currently) in the PREROUTING iptable. POSTROUTING has:

  /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

When I connect from the outside to eee.fff.ggg.11:22, I never hear a reply. Ethereal (on the internal interface, eth2) shows replies, but looking on the other external interface (eth0) it appears that the replies are all shooting out of it (the default path). Nothing ever returns out the eth1 interface as it "should".

I have the ip rules set up as follows:

  # ip rule show
  0:      from all lookup local
  32757:  from aaa.bbb.ccc.ddd lookup T1
  32758:  from eee.fff.ggg.2/31 lookup T2   # note the 3 rules are to cover
  32759:  from eee.fff.ggg.4/30 lookup T2   # the .2 to .15 IP space
  32760:  from eee.fff.ggg.8/29 lookup T2
  32766:  from all lookup main
  32767:  from all lookup default

  # ip route show table T1
  192.168.0.0/24 dev eth2 scope link
  default via aaa.bbb.ccc.1 dev eth0

  # ip route show table T2
  eee.fff.ggg.1 dev eth1 scope link
  eee.fff.ggg.0/28 dev lo scope link
  192.168.0.0/24 dev eth2 scope link
  default via eee.fff.ggg.1 dev eth1

  x# ip route # (default rule)
  eee.fff.ggg.1 dev eth1 scope link
  eee.fff.ggg.0/28 dev lo scope link
  192.168.0.0/24 dev eth2 proto kernel scope link src 192.168.0.1
  eee.fff.ggg.0/24 dev eth1 proto kernel scope link src eee.fff.ggg.10
  aaa.bbb.ccc.0/23 dev eth0 proto kernel scope link src aaa.bbb.ccc.ddd
  default via aaa.bbb.ccc.1 dev eth0

When I connect to the port forwarded address from the outside, it looks like the returning packets are getting routed _before_ the source IP is translated (and thus aren't matching a special rule and thus get routed according to the default rule). Everything else seems to be working fine.

Has anyone seen this? Is it a bug or am I just confused?

--
Russell Senior         ``I've seen every kind of critter God ever made,
seniorr@xxxxxxxxxxx      and I ain't never seen a meaner, lower, more
                         stinkin' yellow hypocrite than you!''
                                -- Burl Ives as Rufus Hennessy
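
Added example, not part of the original message: a small Python model of the "ip rule" list quoted above, showing which table a reply is routed by when its source is still 192.168.0.2 and which it would be routed by if the source were already the forwarded public address. The 198.51.100.x and 203.0.113.x addresses are constructed stand-ins for the masked aaa.bbb.ccc.ddd and eee.fff.ggg.* values, and the function names are hypothetical.

```python
import ipaddress

# Constructed stand-ins for the masked addresses in the message:
# aaa.bbb.ccc.ddd -> 198.51.100.77 (eth0), eee.fff.ggg.0/28 -> 203.0.113.0/28 (eth1).
RULES = [  # (priority, "from" selector, table) as in "ip rule show", minus "local"
    (32757, "198.51.100.77/32", "T1"),
    (32758, "203.0.113.2/31", "T2"),
    (32759, "203.0.113.4/30", "T2"),
    (32760, "203.0.113.8/29", "T2"),
    (32766, "0.0.0.0/0", "main"),
]
# Device of the default route in each table, as listed in the message.
DEFAULTS = {"T1": "eth0", "T2": "eth1", "main": "eth0"}


def select_table(src):
    """Return the first table, in priority order, whose selector contains src."""
    addr = ipaddress.ip_address(src)
    for _prio, selector, table in sorted(RULES):
        if addr in ipaddress.ip_network(selector):
            return table
    raise LookupError("no rule matched")


def egress_device(src):
    """Device that the default route of the selected table points at."""
    return DEFAULTS[select_table(src)]


def covered_hosts():
    """Last octets in the /28 that the three T2 rules actually cover."""
    net = ipaddress.ip_network("203.0.113.0/28")
    return [int(a) & 0xFF for a in net if select_table(str(a)) == "T2"]


if __name__ == "__main__":
    # Reply from the DNAT target with its source still untranslated.
    print("src 192.168.0.2  ->", select_table("192.168.0.2"), egress_device("192.168.0.2"))
    # The same reply if its source were already the forwarded public address.
    print("src 203.0.113.11 ->", select_table("203.0.113.11"), egress_device("203.0.113.11"))
    print("T2 rules cover host octets:", covered_hosts())
```

The model only compares source selectors against the rule list; it does not implement NAT or the kernel's route lookup.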