Hehe, maybe it is this:

  iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

On Thu, 22 Jul 2004 16:16:21 -0700, Jens <jens@xxxxxxxxxxxxx> wrote:
> On Thursday 22 July 2004 14:17, George Alexandru Dragoi wrote:
> > A good thing would be to give a full description of your network
> > setup, interfaces and so on; maybe there should be stuff like -s
> > 192... -d ! 192../24
>
> Ok ....
> I have two lines to the internet, each on their own interface on a Debian
> based firewall box. Eth0 goes to my cable provider and is set up dynamically,
> eth1 goes to my ADSL provider on a static IP 64.114.148.101.
> Also in the firewall box are two additional interface cards - one for a DMZ
> (eth3, 192.168.1.1) and one for all the regular users (eth2, 192.168.0.1).
> The DMZ loop only has a single machine on it with IP 192.168.1.2.
> The firewall is implemented via shorewall which sets up the various rules for
> ipchains.
> The DMZ box has a postfix mail server on it. All local users send to the
> server and it then relays out the mail via the firewall box to the outside
> world.
> Is this sufficient information or do you require additional info?
>
> I've been messing around doing some more tests which have me more confused. As
> mentioned earlier, I mark all packets going to port 25 from the server box
> with a '1'. I then set up a rule that is inserted right before the 'main'
> rule to use table adsl whenever a fwmark of '1' is found. Table adsl just has
> a default gateway via eth1 in it. The 'main' table has a default gw via eth0.
> Leaving everything the same and just playing with the test for fwmark '1', if
> I telnet from the server box to a local ISP port 25 I get either a connection
> (no fwmark branch) or nothing (fwmark branch). If I switch the default gw in
> the 'main' table to point to my ADSL provider and telnet from the server box
> to the ISP I can connect fine.
> This seems to indicate that the potential link generated with the adsl table
> 'should' work fine but of course it doesn't.
> Further, playing with the routing cache, it would appear that the fwmark test
> is actually performing as it should and the port 25 connection is in fact routed
> via the ADSL line (while having the cable line as default in the 'main'
> table). I am now wondering if there is some protocol happening that isn't
> allowed to proceed correctly ..... when I try to establish a telnet
> connection on port 25 to the local ISP from the server box, is there anything
> happening on any other port that has to be re-routed? Could it be that some
> other part of the protocol goes through a different port, doesn't get the fwmark
> and actually decides to go out the main default gateway (the cable
> connection)? My mail DNS entry points to the cable connection BTW ....
>
> .... my brain hurts ....
>
>
>
> Jens
> _______________________________________________
> LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
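For readers following the thread, here is the complete fwmark-based setup the two posts are circling around, written out as one script. This is an added example, not something either poster sent to the list: the interface names, the DMZ address 192.168.1.2 and the ADSL address 64.114.148.101 come from Jens' description, while the ADSL gateway address, the numeric id used for the "adsl" routing table and the rule priority are assumptions. It prints the commands by default (DRY_RUN=1) and only executes them, as root, when DRY_RUN=0. The point the thread's reply makes is step 3: a packet that the fwmark rule pushes out eth1 still carries either the DMZ source address or, if MASQUERADE only exists for eth0, no translation at all, so the remote SMTP server's reply can never come back over the ADSL line. Step 4 covers a second common cause of "routed correctly but no connection": strict reverse-path filtering drops replies arriving on eth1 when the main table says the sender is reachable via eth0.

```shell
#!/bin/sh
# Added example for the LARTC thread above (not the posters' own config).
# Two uplinks: eth0 (cable, dynamic, default in table main) and eth1 (ADSL,
# static). SMTP from the DMZ mail host is marked and routed out over ADSL.
set -eu

CABLE_IF=eth0
ADSL_IF=eth1
ADSL_IP=64.114.148.101
ADSL_GW=64.114.148.1        # ASSUMPTION: the ADSL gateway is not given in the thread
DMZ_IF=eth3
MAIL_HOST=192.168.1.2
ADSL_TABLE=200              # ASSUMPTION: numeric id for the table called "adsl"
RULE_PRIO=100               # ASSUMPTION: anything lower than main's 32766 works
MARK=1

# DRY_RUN=1 (default) prints each command instead of running it.
DRY_RUN=${DRY_RUN:-1}
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Mark SMTP from the mail host as it enters the box from the DMZ side.
#    mangle PREROUTING runs before the routing decision, so the mark is
#    visible to the ip rule lookup for forwarded packets.
mark_smtp() {
    run iptables -t mangle -A PREROUTING -i "$DMZ_IF" -s "$MAIL_HOST" \
        -p tcp --dport 25 -j MARK --set-mark "$MARK"
}

# 2. Marked packets consult the ADSL table, which holds only a default route
#    via eth1. Unmarked traffic falls through to the main table as before.
#    Flushing the route cache makes the new rule take effect immediately.
route_marked() {
    run ip route replace default via "$ADSL_GW" dev "$ADSL_IF" table "$ADSL_TABLE"
    run ip rule add fwmark "$MARK" table "$ADSL_TABLE" priority "$RULE_PRIO"
    run ip route flush cache
}

# 3. Source NAT per egress interface. Without the eth1 rule, packets chosen by
#    the fwmark rule leave eth1 with the 192.168.1.2 source address and the
#    replies never return.
nat_uplinks() {
    run iptables -t nat -A POSTROUTING -o "$CABLE_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$ADSL_IF" -j SNAT --to-source "$ADSL_IP"
}

# 4. Strict reverse-path filtering can drop replies that arrive on eth1 when
#    the main table would reach their sender via eth0. Relax it on the uplinks.
relax_rp_filter() {
    for i in "$CABLE_IF" "$ADSL_IF"; do
        run sysctl -q -w "net.ipv4.conf.$i.rp_filter=0"
    done
}

apply_all() {
    mark_smtp
    route_marked
    nat_uplinks
    relax_rp_filter
}

apply_all
```

To check the routing decision for a marked packet without sending mail, the thread's own tool applies: `ip route get 203.0.113.25 from 192.168.1.2 iif eth3 mark 1` (assuming a recent iproute2 that accepts `mark`; older versions need `fwmark`) should name eth1 and the ADSL gateway, and `iptables -t nat -L POSTROUTING -v -n` should show the eth1 SNAT counter increasing when a connection is attempted.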