Hi all, I have the following configuration:

* NET1: DSL line with a /28 network, let's call it 10.1.0.0/28
* NET2: DSL line with a /28 network, let's call it 10.2.0.0/28
* INTNET: internal network with production servers and workstations, 192.168.1.0/24

Obviously the 10.x networks are official (public) networks, censored to protect my customer. The router box has all IP addresses from NET1 assigned on eth0, likewise eth1 and NET2. The internal net is on eth2.

I've set up split-access routing as in the documentation, section "4.2.1. Split access". Every production server gets its own routing table and its own SNAT/DNAT rule. The example is given for one server:

    # Server 1, external 10.1.0.3, internal 192.168.1.2, table server1,
    # default gateway is 10.1.0.1 (DSL router)
    # $NET1 and $INTNET hold the prefixes listed above (10.1.0.0/28, 192.168.1.0/24)
    ip route add $NET1 dev eth0 src 10.1.0.1 table server1
    ip route add $INTNET dev eth2 table server1
    ip route add default via 10.1.0.1 table server1
    ip rule add from 192.168.1.2 table server1

    # Now NAT: inbound to the public address -> server, outbound from the server -> public address
    iptables -t nat -A PREROUTING -d 10.1.0.3 -j DNAT --to-destination 192.168.1.2
    iptables -t nat -A POSTROUTING -s 192.168.1.2 -j SNAT --to-source 10.1.0.3

I do this for all servers on alternating IP addresses and lines. At the very end of the POSTROUTING chain I have a catch-all SNAT so that all workstations in INTNET get SNATed access to the internet (only routed via one line):

    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 10.1.0.1

(where 10.1.0.1 is a designated IP address only used for the workstations; the servers all have their own IP address). Works so far.

Now my problem: if a workstation from the internal network wants to connect to the official IP address of one of the servers, it doesn't work. Let's say 192.168.1.212 wants to connect to 10.1.0.3. It goes through its default gateway 192.168.1.1, which is the only IP address assigned on eth2, the internal interface. It hits the PREROUTING chain and gets DNATed to 192.168.1.2. It hits the routing code and is matched against "$INTNET dev eth2" in table server1. It hits POSTROUTING and gets SNATed with 10.1.0.1, the external, designated IP address of the router for the clients. It should be pushed out on the internal interface. The server receives the packet, processes it and sends back the answer to the router. The packet hits PREROUTING (from 192.168.1.2 to 10.1.0.1, no rule matches), hits the routing code, and there is the problem, I think: destined for a local interface, don't route. BANG.

Is my observation at that point right? If yes, does somebody know how to achieve my goal, that internal IPs can connect to the external IPs? The term "CONNMARK" somehow popped up in my mind, but I haven't seen any useful examples yet of how to use it properly.

I hope I provided all necessary information; I know that "ip rule show" is missing to check the precedence of the rules, but I don't have access to the system right now.

Any hint is appreciated, thanks,
Alex.

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
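The scenario in the post (an internal host connecting to the public address of an internal server) is the classic "hairpin NAT" or "NAT loopback" case. The script below is an added example of the usual way to configure it on a Linux router with iptables; it is not from the post, the mailing list or the LARTC HOWTO. It reuses the post's addresses (eth2 as internal interface, 192.168.1.1 as the router's only address on eth2, 10.1.0.3 -> 192.168.1.2 for server 1); the function name `hairpin_nat`, the `IPT` variable for dry runs and the argument handling are my own choices. The idea: for connections that arrive on the internal interface and are DNATed to an internal server, additionally SNAT them to the router's own internal address, so the server's reply is addressed to the router itself rather than to a client on its own LAN or to a public address that lives in a policy-routing table. Reverse translation of the reply is done by conntrack automatically (no rule has to match the reply, and no CONNMARK is needed); the only requirement is that the reply comes back to the router box, which the SNAT guarantees. The rules are deliberately scoped with `-i`/`-o`/`-s`/`-d` so they can only fire for internal-to-internal traffic and never rewrite packets coming in from the DSL lines.

```shell
#!/bin/sh
# Hairpin (NAT loopback) rules for a Linux router that DNATs public
# addresses to internal servers.  Added example; the addresses follow
# the post, the function and variable names are assumptions.
set -eu

IPT="${IPT:-iptables}"    # set IPT=echo to print the rules instead of loading them

INT_IF="eth2"             # internal interface
INTNET="192.168.1.0/24"   # internal network on INT_IF
ROUTER_INT="192.168.1.1"  # router's own address on INT_IF, used as hairpin SNAT source

# hairpin_nat PUBLIC_IP INTERNAL_IP
#
# 1. PREROUTING: only for packets entering on the internal interface from
#    INTNET, rewrite the public destination to the internal server.  The
#    -i/-s matches keep this rule off the DSL-side traffic, which the
#    existing per-server DNAT rules already handle.
# 2. POSTROUTING: when the same packet leaves on the internal interface
#    again, SNAT it to the router's internal address.  The server then
#    replies to 192.168.1.1, conntrack undoes both translations on the
#    way back, and the client sees the answer coming from PUBLIC_IP.
#    This rule is inserted at position 1 because it must precede any
#    catch-all SNAT for INTNET (a catch-all without -o would otherwise
#    claim the packet first and rewrite it to a public address).
hairpin_nat() {
    pub="$1"
    srv="$2"
    $IPT -t nat -A PREROUTING -i "$INT_IF" -s "$INTNET" -d "$pub" \
        -j DNAT --to-destination "$srv"
    $IPT -t nat -I POSTROUTING 1 -o "$INT_IF" -s "$INTNET" -d "$srv" \
        -j SNAT --to-source "$ROUTER_INT"
}

# Usage: IPT=echo sh hairpin.sh 10.1.0.3 192.168.1.2   (dry run, prints the rules)
#        sh hairpin.sh 10.1.0.3 192.168.1.2            (loads the rules, needs root)
# Call once per server / public address pair.
if [ $# -eq 2 ]; then
    hairpin_nat "$1" "$2"
fi
```

Two things worth checking on the live box after loading these: `iptables -t nat -L POSTROUTING -nv --line-numbers` should show the hairpin SNAT above the catch-all `-s 192.168.1.0/24` rule, and the catch-all itself is safer with `-o eth0` (or whichever interface carries the chosen DSL line), so it only rewrites packets that really leave towards the internet. `conntrack -L` (from the conntrack-tools package) then shows one entry per hairpinned connection with both the DNAT and the SNAT mapping, which is the quickest way to confirm the reply path is what you expect.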