I have a very simple setup exactly as described in the HOWTO section "4.2. Routing for multiple uplinks/providers". One is cable (eth1: dhcp) and the other is PPPoE (ppp0). I used the following commands to configure the routing once all of my interfaces are up and I have configured SNATing for them:

    ip route add 66.11.173.0/24 dev ppp0 src 66.11.173.224 table 11
    ip route add default via 66.11.190.1 table 11
    ip route add 24.235.240.0/22 dev eth1 src 24.235.240.15 table 12
    ip route add default via 24.235.240.1 table 12
    ip route add 66.11.173.0/24 dev ppp0 src 66.11.173.224
    ip route add 24.235.240.0/22 dev eth1 src 24.235.240.15
    ip rule add from 66.11.173.224 table 11
    ip rule add from 24.235.240.15 table 12

My iptables "nat" setup looks like this:

    Chain POSTROUTING (policy ACCEPT 364 packets, 26735 bytes)
     pkts bytes target     prot opt in   out   source            destination
      258 19801 eth1_masq  all  --  *    eth1  0.0.0.0/0         0.0.0.0/0
        0     0 ppp0_masq  all  --  *    ppp0  0.0.0.0/0         0.0.0.0/0

    Chain eth1_masq (1 references)
     pkts bytes target     prot opt in   out   source            destination
      252 19021 SNAT       all  --  *    *     10.75.22.0/24     0.0.0.0/0     to:24.235.240.15
        0     0 SNAT       all  --  *    *     192.168.66.0/24   0.0.0.0/0     to:24.235.240.15

    Chain ppp0_masq (1 references)
     pkts bytes target     prot opt in   out   source            destination
        0     0 SNAT       all  --  *    *     10.75.22.0/24     0.0.0.0/0     to:66.11.173.224
        0     0 SNAT       all  --  *    *     192.168.66.0/24   0.0.0.0/0     to:66.11.173.224

When an IP packet enters my machine via interface ppp0 everything is fine. However when a responding packet (i.e. a SYN-ACK in response to a SYN) is sent from my machine, it is sent with the correct source address (66.11.173.224) but on the eth1 interface. It is worth noting at this point that eth1 is the default gateway interface.

Is this a problem in that iproute2 selects the default route before SNATting is done to change the source address of the packet, which does not happen of course until POSTROUTING?

Surely I am not the first person who has this need. How does one solve it?
Current routing tables:

    # ip route list
    66.11.190.1 dev ppp0 proto kernel scope link src 66.11.173.224
    66.11.173.0/24 dev ppp0 scope link src 66.11.173.224
    10.75.22.0/24 dev eth0 proto kernel scope link src 10.75.22.254
    24.235.240.0/22 dev eth1 proto kernel scope link src 24.235.240.15
    default via 24.235.240.1 dev eth1

    # ip route list table 11
    66.11.173.0/24 dev ppp0 scope link src 66.11.173.224
    default via 66.11.190.1 dev ppp0

    # ip route list table 12
    24.235.240.0/22 dev eth1 scope link src 24.235.240.15
    default via 24.235.240.1 dev eth1

and current ip rules:

    # ip rule list
    0:      from all lookup local
    32764:  from 24.235.240.15 lookup 12
    32765:  from 66.11.173.224 lookup 11
    32766:  from all lookup main
    32767:  from all lookup default

Any ideas what I am doing wrong?

b.
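
The rule and table listings in the message above, evaluated the way the routing policy database walks them (rules in priority order, longest-prefix match inside each table), as an added example that is not part of the original message. Rule matching uses the source address a packet carries at the routing decision, which precedes the POSTROUTING SNAT. The peer address and the LAN host 10.75.22.5 are constructed, and the "local" and "default" tables are assumed empty for remote destinations.

```python
import ipaddress

# Rules and tables transcribed from the "ip rule list" / "ip route list"
# output in the post. "local" and "default" are left empty (assumption:
# only remote destinations are looked up in this model).
RULES = [
    (0, "0.0.0.0/0", "local"),
    (32764, "24.235.240.15/32", "12"),
    (32765, "66.11.173.224/32", "11"),
    (32766, "0.0.0.0/0", "main"),
    (32767, "0.0.0.0/0", "default"),
]
TABLES = {
    "local": [],
    "default": [],
    "main": [
        ("66.11.190.1/32", "ppp0"),
        ("66.11.173.0/24", "ppp0"),
        ("10.75.22.0/24", "eth0"),
        ("24.235.240.0/22", "eth1"),
        ("0.0.0.0/0", "eth1"),      # default via 24.235.240.1
    ],
    "11": [("66.11.173.0/24", "ppp0"), ("0.0.0.0/0", "ppp0")],
    "12": [("24.235.240.0/22", "eth1"), ("0.0.0.0/0", "eth1")],
}

def lookup(src, dst):
    """Return (table, device) chosen for a packet from src to dst."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(RULES, key=lambda r: r[0]):
        if src_ip not in ipaddress.ip_network(selector):
            continue  # "from" selector does not match this source
        matches = [(ipaddress.ip_network(p), dev) for p, dev in TABLES[table]
                   if dst_ip in ipaddress.ip_network(p)]
        if matches:
            # Longest prefix wins inside the selected table.
            return table, max(matches, key=lambda m: m[0].prefixlen)[1]
    return None, None  # no rule produced a route

PEER = "203.0.113.10"  # constructed remote peer (documentation range)

if __name__ == "__main__":
    # Two uplink addresses from the post plus one constructed LAN host.
    for src in ("66.11.173.224", "24.235.240.15", "10.75.22.5"):
        print(f"from {src:15} to {PEER}: table/dev = {lookup(src, PEER)}")
```

On the router itself, `ip route get 203.0.113.10 from 66.11.173.224` gives the kernel's own answer for the same lookup.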