Hi, All

Sorry for my English, but I need new ideas for my problem.

I have a local network and a server with 2 Internet channels. Local computers connect to the server via VPN.
Task: some users go to the Internet through the first Internet channel, others through the second.
System: Suse 9.2, kernel 2.6.8.

I read the iproute documentation and configured routes. Ping from the server goes through 2 channels:

    ping -I eth_inet1 www.ya.ru - Reply...
    ping -I eth_inet2 www.ya.ru - Reply...

PROBLEM: the server must MASQUERADE local users' (VPN clients') connections and then pass them to the Internet. From VPN clients there is NO connection (no ping) to the Internet (logs below).

I replaced MASQUERADE in iptables with an SNAT rule, because MASQ with kernel 2.6, iproute2 and multiple routing tables logs this:

>MASQUERADE kernel: Route sent us somewhere else.

SNAT works.

Simpler task: there is one Internet interface, but I want to go to the Internet through iproute rules - there is no default gateway in table main. VPN clients and other conditions are present.
Internet gateway - 192.168.21.254 (the same network as the server)

Server info:

ifconfig:
    eth0 Link encap: Ethernet
         inet addr:192.168.21.210
VPN server listens on this interface.
Connected VPN client interface:
    ppp0 Link encap: Point-to-Point Protocol
         inet addr:172.23.1.1 P-t-P:172.23.1.3 Mask:255.255.255.255

>> ip rule show
    0: from all lookup local
    32759: from 172.23.1.3 lookup inet
    32765: from 192.168.21.210 lookup inet
    32766: from all lookup main
    32767: from all lookup default

>> ip route show table local
    local 192.168.21.210 dev eth0 proto kernel scope host src 192.168.21.210
    broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
    local 172.23.1.1 dev ppp0 proto kernel scope host src 172.23.1.1
    broadcast 192.168.21.0 dev eth0 proto kernel scope link src 192.168.21.210
    broadcast 192.168.21.255 dev eth0 proto kernel scope link src 192.168.21.210
    broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
    local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
    192.168.21.0/24 dev eth0 proto kernel scope link src 192.168.21.210
    local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1

>> ip ro show table main
    172.23.1.3 dev ppp0 proto kernel scope link src 172.23.1.1
    192.168.21.0/24 dev eth0 proto kernel scope link src 192.168.21.210
    169.254.0.0/16 dev eth0 scope link
    127.0.0.0/8 dev lo scope link

>> ip ro show table inet
    192.168.21.0/24 dev eth0 proto kernel scope link src 192.168.21.210
    default via 192.168.21.254 dev eth0

>> iptables
filter:
    INPUT ACCEPT
    OUTPUT ACCEPT
    FORWARD
    -A FORWARD -d 213.180.193.123 -j LOG --log-prefix "TO YANDEX "
    -A FORWARD -s 213.180.193.123 -j LOG --log-prefix "FROM YANDEX "
    -A FORWARD -j ACCEPT
nat:
    -A PREROUTING -d ! 192.168.0.0/255.255.0.0 -j LOG --log-prefix "PREROUTING: "
    -A PREROUTING -j ACCEPT
    -A POSTROUTING -s ! 192.168.0.0/255.255.0.0 -j LOG --log-prefix "POSTROUTING: "
    -A POSTROUTING -s 172.23.1.0/255.255.255.0 -d ! 192.168.0.0/255.255.0.0 -j SNAT --to-source 192.168.21.210

>> ping -I 192.168.21.210 www.ya.ru
there is a reply

>> ping www.ya.ru
connect: Network is unreachable

From what interface does ping work by default? How can I view debug/log information about it?

From the VPN client:

>> ping www.ya.ru
there is NO reply

Iptables logs during ping:

Jan 11 19:35:37 SkyPort kernel: PREROUTING: IN=ppp0 OUT= MAC= SRC=172.23.1.3 DST=213.180.193.123 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=8377 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=1792
Jan 11 19:35:37 SkyPort kernel: TO YANDEX IN=ppp0 OUT=eth0 SRC=172.23.1.3 DST=213.180.193.123 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=8377 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=1792
Jan 11 19:35:37 SkyPort kernel: POSTROUTING: IN= OUT=eth0 SRC=172.23.1.3 DST=213.180.193.123 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=8377 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=1792
Jan 11 19:35:38 SkyPort kernel: FROM YANDEX IN=eth0 OUT=ppp0 SRC=213.180.193.123 DST=172.23.1.3 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=56401 PROTO=ICMP TYPE=0 CODE=0 ID=1024 SEQ=1792

And there is no packet outgoing on ppp1 to the VPN client.

But if I additionally type the following commands:

    ip route add 172.23.1.3 dev ppp0 proto kernel scope link src 172.23.1.1 table inet
    ip rule add from any lookup inet

then ping www.ya.ru works from the server and from the VPN client, but it's the same as a general default gateway.

Where is my mistake? Why can't the VPN client go to the Internet?

--
Best regards,
karyon mailto:karyon@xxxxxxx
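
The rule and table dumps in the message can be walked by hand; the Python sketch below does that as an added example (it is not part of the original message). The function `lookup`, the table encoding and the `CASES` list are constructed for illustration, and a locally generated packet from a socket with no bound address is assumed to carry no source at lookup time, so it matches only "from all" rules.

```python
import ipaddress as ip

# Unicast routes transcribed from the post: (prefix, device). The local and
# broadcast entries of table "local" are left out; they match none of the
# destinations tried below.
TABLES = {
    "local": [("192.168.21.0/24", "eth0")],
    "main": [("172.23.1.3/32", "ppp0"), ("192.168.21.0/24", "eth0"),
             ("169.254.0.0/16", "eth0"), ("127.0.0.0/8", "lo")],
    "inet": [("192.168.21.0/24", "eth0"), ("0.0.0.0/0", "eth0")],  # default via .254
    "default": [],
}
# (priority, "from" selector, table), as printed by `ip rule show`.
RULES = [(0, "all", "local"), (32759, "172.23.1.3", "inet"),
         (32765, "192.168.21.210", "inet"), (32766, "all", "main"),
         (32767, "all", "default")]

def lookup(dst, src=None):
    """Return (rule priority, table, device), or None if no route is found."""
    dst = ip.ip_address(dst)
    for prio, selector, table in RULES:  # rules are tried in priority order
        # Assumption: a packet with no source yet (src=None) matches only "from all".
        if selector != "all" and (src is None
                                  or ip.ip_address(src) != ip.ip_address(selector)):
            continue
        hits = [(ip.ip_network(p), dev) for p, dev in TABLES[table]
                if dst in ip.ip_network(p)]
        if hits:  # inside one table the longest matching prefix wins
            return prio, table, max(hits, key=lambda h: h[0].prefixlen)[1]
    return None

CASES = [  # (description, destination, source); 213.180.193.123 is the DST in the logs
    ("server: ping www.ya.ru", "213.180.193.123", None),
    ("server: ping -I 192.168.21.210", "213.180.193.123", "192.168.21.210"),
    ("VPN client echo request", "213.180.193.123", "172.23.1.3"),
    ("echo reply after SNAT is undone", "172.23.1.3", "213.180.193.123"),
]

if __name__ == "__main__":
    for name, dst, src in CASES:
        print(f"{name:34} -> {lookup(dst, src) or 'Network is unreachable'}")
```

The four results line up with what the message reports: no route without `-I`, eth0 for the two source-matched lookups, and ppp0 for the reply, as in the "FROM YANDEX ... OUT=ppp0" log line.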