Re: One machine, two net feeds, outbound route selection

Linux Advanced Routing and Traffic Control

On 10/25/07, Peter Rabbitson <rabbit+list@xxxxxxxxx> wrote:
> Unfortunately not easy without doing local NAT (from the local interface
> to another local interface).

  I thought that might be the case.  I even started to write a rule
about how the NAT might work... but then I ran into brain pain trying
to figure out how, because I didn't know when the packets get what
address/interface info assigned to them, and I didn't know how SNAT
would interact with the routing tables.  Normally, I do SNAT in the
POSTROUTING chain, but by then the routing rules have already run,
right?  So the packet would still be bound for the wrong interface,
even if the source address is translated.  No?

  In other words, let's say $DEF_ADDR is the IP address of the
interface that is going to be picked by the default routing table, but
I really want the packets to go out the $ALT_ADDR interface.  So I try
this:

iptables -t nat -A POSTROUTING -s $DEF_ADDR -p tcp --dport smtp -j SNAT --to $ALT_ADDR

  But the whole point of changing the source address/interface is to
influence which routing rules match, and those have already been
applied by the time the packet traverses the POSTROUTING chain,
right?  In any event, that didn't work.

  So then I thought, well, maybe I can do SNAT in the PREROUTING chain
for this?  But in that case, the kernel won't have assigned it an
address yet, right?  So there's nothing to SNAT.  And I can't do "-s
0/0" because that actually means "match all packets", right?

  So then I thought, well, maybe I can mark the packet in the OUTPUT
chain of the mangle table, and match that in the routing rules, and
*also* match that in the POSTROUTING chain:

iptables -t mangle -A OUTPUT -s $DEF_ADDR -p tcp --dport smtp -j MARK --set-mark 42
ip rule add fwmark 42 table 42
iptables -t nat -A POSTROUTING -m mark --mark 42 -j SNAT --to-source $ALT_ADDR

  I think I tried that and it didn't work either.  It was getting late
and my maintenance window was closing and my brain hurt.

  If this is just one of those "you can't do that" situations, I'm
willing to accept that answer.  But if there is a way, I'd like to
know what it is.  :)

-- Ben
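The fwmark approach in the message above is the usual way to steer locally generated traffic out a non-default interface, but two pieces are missing from the three commands as posted: routing table 42 needs a route of its own (otherwise the `fwmark 42 table 42` rule matches and the lookup simply falls through to the main table), and the mark must be applied in the mangle OUTPUT chain, where the kernel repeats the route lookup for locally generated packets whose mark changed before they reach POSTROUTING. The script below is an added example, not code from the thread or from the LARTC project: it applies the complete rule set in order and can undo it. `DEF_ADDR` and `ALT_ADDR` follow the poster's naming; `ALT_GW`, `ALT_DEV`, the RFC 5737 sample addresses and the interface name are assumed placeholders to be replaced with the real values.

```shell
#!/bin/sh
# Added example (not from the thread): policy-route locally generated SMTP
# traffic out the alternate interface and rewrite its source address.
# Assumed placeholders: ALT_GW (gateway on the alternate link) and ALT_DEV
# (its interface name); DEF_ADDR / ALT_ADDR follow the poster's naming.
# Set DRY_RUN=1 to print the commands instead of executing them.

DEF_ADDR="${DEF_ADDR:-192.0.2.10}"      # address on the default-route interface (constructed)
ALT_ADDR="${ALT_ADDR:-198.51.100.10}"   # address on the alternate interface (constructed)
ALT_GW="${ALT_GW:-198.51.100.1}"        # assumed gateway on the alternate link
ALT_DEV="${ALT_DEV:-eth1}"              # assumed alternate interface name
MARK=42
TABLE=42

# Executes a command, or prints it when DRY_RUN is set (lets the rule set be
# reviewed without root and without touching a live box).
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Applies the full rule set. Order matters:
# 1. table 42 must hold a route, or the fwmark rule matches and falls through
#    to the main table, which picks the default interface again;
# 2. the mark is set in mangle OUTPUT, where the kernel re-runs the route
#    lookup for locally generated packets whose mark changed;
# 3. SNAT in nat POSTROUTING fixes the source address after that re-route.
setup_alt_route() {
    run ip route replace default via "$ALT_GW" dev "$ALT_DEV" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run iptables -t mangle -A OUTPUT -s "$DEF_ADDR" -p tcp --dport smtp \
        -j MARK --set-mark "$MARK"
    run iptables -t nat -A POSTROUTING -m mark --mark "$MARK" \
        -j SNAT --to-source "$ALT_ADDR"
}

# Removes the same rules in reverse order, so a change that misbehaves inside
# a maintenance window can be backed out cleanly.
teardown_alt_route() {
    run iptables -t nat -D POSTROUTING -m mark --mark "$MARK" \
        -j SNAT --to-source "$ALT_ADDR"
    run iptables -t mangle -D OUTPUT -s "$DEF_ADDR" -p tcp --dport smtp \
        -j MARK --set-mark "$MARK"
    run ip rule del fwmark "$MARK" table "$TABLE"
    run ip route flush table "$TABLE"
}

# Counts the commands the dry run would issue; a complete setup is four.
setup_command_count() {
    ( DRY_RUN=1; setup_alt_route ) | wc -l | tr -d ' '
}

case "${1:-}" in
    up)   setup_alt_route ;;
    down) teardown_alt_route ;;
    *)    ( DRY_RUN=1; setup_alt_route ) ;;   # default: show what "up" would do
esac
```

Run it with no argument first to review the generated commands, then `up` to apply and `down` to revert. After applying, `ip route get <smtp-server> mark 42` should show the route via the alternate interface, and a packet capture on `ALT_DEV` should show the rewritten source address; if the capture shows traffic on the default interface instead, the mark is not being set (check the `-s` match against the address the kernel actually chose).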
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
