Hi,

I use netfilter to mark packets based on where they're going:

    iptables -t mangle -A OUTPUT -p udp --dport 37 -j MARK --set-mark 1
    iptables -t mangle -A OUTPUT -p udp --dport 161 -j MARK --set-mark 2

I then use iproute2 to use different routing tables based on the fwmark:

    ip rule add fwmark 1 lookup 10
    ip rule add fwmark 2 lookup 11

Routing table 10 sends the packet through ppp0, table 11 sends it through ppp1.

I've got this in my /etc/ppp/ip-up script:

    if ( $DEVICE == "ppp0" ) then
        /usr/local/sbin/ip route add $REMOTEIP dev $DEVICE proto static scope link src $LOCALIP table 10
        /usr/local/sbin/ip route add 10.10.90.4 via $REMOTEIP dev $DEVICE proto static table 10
        /usr/local/sbin/iptables -t nat -A POSTROUTING -o $DEVICE -j SNAT --to-source $LOCALIP
    endif
    if ( $DEVICE == "ppp1" ) then
        /usr/local/sbin/ip route add $REMOTEIP dev $DEVICE proto static scope link src $LOCALIP table 11
        /usr/local/sbin/ip route add 10.10.90.4 via $REMOTEIP dev $DEVICE proto static table 11
        /usr/local/sbin/iptables -t nat -A POSTROUTING -o $DEVICE -j SNAT --to-source $LOCALIP
    endif

(I tried using "iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE" but that didn't work.)

What happens is the packets are successfully routed, but the SNAT is unsuccessful. With tcpdump locally I see outbound packets using the correct source address, but with tcpdump on the remote machine I see the source address is that of another interface (which looks like it was assigned before the fwmark rule was used).

What's really strange is that I do _see_ reply packets with tcpdump locally, but the reply packets have the wrong destination address, and they never reach the local socket which is listening for them.

I'm running Linux 2.4.4 and using iptables 1.2.2.

Any suggestions would be greatly appreciated.

Thanks,
-Truxton