----- Original Message -----
From: <lartc@manchotnetworks.net>
Sent: Saturday, August 30, 2003 1:54 AM

>
> the netfilter team feels that the issue falls outside the scope of
> iptables, so i thought i might ask your advice:
>

They are right, this is a linux networking issue.

>
> we would like that all applications and protocols (tcp/udp/icmp/arp)
> associated with userid 500 are routed to isp_b using the alias ip address
>
> (A)
> iptables --append OUTPUT --table mangle --match owner \
>     --uid-owner 500 --jump MARK --set-mark 0x2
> ip route add default dev eth3 src 149.174.32.7 table 2
> ip route flush cache

have you checked with the following

# ip rule add fwmark 2 table alternative

>
> (A) doesn't work because iptables won't pick up the source address; it
> can only be changed using --snat
>
> (B)
> iptables --append OUTPUT --table mangle --match owner \
>     --uid-owner 500 --jump MARK --set-mark 0x2
>
> iptables --append POSTROUTING --table nat --match mark \
>     --mark 0x2 --jump SNAT --to-source 192.168.1.100
> ip route flush cache
>
> (B) is an approach to mark the locally generated packets and then snat
> them later in the postrouting chain. this works only for tcp/udp and not
> for icmp/arp.
>
> (C)
> ip route delete 192.168.1.0/24 dev eth1
> ip route add 192.168.1.0/24 dev eth1 src 192.168.1.100
> ip route flush cache
>
> (C) uses ip src address 192.168.1.100 for all tcp/udp/icmp/arp
> communication. OUTPUT ROUTING used the src address
> specified in the ip route statement.
> (B) and (C) are very ugly hacks

--
Sumit
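Added example, not code from the thread: approach (A) completed with the `ip rule` step Sumit points to, packaged as a script with a dry-run mode and the post-checks a practitioner would run (`ip rule show`, `ip route show table 2`, and `ip route get ... mark 0x2` to confirm a marked lookup actually resolves to eth3). The uid, mark, table, interface and alias address are the values from the thread; the test address in the lookup is a documentation-range placeholder.

```bash
#!/bin/sh
# Added example, not code from the thread: approach (A) completed with the
# "ip rule" step Sumit points to. Values come from the thread; DRY_RUN=1
# prints the commands instead of executing them (no root needed).
set -eu

ROUTE_UID=500          # userid whose traffic goes to isp_b
MARK=0x2               # fwmark set in mangle OUTPUT
TABLE=2                # routing table holding the isp_b default route
OUT_IF=eth3            # interface towards isp_b
ALIAS_SRC=149.174.32.7 # alias address used as preferred source

# Execute the command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

uid_policy_route() {
    # 1. Mark locally generated packets owned by the uid (owner match).
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$ROUTE_UID" \
        -j MARK --set-mark "$MARK"
    # 2. The step missing from (A): send marked packets to the alternative table.
    run ip rule add fwmark "$MARK" table "$TABLE"
    # 3. Default route in that table via eth3, alias as preferred source.
    run ip route add default dev "$OUT_IF" src "$ALIAS_SRC" table "$TABLE"
    run ip route flush cache
}

# Post-checks: the rule is listed, the table has its route, and a marked
# lookup resolves to the isp_b interface.
verify_uid_policy_route() {
    run ip rule show
    run ip route show table "$TABLE"
    run ip route get 198.51.100.1 mark "$MARK"   # placeholder test address
}

case "${1:-}" in
    apply) uid_policy_route; verify_uid_policy_route ;;
    show)  DRY_RUN=1; uid_policy_route ;;
    *)     echo "usage: $0 apply|show (set DRY_RUN=1 to print only)" ;;
esac
```

The mark is applied after the socket's source address has already been chosen, so this reroutes the packets out eth3 but, as the thread notes, does not by itself rewrite the source address.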