Marco,

On Fri, 23 Dec 2005, Marco Berizzi wrote:

> Bill Fink wrote:
>
> >This actually worked. Packets were then forwarded out to the
> >HDSL public network, and the HDSL public network host then generated
> >an ICMP echo reply back to the ADSL IP, which I saw via tcpdump on
> >the Linux host on eth1.
> >
> >Unfortunately this was as good as it got. I believe this is because
> >the original POSTROUTING SNAT'ed packet went out eth0, and the reply
> >is coming back on eth1, and the two can't be reconciled to get the
> >reply to be sent back out eth2 to the original source host.
> >
> >However, if you happen to have an unused ADSL public network IP address,
> >you can get this to work (I did), and then you wouldn't even need the
> >patch above. Just SNAT the private IP address to this IP address
> >(call it ADSL NAT IP) instead of the ADSL IP of your Linux box.
> >You will also have to publish an ARP for the ADSL NAT IP on your
> >Linux box, mangle destinations for the ADSL NAT IP to be marked as 2,
> >causing your test routing table to be used, add a host route to your
> >test routing table for the ADSL NAT IP via your HDSL router IP, and
> >ACCEPT packets to or from the ADSL NAT IP in your FORWARD chain.
>
> It is working now: I'm getting echo reply packets ;-)

Great! I'm glad it's working for you now.

> However I have had to add another route to the test routing table
> (beyond the one you suggested):
>
> 172.16.1.25 via 172.16.1.1 dev eth2
>
> (172.16.1.1 is the linux private internal ip address)

I'm not clear why this should be necessary, but if it's working that's
the main thing. What is the 172.16.1.25 IP address?

> because linux was putting the echo reply packets with dest ip 172.16.1.25
> out of eth0 instead of eth2. I think this is happening because I was
> mangling packets with dest 'ADSL NAT IP' as you correctly suggested, in
> the following manner:
>
> iptables -t mangle -I PREROUTING -d 'ADSL NAT IP' -j MARK --set-mark 2

Still not clear how that would route packets for 172.16.1.25 out eth0.

> >This will cause a symmetric path for the ICMP echos and replies
> >between your private host and your HDSL public network host, both
> >looped via the Internet and your two ISPs. At least it worked for
> >me in our lab.
> >
> >I hope this helps.
>
> Thanks for the interest. Have a nice weekend and Christmas 2005.

Likewise wishing you a fabulous Christmas and wonderful New Year!!!

-Bill
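The steps Bill lists above, plus the extra route Marco reported needing, written out as one script. This is an added example, not code from the thread: the interface names and 172.16.1.x addresses follow the thread, the public addresses and the table name are placeholders, and the DRY_RUN switch is an assumption added so the rule set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example, not code from the thread: Bill's spare-IP recipe written out as
# one script, plus the extra route Marco reported. Interface names follow the
# thread; the public addresses and the table name are placeholders.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (needs root).

DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

LAN_IF=eth2                  # private LAN
ADSL_IF=eth0                 # ADSL ISP, carries the default route
HDSL_IF=eth1                 # HDSL ISP
PRIVATE_NET=172.16.1.0/24    # assumed: the LAN behind eth2
TEST_HOST=172.16.1.25        # the private host in the thread
ADSL_NAT_IP=198.51.100.10    # placeholder: unused public IP on the ADSL segment
HDSL_ROUTER=203.0.113.1      # placeholder: the HDSL router
TABLE=test                   # must be listed in /etc/iproute2/rt_tables
MARK=2

setup_symmetric_path() {
    # 1. SNAT the private host to the spare ADSL IP, not the box's own ADSL IP.
    run iptables -t nat -A POSTROUTING -s "$TEST_HOST" -o "$ADSL_IF" \
        -j SNAT --to-source "$ADSL_NAT_IP"
    # 2. Publish ARP for the spare IP on the ADSL segment so its traffic is
    #    delivered to this box (a per-address proxy entry).
    run ip neigh add proxy "$ADSL_NAT_IP" dev "$ADSL_IF"
    # 3. Mark packets addressed to the spare IP (mangle PREROUTING runs before
    #    nat PREROUTING, so the destination is still the spare IP here) and let
    #    the mark select the test table.
    run iptables -t mangle -A PREROUTING -d "$ADSL_NAT_IP" -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" table "$TABLE"
    # 4. Test table: host route for the spare IP via the HDSL router ...
    run ip route add "$ADSL_NAT_IP" via "$HDSL_ROUTER" dev "$HDSL_IF" table "$TABLE"
    #    ... and the counterpart of the LAN route Marco had to add so the
    #    de-SNATed replies for the private host leave via eth2, not eth0.
    run ip route add "$PRIVATE_NET" dev "$LAN_IF" table "$TABLE"
    # 5. FORWARD: the echo from the private host, anything to or from the spare IP,
    #    and the de-SNATed replies back to the LAN.
    run iptables -A FORWARD -s "$TEST_HOST" -o "$ADSL_IF" -j ACCEPT
    run iptables -A FORWARD -d "$ADSL_NAT_IP" -j ACCEPT
    run iptables -A FORWARD -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

setup_symmetric_path
```

Run it once with the default DRY_RUN=1 and compare the printed rules against the existing `ip rule`/`ip route show table test` state before applying them with DRY_RUN=0.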