Re: double packet

Bill Fink wrote:

Marco,

On Fri, 23 Dec 2005, Marco Berizzi wrote:

> Bill Fink wrote:
>
> >This actually worked.  Packets were then forwarded out to the
> >HDSL public network, and the HDSL public network host then generated
> >an ICMP echo reply back to the ADSL IP, which I saw via tcpdump on
> >the Linux host on eth1.
> >
> >Unfortunately this was as good as it got.  I believe this is because
> >the original POSTROUTING SNAT'ed packet went out eth0, and the reply
> >is coming back on eth1, and the two can't be reconciled to get the
> >reply to be sent back out eth2 to the original source host.
> >
> >However, if you happen to have an unused ADSL public network IP address,
> >you can get this to work (I did), and then you wouldn't even need the
> >patch above.  Just SNAT the private IP address to this IP address
> >(call it ADSL NAT IP) instead of the ADSL IP of your Linux box.
> >You will also have to publish an ARP for the ADSL NAT IP on your
> >Linux box, mangle destinations for the ADSL NAT IP to be marked as 2,
> >causing your test routing table to be used, add a host route to your
> >test routing table for the ADSL NAT IP via your HDSL router IP, and
> >ACCEPT packets to or from the ADSL NAT IP in your FORWARD chain.
>
> It is working now: I'm getting echo reply packets ;-)

Great!  I'm glad it's working for you now.

> However I have had to add another route to the test routing table
> (beyond to your suggested):
>
> 172.16.1.25 via 172.16.1.1 dev eth2
>
> (172.16.1.1 is the Linux private internal IP address)

I'm not clear why this should be necessary, but if it's working that's
the main thing.

What is the 172.16.1.25 IP address?

Ahh... the 172.16.1.15 system has been shut down for a fan failure, so I switched
to the 172.16.1.25 system for testing purposes.

> because Linux was putting the echo reply packets with dest IP 172.16.1.25
> out of eth0 instead of eth2. I think this is happening because I was
> mangling packets with dest 'ADSL NAT IP' as you correctly suggested, in the
> following manner:
>
> iptables -t mangle -I PREROUTING -d 'ADSL NAT IP' -j MARK --set-mark 2

Still not clear how that would route packets for 172.16.1.25 out eth0.

[I believe that if I had written the above rule with -i eth1, the
'172.16.1.25 via 172.16.1.1 dev eth2' route would not have been necessary.]

It is also not clear to me why Linux is putting the "unSNATed" echo reply out eth0,
but I think it is marking the echo reply packet coming in from eth0 with mark 2,
so the packet is routed through the test routing table.

Likewise wishing you a fabulous Christmas and wonderful New Year!!!

PS: I didn't wish happy new year because I'm sure I will get in touch soon ;-)
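For readers following the thread, here is the whole setup Bill listed (SNAT to a spare ADSL public address, published ARP, fwmark into a separate routing table, host route via the HDSL router, FORWARD accepts) together with the extra route Marco reported needing and his -i eth1 refinement of the mark rule, collected into one script. This is an added example, not a script from either poster: the interface layout (eth0 = ADSL, eth1 = HDSL, eth2 = private LAN), the public addresses, the numeric id for the "test" table, the use of `ip neigh add proxy` for the ARP publish and the `DRY_RUN` switch are all assumptions made here.

```shell
#!/bin/sh
# Added example, not from the thread. Every public address below is a
# constructed placeholder (TEST-NET ranges); adjust to your own network.
# Assumed layout: eth0 = ADSL, eth1 = HDSL, eth2 = private LAN (Linux box is 172.16.1.1).
# Usage: sh thisfile.sh apply            (as root, applies the rules)
#        DRY_RUN=1 sh thisfile.sh apply  (prints the commands instead)

ADSL_NAT_IP="${ADSL_NAT_IP:-198.51.100.10}"      # unused ADSL public IP (constructed)
HDSL_ROUTER_IP="${HDSL_ROUTER_IP:-203.0.113.1}"  # HDSL router IP (constructed)
PRIVATE_HOST="${PRIVATE_HOST:-172.16.1.25}"      # the test host from the thread
LINUX_PRIVATE_IP="${LINUX_PRIVATE_IP:-172.16.1.1}"
TEST_TABLE="${TEST_TABLE:-100}"                  # numeric id assumed for the "test" table
FWMARK=2

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

setup_asymmetric_nat() {
    # 1. SNAT the private host to the spare ADSL NAT IP instead of the box's own ADSL IP.
    run iptables -t nat -A POSTROUTING -s "$PRIVATE_HOST" -o eth0 -j SNAT --to-source "$ADSL_NAT_IP"
    # 2. Publish an ARP entry for the ADSL NAT IP (interface eth0 is an assumption;
    #    the older "arp -Ds ... pub" form does the same job).
    run ip neigh add proxy "$ADSL_NAT_IP" dev eth0
    # 3. Mark packets for the ADSL NAT IP so the test routing table is used.
    #    MARK lives in the mangle table. The -i eth1 restriction is Marco's point:
    #    he believed that with it the extra route in step 5 would not have been needed.
    run iptables -t mangle -A PREROUTING -i eth1 -d "$ADSL_NAT_IP" -j MARK --set-mark "$FWMARK"
    run ip rule add fwmark "$FWMARK" table "$TEST_TABLE"
    # 4. Host route for the ADSL NAT IP via the HDSL router, in the test table.
    run ip route add "$ADSL_NAT_IP" via "$HDSL_ROUTER_IP" dev eth1 table "$TEST_TABLE"
    # 5. The route Marco added so that de-SNATed echo replies for the private host
    #    leave via eth2 even when the lookup lands in the test table.
    run ip route add "$PRIVATE_HOST" via "$LINUX_PRIVATE_IP" dev eth2 table "$TEST_TABLE"
    # 6. ACCEPT packets to or from the ADSL NAT IP in FORWARD, as Bill listed.
    run iptables -A FORWARD -d "$ADSL_NAT_IP" -j ACCEPT
    run iptables -A FORWARD -s "$ADSL_NAT_IP" -j ACCEPT
}

case "${1:-}" in
    apply) setup_asymmetric_nat ;;
    *) ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Running it with `DRY_RUN=1` first is the cheap sanity check: it lists the eight commands in order so the placeholders and interface names can be reviewed before anything touches the live ruleset.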
