Thanks for the reply Peter,

That's the sorta setup I was playing with yesterday. Kinda kludgey but it would work. What would be nice is if connection tracking would log the source interface of the last packet. That way in the PREROUTING table I could check that and change the mark on the packet so that it would pick a different routing table. Perhaps I should look at implementing that on my setup to see how it works...

The only other way I thought of doing it was using TOS bits inside the network (say give an 8 to anything coming over the WAN and a 16 to anything coming over the WLAN), but I can't find a way to make my Sun boxes set the same TOS for related packets...

If anyone else has ideas, comments, etc... on this I'm always up to listen.

-Evan

On Mon, 2003-01-20 at 02:50, Peter Johnson wrote:
> Ok, gotcha now...
>
> Still do
> ip rule add from $WAN_IP table $WAN_TABLE
> ip rule add from $WLAN_IP table $WLAN_TABLE
> and
> ip route add default via $WAN_PEER_IP dev $WAN_IF table $WAN_TABLE
> ip route add default via $WLAN_PEER_IP dev $WLAN_IF table $WLAN_TABLE
>
> Add iptables rules approximately as follows:
>
> $IPTABLES -t nat -A PREROUTING -i $WAN_IF -j DNAT --to-destination $DMZ_IP_0-16
> $IPTABLES -t nat -A PREROUTING -i $WLAN_IF -j DNAT --to-destination $DMZ_IP_17-32
>
> $IPTABLES -t nat -A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP
> $IPTABLES -t nat -A POSTROUTING -o $WLAN_IF -j SNAT --to-source $WLAN_IP
>
> $IPTABLES -t filter -A FORWARD -i $WAN_IF -o $DMZ_IF -j ACCEPT
> $IPTABLES -t filter -A FORWARD -i $WLAN_IF -o $DMZ_IF -j ACCEPT
>
> That takes care of the initial connection i.e. SYN packets. The IPTables
> nat table is only used on the initial packet on each connection.
>
> For the actual routing, the only thing that I can think of is assigning
> two IPs (aliases) to each server in the DMZ say .0-16 for WAN and 17-32
> for WLAN then using
>
> $IPTABLES -t mangle -A PREROUTING -s $DMZ_IP_0-16 -j MARK --set-mark 1
> and
> $IPTABLES -t mangle -A PREROUTING -s $DMZ_IP_17-32 -j MARK --set-mark 2
>
> then add
>
> ip rule add fwmark 1 table $WAN_TABLE
> and
> ip rule add fwmark 2 table $WLAN_TABLE
>
>
> Sorry but that is all I can come up with at the moment.
>
> PJ

-- 
Evan Borgstrom <evan@unixpimps.org>
http://www.unixpimps.org
http://www.ragga-jungle.com
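The following script is an added example and not code from this thread, from Peter or from Evan. It puts the approach discussed above into one place: a routing table per uplink, "from" rules so the gateway's own SNATed traffic leaves through the uplink whose address it carries, and fwmark rules that send replies from each DMZ alias range back out the uplink the request came in on. Every interface name, address, table number and port is a constructed placeholder; the WLAN table's default route is bound to the WLAN interface. With DRY_RUN=1 (the default unless the script is invoked with "apply") the commands are printed rather than executed, so the rule set can be reviewed before it is loaded as root.

```shell
#!/bin/sh
# Added example, not code from the thread: a dual-uplink gateway in front of
# a DMZ, built along the lines discussed (per-uplink routing tables, "from"
# rules for the gateway's own addresses, fwmark rules for DMZ alias ranges).
# Every address, interface, table number and port below is a constructed
# placeholder. With DRY_RUN set the commands are printed instead of executed.

WAN_IF=eth0;  WAN_IP=198.51.100.2;  WAN_PEER_IP=198.51.100.1
WLAN_IF=eth1; WLAN_IP=203.0.113.2;  WLAN_PEER_IP=203.0.113.1
DMZ_IF=eth2
DMZ_WAN_NET=10.0.0.0/28      # DMZ aliases .1-.14: answered via the WAN uplink
DMZ_WLAN_NET=10.0.0.16/28    # DMZ aliases .17-.30: answered via the WLAN uplink
WEB_WAN=10.0.0.1             # the web server's WAN-side alias
WEB_WLAN=10.0.0.17           # the same web server's WLAN-side alias
WAN_TABLE=100; WLAN_TABLE=200
IPTABLES=${IPTABLES:-iptables}

# Execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_policy_routing() {
    # One routing table per uplink, each with its own default route
    # through that uplink's peer and interface.
    run ip route add default via "$WAN_PEER_IP"  dev "$WAN_IF"  table "$WAN_TABLE"
    run ip route add default via "$WLAN_PEER_IP" dev "$WLAN_IF" table "$WLAN_TABLE"
    # Traffic sourced from an uplink's own address (the SNATed flows) must
    # leave through that uplink, whatever the main table's default route is.
    run ip rule add from "$WAN_IP"  table "$WAN_TABLE"
    run ip rule add from "$WLAN_IP" table "$WLAN_TABLE"
    # Packets marked in the mangle table are routed by the matching table.
    run ip rule add fwmark 1 table "$WAN_TABLE"
    run ip rule add fwmark 2 table "$WLAN_TABLE"
    # Make the new rules take effect for already-cached destinations.
    run ip route flush cache
}

setup_firewall() {
    # Mark DMZ replies by the alias range they are sent from, so the fwmark
    # rules above send them back out the uplink the request arrived on.
    run "$IPTABLES" -t mangle -A PREROUTING -i "$DMZ_IF" -s "$DMZ_WAN_NET"  -j MARK --set-mark 1
    run "$IPTABLES" -t mangle -A PREROUTING -i "$DMZ_IF" -s "$DMZ_WLAN_NET" -j MARK --set-mark 2
    # Inbound web requests are DNATed to the alias that belongs to the uplink
    # they arrived on; conntrack reverses the translation on the replies.
    run "$IPTABLES" -t nat -A PREROUTING -i "$WAN_IF"  -p tcp --dport 80 -j DNAT --to-destination "$WEB_WAN"
    run "$IPTABLES" -t nat -A PREROUTING -i "$WLAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_WLAN"
    # Connections the DMZ opens outward get the address of the uplink they leave on.
    run "$IPTABLES" -t nat -A POSTROUTING -o "$WAN_IF"  -j SNAT --to-source "$WAN_IP"
    run "$IPTABLES" -t nat -A POSTROUTING -o "$WLAN_IF" -j SNAT --to-source "$WLAN_IP"
    # Forwarding: replies to tracked connections, new web connections from
    # either uplink into the DMZ, new connections out of the DMZ, nothing else.
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$WAN_IF"  -o "$DMZ_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$WLAN_IF" -o "$DMZ_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$DMZ_IF" -m state --state NEW -j ACCEPT
}

# Print the commands unless invoked as "apply" (which needs root).
[ "${1:-}" = apply ] || DRY_RUN=1
setup_policy_routing
setup_firewall
```

Run it without arguments to see the exact ip and iptables commands it would issue, and `sh script.sh apply` as root to load them. The FORWARD chain is deliberately narrower than "accept everything from the uplinks": only new web connections are admitted into the DMZ, everything else relies on conntrack's ESTABLISHED,RELATED state, so a misrouted reply is dropped rather than forwarded. The thing Evan wishes for, conntrack remembering which uplink a connection came in on, is what the later CONNMARK target (`--save-mark` on the inbound packet, `--restore-mark` on the DMZ's replies) provides; with it the alias ranges become unnecessary, because the mark itself follows the connection.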