I have sort of a combination problem of this type. I did the routes in section 4.2 of the Advanced Routing HOWTO and that was OK, but now I need to have everything go out interface ppp0 except mail, which must go out eth1, and I need whatever goes out eth1 to have a certain IP address and whatever goes out ppp0 to have a certain IP address.

What I did was to use table mail.out like in the example in the HOWTO, like this:

  ip rule add fwmark 1 table mail.out || exit 1
  ip route add default via <remote gateway for eth1> dev eth1 table mail.out || exit 1

Then I issued the following iptables commands:

  iptables -t mangle -A PREROUTING -i eth1 -p tcp --dport 25 -j MARK --set-mark 1
  iptables -t nat -A POSTROUTING -o eth1 -j SNAT -p tcp --sport 25 --to <ip address for eth1>
  iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to <ip address for ppp0>

I thought I would need something for the OUTPUT chain as well, but I kept getting "invalid argument" when I tried to put the same rule into the OUTPUT chain as the one I put into the POSTROUTING chain.

So what am I doing wrong here?

Thanks.

On Mon, 24 Feb 2003 22:11:38 -0500 Joel Newkirk <netfilter@xxxxxxxxxx> wrote:

>
> Yep. DNAT changes the destination, the FINAL destination. Everything
> you DNAT with this rule is sent TO the router, not THROUGH the router.
>
> You want to work with routing instead of NAT, because you only want to
> change the route used to reach that destination. The Linux Advanced
> Routing and Traffic Control Howto ( http://lartc.org/howto ) has a
> helpful section "Routing for Multiple Uplinks" at
> http://lartc.org/howto/lartc.rpdb.multiple-links.html that should tell
> you what you want.
>
> Basically you need to create 2 routing tables, with an upstream router as
> the default route in each. Make the 'main' router the overall default,
> and the secondary router has a rule that sends specific traffic to it.
>
> You can source-route ("Prev" from the Multiple-Uplink section linked
> above) just with the routing configuration, or you can use the MARK
> target in mangle PREROUTING with iptables to flag the traffic destined
> for it, and then set up a routing rule based on the fwmark, as explained
> in http://lartc.org/howto/lartc.netfilter.html . From what you
> outlined, source routing is your simplest solution, and won't directly
> involve iptables at all. MARK is more useful in situations where you
> need to send specific types of traffic, rather than specific sources,
> through a different route.
>
> j

-- 
John Covici
covici@xxxxxxxxxxxxxx
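An added example, not code from either poster: a POSIX shell script that lays out the complete ruleset the thread is discussing (an fwmark-based lookup into table mail.out, MARK rules for SMTP, and SNAT chosen by outgoing interface) in dry-run form, so the commands can be inspected before anything is applied. The interfaces eth1 and ppp0, the table name mail.out and mark 1 come from the post; the gateway, the two source addresses, the LAN interface name and the DRY_RUN/LAN_IF/MAIL_GW/MAIL_SRC/DEFAULT_SRC variables are placeholders and assumptions. Two points of netfilter behaviour the script encodes: packets generated on the router itself never traverse mangle PREROUTING, so the mark has to be set in mangle OUTPUT as well for local mail to hit the fwmark rule, and an outbound SMTP connection has destination port 25 (its source port is ephemeral), so the SNAT match is on --dport.

```shell
#!/bin/sh
# Added example (not from the thread): two-uplink policy routing for
# outbound SMTP. Interface names, table name and mark come from the post;
# every address below is a placeholder you must replace.
set -eu

MAIL_IF=eth1
DEFAULT_IF=ppp0
LAN_IF=${LAN_IF:-eth0}                      # assumption: inside interface
MAIL_GW=${MAIL_GW:-192.0.2.1}               # placeholder: gateway on eth1
MAIL_SRC=${MAIL_SRC:-192.0.2.10}            # placeholder: address on eth1
DEFAULT_SRC=${DEFAULT_SRC:-198.51.100.10}   # placeholder: address on ppp0
MARK=1
TABLE=mail.out          # name must be listed in /etc/iproute2/rt_tables
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands; DRY_RUN=0 applies them (root)

# Either print the command or execute it, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Routing side: a packet carrying the mark is looked up in table mail.out,
# whose only route is a default via the eth1 gateway.
routing_rules() {
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$MAIL_GW" dev "$MAIL_IF" table "$TABLE"
}

# Marking side: forwarded packets from the LAN pass mangle PREROUTING,
# but packets generated on this host only pass mangle OUTPUT, so both
# chains set the mark (the kernel re-routes a locally generated packet
# after mangle OUTPUT changes its mark).
mark_rules() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 25 \
        -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -p tcp --dport 25 \
        -j MARK --set-mark "$MARK"
}

# SNAT side: choose the source address by outgoing interface. Outbound
# SMTP has destination port 25, so the mail rule matches --dport, not
# --sport; everything else leaving ppp0 gets the ppp0 address.
nat_rules() {
    run iptables -t nat -A POSTROUTING -o "$MAIL_IF" -p tcp --dport 25 \
        -j SNAT --to-source "$MAIL_SRC"
    run iptables -t nat -A POSTROUTING -o "$DEFAULT_IF" \
        -j SNAT --to-source "$DEFAULT_SRC"
}

apply_all() { routing_rules; mark_rules; nat_rules; }

# Consistency check on the ruleset: every MARK rule in PREROUTING needs a
# counterpart in OUTPUT, otherwise mail sent by the router itself falls
# through to the main table and leaves via ppp0. Returns 0 when balanced.
check_local_marking() {
    rules=$( DRY_RUN=1; mark_rules )
    pre=$(printf '%s\n' "$rules" | grep -c 'PREROUTING.*-j MARK' || true)
    out=$(printf '%s\n' "$rules" | grep -c 'OUTPUT.*-j MARK' || true)
    [ "$pre" -eq "$out" ]
}

if [ "${1:-}" = apply ]; then
    check_local_marking
    apply_all
fi
```

Run with no arguments it defines the functions only; `sh script.sh apply` prints the full command list, and `DRY_RUN=0 sh script.sh apply` executes it as root. The `ip rule` line only accepts the name mail.out once it has been added to /etc/iproute2/rt_tables, which is the step the LARTC HOWTO's multiple-uplinks section walks through.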