Antony Stone wrote:
> On Friday 13 August 2004 5:42 pm, dravya wrote:
>
>> Hello all,
>>
>> I have a system setup with two phones/interfaces (ppp0 and ppp1). I
>> access the internet via these two interfaces only.
>>
>> I have the following rules in my iptables:
>>
>> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>> iptables -t nat -A POSTROUTING -o ppp1 -j MASQUERADE
>>
>> and yet when a machine on my network uses my machine as the gateway
>> to ping outside, packets travel on the wrong link, causing a change of
>> IP address of the phones. I have tested this using ethereal and it
>> clearly shows a ppp0 packet (src add of ppp0) outgoing on ppp1, as I
>> was capturing on ppp1. Also, iptables is masquerading, as it shows
>> the number of packets it masqueraded.
>
> I agree with you that the above rules ought to ensure that packets
> going out of each interface have the appropriate source address.
>
> What does your routing table look like (presumably you are using
> iproute2 to balance traffic, or route based on source etc., to share
> the two links)?

I've run into this in the past. The reason that netfilter doesn't
conntrack back to the same interface is that netfilter doesn't
regularly do routing (the interface isn't kept in the conntrack table).

I've fixed this problem myself by policy routing all traffic, then
binding it to return via the same interface. This is done by utilizing
the MARK and CONNMARK extensions. So, an example in your case would be:

MY_POLICY_ETH0=1
MY_POLICY_ETH1=2
MY_POLICY_DEFAULT=2

# INET1, INET2 and INET3 are the incoming interfaces; set them for your setup.
# First, copy any mark already saved on the connection back onto the packet.
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
# Packets of an already-classified connection need no further work.
iptables -t mangle -A PREROUTING -i ${INET1} -m mark ! --mark 0 -j ACCEPT
# First packet of a new connection (mark still 0): mark it by incoming interface.
iptables -t mangle -A PREROUTING -i ${INET1} -m mark --mark 0 -j MARK --set-mark ${MY_POLICY_ETH0}
iptables -t mangle -A PREROUTING -i ${INET2} -m mark --mark 0 -j MARK --set-mark ${MY_POLICY_ETH1}
iptables -t mangle -A PREROUTING -i ${INET3} -m mark --mark 0 -j MARK --set-mark ${MY_POLICY_DEFAULT}
# Store the packet mark on the connection so every later packet gets it back.
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Make sure to do the same for the OUTPUT chain if you have the same issue
with locally sourced data.

iproute2 would have two routing tables exactly like the main table except
that the default route points to favor the interface you'd like to output
traffic to.

# ip route list table 1
..
default via <ext_gw_eth0> dev eth0 src <ext_ip_eth0>

# ip route list table 2
..
default via <ext_gw_eth1> dev eth1 src <ext_ip_eth1>

I'm assuming you have a working knowledge of iproute2. Please follow up if
you need more help.
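The setup described in the reply above, written out end to end as an added example; this is not code from the original thread. It specialises the recipe to the poster's case (uplinks ppp0 and ppp1, a LAN on eth0) and fills in the parts the reply only mentions: the OUTPUT chain for locally generated traffic, the per-uplink routing tables, and the `ip rule` entries that tie each mark to its table. The LAN subnet, the uplink addresses (taken from documentation ranges), and the mark, table and rule preference numbers are all assumptions. Because ppp links are point-to-point, the default routes use `dev` rather than `via <gw>`; an ethernet uplink would need the `via` form shown in the reply.

```shell
#!/bin/sh
# Added example, not from the original thread: emits the full CONNMARK +
# iproute2 policy-routing setup for two uplinks (ppp0, ppp1) and a LAN (eth0).
# Addresses, subnet and mark/table numbers below are assumptions.
# Usage: sh multiwan.sh          -> print the commands (dry run)
#        sh multiwan.sh apply    -> execute them (needs root)

LAN_IF=eth0
LAN_NET=192.168.1.0/24                              # assumed LAN subnet
WAN1_IF=ppp0; WAN1_MARK=1; WAN1_IP=192.0.2.10        # placeholder address
WAN2_IF=ppp1; WAN2_MARK=2; WAN2_IP=198.51.100.10     # placeholder address
DEFAULT_MARK=$WAN2_MARK     # new connections from the LAN leave via ppp1

# Mangle rule classifying the first packet of a new connection by the
# interface it came in on. Only unmarked packets (mark 0 after the
# CONNMARK restore) reach it, so established connections are left alone.
mark_new_conn_rule() {
    echo "iptables -t mangle -A PREROUTING -i $1 -m mark --mark 0 -j MARK --set-mark $2"
}

# Per-uplink routing table: the same LAN route as the main table, plus a
# default route out of that uplink with its own source address, selected
# by fwmark. Table number == mark number keeps the mapping obvious.
uplink_route_rules() {
    ifc=$1; mark=$2; ip=$3; pref=$((100 + mark))
    echo "ip route flush table $mark"
    echo "ip route add $LAN_NET dev $LAN_IF table $mark"
    echo "ip route add default dev $ifc src $ip table $mark"
    # pref 101/102 sit before main (32766), so the mark wins; the del
    # keeps re-runs from stacking duplicate rules.
    echo "ip rule del fwmark $mark table $mark pref $pref 2>/dev/null || true"
    echo "ip rule add fwmark $mark table $mark pref $pref"
}

gen_ruleset() {
    # 1. Forwarded and inbound traffic: restore, classify once, save.
    echo "iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark"
    echo "iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT"
    mark_new_conn_rule "$WAN1_IF" "$WAN1_MARK"      # replies go back out ppp0
    mark_new_conn_rule "$WAN2_IF" "$WAN2_MARK"      # replies go back out ppp1
    mark_new_conn_rule "$LAN_IF"  "$DEFAULT_MARK"   # LAN-originated: default link
    echo "iptables -t mangle -A PREROUTING -j CONNMARK --save-mark"
    # 2. Locally generated traffic: the same dance in OUTPUT, so that the
    #    gateway's own replies to a ppp0 connection are routed via table 1.
    echo "iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark"
    echo "iptables -t mangle -A OUTPUT -m mark --mark 0 -j MARK --set-mark $DEFAULT_MARK"
    echo "iptables -t mangle -A OUTPUT -j CONNMARK --save-mark"
    # 3. Masquerade with the address of whichever uplink routing chose.
    echo "iptables -t nat -A POSTROUTING -o $WAN1_IF -j MASQUERADE"
    echo "iptables -t nat -A POSTROUTING -o $WAN2_IF -j MASQUERADE"
    # 4. One routing table per uplink, reached through the packet mark.
    uplink_route_rules "$WAN1_IF" "$WAN1_MARK" "$WAN1_IP"
    uplink_route_rules "$WAN2_IF" "$WAN2_MARK" "$WAN2_IP"
    echo "ip route flush cache"
}

case "${1:-print}" in
    apply) gen_ruleset | sh -e ;;
    *)     gen_ruleset ;;
esac
```

Each uplink table carries the LAN route as well as its default route: a table containing a default route matches every destination, so the lookup never falls through to main, and without the LAN route a marked packet bound for the LAN would be sent out the ppp link. The `iptables -A` lines append and are not idempotent; flush the mangle and nat chains, or check with `iptables -C`, before running `apply` a second time.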