Why not use netfilter's SNAT and static routes via the route command? You can use route to define the outgoing path for specific traffic: For example: route add -net 192.168.0.0 netmask 255.255.0.0 dev eth1 -Matin On 6/8/05, Jeff Simmons <jsimmons@xxxxxxxxxxxxxxx> wrote: > OK, a little more specific. > > I have an iptables firewall with a server behind it. The server has a > non-routable address (192.168) so the firewall's IP address:port is DNAT'd > to the server's address:port. > > Incoming packets to the server first encounter the firewall's external > interface (EXT_IF), where the prerouting DNAT rule rewrites the IP layer > destination address (EXT_ADDR) to the server's address (SERV_ADDR). The > packet is then passed on to the routing function, which determines that the > packet needs forwarding via the internal interface (INT_IF). The packet is > then passed through any appropriate iptables forwarding chains, then to the > post-routing function of iptables (which in this case does nothing), and > finally out INT_IF to destination SERV_ADDR. > > There's a nice diagram of this at: > > http://www.policyrouting.org/PolicyRoutingBook/ONLINE/CH03.web.html > > down in section 3.3.2. > > Now, to the reply from the server. When the packet leaves the server, its IP > layer will show source SERV_ADDR destination REMOTE_ADDR. But when the packet > arrives at the remote, it will show source EXT_ADDR destination REMOTE_ADDR. > It gets rewritten somewhere. > > My understanding is the rewriting is done by the state engine, which basically > maintains a rule that any outbound packet SERV_ADDR:port -> REMOTE_ADDR:port > gets changed to EXT_ADDR:port -> REMOTE_ADDR:port. But where in the chain > does this happen? > > Scenario one: it happens on INT_IF prerouting. If this is the case, then I can > use source routing with iproute2. > > Scenario two: it happens on EXT_IF postrouting. Then iproute2 can't do the > kind of source routing I need to do, and I'll have to find another solution. > > (Note that with standard destination routing, it doesn't matter where the > packet gets rewritten. But with source routing it matters greatly.) > > The reality is, the box I'm working on has 4 T1s coming in, a DMZ with > routable IP addresses, and two LANS with non-routable addresses where both > contain servers that need to be contacted by the outside world via DNAT. It's > a big, messy, ugly project, but I need to know if I can use iproute2 to be > sure that return packets from all the servers go out the T1 they came in on. > > Any help, pointers, or FMs that I can RTFM would be GREATLY appreciated. > > -- > Jeff Simmons jsimmons@xxxxxxxxxxxxxxx > Simmons Consulting - Network Engineering, Administration, Security > > "You guys, I don't hear any noise. Are you sure you're doing it right?" > -- My Life With The Thrill Kill Kult > >
