Grant, Luis

With your help, I have found the magic commands to make this work! Thanks again!

For your, and anyone else's interest, the answer is:

====================== IPTABLES commands =================================
#!/bin/sh

IPTABLES="/sbin/iptables"

# prevent incoming packets on masqueraded connections from being dropped
# as "martians" due to the destination address being translated before the
# rp_filter check is performed
# MATT NOTES: this does not seem to be necessary...
#echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
#echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter

#Time to clean house

#Clear out any existing firewall rules, and any chains that might have
#been created
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X

#Setup our policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

#This enables ip forwarding, and thus by extension, NAT
echo 1 > /proc/sys/net/ipv4/ip_forward

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe iptable_nat

#Our actual rules

#Our NAT stuff
#Source NAT everything heading out the external interface to be the
#given IP.
$IPTABLES -t nat -A POSTROUTING -o eth1 -j SNAT --to 100.100.251.218
$IPTABLES -t nat -A POSTROUTING -o eth2 -j SNAT --to 200.200.64.140

#Mark incoming packets for later routing
$IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark
$IPTABLES -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 11
$IPTABLES -t mangle -A PREROUTING -i eth2 -j MARK --set-mark 12

#save mark on outgoing packets
$IPTABLES -t mangle -A POSTROUTING -j CONNMARK --save-mark

#These are the rules for publishing the internal server
$IPTABLES -t nat -A PREROUTING -i eth1 -p tcp --dport 56100 -j DNAT --to 192.168.0.5
$IPTABLES -t nat -A PREROUTING -i eth2 -p tcp --dport 56100 -j DNAT --to 192.168.0.5

================== IPROUTE2 STUFF ===========================
# Set up supplementary routing tables
ip route add 100.100.251.216/29 dev eth1 src 100.100.251.218 table T1
ip route add default via 100.100.251.217 table T1
ip route add 200.200.64.136/29 dev eth2 src 200.200.64.140 table T2
ip route add default via 200.200.64.137 table T2

# Not necessary as these routes are added by configuring network cards
#ip route add 100.100.251.216/29 dev eth1 src 100.100.251.218
#ip route add 200.200.64.136/29 dev eth2 src 200.200.64.140

# set default route for traffic originating from this machine to go via third router
# not necessarily what other people may want to do, as you may want outgoing traffic
# going through eth1/eth2 in some load balanced way
ip route add default via 192.168.0.252

ip rule add from 100.100.251.218 table T1
ip rule add from 200.200.64.140 table T2

#not sure what this does, but is recommended in Advanced Routing HOWTO
ip route add 192.168.0.0/24 dev eth0 table T1
ip route add 200.200.64.136/29 dev eth2 table T1
ip route add 127.0.0.0/8 dev lo table T1
ip route add 192.168.0.0/24 dev eth0 table T2
ip route add 100.100.251.216/29 dev eth1 table T2
ip route add 127.0.0.0/8 dev lo table T2

#route based on mark
ip rule add fwmark 11 table T1
ip rule add fwmark 12 table T2
================================================

Regards,

Matt.
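
The scheme in the post only works if every mark set in the mangle table has a matching "ip rule ... fwmark" entry, the table that rule names is defined in /etc/iproute2/rt_tables, and that table has a default route. The following consistency check is an added example and not part of the original post; the sample inputs are constructed from the rules above, and the rt_tables ids 201/202 and the function name audit_marks are assumptions, since the post does not show that file.

```shell
#!/bin/sh
# Added example: consistency check for a fwmark-based multi-uplink setup.
# All sample inputs are constructed; rt_tables ids 201/202 are assumed.

RULES='-t mangle -A PREROUTING -i eth1 -j MARK --set-mark 11
-t mangle -A PREROUTING -i eth2 -j MARK --set-mark 12'

IPRULES='ip rule add fwmark 11 table T1
ip rule add fwmark 12 table T2'

ROUTES='ip route add default via 100.100.251.217 table T1
ip route add default via 200.200.64.137 table T2'

RT_TABLES='201 T1
202 T2'

# audit_marks RULES IPRULES ROUTES RT_TABLES
# Prints one line per problem and returns the number of problems found.
audit_marks() {
    problems=0
    # Every mark assigned by a MARK target must be routable.
    for mark in $(printf '%s\n' "$1" | sed -n 's/.*--set-mark \([0-9][0-9]*\).*/\1/p'); do
        # Find the routing table selected for this mark.
        table=$(printf '%s\n' "$2" | sed -n "s/.*fwmark $mark table \([^ ]*\).*/\1/p" | head -n 1)
        if [ -z "$table" ]; then
            echo "mark $mark: no 'ip rule ... fwmark $mark' entry"
            problems=$((problems + 1)); continue
        fi
        # A named table must be declared in rt_tables.
        if ! printf '%s\n' "$4" | grep -Eq "^[0-9]+[[:space:]]+$table\$"; then
            echo "mark $mark: table $table not defined in rt_tables"
            problems=$((problems + 1))
        fi
        # Without a default route the marked replies fall through to main.
        if ! printf '%s\n' "$3" | grep -Eq "default via .* table $table\$"; then
            echo "mark $mark: table $table has no default route"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

audit_marks "$RULES" "$IPRULES" "$ROUTES" "$RT_TABLES" \
    && echo "marks, rules and tables are consistent"
```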