Re: [LARTC] One machine, two net feeds, outbound route selection

[Alex Samad <alex@samad.com.au>]

[-- Attachment #1.1: Type: text/plain, Size: 2715 bytes --]

On Thu, Oct 25, 2007 at 02:00:14PM -0400, Ben Scott wrote:
> On 10/25/07, Peter Rabbitson <rabbit+list@rabbit.us> wrote:
> > Unfortunately not easy without doing local NAT (from the local interface
> > to another local interface).

Can you use marking, mark the packet in the mangle table, us iptables to select 
the which packets and then use ip rules fw mark -> routing table (sorry about 
the syntax)



> 
>   I thought that might be the case.  I even started to write a rule
> about how the NAT might work... but then I ran into brain pain trying
> to figure out how, because I didn't know when the packets get what
> address/interface info assigned to them, and I didn't know how SNAT
> would interact with the routing tables.  Normally, I do SNAT in the
> POSTROUTING chain, but by then the routing rules have already run,
> right?  So the packet would still be bound for the wrong interface,
> even if the source address is translated.  No?
> 
>   In other words, let's say $DEF_ADDR is the IP address of the
> interface that is going to be picked by the default routing table, but
> I really want the packets to go out the $ALT_ADDR interface.  So I try
> this:
> 
> iptables -t nat -A POSTROUTING -s $DEF_ADDR -p tcp --dport smtp -j
> SNAT --to $ALT_ADDR
> 
>   But the whole point of changing the source address/interface is to
> influence which routing rules match, and those have already been
> applied by the time the packet transverses the POSTROUTING chain,
> right?  In any event, that didn't work.
> 
>   So then I thought, well, maybe I can do SNAT in the PREROUTING chain
> for this?  But in that case, the kernel won't have assigned it an
> address yet, right?  So there's nothing to SNAT.  And I can't do "-s
> 0/0" because that actually means "match all packets", right?
> 
>   So then I thought, well, maybe I can mark the packet in the OUTPUT
> chain of the mangle table, and match that in the routing rules, and
> *also* match that in the POSTROUTING chain:
> 
> iptables -t mangle -A OUTPUT -s $DEF_ADDR -p tcp --dport smtp -j MARK
> --set-mark 42
> ip rule add fwmark 42 table 42
> iptables -t nat -A POSTROUTING -m mark --mark 42 -j SNAT --to-source $ALT_ADDR
> 
>   I think I tried that and it didn't work either.  It was getting late
> and my maintenance window was closing and my brain hurt.
> 
>   If this is just one of those "you can't do that" situations, I'm
> willing to accept that answer.  But if there is a way, I'd like to
> know what it is.  :)
> 
> -- Ben
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
> 

[-- Attachment #1.2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

[-- Attachment #2: Type: text/plain, Size: 143 bytes --]

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc