From: Alex Samad
Date: Thu, 25 Oct 2007 21:16:13 +0000
Subject: Re: [LARTC] One machine, two net feeds, outbound route selection
Message-Id: <20071025211613.GP26246@samad.com.au>
References: <59f980d60710241725p5ca9cca2ueb5edc12675f62e3@mail.gmail.com>
In-Reply-To: <59f980d60710241725p5ca9cca2ueb5edc12675f62e3@mail.gmail.com>
To: lartc@vger.kernel.org

On Thu, Oct 25, 2007 at 02:00:14PM -0400, Ben Scott wrote:
> On 10/25/07, Peter Rabbitson wrote:
> > Unfortunately not easy without doing local NAT (from the local interface
> > to another local interface).

Can you use marking: mark the packet in the mangle table, use iptables to
select which packets, and then use ip rules fw mark -> routing table (sorry
about the syntax)?

>
> I thought that might be the case. I even started to write a rule
> about how the NAT might work... but then I ran into brain pain trying
> to figure out how, because I didn't know when the packets get what
> address/interface info assigned to them, and I didn't know how SNAT
> would interact with the routing tables. Normally, I do SNAT in the
> POSTROUTING chain, but by then the routing rules have already run,
> right? So the packet would still be bound for the wrong interface,
> even if the source address is translated. No?
>
> In other words, let's say $DEF_ADDR is the IP address of the
> interface that is going to be picked by the default routing table, but
> I really want the packets to go out the $ALT_ADDR interface. So I try
> this:
>
> iptables -t nat -A POSTROUTING -s $DEF_ADDR -p tcp --dport smtp -j
> SNAT --to $ALT_ADDR
>
> But the whole point of changing the source address/interface is to
> influence which routing rules match, and those have already been
> applied by the time the packet traverses the POSTROUTING chain,
> right? In any event, that didn't work.
>
> So then I thought, well, maybe I can do SNAT in the PREROUTING chain
> for this? But in that case, the kernel won't have assigned it an
> address yet, right? So there's nothing to SNAT. And I can't do "-s
> 0/0" because that actually means "match all packets", right?
>
> So then I thought, well, maybe I can mark the packet in the OUTPUT
> chain of the mangle table, and match that in the routing rules, and
> *also* match that in the POSTROUTING chain:
>
> iptables -t mangle -A OUTPUT -s $DEF_ADDR -p tcp --dport smtp -j MARK
> --set-mark 42
> ip rule add fwmark 42 table 42
> iptables -t nat -A POSTROUTING -m mark --mark 42 -j SNAT --to-source $ALT_ADDR
>
> I think I tried that and it didn't work either. It was getting late
> and my maintenance window was closing and my brain hurt.
>
> If this is just one of those "you can't do that" situations, I'm
> willing to accept that answer. But if there is a way, I'd like to
> know what it is. :)
>
> -- Ben
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
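The fwmark approach Alex suggests, and that Ben's last quoted attempt sketches, as an added example that is not from the thread: a POSIX shell function that emits the complete rule set, including a default route in table 42, which the quoted commands do not include (without a route in that table the fwmark rule matches but the lookup finds nothing and falls through to the main table). The addresses, gateway and device name are constructed placeholders, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Emits the iptables/ip commands for
# fwmark-based egress selection: mark SMTP in mangle OUTPUT, route marked
# packets via a dedicated table, then SNAT them to the alternate address.
# Function names, variable names and all sample values are assumptions.
#
# Usage: policy_route_cmds DEF_ADDR ALT_ADDR ALT_GW ALT_DEV [MARK] [TABLE]
policy_route_cmds() {
    def_addr=$1; alt_addr=$2; alt_gw=$3; alt_dev=$4
    mark=${5:-42}; table=${6:-42}
    cat <<EOF
# Locally generated packets get their source address ($def_addr) from the
# first route lookup; mangle OUTPUT runs after that, and the kernel re-routes
# the packet when the mark changes, so the fwmark rule below sees the mark.
iptables -t mangle -A OUTPUT -s $def_addr -p tcp --dport smtp -j MARK --set-mark $mark
# The rule alone does nothing: table $table must hold a route for the lookup to hit.
ip route add default via $alt_gw dev $alt_dev table $table
ip rule add fwmark $mark table $table
ip route flush cache
# SNAT runs after routing; match -o $alt_dev so the source is only rewritten
# when the packet really leaves on the alternate link. Conntrack reverses
# the translation on the replies.
iptables -t nat -A POSTROUTING -o $alt_dev -m mark --mark $mark -j SNAT --to-source $alt_addr
# Check rp_filter on $alt_dev: strict reverse-path filtering drops the
# replies, because the main table routes the remote peer via the other link.
sysctl net.ipv4.conf.$alt_dev.rp_filter
EOF
}

# Apply for real (root only); calling policy_route_cmds alone is a dry run.
apply_policy_route() {
    policy_route_cmds "$@" | sh -e
}

# Dry run with constructed sample addresses: prints the commands, applies nothing.
policy_route_cmds 192.0.2.10 198.51.100.10 198.51.100.1 eth1
```

Run the dry run first and read the output; only then run `apply_policy_route` with the same arguments on the host.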