Re[2]: [LARTC] simple dual Internet connection setup not sending return packets on correct interface

[diab <lartc@diab.org>]

>> 1) SNAT to the right source address, like
>> iptables -A POSTROUTING -j nat -t SNAT [-s from.where or -d to.where]\
>>          --to-source source.addr.of.eth0

BJM> Surely you mean -t nat -j SNAT?
sorry, yeah it was -t nat -j SNAT.. i double checked now :)

BJM> But these two iptables rules conflict with each other.  If -s
BJM> "from.where" is my internal lan and the same in both rules, they are
BJM> both trying to do the SNATting of the same packets.  In my two rules, I
BJM> added a -o <iface> (where <iface> is the interface matching the
BJM> source.addr.of.<iface>).
yes they are conflicting with each other.. i thought that you could
select which connection the packets should be using either based on
the address the packets are coming FROM (-s some.ip.on.the.lan) or
going TO (-d wan.destination.address.).

BJM> I have:
BJM> ip rule add from 66.11.173.224 lookup 1
BJM> ip rule add from 24.235.240.15 lookup 2
anyways, you can "name" routing tables in /etc/iproute2/rt_tables
then it makes a bit more sense ("ip rule" also displays/uses them so eg.
if you name 1 to "abcd" then
ip rule add from x.x.x.x lookup abcd
also works.

iif is the interface packets are coming in (there is also oif).. if
it's not a static ip address it might be convenient not having to use
the IP of the connection but the interface. (same goes for the "via
XX when you are doing "ip route add default dev XY table N")

if you do "man ip" it reads (ip rule add/ip rule del):

iif NAME
  select  the  incoming  device  to match.  If the interface is
  loopback, the rule only matches packets originating from
  this host.  This means that you may create separate routing tables for
  forwarded and local packets  and,  hence,  com­
  pletely segregate them.

-
diab


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/