Re: Newbie question about NAT and forwarding

[Pascal Hambourg <pascal.mail@plouf.fr.eu.org>]

Hello,

Danny Rathjens a écrit :
> felix@crowfix.com wrote:
[...]
>> What iptables commands would I used to route non-SMTP packets between,
>> say, eth0 (local net, static real addresses) and eth1 (broadband DHCP)?
> 
> Just follow normal procedure for NAT of traffc using and us broadband as 
> default route:
> route add default gw $broadband_gateway

And for NAT :
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

MASQUERADE is because eth1's address is dynamic. Else SNAT could be used 
instead.

> Then you just need to route the smtp traffic through your dial-up.
> 
> iptables -A PREROUTING -i eth0 -t mangle -p tcp --dport 25 -j MARK 
> --set-mark 2
> echo 202 mail >> /etc/iproute2/rt_tables
> ip rule add fwmark 2 table mail
> ip route add default via $dialup_gateway dev eth0 table mail
                                            ^^^^^^^^
"dev ppp0" would be better IMHO.

If source address validation is enabled, don't forget to disable it on 
the non-default interface :

sysctl -w net/ipv4/conf/ppp0/rp_filter=0

If net/ipv4/conf/default/rp_filter=1, you'll have to do this every time 
after ppp0 is created. If net/ipv4/conf/default/rp_filter=0 before ppp0 
is created, net/ipv4/conf/ppp0/rp_filter will be automatically set to 0.

One remark : if there is SMTP traffic from a local host with a private 
address, this  traffic will be routed via ppp0 but must be NATed with 
any public address routed on the dialup link. If it is not NATed, it 
will go out with its original private source address and that's not good.

Note to Felix : you don't need to define and use a table name in 
/etc/iproute2/rt_tables. It just makes routes and routing rules more 
readable. You can use a table number in the range 1-252 instead.