All of lore.kernel.org
 help / color / mirror / Atom feed
From: Miron <miron@hyper.to>
To: lartc@vger.kernel.org
Subject: [LARTC] Masq/route based on port
Date: Thu, 06 Dec 2001 09:58:14 +0000	[thread overview]
Message-ID: <marc-lartc-100763276115592@msgid-missing> (raw)

I have following setup:

- eth0 is an internal network
- eth1 is an Internet connection (IP = 1.1.1.128, GW=1.1.1.1)
- eth2 is another Internet connection (IP = 2.2.2.128, GW=2.2.2.1)

I would like to masquerade port 80 through eth2, but all other traffic 
should be masq'ed through eth1.

My routing configuration:

    (default route in main table is 1.1.1.1)

    ip rule add fwmark 2 pref 1002 table 666

    ip route flush table 666
    ip route add default via 2.2.2.1 dev eth3 proto static table 666
    ip route flush cache

My firewall configuration:
    iptables -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -j MARK 
--set-mark 2
    iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 1.1.1.128
    iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source 2.2.2.128

Unfortunately, this does not work.  Outgoing packets are fine.  Incoming 
packets on port 80 are not de-masqueraded and do not reach the internal 
hosts.

Also, if I change the ip rule above to be based on the source address 
(instead of a mark), connections start working fine.

Here is the output of 'ip rule ls', to prove that I do have fwmark compiled:
    0:      from all lookup local
    1002:   from all fwmark        2 lookup http
    32766:  from all lookup main
    32767:  from all lookup 253

I am wondering if there is some kind of bug related to the interaction 
between fwmark and NAT. Any ideas?

Thanks,
Miron Cuperman



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/

             reply	other threads:[~2001-12-06  9:58 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2001-12-06  9:58 Miron [this message]
2001-12-06 15:18 ` [LARTC] Masq/route based on port Greg Scott
2001-12-06 19:03 ` Miron
2001-12-06 23:18 ` Greg Scott
2001-12-07  6:34 ` Miron
2001-12-07  8:17 ` Miron

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=marc-lartc-100763276115592@msgid-missing \
    --to=miron@hyper.to \
    --cc=lartc@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.