From: Robert Felber <r.felber@ek-muc.de>
To: lartc@vger.kernel.org
Subject: [LARTC] Policy Routing and NAT
Date: Sat, 23 Aug 2003 02:49:44 +0000
Message-ID: <marc-lartc-106161576707455@msgid-missing>

Hi,

is there an issue with policy-routing and/or NAT?
I've been trying for months now to DNAT a host in a LAN.
The router has 3 NICs, 2 of them are connected to a) the internet
and b) an extranet. Now a host XYZ is visible with a unique IP on
both the internet and extranet. I'll give you a little tcpdump fragment:

(eth0: inet, eth1: LAN, eth2: secured internet (extranet))
network 62.156.190. not administrable (t-systems).

    eth0 < 62.156.190.37.48495 > 62.225.182.35.http
    eth1 > 62.156.190.37.48495 > 192.168.0.3.http
    eth1 < 192.168.0.3.http > 62.156.190.37.48495
    eth2 > 62.225.182.35.http > 62.156.190.37.48495

As you can see, the packet leaves the wrong device.
I've already tried iproute2 rules like:

    $IP route add table 2 via $INET_ROUTER dev eth0
    $IP rule add from 62.225.182.32/29 lookup 2

Also, I don't understand why the router NATs it with 62.225.182.35 when
the postrouting rule is:

    $IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.0.3 \
        -j SNAT --to-source 62.225.182.35

(If you want to understand the full script, look at
http://robtone.mine.nu/ipt-set.txt )

Any suggestions or hints would be more than appreciated, thanks. :)

--
| Robert Felber (System-Administrator) Tel: +49 (0) 89 / 453 12-86 |
| Autohaus Erich Kuttendreier Fax: +49 (0) 89 / 453 12-80 |
| Drosselweg 21 ICQ: 170059451 |
| 81827 Muenchen PGP: 896CF30B |
| |
| PGP-Fingerprint: CF36 AA93 9716 63E8 962F 15CC A80E 1A79 BF77 25EA |