From: Alexander Clouter <alex@digriz.org.uk>
To: linux-kernel@vger.kernel.org
Subject: Re: SNATed connections show as original ip in /proc/net/tcp
Date: Sun, 11 Jul 2010 18:08:52 +0100
Message-ID: <4eapg7-6vg.ln1@chipmunk.wormnet.eu>
In-Reply-To: op.vfopt9kclgimzx@win7
Noah McNallie <n0ah@n0ah.org> wrote:
>
>> Look into using 'ip rule' and a second routing table.
>>
>> http://lartc.org/howto/lartc.rpdb.html
>>
>> You will still need to use iptables/MARK to do L4 (tcp/udp/etc) policy
>> routing though, however now you can dump the ugly SNATing.
>
> OK, I'll stick it there. I must have missed that browsing mailing lists last
> night... uhh, as far as ip rule, I am using that; that's how I match the
> packets with the firewall mark that need to go out a specific interface
> and to a specific route... I don't believe ip rule has any option to match
> packets based on destination port and change their source address and
> route them out any specific interface, or I'd be doing that all along as
> that would be much better.
>
I read your original post as saying you were using iptables and the SNAT
action; I am suggesting you use 'ip rule' to say "if x/tcp or y/udp, use
routing table 'alternative'". It might be easier if you actually put the
ip/iptables rules you are using here?
In the alternative routing table you can say to use a different source
IP and/or alternative default gateway address (using something like 'ip
route ... src ... via ... dev'). As I mentioned before, as 'ip rule'
only knows about IP addresses (and not tcp/udp/etc port numbers and what
not) you will need to use iptables MARK action and the fwmark in 'ip
rule' to get the L4 policy based routing you want.
By using a second routing table (as described in the LARTC link), you
can stop using the 'iptables -j SNAT' I think you are using. Then,
hopefully all your netstat output for locally sourced traffic will be
correct.
Cheers
--
Alexander Clouter
.sigmonster says: You will be married within a year, and divorced within two.
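As an added example (not commands from the thread), the setup Alexander describes in shell form: an iptables MARK in the mangle OUTPUT chain, an 'ip rule' on that fwmark pointing at a second routing table, and a default route in that table carrying both the gateway and the preferred source address, so no SNAT is involved. Interface name, addresses, table id, mark value and ports are constructed placeholders; by default the script prints the commands instead of executing them, since the real ones need root and matching interfaces. One caveat worth checking after applying it: for a locally originated connection the kernel picks the source address when the socket is first routed, which happens before the mangle OUTPUT mark is applied, so an application that does not bind to the alternative address explicitly may still show the main-table address. The check_rules commands (`ip route get ... mark ...`, plus `netstat -tn` or `ss -tn`) show what was actually chosen.

```shell
#!/bin/sh
# Added example, not from the thread: policy-route locally generated TCP
# traffic to selected destination ports out of a second interface with its
# own source address, using iptables MARK + 'ip rule' fwmark + a second
# routing table instead of SNAT. All values below are constructed
# placeholders; adjust them before use.
set -eu

TABLE="${TABLE:-100}"            # alternative routing table id (assumed unused)
MARK="${MARK:-0x1}"              # fwmark that selects that table
ALT_IF="${ALT_IF:-eth1}"         # interface the marked traffic should leave on
ALT_SRC="${ALT_SRC:-192.0.2.10}" # address on ALT_IF to prefer as source (TEST-NET-1)
ALT_GW="${ALT_GW:-192.0.2.1}"    # gateway reachable through ALT_IF
PORTS="${PORTS:-80 443}"         # destination TCP ports to steer
DRY_RUN="${DRY_RUN:-1}"          # 1 = print commands (default); 0 = execute (needs root)

# iptables commands: mark locally originated packets to $PORTS in the mangle
# OUTPUT chain, so the kernel re-routes them with the mark set.
mark_rules() {
  for p in $PORTS; do
    printf 'iptables -t mangle -A OUTPUT -p tcp --dport %s -j MARK --set-mark %s\n' "$p" "$MARK"
  done
}

# 'ip rule' / 'ip route' commands: marked packets consult $TABLE, whose default
# route names both the gateway and the source address to prefer ('src' is a
# hint used only when the source has not already been fixed by the socket).
route_rules() {
  printf 'ip rule add fwmark %s lookup %s\n' "$MARK" "$TABLE"
  printf 'ip route add default via %s dev %s src %s table %s\n' \
    "$ALT_GW" "$ALT_IF" "$ALT_SRC" "$TABLE"
  printf 'ip route flush cache\n'
}

# Commands that show what the kernel actually chose, to verify the result.
check_rules() {
  printf 'ip rule show\n'
  printf 'ip route show table %s\n' "$TABLE"
  printf 'ip route get %s mark %s\n' "$ALT_GW" "$MARK"
}

# Print or execute one command line depending on DRY_RUN.
run_cmd() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$1"
  else
    eval "$1"
  fi
}

apply_all() {
  { mark_rules; route_rules; check_rules; } | while IFS= read -r cmd; do
    run_cmd "$cmd"
  done
}

apply_all
```

Run it as-is to review the generated commands; run with `DRY_RUN=0` as root to apply them. Keep the mark value distinct from any fwmark already used by other rules on the box, and confirm with `ip rule show` that the new rule sits before the default `lookup main` rule.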
Thread overview:
2010-07-11 9:10 SNATed connections show as original ip in /proc/net/tcp Noah McNallie
2010-07-11 14:30 ` Alexander Clouter
2010-07-11 15:11 ` Noah McNallie
2010-07-11 17:08 ` Alexander Clouter [this message]