policy-based routing and NAT with iptables

From: Florian Pressler (airflow.2007_at_gmail.com)
Date: 02/19/05


Date: Sat, 19 Feb 2005 03:45:43 +0100

Hi!

I am trying to set up policy-based routing under Linux with iptables and ip
route. I have two internet connections with one public IP each, and I
have a local network which is to be NATted onto those two IPs (which one
of those should depend on the port number).

I have created two routing tables with one default route each. I have
configured iptables so that packets with certain port numbers are marked.
Those marked packets should use the second routing table.

It all works wonderfully, with one exception: the packets *which are
marked* are not translated *back* by iptables' NAT. I checked it with
tcpdump: the packets are routed correctly. They are separated by
port number and sent out on both external interfaces. They are also
NATted correctly to the different IPs. They come back as they should,
but only the packets which arrive at the "main" entry (those that had not been
marked) are translated back and sent to the internal interface.

The point is that there doesn't seem to be an error in the
NAT configuration, because when I swap the rules (which define which
routing table is to be looked up), it works (or doesn't) exactly the other way
round. I do not touch the NAT rules themselves in this process.

Can anybody give me a hint as to what the problem could be? Probably I should
have a look at the state machine of the different NATs (how?); what
would you say?

regards,
Florian

PS: a little config-snippet:

# packets are classified with
iptables -t mangle -A PREROUTING -m multiport -p tcp --dport 80,22 -j MARK --set-mark 2

hostname:/home/airflow# ip rule show
0: from all lookup local
10: from all lookup main
15: from all fwmark 2 lookup aon
20: from all lookup default

hostname:/home/airflow# ip route list table default
default via 84.113.191.1 dev eth0
hostname:/home/airflow# ip route list table aon
default dev ppp0 scope link

# nat-configuration
iptables -t nat -A POSTROUTING -o eth0 -s 172.21.31.0/24 -j SNAT --to x.y.z.a
iptables -t nat -A POSTROUTING -o ppp0 -s 172.21.31.0/24 -j MASQUERADE

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- hetzendorf.local/24 anywhere to:x.y.z.a
MASQUERADE all -- hetzendorf.local/24 anywhere

-- 
Homepage: http://fp.ath.cx/                    PGP-keyID: C9FEDBA2
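As an added example (not part of Florian's post or his configuration): a small POSIX shell/awk script that answers the "how?" in the last paragraph by reading a /proc/net/ip_conntrack dump (the format printed by `conntrack -L` on later kernels has the same shape) and reporting, per post-NAT address, how many LAN flows exist and how many never saw a matched reply. The embedded dump is constructed: 192.0.2.10 stands in for the SNAT address on eth0 and 203.0.113.7 for the MASQUERADE address on ppp0.

```shell
#!/bin/sh
# Summarise a /proc/net/ip_conntrack dump (2.4/2.6 kernels; later kernels expose
# the same table via `conntrack -L`): for every external address that flows from
# the internal network were translated to, count the flows and how many are still
# [UNREPLIED], i.e. no return packet was ever matched against the entry.
# Usage: summarize_nat <conntrack-dump-file> <internal-address-prefix>
summarize_nat() {
    awk -v prefix="$2" '
        $1 == "tcp" || $1 == "udp" {
            orig_src = ""; ext = ""; unreplied = 0; ndst = 0
            for (i = 1; i <= NF; i++) {
                # first src= is the original direction (the LAN host);
                # second dst= is the reply direction, i.e. the post-NAT address
                if ($i ~ /^src=/ && orig_src == "") orig_src = substr($i, 5)
                if ($i ~ /^dst=/) { ndst++; if (ndst == 2) ext = substr($i, 5) }
                if ($i == "[UNREPLIED]") unreplied = 1
            }
            if (index(orig_src, prefix) != 1) next   # not from the LAN
            total[ext]++
            if (unreplied) pending[ext]++
        }
        END {
            for (e in total)
                printf "%s total=%d unreplied=%d\n", e, total[e], pending[e] + 0
        }' "$1" | sort
}

# Constructed sample dump (not real data): 192.0.2.10 stands for the SNAT
# address on eth0, 203.0.113.7 for the MASQUERADE address on ppp0.
SAMPLE=${TMPDIR:-/tmp}/ip_conntrack.sample.$$
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
tcp      6 117 SYN_SENT src=172.21.31.5 dst=198.51.100.20 sport=41000 dport=80 [UNREPLIED] src=198.51.100.20 dst=203.0.113.7 sport=80 dport=41000 use=1
tcp      6 110 SYN_SENT src=172.21.31.8 dst=198.51.100.21 sport=41001 dport=22 [UNREPLIED] src=198.51.100.21 dst=203.0.113.7 sport=22 dport=41001 use=1
tcp      6 431999 ESTABLISHED src=172.21.31.5 dst=198.51.100.22 sport=41002 dport=443 src=198.51.100.22 dst=192.0.2.10 sport=443 dport=41002 [ASSURED] use=1
udp      17 29 src=172.21.31.9 dst=198.51.100.53 sport=41003 dport=53 src=198.51.100.53 dst=192.0.2.10 sport=53 dport=41003 use=1
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.22 sport=41004 dport=443 src=198.51.100.22 dst=192.0.2.10 sport=443 dport=41004 [ASSURED] use=1
EOF

# Flows via ppp0 that never see a matched reply stand out immediately:
summarize_nat "$SAMPLE" 172.21.31.
```

If the flows through one external address stay [UNREPLIED] while traffic is visibly coming back on that interface, the replies are being lost before conntrack matches them (an input-side drop); if they reach ESTABLISHED/[ASSURED] but never show up on the internal interface, they are lost after the reverse translation, in routing or forwarding.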

