Re: route/nat

From: Tauno Voipio (tauno.voipio_at_INVALIDiki.fi)
Date: 10/26/05


Date: Wed, 26 Oct 2005 16:52:49 GMT

Hendrik Greving wrote:
> Are you sure that nat is done prior to routing? I thought it's different
> because I'm in the POSTROUTING chain using iptables. Currently,
> everything works like that.
>
> The problem is, currently, the default route goes to interface "vpnlink"
> (interface of vpnc) and I use
>
> iptables -t nat POSTROUTING [..] -o vpnlink MASQUERADE
>
> What I'd like to have is, to determine a certain group of ip addresses,
> say 0-127 is applied with nat and routed to vpnlink, and the rest,
> say 128-254 should be routed (and nat) to my DSL (ppp) interface ppp0.
>
> I'm not very familiar with this stuff, hope everything is correct. Is
> the rule above possible to achieve?

Add routing rules to your routing table for
the desired address ranges, and another
NAT line for the direct interface (ppp0).
(I guess that the DSL is running PPPoE).

The interface specifications will pick
the packets for different NAT rules.

Which IP addresses do you mean: local
net or destination addresses?

In principle, the default route picks all
packets which are not routed by any other
routing rule, so it is sufficient to pick
those destination IPs that are intended
to be sent via the tunnel. The selection
is made based on the destination IP and
netmask in the routing rule. The rules
are scanned with the tightest rules first
(those with the most '1' bits in the mask).
This makes it possible to pick a subrange
out of some other range.

-- 
Tauno Voipio
tauno voipio (at) iki fi
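An added example, not code from the thread: it shows the tightest-prefix selection Tauno describes (a /25 carved out of a range whose remainder follows the default route) and prints the matching route and NAT commands. It assumes the interface names from the question (vpnlink, ppp0) and uses 192.0.2.0/25 as a constructed placeholder for the destinations that should go through the tunnel.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed names: tunnel interface
# "vpnlink", DSL interface "ppp0"; 192.0.2.0/25 is a constructed placeholder
# for the destination range that should go through the tunnel.

# Routing table as "prefix interface" pairs. The /25 is tighter than the
# default /0, so 192.0.2.0-127 goes to the tunnel and everything else to DSL.
ROUTES="192.0.2.0/25 vpnlink 0.0.0.0/0 ppp0"

ip2int() {                     # dotted quad -> 32-bit integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Longest-prefix match: print the interface the kernel would pick for $1.
route_for() {
    dst=$(ip2int "$1"); best_len=-1; best_if=none
    set -- $ROUTES
    while [ $# -ge 2 ]; do
        net=${1%/*}; len=${1#*/}; dev=$2; shift 2
        mask=$(( len == 0 ? 0 : (4294967295 << (32 - len)) & 4294967295 ))
        if [ $(( dst & mask )) -eq $(( $(ip2int "$net") & mask )) ] &&
           [ "$len" -gt "$best_len" ]; then
            best_len=$len; best_if=$dev
        fi
    done
    echo "$best_if"
}

# Print the commands that install the routes and one MASQUERADE rule per
# outgoing interface; -o decides which NAT rule a packet hits.
emit_config() {
    set -- $ROUTES
    while [ $# -ge 2 ]; do
        if [ "$1" = 0.0.0.0/0 ]; then
            echo "ip route replace default dev $2"
        else
            echo "ip route replace $1 dev $2"
        fi
        echo "iptables -t nat -A POSTROUTING -o $2 -j MASQUERADE"
        shift 2
    done
}
```

`route_for 192.0.2.5` answers vpnlink and `route_for 192.0.2.200` answers ppp0; piping the output of `emit_config` to `sh` as root applies the configuration.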