Networking Forums

How to select IP address for outgoing packets?

 
 
Graham Murray
      04-28-2005, 01:44 PM
For reasons which are not important here, I have a linux system (SuSE
9.3, if that makes any difference) which acts as the NAT router for a
LAN. This has 2 NICs, one of which connects to an ADSL router which
presents a /29 (the interface of this router is also using an address
within the /29)[1], the other connects to the internal LAN. All but one of
the 'external' addresses are NAT'd to various systems/services on the
LAN, with one of the external addresses being 'reserved' for services
running on the Linux system itself. In order to do this I have had to
associate 5 of the /29 addresses with the 'external' NIC using the
iproute2 tools.

I have no problems with routing incoming packets to the correct
system, nor with setting the correct outgoing IP address (using
iptables 'nat' table) for connections originating from other systems
on the LAN.

However, I have been unable to force outgoing connections from the
Linux system to use the IP address which I want. For most things this
does not matter, but I have the requirement to set up a VPN, which
requires fixed endpoint addresses, from this system. I have tried
setting the source address in the 'ip route' command, but this has no
effect. I tried setting SNAT in the iptables 'nat' OUTPUT table, but
SNAT is not valid in that table.

[1] I know that this is not the best setup, but the ISP supplied the
ADSL router and we do not have access to change its configuration.
 
Vincent Jaussaud
      04-28-2005, 02:32 PM
>
> However I have been unable to force outgoing connections from the
> Linux system to use the IP address which I want. For most things this
> does not matter but I have the requirement to set up a VPN, which
> requires fixed endpoint addresses, from this system. I have tried
> setting the source address in the 'ip route' command, but this has no
> effect. I tried setting SNAT in the iptables 'nat' OUTPUT table, but
> SNAT is not valid in that table.
>


You must:

1) Route your VPN traffic to a particular network interface (based upon
src/dst host or src/dst port), using the iproute2 package. This is linux
policy routing. See http://lartc.org
2) NAT the outgoing traffic on that interface, using one of the public IPs
you have, using iptables in the POSTROUTING table.

You could also 'mark' your traffic, and use iptables to NAT it according
to the mark set. You do this with both iproute2 and iptables.

Hope that helps.

> [1] I know that this is not the best setup, but the ISP supplied the
> ADSL router and we do not have access to change its configuration.


--
Kelkoo Security Manager / Networks & Systems Architect
JID: (E-Mail Removed) / Vincent.Jaussaud.AT.kelkoo.DOT.net
Kelkoo.com --- GNU/Linux Powered
 
Alexander Clouter
      04-28-2005, 04:34 PM
On 2005-04-28, Graham Murray <(E-Mail Removed)> wrote:
> [snipped]
>
> However I have been unable to force outgoing connections from the
> Linux system to use the IP address which I want. For most things this
> does not matter but I have the requirement to set up a VPN, which
> requires fixed endpoint addresses, from this system. I have tried
> setting the source address in the 'ip route' command, but this has no
> effect. I tried setting SNAT in the iptables 'nat' OUTPUT table, but
> SNAT is not valid in that table.
>
> [1] I know that this is not the best setup, but the ISP supplied the
> ADSL router and we do not have access to change its configuration.
>

Source based routing is what you are after.

http://lartc.org/howto/lartc.rpdb.html

You create a custom routing table for the VPN traffic and set its 'default
route' to use a particular source address.

In your system (main) routing table you have a route that simply tells the
kernel to use your custom table for 'vpn' traffic.

Have fun

Alex
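The custom-table-plus-rule setup described above, as an added shell example that is not part of the thread or of the LARTC HOWTO. It assumes constructed placeholder values (external NIC eth0, ADSL router 203.0.113.1, reserved address 203.0.113.6 already assigned to eth0, VPN peer 198.51.100.10, table id 100); DRY_RUN=1 prints the iproute2 commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread: policy routing so that connections the
# Linux router itself opens to the VPN peer leave with a fixed source address.
# All values below are constructed placeholders; adjust to the real /29.
EXT_IF="${EXT_IF:-eth0}"                  # NIC facing the ADSL router
EXT_GW="${EXT_GW:-203.0.113.1}"           # ADSL router's address in the /29
VPN_SRC="${VPN_SRC:-203.0.113.6}"         # reserved address, already on eth0
VPN_PEER="${VPN_PEER:-198.51.100.10}"     # remote VPN endpoint
VPN_TABLE="${VPN_TABLE:-100}"             # custom routing table id

# Emit the iproute2 commands as text so they can be reviewed (or tested)
# before they touch the kernel.
vpn_policy_routing_cmds() {
    # Custom table: a single default route whose 'src' hint forces the
    # source address for sockets that have not bound one explicitly.
    echo "ip route replace default via $EXT_GW dev $EXT_IF src $VPN_SRC table $VPN_TABLE"
    # Rule consulted before 'main' (priority 32766): locally generated
    # traffic to the peer is looked up in the custom table.
    echo "ip rule add to $VPN_PEER/32 table $VPN_TABLE priority 1000"
    # Harmless on kernels without a route cache; needed on 2.6-era ones.
    echo "ip route flush cache"
}

# Reverse the change: drop the rule, then empty the custom table.
vpn_policy_routing_undo_cmds() {
    echo "ip rule del to $VPN_PEER/32 table $VPN_TABLE priority 1000"
    echo "ip route flush table $VPN_TABLE"
}

# DRY_RUN=1 prints the commands; otherwise run them, stopping at the first
# failure (needs root).
apply_vpn_policy_routing() {
    if [ -n "$DRY_RUN" ]; then
        vpn_policy_routing_cmds
    else
        vpn_policy_routing_cmds | sh -e
    fi
}

# Ask the kernel which source it would now use for the peer; should print
# $VPN_SRC once the rule is active.
check_vpn_source() {
    ip route get "$VPN_PEER" | sed -n 's/.* src \([0-9.]*\).*/\1/p'
}
```

The route's src hint is only a preference: a program that binds its own local address overrides it, and the address must already be configured on the interface.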
 
Alexander Clouter
      04-28-2005, 06:34 PM
Okay, I'm going to actually read this and answer correctly =)

On 2005-04-28, Graham Murray <(E-Mail Removed)> wrote:
> [snipped]
>
> I have no problems with routing incoming packets to the correct
> system, nor with setting the correct outgoing IP address (using
> iptables 'nat' table) for connections originating from other systems
> on the LAN.
>

Bad Idea(tm). I would highly recommend *against* doing this, as you are
pointlessly using connection tracking for a task that does not need it; as in
my other 'quick' post, use the 'source based' routing method described there.

> However I have been unable to force outgoing connections from the
> Linux system to use the IP address which I want. For most things this
> does not matter but I have the requirement to set up a VPN, which
> requires fixed endpoint addresses, from this system. I have tried
> setting the source address in the 'ip route' command, but this has no
> effect. I tried setting SNAT in the iptables 'nat' OUTPUT table, but
> SNAT is not valid in that table.
>
> [1] I know that this is not the best setup, but the ISP supplied the
> ADSL router and we do not have access to change its configuration.
>

I think you first have to compile an option into the kernel to support
this, the OUTPUT chain 'nat' table action. However, really, in all the programs I
see this being done in/with, it's handled at the application layer, not the
kernel layer. Squid, for example, does just this: you tell it which IP address
to source its packets from (when it's initiating connections). You probably
actually want to look at 'binding' your program to a particular IP; this
obviously assumes it does not have to speak to multiple subnets
directly.

The routing system in the kernel has no idea of anything other than layer 3
(IP) traffic; TCP/UDP occurs on layer 4 (I never can remember the OSI table
properly). I think you are looking to bind your services to particular IPs
on the local interfaces rather than the usual '0.0.0.0', aka all IPs, which
means it picks the IP linked to the default gateway by default.

Have fun

Alex
 