How to select IP address for outgoing packets?

Discussion in 'Linux Networking' started by Graham Murray, Apr 28, 2005.

  1. For reasons which are not important here, I have a linux system (SuSE
    9.3, if that makes any difference) which acts as the NAT router for a
    LAN. This has 2 NICs, one of which connects to an ADSL router which
    presents a /29 (the interface of this router is also using an address
    within the /29)[1], the other connects to the internal LAN. All but 1 of
    the 'external' addresses are NAT'd to various systems/services on the
    LAN, with one of the external addresses being 'reserved' for services
    running on the Linux system itself. In order to do this I have had to
    associate 5 of the /29 addresses with the 'external' NIC using the
    iproute2 tools.

    I have no problems with routing incoming packets to the correct
    system, nor with setting the correct outgoing IP address (using
    iptables 'nat' table) for connections originating from other systems
    on the LAN.

    However I have been unable to force outgoing connections from the
    Linux system to use the IP address which I want. For most things this
    does not matter but I have the requirement to set up a VPN, which
    requires fixed endpoint addresses, from this system. I have tried
    setting the source address in the 'ip route' command, but this has no
    effect. I tried setting SNAT in the iptables 'nat' OUTPUT table, but
    SNAT is not valid in that table.

    [1] I know that this is not the best setup, but the ISP supplied the
    ADSL router and we do not have access to change its configuration.
    Graham Murray, Apr 28, 2005
    1. Advertisements

  2. You must:

    1) Route your VPN traffic to a particular network interface (based upon
    src/dst host or src/dst port), using the iproute2 package. This is linux
    policy routing. See
    2) NAT the outgoing traffic on that interface, using one of the public IP
    you have, using iptables in the POSTROUTING table.

    You could also 'mark' your traffic, and use iptables to NAT it accordingly
    to the mark set. You do this with both iproute2 and iptables.

    Hope that helps.
    Vincent Jaussaud, Apr 28, 2005
    1. Advertisements

  3. Source based routing is what you are after.

    You create a custom routing table for the VPN traffic and set its 'default
    route' to use a particular source address.

    In your system (main) routing table you have a route that simply tells the
    kernel to use your custom table for 'vpn' traffic.

    Have fun

    Alexander Clouter, Apr 28, 2005
  4. Okay, I'm going to actually read this and answer correctly =)

    Bad Idea(tm), I would highly recommend *against* doing this as you are
    pointlessly using connection tracking for a task there is no need to, as in
    my other 'quick' post use the 'source based' routing method described there.
    I think you have to compile an option into the kernel firstly to support
    this, OUTPUT chain 'nat' table action. However really in all the programs I
    see this being done in/with its handled on the application layer, not the
    kernel layer. Squid for example does just this, you tell it which IP address
    to source its packets from (when its initiating connections). You probably
    actually want to look to 'binding' your program to a particular IP, this is
    obviously is assuming if it does not have to speak to multiple subnets

    The routing system in the kernel has no idea of anything other than layer 3
    (IP) traffic, TCP/UDP occurs on layer 4; I never can remember the OSI table
    properly :) I think you are looking to bind your services to particular IP's
    on the local interfaces rather than the usual '', aka all IP's which
    means it picks the IP linked to the default gateway by default.

    Have fun

    Alexander Clouter, Apr 28, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.