policy-based routing and NAT with iptables

Discussion in 'Windows Networking' started by Florian Pressler, Feb 19, 2005.

    Hi!

    I am trying to set up policy-based routing under Linux with iptables and ip
    route. I have two internet connections with one public IP each, and I
    have a local network which is to be NATed onto those two IPs (which one
    of the two should depend on the port number).

    I have created two routing-tables with one default-route each. I have
    configured iptables so that packets with some port-numbers are marked.
    Those packets marked should receive the second routing-table.

    It all works wonderfully, with one exception: the packets *which are
    marked* are not translated *back* by iptables' NAT. I checked it with
    tcpdump: The packets are routed correctly. They are separated by
    port-numbers and sent out on both external interfaces. They also are
    natted correctly to the different ips. They come back as they should,
    but only the packets which arrive at the "main" entry (they had not been
    marked) are translated back and sent to the internal interface.

    The point is that there doesn't seem to be an error in the
    nat-configuration. Because when I swap the rules (which define which
    routing-table is to be looked up), it (not) works exactly the other way
    round. I do not touch the nat-rules themselves in this process.

    Can anybody give me a hint what the problem could be? Probably I should
    have a look at the state-machine of the different NATs (how?), what
    would you say?


    PS: a little config-snippet:

    # packets are classified with
    iptables -t mangle -A PREROUTING -m multiport -p tcp --dport 80,22 -j MARK --set-mark 2

    hostname:/home/airflow# ip rule show
    0: from all lookup local
    10: from all lookup main
    15: from all fwmark 2 lookup aon
    20: from all lookup default

    hostname:/home/airflow# ip route list table default
    default via dev eth0
    hostname:/home/airflow# ip route list table aon
    default dev ppp0 scope link

    # nat-configuration
    iptables -t nat -A POSTROUTING -o eth0 -s -j SNAT --to
    iptables -t nat -A POSTROUTING -o ppp0 -s -j MASQUERADE

    Chain POSTROUTING (policy ACCEPT)
    target prot opt source destination
    SNAT all -- hetzendorf.local/24 anywhere to:x.y.z.a
    MASQUERADE all -- hetzendorf.local/24 anywhere
    Florian Pressler, Feb 19, 2005
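An added example of the same two-link setup (my own script, not the poster's configuration): it keeps the post's mark 2 and table "aon", adds connection marks so every packet of a flow carries the mark, puts the fwmark rule ahead of main, and relaxes reverse-path filtering on the secondary link. The LAN prefix and the eth0 address are placeholders, and the reverse-path explanation is an assumption about the symptom described above, not something the thread confirms.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Assumed values: LAN 192.168.1.0/24,
# eth0 public address 198.51.100.10 (placeholder), secondary link ppp0,
# mark 2 and table "aon" as in the post. Without "apply" it only prints the
# commands; "sh multiwan.sh apply" runs them (as root, on a test box).
LAN=192.168.1.0/24
ETH0_IP=198.51.100.10
MARK=2
TABLE=aon

policy_rules() {
cat <<EOF
# Restore a saved connection mark first: a --dport match only ever sees the
# client-to-server direction, so replies and later packets of a flow would
# otherwise travel unmarked.
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
iptables -t mangle -A PREROUTING -s $LAN -p tcp -m multiport --dports 80,22 -j MARK --set-mark $MARK
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
# Consult the fwmark table before main, so a default route later added to
# main cannot silently capture the marked flows.
ip rule add fwmark $MARK lookup $TABLE pref 5
ip route add default dev ppp0 table $TABLE
# Assumption: replies arriving on ppp0 fail the reverse-path check because
# the unmarked lookup for their source points back out eth0. The kernel uses
# the higher of conf/all and conf/<if>, so set all to 0 and pick per interface
# (2 = loose mode, kernels >= 2.6.31; use 0 on older kernels). On newer
# kernels "nstat -az TcpExtIPReversePathFilter" counts such drops.
sysctl -w net.ipv4.conf.all.rp_filter=0
sysctl -w net.ipv4.conf.eth0.rp_filter=1
sysctl -w net.ipv4.conf.ppp0.rp_filter=2
# NAT is unchanged from the post; conntrack reverses the translation for
# replies, so only the outbound direction needs a rule.
iptables -t nat -A POSTROUTING -o eth0 -s $LAN -j SNAT --to-source $ETH0_IP
iptables -t nat -A POSTROUTING -o ppp0 -s $LAN -j MASQUERADE
EOF
}

case "$1" in
  apply) policy_rules | sh ;;   # run for real (root required)
  *)     policy_rules ;;        # dry run: print the commands
esac
```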