On Mon, 28 Feb 2000 [EMAIL PROTECTED] wrote:

> > However, this won't work for some reason. Can the IP masquerading code work
> > with the advanced router, multiple routing tables etc.? Or is there another
> > solution anyone can think of?
> Did you try to look at the documentation coming with source
> of iproute package? 
> No ipchains is needed to do masquerading...

Yes, I did really try to understand the IP Command Reference that comes
with iproute2. 

Let me show you my problem with an example:

The IP of my firewall on the internal net is 192.168.10.199/24.

---

# the main routing table
kerberos:~# ip route ls
<provider-net>/24 dev eth1  proto kernel  scope link  src <provider-myip> 
192.168.10.0/24 dev eth0  proto kernel  scope link  src 192.168.10.199 
default via <provider> dev eth1 


# the set of rules 
kerberos:~# ip rule ls
0:      from all lookup local 
32765:  from 192.168.10.0/24 lookup 70 masquerade
32766:  from all lookup main 
32767:  from all lookup default 

# routing table 70

kerberos:~# ip route ls table 70
<provider-net>/24 dev eth1  proto kernel  scope link  src <provider-myip>
192.168.10.0/24 dev eth0  proto kernel  scope link  src 192.168.10.199 
default via <provider-gw> dev eth1 

---

The problem is, when I delete the default route from the main routing
table, I can't get any packets out from subnet 192.168.10.0/24. I.e., the
kernel ignores my default route for packets coming from 192.168.10.0/24.

However, I need to define different default routes because we have two
companies with two different ISPs connected to one firewall ;-)

It seems that when I use masquerading, the kernel always uses the default
route in routing table main regardless of where the packet came from.
Possibly the masquerading is done first, and then the packet has another
"source" address (the address of my firewall) and thus won't be matched by
my rule to use routing table 70.

Is there anyone who knows how the masquerading is done in the advanced
router code and if there is a possible solution to this problem?

regards

Alex
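
Added example, not part of the original message and not kernel or iproute2 code: a small model of the priority-ordered rule walk over the rule set and tables posted above, showing which table answers for a given source address. The provider addresses (203.0.113.0/24, gateway 203.0.113.1, firewall address 203.0.113.10) and the remote destination are constructed stand-ins for the post's placeholders, and the model says nothing about when the kernel rewrites the source address.

```python
import ipaddress

# Constructed stand-ins for the post's <provider-...> placeholders (RFC 5737 ranges).
TABLES = {
    "local": [],  # assumption: nothing in table local covers the remote destination
    "70": [("203.0.113.0/24", "dev eth1"),
           ("192.168.10.0/24", "dev eth0"),
           ("0.0.0.0/0", "via 203.0.113.1 dev eth1")],
    "main": [("203.0.113.0/24", "dev eth1"),   # default route deleted, as in the post
             ("192.168.10.0/24", "dev eth0")],
    "default": [],
}
# Rule listing copied from the `ip rule ls` output in the post.
RULES_TEXT = """\
0:      from all lookup local
32765:  from 192.168.10.0/24 lookup 70 masquerade
32766:  from all lookup main
32767:  from all lookup default
"""

def parse_rules(text):
    """Parse `ip rule ls` lines into (priority, source network, table) tuples."""
    rules = []
    for line in text.splitlines():
        prio, rest = line.split(":", 1)
        words = rest.split()
        src = words[words.index("from") + 1]
        table = words[words.index("lookup") + 1]
        net = ipaddress.ip_network("0.0.0.0/0" if src == "all" else src)
        rules.append((int(prio), net, table))
    return sorted(rules)

def longest_match(table, dst):
    """Return the most specific route in one table that covers dst, or None."""
    hits = [(ipaddress.ip_network(p), hop) for p, hop in TABLES[table]
            if dst in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def route(src, dst, rules):
    """Walk rules in priority order; the first table holding a matching route wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for prio, net, table in rules:
        if src in net:
            hit = longest_match(table, dst)
            if hit:
                return table, hit[1]
    return None  # no table has a route for this source/destination pair

RULES = parse_rules(RULES_TEXT)
```

With the internal source 192.168.10.5 the lookup is answered by table 70; with the firewall's own external address as source, rule 32765 does not match and no table supplies a default route.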
