> I have one thing. I have 5 subnets with internal ips behind my firewall.
> And I wanted to masq every subnet with another internet ip. For example:
>
> 192.168.1.0 to 193.193.193.11
> 192.168.2.0 to 193.193.193.12
This is IP Source Routing and is NOT done via IP MASQ directly. Here is
an email about this exact issue and I think I'll add this to the HOWTO
as well.
--
> We want to be able to redirect from a source ip or network out via a
> given interface.
We're getting an increasing number of queries along these lines. To
quote Keith Owens (who I'm *still* chasing to write a mini-HOWTO for
iproute2) in answer to a similar routing question (see the ipchains
archives for `Re: Multiple Masquerading'). Basically, ignore the
parts about masquerading!
================
First you have to understand that ipchains runs *AFTER* the routing
system has decided where to send a packet. This ought to be stamped in
big red letters on all ipchains and ipmasq documentation (but since
when did users read documentation :). Get your routing right first,
then add ipchains and/or masq. Trying to make ipchains work on top of
incorrect routing is doomed to failure.
In your case you need to persuade the routing system to direct packets
from 192.168.1.x via 62.45.23.11 and packets from 192.168.2.x via
62.45.23.12. That is the hard part, adding masq on top of correct
routing is easy.
First compile and install iproute2. From its README:
Primary FTP site is:
ftp://ftp.inr.ac.ru/ip-routing/
Mirrors are:
ftp://linux.wauug.org/pub/net
ftp://ftp.nc.ras.ru/pub/mirrors/ftp.inr.ac.ru/ip-routing/
ftp://ftp.gts.cz/MIRRORS/ftp.inr.ac.ru/
ftp://ftp.funet.fi/pub/mirrors/ftp.inr.ac.ru/ip-routing/ (STM1 to USA)
ftp://sunsite.icm.edu.pl/pub/Linux/iproute/
ftp://ftp.sunet.se/pub/Linux/ip-routing/
ftp://ftp.nvg.ntnu.no/pub/linux/ip-routing/
ftp://ftp.crc.ca/pub/systems/linux/ip-routing/
ftp://ftp.paname.org/ (France)
ftp://donlug.ua/pub/mirrors/ip-route/
ftp://omni.rk.tusur.ru/mirrors/ftp.inr.ac.ru/ip-routing/
RPMs are available at:
ftp://omni.rk.tusur.ru/Tango/
ftp://ftp4.dgtu.donetsk.ua/pub/RedHat/Contrib-Donbass/KAD/
The "iprule" and "iproute" commands are the same as "ip rule" and "ip
route"; I prefer the former, it is easier to search for. All the
commands below are completely untested, if they do not work, RTFM.
The first few commands only need to be done once at boot, say in
/etc/rc.d/rc.local.
# Allow internal LANs to route to each other, no masq.
/sbin/iprule add from 192.168.0.0/16 to 192.168.0.0/16 table main pref 100
# All other traffic from 192.168.1.x is external, handle by table 101
/sbin/iprule add from 192.168.1.0/24 to 0/0 table 101 pref 102
# All other traffic from 192.168.2.x is external, handle by table 102
/sbin/iprule add from 192.168.2.0/24 to 0/0 table 102 pref 102
These commands need to be issued when eth0 is configured. Perhaps in
/etc/sysconfig/network-scripts/ifup-post. Do them by hand first to
make sure they work.
# Table 101 forces all assigned packets out via 62.45.23.11
# (the destination is spelled out as "default" so the route is unambiguous)
/sbin/iproute add default via 62.45.23.11 table 101
# Table 102 forces all assigned packets out via 62.45.23.12
/sbin/iproute add default via 62.45.23.12 table 102
At this stage, you should find that packets from 192.168.1.x to the
outside world are being routed via 62.45.23.11, packets from
192.168.2.x are routed via 62.45.23.12.
Once routing is correct, you can add ipchains rules. Trivial.
/sbin/ipchains -A forward -i ppp+ -j MASQ
If everything hangs together, the masq code will see packets being
routed out on 62.45.23.11 and 62.45.23.12 and will use those addresses
as the masq source address.
--
David A. Ranch - Linux/Networking/PC hardware [EMAIL PROTECTED]
For more detailed info, see http://www.ecst.csuchico.edu/~dranch
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
http://tiffany.indyramp.com/mailman/listinfo/masq
Admin requests can be handled by web (above) or [EMAIL PROTECTED]
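The two-step recipe in the quoted mail (routing first, masquerading second), written up as an added shell example that is not part of the original thread. It assumes current iproute2/iptables syntax rather than ipchains, that the LAN is on eth0 and the uplink on ppp interfaces, and uses placeholder gateways (GW1_PLACEHOLDER, GW2_PLACEHOLDER) and a documentation address (203.0.113.1) as the probe destination; with DRY_RUN=1 (the default) it prints the commands instead of executing them.

```bash
#!/bin/sh
# Added example: per-subnet policy routing with an explicit SNAT address,
# generalised from the two-subnet case in the mail. Not the original code.
DRY_RUN=${DRY_RUN:-1}

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# policy_route SUBNET TABLE GATEWAY EXTIP PREF
# 1. Routing first: non-LAN traffic from SUBNET is sent through table TABLE,
#    whose only route is a default via GATEWAY with EXTIP as preferred source.
# 2. NAT second: SNAT keyed on the same source subnet, so the translated
#    address can never disagree with the route the packet was given.
policy_route() {
  subnet=$1 table=$2 gw=$3 extip=$4 pref=$5
  run ip rule add from "$subnet" to 0/0 table "$table" pref "$pref"
  run ip route add default via "$gw" src "$extip" table "$table"
  run iptables -t nat -A POSTROUTING -s "$subnet" -o ppp+ -j SNAT --to-source "$extip"
}

setup() {
  # LAN-to-LAN traffic stays in the main table and is never translated.
  run ip rule add from 192.168.0.0/16 to 192.168.0.0/16 table main pref 100
  policy_route 192.168.1.0/24 101 GW1_PLACEHOLDER 193.193.193.11 101
  policy_route 192.168.2.0/24 102 GW2_PLACEHOLDER 193.193.193.12 102
}

# The check the mail asks for: which route would a packet from internal
# source $1 take? Ask the kernel directly, before any NAT is involved.
check_route() {
  run ip route get 203.0.113.1 from "$1" iif eth0
}
```

Run `DRY_RUN=1 sh script.sh` (after adding `setup; check_route 192.168.1.10` at the end) to review the plan, then `DRY_RUN=0` as root to apply it.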