I have a special setup (see diagram).

                193.226.a.240/29
/--------\-ISP 1-----+eth0-----------+      +-L
|Internet|           |Router+Firewall|-eth1-+-A 193.226.241.240/29
\--------/-ISP 2-----+eth2-----------+      +-N
                10.0.0.224


Here's the problem: one computer from the LAN (say 193.226.241.241) has
to talk SSH to a server on the internet via ISP 2.  All other
connections to said server must go via the default route via ISP 1.

First attempt:

1. ipchains -A input -s 193.226.241.241 -d SERVER 22:22 -p tcp -m 42 -j ACCEPT
This marks the required packets with 42 :)

2. ip rule add from 193.226.241.241 fwmark 42 nat 10.0.0.224 table 42
This should change the source ip for the packets marked in step 1 (and
it happens as tcpdump shows packets with source ip 10.0.0.224)

3. ip route add SERVER via 10.0.0.1 src 10.0.0.224 dev eth2 table 42
This should send the NATed packets via ISP 2.

Step 3 doesn't happen.  Tcpdump shows packets NATed going out eth0.

Second attempt: switch to iptables and kernel 2.4.18

Similar rules but same behavior. Packets get changed but do not go out
via the right interface.


It looks like the combination of nat & marking packets & policy routing
doesn't work. Any combination of 2 out of 3 (i.e. nat + marking or
marking + policy routing) works.  There was a message on the list
explaining why this doesn't work but I was hoping it would get fixed.

Eventually I solved the problem: assign an alias on the server
(193.226.241.242), used SNAT to change SSH packets going to SERVER so
they appear as coming from 193.226.241.242 instead of 193.226.241.241.

On the firewall/router I used just SNAT (note the table is "nat"):
iptables -t nat -A POSTROUTING -s 193.226.241.242 -d SERVER -j SNAT --to-source 10.0.0.224
ip rule add from 193.226.241.242 table 42
ip route add SERVER via 10.0.0.1 dev eth2 table 42
ip route flush table cache

This setup is a bit difficult and involves doing SNAT on both computers
but it works so far :)
I would have preferred to solve this problem on the router only.  Any
ideas?
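A router-only arrangement of the same three ingredients (marking, policy routing, NAT), added here as an example and not the poster's own commands: the SSH packets are marked in the iptables mangle PREROUTING chain, which 2.4 netfilter traverses before the routing decision, the mark selects table 42, and SNAT is applied in POSTROUTING only to what actually leaves eth2. Addresses and interfaces are taken from the diagram above; SERVER stays a placeholder, and the rp_filter caveat in the comments is an assumption about the reply path, not something the post states.

```shell
#!/bin/sh
# Router-only variant: mark before routing, route by mark, SNAT on exit.
# Addresses and interfaces are from the poster's diagram; SERVER is a placeholder.
LAN_HOST=193.226.241.241          # the one LAN machine allowed out via ISP 2
SERVER=${SERVER:-SERVER}          # set to the real server address before use
ISP2_IF=eth2
ISP2_IP=10.0.0.224                # router's address on the ISP 2 link
ISP2_GW=10.0.0.1                  # ISP 2 gateway, as in the post
MARK=42
TABLE=42
DRY_RUN=${DRY_RUN:-0}             # DRY_RUN=1 prints the commands without running them

# Echo every command so the applied configuration can be reviewed; run it unless dry-running.
run() {
    echo "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

configure_router() {
    # 1. Mark the SSH packets in mangle PREROUTING. That chain is traversed
    #    before the routing decision, so the mark can steer the route lookup.
    run iptables -t mangle -A PREROUTING -s "$LAN_HOST" -d "$SERVER" \
        -p tcp --dport 22 -j MARK --set-mark "$MARK"
    # 2. Marked packets consult table 42, which sends SERVER out through ISP 2.
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add "$SERVER" via "$ISP2_GW" dev "$ISP2_IF" table "$TABLE"
    run ip route flush table cache
    # 3. Rewrite the source only after routing has chosen the ISP 2 interface,
    #    so the LAN address never leaves on that link and ISP 1 traffic is untouched.
    run iptables -t nat -A POSTROUTING -o "$ISP2_IF" -d "$SERVER" -p tcp --dport 22 \
        -j SNAT --to-source "$ISP2_IP"
    # Assumed caveat: replies from SERVER arrive on $ISP2_IF while the main table
    # routes SERVER via eth0, so strict reverse-path filtering on $ISP2_IF
    # (/proc/sys/net/ipv4/conf/$ISP2_IF/rp_filter) would drop them.
}

# Show what the kernel actually holds after applying the configuration.
show_config() {
    ip rule show
    ip route show table "$TABLE"
    iptables -t mangle -L PREROUTING -n
    iptables -t nat -L POSTROUTING -n
}

case "$1" in
    apply) configure_router ;;
    show)  show_config ;;
esac
```

Review the commands first with `DRY_RUN=1 SERVER=<address> sh script.sh apply`, then run it as root without DRY_RUN and compare against `sh script.sh show`.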
