Re: Linux 2.2, iproute2, policy routing AND masquerading...

Date: Thu Mar 02 2000 - 14:17:36 EST

On Sun, 27 Feb 2000, Alexander List wrote:

> Hello,
> I have a problem ;-) and couldn't find an answer in the docs, newsgroups
> or mailing list archives so I'm trying this list as a last resort...
> The following is symbolic, so you can get the picture...
> We have two companies sharing LAN infrastructure and ONE firewall, but we have
> two different ISPs. Traffic from company1 should go out via ISP1, traffic from
> company2 should go out via ISP2. Of course, we have only one IP address per
> ISP because we are two very small companies, and of course no chance to get a
> routing protocol like RIP or so.
> I read somewhere that Linux 2.2 supports policy routing, so I gave it a try...
> # first, switch on interfaces ;-)
> ip link set lo up # loopback interface
> ip link set eth0 up # interface to company1 LAN
> ip link set eth1 up # interface to company2 LAN
> ip link set eth2 up # interface to external LAN (ISPs)
> # loopback
> ip addr add dev lo
> # private IP network of company1
> ip addr add dev eth0
> # private IP network of company2
> ip addr add dev eth1
> # don't know if that route is necessary, but it won't break anything
> ip route add dev eth1 table company2
> # routing to ISPs
> ip addr add dev eth2 # connection to ISP 1
> ip route add dev eth2
The above line is not needed

> ip route add via # default route for company1
> ip addr add dev eth2 # connection to ISP 2
> ip route add dev eth2
Not needed as well.

> # now I want to use routing table company2 for company2
> ip rule add from table company2 priority 20
This is not what you want. According to the manual you should write
        ip rule add from nat table company2 prio 20
and then
        ip rule add from nat [table main] prio 30
> # and of course another default route for that company
To be accurate I would rather insert here
        ip route add dev eth2 table company2

> ip route add via table company2
> # and now my problem starts:
> # the iproute2 docs say that route NAT in Kernel 2.2 is NOT a
> # replacement for IP masquerading, so I tried ipchains
Strange. NB: page 51 of "IP command reference" says:
"The exception is when the address is a local address of
this router ... and masquerading is configured in the
kernel. In this case router will masquerade packets as this
Or you mean that this feature is broken?
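As an added illustration (not part of the thread), the following Python model walks the Linux routing policy database the way the rules above are evaluated: rules in priority order, a per-table longest-prefix lookup, and fall-through to the next rule when the selected table has no route for the destination. The addresses, interface names and gateways are constructed, since the original post's were stripped; the model also goes one step beyond the thread by showing what happens to company2-to-company1 traffic when table company2 only knows its own LAN and a default route.

```python
import ipaddress

# Constructed sample addressing for the two-company setup (not from the original post).
COMPANY1_NET = ipaddress.ip_network("192.168.1.0/24")   # eth0, company1 LAN
COMPANY2_NET = ipaddress.ip_network("192.168.2.0/24")   # eth1, company2 LAN
ISP1_GW = "203.0.113.1"                                 # default gateway for company1 (main table)
ISP2_GW = "198.51.100.1"                                # default gateway for company2 (table company2)

# Routing tables: list of (prefix, gateway or None for directly connected, device).
TABLES = {
    "main": [
        (COMPANY1_NET, None, "eth0"),
        (COMPANY2_NET, None, "eth1"),
        (ipaddress.ip_network("203.0.113.0/24"), None, "eth2"),   # ISP1 link net
        (ipaddress.ip_network("0.0.0.0/0"), ISP1_GW, "eth2"),     # default route for company1
    ],
    "company2": [
        (COMPANY2_NET, None, "eth1"),                              # the poster's "dev eth1 table company2"
        (ipaddress.ip_network("198.51.100.0/24"), None, "eth2"),  # ISP2 link net, as the reply suggests
        (ipaddress.ip_network("0.0.0.0/0"), ISP2_GW, "eth2"),     # default route for company2
    ],
}

# Rules as (priority, "from" selector, table); the implicit "from all lookup local" rule is omitted.
RULES = [
    (20, COMPANY2_NET, "company2"),
    (32766, ipaddress.ip_network("0.0.0.0/0"), "main"),
]

def table_lookup(table, dst):
    """Longest-prefix match within a single table; returns (prefix, gw, dev) or None."""
    best = None
    for prefix, gw, dev in TABLES[table]:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, gw, dev)
    return best

def route(src, dst):
    """Evaluate rules by ascending priority; a table without a matching route falls through."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(RULES, key=lambda r: r[0]):
        if src not in selector:
            continue
        hit = table_lookup(table, dst)
        if hit is not None:
            return {"table": table, "via": hit[1], "dev": hit[2]}
    return None   # unreachable destination
```

Note that a host in company2 reaching company1's LAN is caught by table company2's default route and sent to ISP2, because the rule at priority 20 never falls through once its table yields any route; the inter-company prefix must be present in table company2 (or excluded by an earlier rule) for that traffic to stay inside.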

