Re: Linux 2.2, iproute2, policy routing AND masquerading...

From: Alexander List (
Date: Thu Mar 02 2000 - 16:14:09 EST

On Thu, 2 Mar 2000 wrote:

> > We have two companies sharing LAN infrastructure and ONE firewall, but we have
> > two different ISPs. Traffic from company1 should go out via ISP1, traffic from
> > company2 should go out via ISP2. Of course, we have only one IP address per
> > ISP because we are two very small companies, and of course no chance to get a
> > routing protocol like RIP or so.

> > # now I want to use routing table company2 for company2
> > ip rule add from table company2 priority 20
> >
> This is not what you want. According to the manual you should write
> ip rule add from nat table company2 prio 20
> and then
> ip rule add from nat [table main] prio 30

> > # and now my problem starts:
> > # the iproute2 docs say that route NAT in Kernel 2.2 is NOT a
> > # replacement for IP masquerading, so I tried ipchains

> Strange. NB on page 51 of "IP command reference" says:
> "The exception is when the address is a local address of
> this router ... and masquerading is configured in the
> kernel. In this case router will masquerade packets as this
> address."
> Or you mean that this feature is broken?

I just tried your suggestions. See example below.

I tried it both with nat 0 and nat <localip>. Nat 0 works fine and does
masquerading. Nat <localip> just seems to do mapping, no masquerading is
done. I think that either the feature is broken or the manual is in error.

Script started on Thu Mar 2 21:08:28 2000

kerberos:~# ip rule ls
0: from all lookup local
32764: from lookup 70 map-to <provider2-ip>
32765: from lookup main masquerade
32766: from all lookup main
32767: from all lookup default

kerberos:~# ip route ls table 70
throw # or even dev eth1
throw <provider2-net>/24 # analog to above
default via <provider2-gw> dev eth1

kerberos:~# ip route ls
<provider1-net> dev ppp0 proto kernel scope link src <provider1-ip> dev eth1 proto kernel scope link src dev eth1 proto kernel scope link src
<provider2-net>/24 dev eth1 proto kernel scope link src <provider2-ip> dev eth0 proto kernel scope link src
default via <provider1-gw> dev ppp0
kerberos:~# exit

Script done on Thu Mar 2 21:08:43 2000
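The two-company, two-ISP policy-routing setup discussed in this thread, as an added example that is not part of the original post or the poster's configuration: a POSIX sh script that emits the iproute2 commands for one company's routing table plus the source-based rule that selects it, and the kernel 2.2-era ipchains masquerading the poster mentions trying. It prints the commands by default (DRY_RUN=1) so they can be reviewed before being run as root; the `throw` entries mirror the poster's table 70 and keep traffic between the two LANs from being handed to the ISP gateway. The table number, priorities, interface names, gateway and LAN addresses (RFC 5737 documentation ranges) are constructed assumptions.

```shell
#!/bin/sh
# Added example: build the per-company routing table and source rule for the
# two-ISP setup discussed above. Not the poster's script; all addresses,
# interfaces and table numbers are constructed (RFC 5737 documentation ranges).

: "${DRY_RUN:=1}"   # 1 = print the commands only; 0 = execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# company_table TABLE_ID SRC_NET GATEWAY DEV PRIO LOCAL_NET...
#   TABLE_ID     number of the routing table (the poster uses 70)
#   SRC_NET      this company's LAN; packets sourced from it select the table
#   GATEWAY/DEV  this company's ISP router and the interface facing it
#   PRIO         rule priority; below main (32766) so it is consulted first
#   LOCAL_NET... every LAN behind the firewall: "throw" entries make lookups
#                for them fall through to the main table, so company1<->company2
#                traffic stays on the LAN instead of leaving via the ISP
company_table() {
    table=$1
    src=$2
    gw=$3
    dev=$4
    prio=$5
    shift 5
    for net in "$@"; do
        run ip route add throw "$net" table "$table"
    done
    run ip route add default via "$gw" dev "$dev" table "$table"
    run ip rule add from "$src" table "$table" prio "$prio"
}

# masq_lan SRC_NET: kernel 2.2 masquerading via ipchains, the route the poster
# went down after route NAT did not masquerade (the -j MASQ target is real
# ipchains syntax; current kernels do this with iptables/nft source NAT).
masq_lan() {
    run ipchains -A forward -s "$1" -j MASQ
}

# Constructed invocation: company2's LAN 192.0.2.0/24 leaves through ISP2's
# router 203.0.113.1 on eth1 via table 70, while company1's LAN
# 198.51.100.0/24 keeps using the main table and therefore ISP1.
company_table 70 192.0.2.0/24 203.0.113.1 eth1 20 192.0.2.0/24 198.51.100.0/24
masq_lan 192.0.2.0/24
```

Run it as-is to review the generated commands; set DRY_RUN=0 and run as root to apply them. The rule's priority (20 here) only has to be lower than the main-table rule at 32766; `ip rule ls` should then show the `from 192.0.2.0/24 lookup 70` entry ahead of `from all lookup main`, which is the ordering the poster's session relies on.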
