NAT on multihomed host

From: Martin Ferrari - Decidir IT (mferrari@decidir.net)
Date: Sun Jan 06 2002 - 19:16:19 EST


Folks,

I have an urgent problem...

I have a dualhomed host, two internet uplinks, with two internal networks,
and I need to access some hosts from both of the links.
Debian Woody, kernel 2.4.17, iproute2-ss001007, iptables v1.2.4

I did NAT from 64.x.x.131 to 192.168.x.x, and from 200.x.x.218 to
192.168.x.x. It works ok, except for something: I can't find a way to
force the packets DE-nated to 200.x.x.218 to go out by the 200.x.x.x iface,
they all go out by the default iface, which is 64.x.x.x.

I tried with iproute2, these are my rules & routes:

# ip ru l
0: from all lookup local
32764: from 64.x.x.128/26 lookup uunet
32765: from 200.x.x.192/27 lookup comsat
32766: from all lookup main
32767: from all lookup default

# ip ro l table uunet
default via 64.x.x.129 dev eth1

# ip ro l table comsat
default via 200.x.x.222 dev eth0

# ip ro l table main
200.x.x.192/27 dev eth0 proto kernel scope link src 200.x.x.219
64.x.x.128/26 dev eth1 proto kernel scope link src 64.x.x.131
192.168.x.0/24 dev eth2 proto kernel scope link src 192.168.x.200
default via 64.x.x.129 dev eth1

But it ignores my source routes. It seems like it chooses the output
interface before prerouting (?), before de-natting, where the source address
is 192.168.x.x, and in that moment I don't know how it will be de-natted.
Can anyone help me????

As a side note, I also cannot set up load balancing combining ip route nexthop
with iptables MASQUERADE. I do:

# ip r d default
# ip r a default nexthop dev eth0 via 200.x.x.222 nexthop dev eth1 via 64.x.x.129

and then:

# ip r l
200.x.x.192/27 dev eth0 proto kernel scope link src 200.x.x.219
64.x.x.128/26 dev eth1 proto kernel scope link src 64.x.x.131
192.168.x.0/24 dev eth2 proto kernel scope link src 192.168.x.200
default
        nexthop via 200.x.x.222 dev eth0 weight 1 dead
        nexthop via 64.x.x.129 dev eth1 weight 1

The "dead" flag stays there, and never uses the 200.x.x.x route. Do you
know why it could be?
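
An added illustration, not part of the original post: a small Python model of the `ip rule` walk listed above, showing what a `from` selector sees when a forwarded reply still carries its 192.168.x.x source at routing time (the reverse translation of a DNATed flow is applied in POSTROUTING, after the route lookup). The documentation-range addresses standing in for the masked ones, the client address, and the `fwmark` rule are assumptions that do not appear in the post.

```python
import ipaddress

# Constructed stand-ins for the masked addresses in the post (assumptions):
#   198.51.100.128/26 ~ 64.x.x.128/26  (uunet,  eth1)
#   203.0.113.192/27  ~ 200.x.x.192/27 (comsat, eth0)
#   192.168.1.0/24    ~ 192.168.x.0/24 (internal, eth2)
TABLES = {
    "uunet":  [("0.0.0.0/0", "eth1")],
    "comsat": [("0.0.0.0/0", "eth0")],
    "main":   [("203.0.113.192/27", "eth0"), ("198.51.100.128/26", "eth1"),
               ("192.168.1.0/24", "eth2"), ("0.0.0.0/0", "eth1")],
}
# (priority, source selector, fwmark selector, table), mirroring `ip ru l`
RULES = [
    (32764, "198.51.100.128/26", None, "uunet"),
    (32765, "203.0.113.192/27", None, "comsat"),
    (32766, None, None, "main"),
]
# Hypothetical extra rule (not in the post): select the table by packet mark
MARKED_RULES = [(100, None, 2, "comsat")] + RULES

CLIENT = "192.0.2.50"     # constructed Internet client address
INTERNAL = "192.168.1.10"  # constructed internal server behind the NAT


def table_lookup(table, dst):
    """Longest-prefix match inside one table; returns a device or None."""
    dst = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(p), dev) for p, dev in TABLES[table]]
    hits = [(n, dev) for n, dev in nets if dst in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def egress(src, dst, mark=0, rules=RULES):
    """Walk rules in priority order; the first rule that matches the packet
    and whose table holds a route for dst decides the output device."""
    for _prio, from_net, fwmark, table in sorted(rules, key=lambda r: r[0]):
        if from_net and ipaddress.ip_address(src) not in ipaddress.ip_network(from_net):
            continue  # `from` selector compares the source as seen at lookup time
        if fwmark is not None and fwmark != mark:
            continue  # fwmark selector ignores addresses entirely
        dev = table_lookup(table, dst)
        if dev:
            return dev
    return None


if __name__ == "__main__":
    print("reply, source not yet rewritten:", egress(INTERNAL, CLIENT))
    print("locally sourced from comsat address:", egress("203.0.113.219", CLIENT))
    print("reply carrying mark 2:", egress(INTERNAL, CLIENT, 2, MARKED_RULES))
```

The `from` rules only match traffic that already has a public source address at lookup time, which is why the forwarded replies fall through to the default route in `main`; a mark-based selector does not depend on the address.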




This archive was generated by hypermail 2b29 : Mon Jan 07 2002 - 21:00:40 EST