Re: iptables problem with multiple routes
mlist-debianfirewall@x-tec.de wrote:
> Jean Christophe ANDRÉ wrote:
> NOP that would break the NATing of the internal traffic that should go
> out to eth1:
>
> iptables -t mangle -I PREROUTING 4 -p tcp -i eth0 --dport 22 \
> -j MARK --set-mark 0x01
>
> To clear things up a bit
>
> most traffic from 192.168.x.x gets NATed and goes out to ppp0
> some traffic from 192.168.x.x gets Nated and goes out to eth1
So, as Markus Oswald was saying, try to do more precise NAT:
iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/16 -j SNAT \
--to-source $ppp0_ip
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/16 -j SNAT \
--to-source $eth1_ip
> FW local traffic like SMTP, DOMAIN, SSH, IPv6 (6 in 4) tunnel doesn't
> need NAT and should go to eth1.
> When I use the -t mangle OUTPUT to mark the packets so that they use the
> default route on eth1 they go out on eth1 but with the source IP of ppp0
You may also try some not-SNATing rules to make SNAT exceptions if needed:
iptables -t nat -A POSTROUTING -o eth1 -s $not_SNATted_IP -j ACCEPT
Put it before the other POSTROUTING rules.
Regards, J.C.
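An added example (not from the thread) that builds the POSTROUTING rules in the order suggested above, no-SNAT exceptions first and then one SNAT rule per output interface, so the source address always follows the interface a packet actually leaves on; the interface names, the 192.168.0.0/16 range, and the fwmark policy-routing helper are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints each command by
# default; set RUN=1 to execute them on a router you administer.
set -eu

emit() {
    if [ "${RUN:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# build_nat_rules PPP0_IP ETH1_IP [NO_SNAT_SRC ...]
# Exceptions are appended first so they match before the SNAT rules.
build_nat_rules() {
    ppp0_ip=$1; eth1_ip=$2; shift 2
    # Hosts that must keep their own source address when leaving on eth1.
    for src in "$@"; do
        emit iptables -t nat -A POSTROUTING -o eth1 -s "$src" -j ACCEPT
    done
    # Per-interface SNAT: the translated source matches the uplink used.
    emit iptables -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/16 \
        -j SNAT --to-source "$ppp0_ip"
    emit iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/16 \
        -j SNAT --to-source "$eth1_ip"
}

# build_mark_routing MARK TABLE GW (hypothetical helper)
# Sends packets carrying MARK through a routing table whose default
# route is eth1; the SNAT rule above then fixes their source address.
build_mark_routing() {
    mark=$1; table=$2; gw=$3
    emit ip route add default via "$gw" dev eth1 table "$table"
    emit ip rule add fwmark "$mark" table "$table"
    emit iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 22 \
        -j MARK --set-mark "$mark"
}
```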