
RE: multiple outbound NAT



Hi Paul,

>> At one place I have a Debian wheezy machine that acts as router / firewall using iptables and default routing.
>> I used to have just 1 ip number on the uplink interface. And a simple 
>>   $IPTABLES --table nat -A POSTROUTING -o $WORLD_IF -j MASQUERADE line 
>> in my firewall script sends all traffic out with that single ip address via NAT.
>> 
>> Due to several reasons I now have to use more than 1 outbound ip address to make clear from which internal segment the traffic is coming.
>> So traffic coming from 172.16.20.0/24 needs to use $WORLD_IP1, and
>> traffic coming from 172.16.22.0/24 needs to use $WORLD_IP2, and maybe
>> traffic coming from 172.16.24.0/23 needs to use $WORLD_IP3.
>> 
>> How do I configure something like that?
>
> Maybe by adding network aliases, and using SNAT in your firewall.
> 
> See e.g. here:
> http://stackoverflow.com/questions/18052116/iptables-postrouting-with-snat-for-a-paritcular-destination-ip

That article talks about a specific target whereas I want it for a specific source net. 

I found a really old iptables HOWTO at http://linux-ip.net/html/adv-multi-internet.html
where, in section 7.39, it talks about what I want.

The iptables part seems to be:
+---------------------------------------------------------------------------+
| EXTIF="eth0"                                                              |
| INTNET1="192.168.0.0/24"                                                  |
| INTNET2="192.168.1.0/24"                                                  |
| EXTIP1="123.123.123.11"                                                   |
| EXTIP2="123.123.123.12"                                                   |
|                                                                           |
| iptables -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j SNAT --to $EXTIP1 |
| iptables -t nat -A POSTROUTING -o $EXTIF -s $INTNET2 -j SNAT --to $EXTIP2 |
|                                                                           |
+---------------------------------------------------------------------------+

But it also states:
----<quote>--------------
Anyways, for the example case shown above, you will need to persuade the
routing system to direct packets from 192.168.0.x via 123.123.123.11 and
packets from 192.168.1.x via 123.123.123.12. That is the hardest part and
adding Masq on top of correct routing is easy.

To do this fancy routing, you will use IPROUTE2. Because this functionality
has NOTHING to do with IPMASQ, this HOWTO does not cover this topic in great
detail. Please see Section 2.7 for complete URLs and documentation for this
topic.
----<end quote>--------------

So how do I route via one of my own ip numbers? I don't get that part, yet. I probably need to do something with the src option in a routing line.
http://linux-ip.net/html/tools-ip-route.html
This link gives one example
  Example D.19. Using src in a routing command with route add
  [root@masq-gw]# ip route add default via 205.254.211.254 src 205.254.211.198 table 7
but then does not really explain the table 7 part. However, it seems I need to do something with iptables to mark the packets for routing via table 7. I am still struggling with that part. I have not seen an example that shows all parts. It probably is out there but all the examples I have seen so far concentrate on one aspect, either the firewalling or the routing.

If someone knows a comprehensive example then please point me to it. Preferably an example that no longer talks about kernels prior to 2.4.x but simply assumes "a modern system" with iptables 1.4.x, iproute2, etc.

Bonno Bloksma
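As an added example (not from the thread or the HOWTO), the complete single-uplink version of what is asked above, as an sh script: an alias address on the uplink plus one SNAT rule per internal subnet, with the original MASQUERADE kept as the catch-all. With a single default route the `ip rule`/table 7 policy routing from the HOWTO is not needed, because POSTROUTING runs after the routing decision and the SNAT target alone chooses the outgoing address; the extra routing table only matters when the addresses sit behind different gateways. The interface name, the prefix length, the public addresses (TEST-NET-3 placeholders) and the `DRY_RUN` switch are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: per-source-subnet SNAT on one uplink.
# Commands are only printed unless DRY_RUN=0 (then run as root to apply).
set -e
IPTABLES=${IPTABLES:-iptables}
WORLD_IF=${WORLD_IF:-eth0}            # uplink interface name (assumption)
WORLD_PREFIX=${WORLD_PREFIX:-24}      # prefix length of the uplink subnet
# Public addresses are constructed TEST-NET-3 placeholders, not real ones.
WORLD_IP1=203.0.113.11
WORLD_IP2=203.0.113.12
WORLD_IP3=203.0.113.13
DRY_RUN=${DRY_RUN:-1}

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# add_alias PUBLIC_IP: give the uplink an extra address so the box answers
# ARP for it and return traffic for the translated flows comes back here.
add_alias() {
    run ip addr add "$1/$WORLD_PREFIX" dev "$WORLD_IF"
}

# snat_subnet INTNET PUBLIC_IP: forwarded packets whose source is in INTNET
# leave WORLD_IF with PUBLIC_IP as their source. Matching on -s is what
# distinguishes this from the per-destination (-d) rule in the SO answer.
snat_subnet() {
    run "$IPTABLES" -t nat -A POSTROUTING -o "$WORLD_IF" -s "$1" \
        -j SNAT --to-source "$2"
}

# apply_snat: one alias and one SNAT rule per mapping from the question,
# then the old MASQUERADE rule last as the catch-all. Rule order matters:
# the first matching POSTROUTING rule wins, so MASQUERADE must come after.
apply_snat() {
    while read -r net pub; do
        [ -n "$net" ] || continue
        add_alias "$pub"
        snat_subnet "$net" "$pub"
    done <<EOF
172.16.20.0/24 $WORLD_IP1
172.16.22.0/24 $WORLD_IP2
172.16.24.0/23 $WORLD_IP3
EOF
    run "$IPTABLES" -t nat -A POSTROUTING -o "$WORLD_IF" -j MASQUERADE
}

apply_snat
```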

