Taylor, Doug wrote:
> I am using ipchains to do masquerading on the forward chain and ipmasqadm to
> define some ports for address translation. My rules include:
> ipchains -A forward -s a.b.0.0/16 -j MASQ
> ipmasqadm portfw -a -P tcp -L 208.38.0.4 80 -R a.b.c.d 80
> ipmasqadm portfw -a -P udp -L 208.38.0.4 10010 -R a.b.c.d 10010
>
> This is all working fairly well, but when the internal machine (a.b.c.d)
> receives the UDP packet and creates a response, the packet that arrives at
> the recipient has the address of the firewall's internet interface instead
> of 208.38.0.4. Is there a way to tell the firewall that outgoing packets
> from a.b.c.d should have their source address masqed to 208.38.0.4 instead
> of the firewall's address (208.38.0.6)?

yes, but not without a great deal of wailing and gnashing of teeth :)
just kidding :)

this happens because your default route (or your route out) is via
208.38.0.6. ipchains and ipmasqadm can do nothing about this because
their actions take place after any routing decisions have been made.

the solution is to download and install the iproute2 package (linux
policy routing administration tool) and reconfigure your kernel to
support policy routing.

read the ip command reference (in the doc directory of the iproute2
package) to see what can be done. with it, you'll be able to specify
a particular source address for particular packets.

you could also try http://www.zip.com.au/~raf2/lib/software/firewall/
which can do this for you (providing that 208.38.0.4 and 208.38.0.6
are just different addresses on the same network interface, not sure
about different interfaces). you'll still need to download iproute2
and reconfigure the kernel, of course.

raf