/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! 
/* ALSO: Don't quote this header. It makes you look lame :-) */


Jan Stifter wrote:

> On Fri, 3 Nov 2000 09:46:54 +0600 (NOVT), Stas Nikiforov
> <[EMAIL PROTECTED]> wrote:
> 
> >Hi,
> >
> >> unfortunately, the return path does still not work.
> >> i would like the answer to look like it came from
> >> a.b.c.d, and not the address of eth0 (due to masquerading).
> >> 
> >> my commands:
> >> gorgon:~ # ip route add nat a.b.c.d via 192.168.0.10 table local
> >> gorgon:~ # ip rule add from 192.168.0.10 nat a.b.c.d table local
> >
> >Maybe you should add a priority value to the last ip rule
> >    
> >      ip rule add prio 320 from 192.168.0.10 nat a.b.c.d table local
> >I saw it in iproute2 manual (ip-cref.ps page 49-51)
> 
> this had no effect, still the same behaviour.
> 
> can anybody help me?
> 
> jan

unfortunately, i only know how to do this when you put
the real ip address (of the server) onto the external
interface as an "alias". if you do that, you can use
fwmarking and iproute2 to make the outgoing reply
address have the right source address on its way out.
the policy routing code combines with the masquerading
code to do what you want. it's covered on page 50 of the
ip command reference but it only works when the desired
address is on the external interface. it's also been
employed in the script at http://fwup.org/. below is an
extract from there.

in short (if the address(es) in question are aliased onto
the external interface), port forward the incoming packets:

  # The variables below ($proto, $dstaddr, $dstport, $toaddr, $toport,
  # $pref, $fwmark, $INTERNAL_NETWORKS) are set earlier in the fwup.org
  # script; $dstaddr must be an address aliased onto the external interface

  # Port forward incoming connections to internal hosts
  # (-L: local address/port to listen on, -R: internal host/port to
  # redirect to, -p: preference weight for the entry)

  ipmasqadm portfw -f
  ipmasqadm portfw -a -P $proto -L $dstaddr $dstport -R $toaddr $toport -p $pref

  # Create a fwmark chain for marking packets that need their
  # source address rewritten

  ipchains -N fwmark
  ipchains -I input -j fwmark

  # Don't mark traffic amongst multiple internal networks

  for src in $INTERNAL_NETWORKS
  do
        for dst in $INTERNAL_NETWORKS
        do
                if [ "$src" != "$dst" ]
                then
                        ipchains -A fwmark -s $src -d $dst -j RETURN
                fi
        done
  done

  # Mark traffic from internal networks to the outside world
  # (-m sets the fwmark on packets from the forwarded-to host/port)

  ipchains -A fwmark -p $proto -s $toaddr $toport -m $fwmark

  # Rewrite the source address (to an address on the external interface)
  # of the marked packets, so replies leave with $dstaddr as source

  ip rule add from $toaddr fwmark $fwmark nat $dstaddr priority 10010

raf
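As an added example (not part of the original post or of the fwup.org script), the following sh helpers put the two points raf makes into checkable form: a precondition check that the address to be used as NAT source is actually configured on the external interface (parsed from `ip addr show dev <if>` output, passed in as text so it can be tried offline), and a dry-run generator that emits the ipmasqadm/ipchains/ip commands of the procedure so the ruleset can be reviewed before it is applied. Variable names follow the extract above; the interface name, addresses and the `ip addr` output are constructed sample values, and the portfw `-p $pref` weight is left out for brevity.

```shell
#!/bin/sh
# Added example, not from the original post or the fwup.org script.
# Sample values are constructed.

# alias_present ADDR IP_ADDR_OUTPUT
# Succeeds if ADDR appears as an "inet" address in the given output of
# "ip addr show dev <external interface>". This is raf's precondition:
# the policy-routing trick only works when the desired address is
# aliased onto the external interface.
alias_present() {
    addr="$1"
    printf '%s\n' "$2" | grep -qF "inet ${addr}/"
}

# gen_rules PROTO DSTADDR DSTPORT TOADDR TOPORT FWMARK "NET1 NET2 ..."
# Prints the commands of the procedure instead of running them (dry run).
gen_rules() {
    proto=$1 dstaddr=$2 dstport=$3 toaddr=$4 toport=$5 fwmark=$6 nets=$7
    # Port forward incoming connections to the internal host
    echo "ipmasqadm portfw -a -P $proto -L $dstaddr $dstport -R $toaddr $toport"
    # fwmark chain hooked into the input chain
    echo "ipchains -N fwmark"
    echo "ipchains -I input -j fwmark"
    # Don't mark traffic amongst the internal networks themselves
    for src in $nets; do
        for dst in $nets; do
            if [ "$src" != "$dst" ]; then
                echo "ipchains -A fwmark -s $src -d $dst -j RETURN"
            fi
        done
    done
    # Mark replies leaving the forwarded-to host/port ...
    echo "ipchains -A fwmark -p $proto -s $toaddr $toport -m $fwmark"
    # ... and rewrite their source address to the aliased external address
    echo "ip rule add from $toaddr fwmark $fwmark nat $dstaddr priority 10010"
}

# Constructed sample: eth0 with its primary address and one alias (eth0:1).
EXT_IF=eth0
SAMPLE_IP_ADDR='2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500
    inet 203.0.113.5/24 brd 203.0.113.255 scope global eth0
    inet 203.0.113.10/24 brd 203.0.113.255 scope global secondary eth0:1'

# Stand-alone run: only emit the ruleset if the NAT source address is aliased.
NAT_ADDR=203.0.113.10
if alias_present "$NAT_ADDR" "$SAMPLE_IP_ADDR"; then
    gen_rules tcp "$NAT_ADDR" 80 192.168.0.10 80 1 "192.168.0.0/24 192.168.1.0/24"
else
    echo "refusing: $NAT_ADDR is not configured on $EXT_IF" >&2
fi
```

On a live box the second argument of alias_present would come from `ip addr show dev "$EXT_IF"`, and the dry-run output would be piped to sh only after it has been read through.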

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- 
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
