Please forgive my ignorance; I have, indeed, read the docs & am still confused because: 1. I'm a newbie, and 2. determining which docs apply & which don't is difficult (maybe I've read too much old stuff??).
How would one route two external IPs (eth0 & eth2) to individual internal LAN boxes (A & B) via gateway box (C) so that all (eth2) traffic goes to & from (A) exclusively, and (eth0) traffic goes to (B & C) exclusively? Assuming (C) is an IP-masqueraded gateway running RH 7.2, kernel 2.4.16, using netfilter & iptables instead of the 'old stuff'. (C) has 3 NICs (two external, one LAN). Note too that both (eth0) & (eth2) use DHCP. Here's a picture...

    ISP's                              (C)           switch to internal LAN
    ISP1------------------------- (eth0)
                                       (eth1)----X <---switch to (A) & (B)
    ISP2------------------------- (eth2)

I've noticed that the routing table is automatically updated when (eth2) is added using 'ifup' so that it looks like this....

Kernel IP routing table with both eth0 & eth2 enabled:

    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
    222.444.666.0   0.0.0.0         255.255.252.0   U     0      0        0 eth2
    111.222.333.0   0.0.0.0         255.255.240.0   U     0      0        0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         222.444.666.1   0.0.0.0         UG    0      0        0 eth2
    0.0.0.0         111.222.333.1   0.0.0.0         UG    0      0        0 eth0

Configured like this, all traffic seems to be routed out (eth2)... This makes sense to me since (eth2) is the first default gateway to appear at the end of the list. Here are the iptables definitions that make this 'work'.

    #
    # Masquerade out eth0 & eth2
    /sbin/iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
    /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    #
    # No LAN spoofing from the Great Beyond
    /sbin/iptables -A INPUT -i eth0 --source 192.168.0.0/16 -j DROP
    /sbin/iptables -A FORWARD -i eth0 --source 192.168.0.0/16 -j DROP
    /sbin/iptables -A INPUT -i eth2 --source 192.168.128.0/16 -j DROP
    /sbin/iptables -A FORWARD -i eth2 --source 192.168.0.0/16 -j DROP
    #

When defining iptables rules like these below, I expected to route (A) through eth2 & (B) & (C) through eth2 using the POSTROUTING SNAT & IP Masquerading.
It seems, however, that the NAT table doesn't affect the routing, just mangles the packet. :-( (I came to this conclusion when pinging via 0.1 & 0.10 worked, but 0.11 did not.)

    #
    # DNAT -- mangle dest adr prior to routing
    /sbin/iptables -t nat -A PREROUTING -i eth2 -j DNAT --to-destination 192.168.0.10
    #
    # Masquerade out eth0 & eth2, & route eth2 to tesla
    /sbin/iptables -t nat -A POSTROUTING -s 192.168.0.1 -o eth0 -j MASQUERADE
    /sbin/iptables -t nat -A POSTROUTING -s 192.168.0.11 -o eth0 -j MASQUERADE
    /sbin/iptables -t nat -A POSTROUTING -s 192.168.0.10 -o eth2 -j MASQUERADE

Perhaps I need to get IPROUTE2?... I thought that wouldn't be needed since netfilter supported 1:1 NAT, which seems to be close to what I'm looking for. Any help would be appreciated.
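The observation in the post is correct: the POSTROUTING hook (where SNAT/MASQUERADE runs) is reached only after the kernel has already chosen the outgoing interface, so a nat rule cannot steer a packet to eth2 instead of eth0. Choosing the uplink by source address is the job of iproute2 policy routing (an `ip rule` that sends packets from host A to a second routing table whose default route points at ISP2). The script below is an added example, not code from the original post. It assumes the addresses the post uses (A = 192.168.0.10, B = 192.168.0.11, C = 192.168.0.1 on eth1, the two ISP gateways 111.222.333.1 and 222.444.666.1, which in the post are placeholders and must be replaced with the real lease values) and a hypothetical routing-table number 100.

```shell
#!/bin/sh
# Added example: source-based policy routing with iproute2 so that traffic
# from host A leaves via eth2 (ISP2) and everything else leaves via eth0
# (ISP1), with MASQUERADE applied per uplink and the anti-spoofing filters
# kept. Not from the original post; addresses are the post's placeholders.
# Set DRY_RUN=1 to print the commands instead of executing them.

LAN_IF=eth1
ISP1_IF=eth0
ISP2_IF=eth2
HOST_A=192.168.0.10          # assumption: "tesla" in the post
LAN_NET=192.168.0.0/24
TABLE_ISP2=100               # hypothetical table number for the ISP2 path

# Execute a command, or echo it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# $1 = gateway learned on ISP1 (eth0), $2 = gateway learned on ISP2 (eth2)
setup_policy_routing() {
    gw1=$1
    gw2=$2
    # Main table keeps a single default route, so B, C and anything else
    # on the LAN use ISP1. This replaces the two competing defaults that
    # ifup leaves behind.
    run ip route replace default via "$gw1" dev "$ISP1_IF"
    # Secondary table consulted only for A: its default points at ISP2,
    # and it still needs the LAN route so A can reach B directly.
    run ip route replace default via "$gw2" dev "$ISP2_IF" table "$TABLE_ISP2"
    run ip route replace "$LAN_NET" dev "$LAN_IF" table "$TABLE_ISP2"
    # The policy rule: packets whose source is A use the secondary table.
    # The local table (priority 0) still wins for traffic addressed to C.
    run ip rule add from "$HOST_A" table "$TABLE_ISP2"
    # 2.4 kernels cache route lookups; flush so the rule takes effect now.
    run ip route flush cache
}

setup_nat() {
    # Masquerade per uplink; the routing decision above guarantees A's
    # packets only ever hit the eth2 rule.
    run iptables -t nat -A POSTROUTING -s "$HOST_A" -o "$ISP2_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$ISP1_IF" -j MASQUERADE
    # Inbound connections arriving on ISP2 are handed to A (1:1 style DNAT).
    run iptables -t nat -A PREROUTING -i "$ISP2_IF" -j DNAT --to-destination "$HOST_A"
    # Anti-spoofing: RFC 1918 sources must never arrive from an uplink.
    for ifc in "$ISP1_IF" "$ISP2_IF"; do
        run iptables -A INPUT -i "$ifc" -s 192.168.0.0/16 -j DROP
        run iptables -A FORWARD -i "$ifc" -s 192.168.0.0/16 -j DROP
    done
    # Keep ISP2 exclusive to A: forwarded traffic entering eth2 that is
    # not for A is dropped.
    run iptables -A FORWARD -i "$ISP2_IF" ! -d "$HOST_A" -j DROP
}

# Stand-alone use: sh policy-route.sh <isp1-gateway> <isp2-gateway>
if [ $# -eq 2 ]; then
    setup_policy_routing "$1" "$2"
    setup_nat
fi
```

Because both uplinks are on DHCP, the gateway arguments come from the current leases (the `UG` lines `route -n` shows after `ifup`), and `setup_policy_routing` has to be re-run whenever a lease hands out a different gateway; a dhclient exit hook is the usual place. The `ip rule` is evaluated before the main routing table, which is why it can override the default route that the nat rules could not.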
