>> fooler said:
>> > ok at your gw1 box, add static route 203.177.3.0/netmask with gateway
>> > 192.168.57.2 and attach it to device eth0...
>>
>> i already did that. but when i turn on nat, packets destined to
>> 203.177.3.0/netmask (via static routing) get masqueraded/snat to ExtIP of
>> gw1. it's forwarding the packets towards the external interface of gw1.
>> i've changed the iptables rules so that packets destined to
>> 203.177.3.0/netmask don't get masqueraded/snat, to no effect. would you
>> like me to show the iptables and static routing rules?
>
> yes please do.. show to us the iptables rules and routing table both for
> your gw1 and gw2 boxes... thanks..
iptables on gw1:

# $IPTABLES, $GREP, $UNIVERSE, $INTIF, $EXTIF, $INTIP, $EXTIP and $INTNET
# are set earlier in the script (that part is not reproduced here)
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
    $IPTABLES -F drop-and-log-it
fi
#
# Delete all User-specified chains
$IPTABLES -X
#
# Reset all IPTABLES counters
$IPTABLES -Z

echo " Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j REJECT

echo -e "\n - Loading INPUT rulesets"
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
    ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

#output rules
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

###my rules
##mark packets destined to mail server
$IPTABLES -t mangle -A PREROUTING -i eth0 -p tcp -d 203.177.3.1/32 -j MARK --set-mark 2
$IPTABLES -t mangle -A PREROUTING -i eth0 -p tcp -d 203.177.3.2/32 -j MARK --set-mark 2
##squid redirect
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
##routing table rules
# add the table name only once; appending unconditionally duplicates the entry on every run
grep -q logonet /etc/iproute2/rt_tables || echo 202 logonet >> /etc/iproute2/rt_tables
ip rule add fwmark 2 table logonet
ip route add default via 192.168.57.2 dev eth0 table logonet

echo " - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j drop-and-log-it

echo " - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.57.0/24 -d ! 203.177.3.2 -j SNAT --to 203.177.4.1

##flush route cache
ip route flush cache

main routing table on gw1:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.131.4.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.57.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         203.131.4.1     0.0.0.0         UG    0      0        0 eth1

logonet routing table on gw1 (ip route list table logonet):

default via 192.168.57.2 dev eth0

i use a linux 2.2 kernel on gw2:

#load modules before masq
ipchains -A FORWARD -i eth1 -s 192.168.57.0/24 -j MASQ

main routing table on gw2:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.131.3.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.57.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         203.131.3.1     0.0.0.0         UG    0      0        0 eth1

-- 
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
Are you a Linux newbie? To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
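An added model of the fwmark routing decision on gw1 (example code written for this page, not from the post or from anyone on the list): it parses the two routing tables exactly as pasted above, applies the "ip rule add fwmark 2 table logonet" rule and the two mangle MARK rules, and returns which table, gateway and egress interface a forwarded packet is given, which is the interface a nat POSTROUTING "-o" match is compared against. It assumes the packets arrive on eth0 and leaves the FORWARD filter chain out of the model.

```python
import ipaddress

# Routing state from the gw1 post, re-typed here as constructed sample input.
MAIN_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
203.131.4.0     0.0.0.0         255.255.255.0   U     0      0   0   eth1
192.168.57.0    0.0.0.0         255.255.255.0   U     0      0   0   eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
0.0.0.0         203.131.4.1     0.0.0.0         UG    0      0   0   eth1
"""
LOGONET_TABLE = "default via 192.168.57.2 dev eth0"    # ip route list table logonet
RULES = [(2, "logonet"), (None, "main")]                # ip rule add fwmark 2 table logonet
MARKED_HOSTS = [ipaddress.ip_network(n) for n in ("203.177.3.1/32", "203.177.3.2/32")]

def parse_netstat_table(text):
    """route -n style output -> [(network, gateway, iface)]; header row skipped."""
    routes = []
    for line in text.splitlines()[1:]:
        dst, gw, mask, *_rest, iface = line.split()
        routes.append((ipaddress.ip_network(f"{dst}/{mask}"), gw, iface))
    return routes

def parse_iproute_table(text):
    """ip route list output -> [(network, gateway, iface)]; 'default' is 0.0.0.0/0."""
    routes = []
    for f in (line.split() for line in text.splitlines()):
        net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0])
        gw = f[f.index("via") + 1] if "via" in f else "0.0.0.0"
        routes.append((net, gw, f[f.index("dev") + 1]))
    return routes

TABLES = {"main": parse_netstat_table(MAIN_TABLE), "logonet": parse_iproute_table(LOGONET_TABLE)}

def lookup(routes, addr):
    """Longest-prefix match within one table -> (gateway, iface) or None."""
    hits = [r for r in routes if addr in r[0]]
    return None if not hits else max(hits, key=lambda r: r[0].prefixlen)[1:]

def mark_for(addr, proto):
    """Mark set by the mangle PREROUTING rules: tcp to either mail-server host -> 2."""
    return 2 if proto == "tcp" and any(addr in n for n in MARKED_HOSTS) else 0

def forward(dst, proto="tcp"):
    """Policy-routing decision for a forwarded packet -> (table, gateway, egress iface).
    The egress iface is what a nat POSTROUTING '-o' match is compared against."""
    addr = ipaddress.ip_address(dst)
    fwmark = mark_for(addr, proto)
    for mark, table in RULES:                # ip rules are consulted in priority order
        if mark in (None, fwmark):
            hit = lookup(TABLES[table], addr)
            if hit:
                return (table,) + hit
    return None
```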
