Hi Paul,

>> At one place I have a Debian wheezy machine that acts as router / firewall
>> using iptables and default routing.
>> I used to have just 1 ip number on the uplink interface. And a simple
>> $IPTABLES --table nat -A POSTROUTING -o $WORLD_IF -j MASQUERADE line
>> in my firewall script sends all traffic out with that single ip address via
>> NAT.
>>
>> Due to several reasons I now have to use more than 1 outbound ip address to
>> make clear from which internal segment the traffic is coming from.
>> So traffic coming from 172.16.20.0/24 needs to use $WORLD_IP1, and
>> traffic coming from 172.16.22.0/24 needs to use $WORLD_IP2, and maybe
>> traffic coming from 172.16.24.0/23 needs to use $WORLD_IP3.
>>
>> How do I configure something like that?
>
> Maybe by adding network aliases, and using SNAT in your firewall.
>
> See e.g. here:
> http://stackoverflow.com/questions/18052116/iptables-postrouting-with-snat-for-a-paritcular-destination-ip
That article talks about a specific target, whereas I want it for a specific source net.

I found a really old iptables HOWTO at
http://linux-ip.net/html/adv-multi-internet.html
where in section 7.39 it talks about what I want.

The iptables part seems to be:

+---------------------------------------------------------------------------+
| EXTIF="eth0"                                                              |
| INTNET1="192.168.0.0/24"                                                  |
| INTNET2="192.168.1.0/24"                                                  |
| EXTIP1="123.123.123.11"                                                   |
| EXTIP2="123.123.123.12"                                                   |
|                                                                           |
| iptables -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j SNAT --to $EXTIP1 |
| iptables -t nat -A POSTROUTING -o $EXTIF -s $INTNET2 -j SNAT --to $EXTIP2 |
|                                                                           |
+---------------------------------------------------------------------------+

But it also states:

----<quote>--------------
Anyways, for the example case shown above, you will need to persuade the
routing system to direct packets from 192.168.0.x via 123.123.123.11 and
packets from 192.168.1.x via 123.123.123.12. That is the hardest part and
adding Masq on top of correct routing is easy.

To do this fancy routing, you will use IPROUTE2. Because this functionality
has NOTHING to do with IPMASQ, this HOWTO does not cover this topic in great
detail. Please see Section 2.7 for complete URLs and documentation for this
topic.
----<end quote>--------------

So how do I route via one of my own ip numbers? I don't get that part, yet.
I probably need to do something with the src option in a routing line.

http://linux-ip.net/html/tools-ip-route.html

This link gives one example:

Example D.19. Using src in a routing command with route add

[root@masq-gw]# ip route add default via 205.254.211.254 src 205.254.211.198 table 7

but then does not really explain the "table 7" part. However, it seems I need
to do something with iptables to mark the packets for routing via table 7.
I am still struggling with that part. I have not seen an example that shows
all parts.

It probably is out there, but all the examples I have seen so far concentrate
on one aspect, either the firewalling or the routing. If someone knows a
comprehensive example then please point me to it. Preferably an example that
no longer talks about kernels prior to 2.4.x but simply assumes "a modern
system" with iptables 1.4.x, iproute2, etc.

Bonno Bloksma
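As an added illustration of the two halves put together (example code written for this page, not taken from the thread, the HOWTO or any distribution script): a POSIX sh fragment that, for each internal segment, puts the public address on the uplink, gives that segment its own routing table selected by source address, and adds the matching SNAT rule. It selects the table with the `from` selector of `ip rule`, so no iptables MARK target is involved. Two caveats for the reader: with one uplink interface and one upstream gateway, the SNAT rules alone decide which public address each segment leaves with, and the per-table default routes (the "table 7" part of Example D.19) only change behaviour when the addresses must leave via different gateways; and `ip rule add` is not idempotent, so a firewall script that is re-run should delete its old rules first. The interface name, gateway, public addresses (from the 198.51.100.0/24 documentation range) and table numbers are constructed placeholders; the internal networks are the ones from the question. `DRY_RUN=1` prints the commands instead of running them so the generated rule set can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: per-source-network
# SNAT plus source-selected routing tables on a single uplink interface.
# Every address, interface name and table number below is a constructed
# placeholder; adjust them to the real uplink before applying.

WORLD_IF="eth0"                 # uplink interface (assumed name)
WORLD_GW="198.51.100.1"         # upstream gateway (constructed)
WORLD_PREFIX="24"               # prefix length of the uplink subnet (assumed)
WORLD_IP1="198.51.100.11"       # public addresses (constructed)
WORLD_IP2="198.51.100.12"
WORLD_IP3="198.51.100.13"
NET1="172.16.20.0/24"           # internal segments from the question
NET2="172.16.22.0/24"
NET3="172.16.24.0/23"

# run CMD...: execute the command, or only print it when DRY_RUN=1 so the
# full rule set can be reviewed (and checked) without root privileges.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# add_outbound NET EXTIP TABLE: everything one internal segment needs.
add_outbound() {
    net="$1"; extip="$2"; table="$3"
    # 1. The public address must exist on the uplink (this replaces the
    #    old-style ifconfig alias). "replace" keeps re-runs idempotent.
    run ip addr replace "$extip/$WORLD_PREFIX" dev "$WORLD_IF"
    # 2. Policy routing: packets whose source is in $net are looked up in
    #    their own table, whose default route carries the matching src hint.
    #    "ip rule add" has no replace form; delete stale rules before re-running.
    run ip rule add from "$net" lookup "$table" priority "$table"
    run ip route replace default via "$WORLD_GW" dev "$WORLD_IF" \
        src "$extip" table "$table"
    # 3. NAT: rewrite the source of forwarded packets leaving the uplink
    #    to the public address chosen for this segment.
    run iptables -t nat -A POSTROUTING -o "$WORLD_IF" -s "$net" \
        -j SNAT --to-source "$extip"
}

# configure_multi_snat: one rule set per segment, then drop the route cache
# so that existing flows pick up the new tables.
configure_multi_snat() {
    add_outbound "$NET1" "$WORLD_IP1" 20
    add_outbound "$NET2" "$WORLD_IP2" 22
    add_outbound "$NET3" "$WORLD_IP3" 24
    run ip route flush cache
}

# show_outbound: the checks to run afterwards. The POSTROUTING counters
# (-v) show whether each segment's traffic is hitting its own SNAT rule.
show_outbound() {
    run ip rule show
    run ip route show table 20
    run ip route show table 22
    run ip route show table 24
    run iptables -t nat -L POSTROUTING -v -n
}

# Apply only when explicitly asked; with APPLY=1 DRY_RUN=1 this prints the plan.
if [ "${APPLY:-0}" = 1 ]; then
    configure_multi_snat
    show_outbound
fi
```

Preview with `APPLY=1 DRY_RUN=1 sh multi-snat.sh`, apply with `APPLY=1 sh multi-snat.sh` as root. The table numbers (20, 22, 24) are arbitrary; the `priority` values just need to be below the main table's rule (32766) so the segment-specific tables are consulted first.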