You need to somehow identify the return packets so that the
routing engine can distinguish among the connections and send
out the packets through the right default gateway.

Use your imagination to come up with a distinguishable pattern.



Eg:

==== Incoming packets on the external interface =====
Connection A comes in from 62.2.159.15
Mark the packet "111"
DNAT to 193.72.186.6

Connection B comes in from 193.72.186.6
Mark the packet "222"
DNAT to 193.72.186.6

==== Incoming packets on the internal interface =====
SNAT to one non-existing IP 10.10.10.10 if marked "111"
SNAT to one non-existing IP 10.20.20.20 if marked "222"



Then when the replies come back from 193.72.186.6:

==== Outgoing packets on the internal interface =====
Mark the packet "111" if dst 10.10.10.10
Mark the packet "222" if dst 10.20.20.20

==== The routing part ====
use two tables with iproute2 with default routes through
the appropriate interfaces. Route the packets based on the
marks.


This approach works if mangle is before nat which is the case
according to Oskar's diagram.


For more specifics on this conceptual approach see the docs
on ip/iptables commands.

Ramin

On Thu, May 23, 2002 at 04:16:27PM +0100, Antony Stone wrote:

> On Thursday 23 May 2002 3:53 pm, Marc SCHAEFER wrote:
> 
> > the machine on the internal_net only has one IP address (in this case
> > 193.72.186.6, could be e.g. 192.168.x.x), but must be reachable from the
> > outside as: 62.2.159.14 and 194.38.85.209.
> >
> > The firewall has addresses 62.2.159.15, 194.38.85.206 and 193.72.186.15
> > (again, this one could have been 192.168.x.x).
> >
> > The machine on the internal_net cannot do any special tricks. She must
> > receive all packets to 193.72.186.6 (the from can be an external address).
> > Now, the firewall must remember what was the incoming address (62.2.159.14
> > or 194.38.85.209) and re-NAT it accordingly when it goes out, and send it
> > on the correct outgoing interface.
> 
> This sounds simple for iptables, but impossible for a standard routing 
> table on the firewall...
> 
> If you simply use two DNAT rules in your PREROUTING chain:
> 
> iptables -t nat -A PREROUTING -d 62.2.159.14 -j DNAT --to-destination 193.72.186.6
> iptables -t nat -A PREROUTING -d 194.38.85.209 -j DNAT --to-destination 193.72.186.6
> 
> Then iptables will automatically look after the reverse translation of the 
> replying packets from the internal machine to the external client.
> 
> However, I think you'll need to do something very clever with the routing 
> tables (probably possible, but beyond my capabilities) in order to make sure 
> that the reply goes back out through the same interface as it came in on 
> (although I must admit I can't think of a specific reason why this should be 
> absolutely necessary) - on a machine with a standard routing table, the reply 
> will simply go back via the 'default gateway' which of course is only on one 
> of your Internet links....
> 
> Maybe someone with more experience of iproute2 than me can jump in here ?
> 
> 
> 
> Antony.
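The mark / DNAT / SNAT / policy-routing plan Ramin sketches, written out as a rule generator. This is an added example, not code from the thread; the interface names, the two upstream next hops and the use of the mark values as table numbers are assumptions, while the public addresses, the internal host and the two non-existing SNAT sources come from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread). By default the commands are only
# printed for review; set RUN=1 to execute them on the firewall.
EXT_A=eth0; GW_A=62.2.159.1        # assumed: link A interface and next hop
EXT_B=eth1; GW_B=194.38.85.201     # assumed: link B interface and next hop
INT=eth2                           # assumed: interface towards internal_net
PUB_A=62.2.159.14;  PUB_B=194.38.85.209   # public addresses from the thread
SERVER=193.72.186.6                       # internal host from the thread
FAKE_A=10.10.10.10; FAKE_B=10.20.20.20    # non-existing SNAT sources from the thread
MARK_A=111; MARK_B=222                    # marks from the thread; also used as table ids (assumed)

run() { if [ "${RUN:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

gen_rules() {
  # Incoming on the external interfaces: mark by the public address that was hit,
  # then DNAT to the single internal address. mangle PREROUTING runs before nat.
  run iptables -t mangle -A PREROUTING -i "$EXT_A" -d "$PUB_A" -j MARK --set-mark "$MARK_A"
  run iptables -t mangle -A PREROUTING -i "$EXT_B" -d "$PUB_B" -j MARK --set-mark "$MARK_B"
  run iptables -t nat -A PREROUTING -d "$PUB_A" -j DNAT --to-destination "$SERVER"
  run iptables -t nat -A PREROUTING -d "$PUB_B" -j DNAT --to-destination "$SERVER"
  # Leaving on the internal interface: a distinct non-existing source per mark,
  # so the reply's destination tells the firewall which link the flow came in on.
  run iptables -t nat -A POSTROUTING -o "$INT" -m mark --mark "$MARK_A" -j SNAT --to-source "$FAKE_A"
  run iptables -t nat -A POSTROUTING -o "$INT" -m mark --mark "$MARK_B" -j SNAT --to-source "$FAKE_B"
  # Replies from the server: mark by the fake destination. This must happen in
  # mangle PREROUTING, before conntrack's nat reversal rewrites that destination.
  run iptables -t mangle -A PREROUTING -i "$INT" -d "$FAKE_A" -j MARK --set-mark "$MARK_A"
  run iptables -t mangle -A PREROUTING -i "$INT" -d "$FAKE_B" -j MARK --set-mark "$MARK_B"
  # Routing: one table per uplink, selected by fwmark after the nat reversal.
  run ip route add default via "$GW_A" dev "$EXT_A" table "$MARK_A"
  run ip route add default via "$GW_B" dev "$EXT_B" table "$MARK_B"
  run ip rule add fwmark "$MARK_A" table "$MARK_A"
  run ip rule add fwmark "$MARK_B" table "$MARK_B"
}

gen_rules
```

Check the result with `ip rule show` and `iptables -t mangle -L PREROUTING -v` once applied; the reply packet from 193.72.186.6 should carry the mark of the link its request arrived on.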
