Say you have the following setup: you have multiple internal networks and also multiple external IP addresses and/or networks. What you want is for LAN #1 to use only External IP #1, while LAN #2 uses External IP #2.
    Internal LAN          ---------->  official IP
    LAN #1  192.168.0.x   -->  External IP #1  126.96.36.199
    LAN #2  192.168.1.x   -->  External IP #2  188.8.131.52
Basically, what is described here is routing based NOT only on the destination address (typical IP routing) but also on the SOURCE address. This is typically called "policy-based routing" or "source routing". This functionality is NOT available in 2.0.x kernels; it *IS* available for 2.2.x kernels via the IPROUTE2 package, and it is built into the new 2.4.x kernels using IPTABLES.
First, you have to understand that both IPFWADM and IPCHAINS get involved *AFTER* the routing system has decided where to send a given packet. This statement really ought to be stamped in big red letters on all IPFWADM/IPCHAINS/IPMASQ documentation. The reason for this is that users MUST first have their routing setup correct, then start adding IPFWADM/IPCHAINS and/or Masq features.
Anyway, for the example case shown above, you will need to persuade the routing system to direct packets from 192.168.0.x via 123.123.1233.11 and packets from 192.168.1.x via 184.108.40.206. That is the hardest part; adding Masq on top of correct routing is easy.
To do this fancy routing, you will use IPROUTE2. Because this functionality has NOTHING to do with IPMASQ, this HOWTO does not cover this topic in great detail. Please see Section 2.7 for complete URLs and documentation for this topic.
The "iprule" and "iproute" commands are the same as the "ip rule" and "ip route" commands (I prefer the former since it is easier to search for). All the commands below are completely untested; if they do not work, please let David Ranch know about it, but please contact the IPROUTE2 email list for help. This function has NOTHING to do with IP Masquerading.
The following would be integrated into the END of your rc.firewall-iptables ruleset:

    EXTIF="eth0"
    INTNET1="192.168.0.0/24"
    INTNET2="192.168.1.0/24"
    EXTIP1="220.127.116.11"
    EXTIP2="18.104.22.168"

    iptables -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j SNAT --to $EXTIP1
    iptables -t nat -A POSTROUTING -o $EXTIF -s $INTNET2 -j SNAT --to $EXTIP2
The first few commands only need to be done once at boot, say in the /etc/rc.d/rc.local file.

    # Allow internal LANs to route to each other, no masq.
    /sbin/iprule add from 192.168.0.0/16 to 192.168.0.0/16 table main pref 100

    # All other traffic from 192.168.1.x is external, handle by table 101
    /sbin/iprule add from 192.168.1.0/24 to 0/0 table 101 pref 102

    # All other traffic from 192.168.2.x is external, handle by table 102
    /sbin/iprule add from 192.168.2.0/24 to 0/0 table 102 pref 102

These commands need to be issued when eth0 is configured, perhaps in /etc/sysconfig/network-scripts/ifup-post (for Redhat systems). Be sure to do them by hand first to make sure they work.

    # Table 101 forces all assigned packets out via 22.214.171.124
    /sbin/iproute add table 101 via 126.96.36.199

    # Table 102 forces all assigned packets out via 188.8.131.52
    /sbin/iproute add table 102 via 184.108.40.206

At this stage, you should find that packets from 192.168.1.x to the outside world are being routed via 220.127.116.11, and packets from 192.168.2.x are routed via 18.104.22.168. It is IMPORTANT that these IPROUTE2 rules be run /BEFORE/ the rc.firewall ruleset is run. If everything hangs together, the masq code will see packets being routed out on 22.214.171.124 and 126.96.36.199 and will use those addresses as the masq source address.
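The following is an added example, not code from the HOWTO, IPROUTE2 or iptables: a small Python model of the lookup the commands above set up. It shows what the kernel does with them: rules are consulted in ascending pref order and the first match picks a table, the table is searched by longest prefix, and only then (after routing) does the POSTROUTING SNAT rule pick the source address. It uses the subnet-to-address layout of the rc.firewall-iptables fragment above (192.168.0.0/24 to table 101, 192.168.1.0/24 to table 102), with constructed RFC 5737 placeholder gateways 203.0.113.11 / 203.0.113.22 and assumed interface names eth0 (external), eth1 and eth2. It also goes one step beyond the text: misordered_rules() shows why the pref-100 LAN-to-LAN rule has to sort before the per-LAN rules, otherwise inter-LAN traffic would be thrown out of the external gateway.

```python
"""Model of policy-based routing + SNAT selection (constructed example).

Addresses are RFC 5737 documentation placeholders, not the HOWTO's values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    pref: int    # 'ip rule' preference: lower is consulted first
    src: str     # 'from' selector (CIDR)
    dst: str     # 'to' selector (CIDR)
    table: str


@dataclass(frozen=True)
class Route:
    table: str
    dst: str             # destination prefix
    dev: str             # output interface
    via: Optional[str]   # gateway, None when directly connected


@dataclass(frozen=True)
class Snat:
    out_if: str   # '-o' selector of the POSTROUTING rule
    src: str      # '-s' selector
    to: str       # '--to' address


# 'ip rule' table. The pref-32766 entry is the kernel's implicit rule that
# sends everything not matched earlier to the 'main' table.
RULES: List[Rule] = [
    Rule(100, "192.168.0.0/16", "192.168.0.0/16", "main"),  # LAN-to-LAN stays local
    Rule(101, "192.168.0.0/24", "0.0.0.0/0", "101"),
    Rule(102, "192.168.1.0/24", "0.0.0.0/0", "102"),
    Rule(32766, "0.0.0.0/0", "0.0.0.0/0", "main"),
]

# Per-table routes; gateways are constructed placeholders.
ROUTES: List[Route] = [
    Route("main", "192.168.0.0/24", "eth1", None),
    Route("main", "192.168.1.0/24", "eth2", None),
    Route("main", "0.0.0.0/0", "eth0", "203.0.113.1"),    # ordinary default route
    Route("101", "0.0.0.0/0", "eth0", "203.0.113.11"),    # table 101 -> gateway #1
    Route("102", "0.0.0.0/0", "eth0", "203.0.113.22"),    # table 102 -> gateway #2
]

# 'iptables -t nat -A POSTROUTING ...' rules, first match wins.
SNAT: List[Snat] = [
    Snat("eth0", "192.168.0.0/24", "203.0.113.11"),
    Snat("eth0", "192.168.1.0/24", "203.0.113.22"),
]


def _in(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def select_table(src: str, dst: str, rules: List[Rule] = RULES) -> str:
    """First matching rule in ascending pref order decides the table."""
    for rule in sorted(rules, key=lambda r: r.pref):
        if _in(src, rule.src) and _in(dst, rule.dst):
            return rule.table
    raise LookupError("no rule matched")  # impossible with the 32766 rule present


def select_route(table: str, dst: str, routes: List[Route] = ROUTES) -> Route:
    """Longest-prefix match inside the selected table only."""
    candidates = [r for r in routes if r.table == table and _in(dst, r.dst)]
    if not candidates:
        raise LookupError(f"table {table} has no route to {dst}")
    return max(candidates, key=lambda r: ipaddress.ip_network(r.dst).prefixlen)


def select_snat(src: str, route: Route, snat: List[Snat] = SNAT) -> Optional[str]:
    """POSTROUTING runs after the routing decision, so '-o' is already known."""
    for rule in snat:
        if route.dev == rule.out_if and _in(src, rule.src):
            return rule.to
    return None   # untranslated (e.g. LAN-to-LAN leaving on an internal interface)


def forward(src: str, dst: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (table, gateway, SNAT source) for a forwarded packet."""
    table = select_table(src, dst)
    route = select_route(table, dst)
    return table, route.via, select_snat(src, route)


def misordered_rules() -> List[Rule]:
    """The same rules with the LAN-to-LAN rule sorted AFTER the per-LAN rules."""
    return [Rule(103, "192.168.0.0/16", "192.168.0.0/16", "main")] + \
           [r for r in RULES if r.pref != 100]


if __name__ == "__main__":
    for src, dst in [("192.168.0.10", "198.51.100.7"),
                     ("192.168.1.10", "198.51.100.7"),
                     ("192.168.0.10", "192.168.1.10")]:
        print(src, "->", dst, forward(src, dst))
    print("misordered LAN-to-LAN lands in table",
          select_table("192.168.0.10", "192.168.1.10", misordered_rules()))
```

Run it as a script to see the three cases from the text: each LAN leaves via its own gateway and is translated to the matching address, while LAN-to-LAN traffic stays in main and is never translated because it does not leave eth0. The misordered variant is the check worth doing by hand after "ip rule show": if the pref-100 rule is missing or sorted later, inter-LAN packets are sent to the external gateway.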
Generated: 2007-01-26 17:58:18