Hi,
There are two users (user1, user2) on my system, and two interfaces (eth0, wlan0). I want to forward traffic generated by user1 to eth0 and user2 to wlan0.
wlan0 is 10.50.50.14/24 with gateway at 10.50.50.1 and eth0 192.168.1.11/24 with gateway at 192.168.1.1.
So I need user1 to use gateway 192.168.1.1 and user2 10.50.50.1.
The first thing I did was mark outgoing packets from user2 with the iptables MARK target like this:
Code:
# iptables -t mangle -A OUTPUT -m owner --uid-owner user2 -j MARK --set-mark 1
Then I created a route policy rule like this:
Code:
# ip rule add fwmark 1 lookup gwroute
This is what the gwroute table looks like:
Code:
10.5.50.0/24 dev wlan0 scope link src 10.5.50.14
default via 10.5.50.1 dev wlan0
and this is what the main route table looks like:
Code:
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.11 metric 202
10.5.50.0/24 dev wlan0 proto kernel scope link src 10.5.50.14 metric 303
127.0.0.0/8 dev lo scope link
default via 192.168.1.1 dev eth0 metric 202
Now when I send something from user2, gateway 10.50.50.1 is used, but the IP source address field is set to 192.168.1.11. I figured out I have to change the source address of outgoing packets, so I created an SNAT rule (masquerade would probably be more flexible).
Code:
# iptables -t nat -A POSTROUTING -o wlan0 -j SNAT --to 10.50.50.14
Now everything works. My question is: why do I need to rewrite the source address? There is a "src" entry in the main and gwroute tables that sets the source address to 10.5.50.14 when 10.5.50.0/24 is the destination.
Thanks!
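An added model (not from the post or the kernel) of why the "src" hint never applies here: for a locally generated packet the kernel picks the route and the source address at socket level, before the mangle OUTPUT chain has set any fwmark; when the mark is set afterwards, netfilter re-routes the packet but keeps the source address already chosen from the main table's default route. The model uses the 10.50.50.0/24 addresses from the prose (the post's route listings print 10.5.50.x), a hypothetical uid 1001 for user2, and contrasts the fwmark rule with a `uidrange` rule (`ip rule add uidrange 1001-1001 lookup gwroute`, iproute2/kernel 4.10 or later), which is visible to the very first lookup and therefore picks the wlan0 source without MARK or SNAT.

```python
import ipaddress

# Constructed routing state from the post; (prefix, dev, via, preferred src).
DEV_ADDR = {"eth0": "192.168.1.11", "wlan0": "10.50.50.14"}
TABLES = {
    "main": [
        ("192.168.1.0/24", "eth0", None, "192.168.1.11"),
        ("10.50.50.0/24", "wlan0", None, "10.50.50.14"),
        ("0.0.0.0/0", "eth0", "192.168.1.1", None),
    ],
    "gwroute": [
        ("10.50.50.0/24", "wlan0", None, "10.50.50.14"),
        ("0.0.0.0/0", "wlan0", "10.50.50.1", None),
    ],
}
USER2_UID = 1001  # hypothetical uid for user2

def fib_lookup(rules, flow, dst):
    """First matching rule whose table has a route wins; longest prefix inside
    the table. src falls back to the output device's own address when the
    route carries no 'src' hint (simplified kernel source selection)."""
    for match, table in rules:
        if not match(flow):
            continue
        best = None
        for prefix, dev, via, src in TABLES[table]:
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, dev, via, src or DEV_ADDR[dev])
        if best:
            return best[1:]
    raise LookupError("no route to " + dst)

def route_local_output(rules, dst, uid, mark_for_uid):
    """Locally generated packet: lookup #1 runs before mangle OUTPUT (fwmark 0)
    and fixes the source address; if OUTPUT then sets a mark, the packet is
    re-routed but the chosen source address is kept."""
    flow = {"uid": uid, "fwmark": 0}
    dev, via, src = fib_lookup(rules, flow, dst)
    flow["fwmark"] = mark_for_uid.get(uid, 0)
    if flow["fwmark"]:
        dev, via, _ = fib_lookup(rules, flow, dst)  # re-route, src unchanged
    return {"src": src, "dev": dev, "via": via}

# Post's setup: 'ip rule add fwmark 1 lookup gwroute' + iptables MARK on user2.
FWMARK_RULES = [(lambda f: f["fwmark"] == 1, "gwroute"), (lambda f: True, "main")]
MARKS = {USER2_UID: 1}
# Alternative: 'ip rule add uidrange 1001-1001 lookup gwroute' (no MARK, no SNAT).
UIDRANGE_RULES = [(lambda f: f["uid"] == USER2_UID, "gwroute"), (lambda f: True, "main")]

def compare(dst="203.0.113.1"):  # TEST-NET-3 address as the sample destination
    return {"fwmark": route_local_output(FWMARK_RULES, dst, USER2_UID, MARKS),
            "uidrange": route_local_output(UIDRANGE_RULES, dst, USER2_UID, {})}
```

Running `compare()` shows the fwmark setup leaving wlan0 with source 192.168.1.11 (the mismatch the post observes), while the uidrange rule yields source 10.50.50.14.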