SNAT and TWO gateways (almost done)

posto · 08-22-2004, 02:59 PM

Hello. I'm trying to make my linux server route packets through a secondary gateway if those packets are marked.

My setup looks like this:
Windows clients connected to Linux server. IP=10.0.0.x/24, Gateway=10.0.0.1

Linux box:
Two nics, eth0 is 10.0.0.1 (internal LAN), eth1 has two IP's for the two different gateways. IP1=192.168.5.2, IP2=192.168.6.84
I have two gateways:
#1 ("default") : 192.168.5.1
#2 : 192.168.6.1

Traceroute on linux box shows that it works as expected, chooses the correct gateway. Marked packets go through gateway #2, all others go to gateway #1.

Now, i'm also doing SNAT, so i've added two rules to iptables:

Code:

root@pluto:/etc/iproute2# iptables -t nat -L
<skip>
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  anywhere             anywhere            MARK match 0x1 to:192.168.6.84
SNAT       all  --  anywhere             anywhere            to:192.168.5.2

Testing if this works from a win2k client with this config:
ip=10.0.0.7, gw=10.0.0.1 (eth0 on linux box)

Code:

C:\Documents and Settings\Administrator>tracert -d google.com
  1   <10 ms   <10 ms   <10 ms  10.0.0.1 - linux box
  2   <10 ms   <10 ms   <10 ms  192.168.5.1 - uses default gw (ok)

C:\Documents and Settings\Administrator>tracert -d xxx.xx
  1   <10 ms   <10 ms   <10 ms  10.0.0.1
  2   <10 ms   <10 ms   <10 ms  192.168.6.1 - uses gw#2 (ok)

Now the strange part:

Code:

C:\>ping google.com
Pinging google.com [216.239.57.99] with 32 bytes of data:
Reply from 216.239.57.99: bytes=32 time=511ms TTL=240

C:\>ping xxx.xx
Pinging xxx.xx [x.x.x.x] with 32 bytes of data:
Request timed out.

Trace works, but i cant ping the hosts that are marked and use gateway #2. I can't figure it out. I've been trying to fix this for a week already. I'm out of ideas.
Can somebody please help me with this.

Sutekh · 08-30-2004, 02:26 AM

ok dumb questions 1st.

is the host you are trying to ping, ping-able? When you did the tracert did it hit anything after your gateway? did it make it all the way to it's destination?

Do other protocols work apart from ICMP? have you tried to get a tcp socket?

it seems like it is on the right track so can't be too big a deal to sort out.

posto · 08-30-2004, 05:59 PM

yes, that host is ping-able because i can ping it from my linux box... but I cant from the win2k box.

basically my "problem" is that I want to use two gateways, but I have two nics only, one for internal lan and other for external. So i've set up two IPs for it, but i cant find an example on the net on how to set up this. Everybody talks about eth0, eth1 and eth2. But i dont have the third network card in my set-up. So I'm kinda stuck.