Routing based on conntrack NEW interface
Wed, 10 Oct 2001 12:18:52 -0400
I have a multi-homed router/firewall running Redhat 7.1.
For interior services I am making available to the exterior
via DNAT forwarding, I would like to route reply packets
outbound to a gateway corresponding to the interface where
the connection originally came in from.
I was hoping I could do this via the marking facility, but
it seems to me from the docs that the mark is not stored
for the connection and applies only to the current packet.
The reason I need to do this is that my firewall has connections
to multiple exterior networks, each over a separate ethernet
interface. One of the connections is provided by an ISP and
is externally NATed by the ISP. For the NATed connection,
I have to make sure that I route my replies back through
the same ISP so that the NAT will be reversed on the way out.
I can't simply route by the source address, since the source can
be any public internet address and such addresses can come in
from other interfaces as well (which are not NATed).
The reason for this bit of insanity is that I have limited IP
addresses on my main connection, and I am using additional IP
addresses from a second ISP that can only provide NATed
private network addresses, not public addresses.
I have been solving the problem by attaching a separate gateway
computer to the NATing ISP, and using a proxy (redir-2.2) in
between. I would prefer not to do that, since it hides the
source addresses from the interior servers.
Is there a way to do this? It seems like policy-based routing
is exactly what I want, but I need to be able to apply a policy
based on the connection tracking.
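The approach the post is asking for, as an added example that is not part of the original message: persist a per-connection mark with the iptables CONNMARK target when a connection arrives on a given uplink, copy it back onto reply packets before routing, and let an `ip rule ... fwmark` policy select the routing table for that uplink. CONNMARK is not mentioned in the post; this example assumes an iptables/kernel combination that provides the CONNMARK target and the `state` match, iproute2 for `ip rule`/`ip route`, and the interface names, gateway addresses, mark values and table numbers below are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): route replies for DNATed
# interior services back out the uplink they arrived on, keyed on the
# conntrack entry rather than on the (untrusted, arbitrary) source address.
# All names and addresses here are placeholders.

LAN=eth0                          # interior network (placeholder)
WAN_A=eth1; GW_A=203.0.113.1      # main ISP, public addresses (placeholder)
WAN_B=eth2; GW_B=198.51.100.1     # ISP that NATs us (placeholder)
MARK_A=1;   TABLE_A=101
MARK_B=2;   TABLE_B=102

# Execute a command, or just print it when DRY_RUN=1 (lets the rule set be
# reviewed before it is loaded on a live router).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_routing() {
    # One routing table per uplink; the fwmark rules choose the table.
    run ip route add default via "$GW_A" dev "$WAN_A" table "$TABLE_A"
    run ip route add default via "$GW_B" dev "$WAN_B" table "$TABLE_B"
    run ip rule add fwmark "$MARK_A" table "$TABLE_A"
    run ip rule add fwmark "$MARK_B" table "$TABLE_B"
}

setup_marking() {
    # First packet of a connection: record the arrival interface in the
    # conntrack entry. mangle PREROUTING runs before the nat DNAT, so the
    # interface is the only thing we rely on, never the source address.
    run iptables -t mangle -A PREROUTING -i "$WAN_A" -m state --state NEW \
        -j CONNMARK --set-mark "$MARK_A"
    run iptables -t mangle -A PREROUTING -i "$WAN_B" -m state --state NEW \
        -j CONNMARK --set-mark "$MARK_B"
    # Replies from interior servers: copy the stored connection mark onto
    # the packet before the routing decision, so the fwmark rule applies.
    run iptables -t mangle -A PREROUTING -i "$LAN" \
        -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
}

apply_all() {
    setup_routing
    setup_marking
}

case "${1:-}" in
    apply)   apply_all ;;
    dry-run) DRY_RUN=1 apply_all ;;
esac
```

Run as `sh connmark-route.sh dry-run` to print the seven commands, then `apply` as root to load them. Two caveats worth checking on the box: reverse-path filtering (`/proc/sys/net/ipv4/conf/<iface>/rp_filter`) will drop inbound packets on the NATed uplink whose source would normally be routed out the main uplink, so it has to be relaxed on those interfaces; and connections that originate from the interior never get a mark, so they keep following the main routing table, which is the intended behaviour here.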