How to elegantly handle two ISPs on a single box?

Marc Haber mh+netfilter at
Wed Apr 6 19:17:30 CEST 2005


given the following setting:

---------               ---------
| ISP A |               | ISP B |
---------               ---------
    |                       |
    |                       |
    -------------------------
                |
           ----------
           | My Box |
           ----------
                |
    -------------------------- internal network

Both ISPs deliver full internet connectivity, but I have to NAT
towards the internet.

ISP B is new, so my only default route currently points towards, and I would like to be able to switch back and forth
between the two ISPs, pretty dynamically choosing which host on the
internal network should use which ISP.

My Box runs Debian woody, so we are limited to a 2.4 kernel and
iptables 1.2.6.

So I am pretty convinced that I need a combination of source policy
routing (which I know is not done by netfilter) and SNAT.

Ideally, I would have an outgoing packet NATted to the appropriate
public IP:
  iptables --table nat --append POSTROUTING --src
     --jump SNAT --to-source
  iptables --table nat --append POSTROUTING --src
     --jump SNAT --to-source
and then have source policy routing in place:
$ ip rule
0:      from all lookup local
10:     to lookup main
20:     from lookup ispA
30:     from lookup ispB
32766:  from all lookup main
32767:  from all lookup default
$ ip route list table ispA
default via
$ ip route list table ispB
default via

But unfortunately, this doesn't work, as the table name POSTROUTING
suggests. So, it looks like it is necessary to first have appropriate
rules to select the appropriate routing table to route to the
appropriate interface, and then do the Source NAT to the appropriate
IP address, selecting on the Interface. This seems to be awfully
error-prone, since "ip rule" and netfilter have the reputation of not
working together very well.

The other idea I have would be putting an appropriate fwmark on the
packet in the FORWARD chain, and then doing both the routing decision
_and_ the SNAT based on the fwmark. But I am not too fond of that idea
as well.

Is there a more elegant way to do it? Did I miss any docs?

Any hints will be appreciated.


Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
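The first approach sketched in the post (source policy routing per internal host group, then SNAT keyed on the outgoing interface because POSTROUTING runs after the routing decision) as an added, self-contained example; it is not from the original message or its replies. It emits the ip/iptables commands rather than executing them so the plan can be reviewed first; addresses, interface names and the table names ispA/ispB (which must exist in /etc/iproute2/rt_tables) are constructed placeholders.

```sh
#!/bin/sh
# Added example, not part of the original post. Emits the commands for the
# "policy-route by internal source first, SNAT by outgoing interface second"
# design; pipe the output to sh to apply it. Addresses, interface names and
# table names (which must exist in /etc/iproute2/rt_tables) are constructed.

# Commands for one ISP.
# $1 table name, $2 rule priority, $3 internal hosts (CIDR) that should use
# this ISP, $4 outgoing interface, $5 ISP gateway, $6 our public IP there
isp_rules() {
    table=$1 prio=$2 hosts=$3 iface=$4 gw=$5 pubip=$6
    # 1. Routing: choose the table by the *internal* source address ...
    echo "ip route replace default via $gw dev $iface table $table"
    echo "ip rule add priority $prio from $hosts lookup $table"
    # ... and make the box's own replies from this public IP leave the same way.
    echo "ip rule add priority $((prio + 1)) from $pubip lookup $table"
    # 2. NAT: POSTROUTING runs after the routing decision, so key the SNAT on
    #    the interface the packet leaves through, not on the internal source.
    echo "iptables -t nat -A POSTROUTING -o $iface -j SNAT --to-source $pubip"
}

# The whole plan: internal traffic stays on main, then one block per ISP.
multi_isp_plan() {
    echo "ip rule add priority 10 to 192.168.0.0/24 lookup main"
    isp_rules ispA 20 192.168.0.0/25   eth1 203.0.113.1  203.0.113.10
    isp_rules ispB 30 192.168.0.128/25 eth2 198.51.100.1 198.51.100.10
    echo "ip route flush cache"   # 2.4 kernels cache routes; drop stale ones
}

# Consistency check on the plan: every table named in an 'ip rule' must have
# a default route, and that route's interface a SNAT rule. Returns 0 if so.
plan_is_consistent() {
    plan=$(multi_isp_plan); ok=0
    for t in $(echo "$plan" | sed -n 's/^ip rule add .* lookup \([A-Za-z0-9]*\)$/\1/p' | grep -v '^main$' | sort -u); do
        iface=$(echo "$plan" | sed -n "s/^ip route replace default via [0-9.]* dev \([a-z0-9]*\) table $t\$/\1/p")
        [ -n "$iface" ] || ok=1
        echo "$plan" | grep -q "^iptables -t nat -A POSTROUTING -o $iface -j SNAT " || ok=1
    done
    return $ok
}

multi_isp_plan
```

Moving a host between ISPs is then a matter of changing which CIDR (or single address) appears in the `from ... lookup` rule; the SNAT rules need no change because they follow the interface.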
