How to elegantly handle two ISPs on a single box?

Marc Haber mh+netfilter at
Thu Apr 7 23:43:26 CEST 2005

Based on the feedback I received on this list, I chose to try the
fwmark based approach, which has proven to be surprisingly painless.

Instead of having normal SNAT rules per host in the POSTROUTING chain
of the nat table, I put fwmarks on the packets in the PREROUTING chain
of the mangle table.

Since I have a number of network routes to internal networks that are
not to be NATted, my rules look like

ip rule add pref 100 table main
ip rule add pref 200 fwmark 1 table isp_1
ip rule add pref 300 fwmark 2 table isp_2

Table main is missing the default route, which might be a pitfall if
your init mechanism goofs up. This scheme, however, allows you to keep
your normal init mechanism for the network routes which would need to
be duplicated in both ISP tables otherwise.

That way, there is no traffic leaving our network that doesn't have a
fwmark on it.

Finally, the only two NAT rules:

iptables --table nat --append POSTROUTING --match mark --mark 1 \
   --jump SNAT --out-int unt301 --to-source isp_1_ip
iptables --table nat --append POSTROUTING --match mark --mark 2 \
   --jump SNAT --out-int unt302 --to-source isp_2_ip

That way, the fwmark controls both routing and NAT.

There are two pitfalls:
  - iptables expects the fwmark as a decimal number while ip rule
    wants to see hex
  - There is caching in place, so expecting a change to the rules to
    be effective immediately is bound for trouble.


Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
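The complete scheme from the post, put together as an added example (this is not Marc's script): it marks traffic per LAN in mangle/PREROUTING, builds the policy-routing rules with the decimal-to-hex conversion the first pitfall calls for, flushes the route cache for the second, and keys SNAT on the same mark. Interface names unt301/unt302 and marks 1/2 are from the post; the LAN subnets, ISP addresses and gateways are placeholders, and the tables isp_1/isp_2 are assumed to be defined in /etc/iproute2/rt_tables.

```shell
#!/bin/sh
# Added example, not from the original post. Generates (RUN unset) or
# executes (RUN=1, needs root) the fwmark-based dual-ISP setup.
LAN1=10.0.1.0/24   # hosts that should leave via ISP 1 (placeholder)
LAN2=10.0.2.0/24   # hosts that should leave via ISP 2 (placeholder)
ISP1_IF=unt301; ISP1_IP=192.0.2.10;    ISP1_GW=192.0.2.1      # placeholders
ISP2_IF=unt302; ISP2_IP=198.51.100.10; ISP2_GW=198.51.100.1   # placeholders

# Print the command unless RUN=1, so the script can be reviewed first.
run() { if [ "${RUN:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Pitfall 1: iptables takes the mark in decimal, ip rule wants hex.
mark_to_hex() { printf '0x%x' "$1"; }

# Mark packets from each internal LAN in mangle/PREROUTING (decimal marks).
mark_rules() {
    run iptables -t mangle -A PREROUTING -s "$LAN1" -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -s "$LAN2" -j MARK --set-mark 2
}

# Policy routing: table main first (it carries the internal routes but no
# default route), then one table per ISP selected by fwmark (in hex).
# Assumes isp_1 and isp_2 exist in /etc/iproute2/rt_tables.
routing_rules() {
    run ip route add default via "$ISP1_GW" dev "$ISP1_IF" table isp_1
    run ip route add default via "$ISP2_GW" dev "$ISP2_IF" table isp_2
    run ip rule add pref 100 table main
    run ip rule add pref 200 fwmark "$(mark_to_hex 1)" table isp_1
    run ip rule add pref 300 fwmark "$(mark_to_hex 2)" table isp_2
    # Pitfall 2: flush the route cache so the new rules take effect now.
    run ip route flush cache
}

# SNAT keyed on the same mark, so routing and NAT can never disagree.
nat_rules() {
    run iptables -t nat -A POSTROUTING -m mark --mark 1 -o "$ISP1_IF" \
        -j SNAT --to-source "$ISP1_IP"
    run iptables -t nat -A POSTROUTING -m mark --mark 2 -o "$ISP2_IF" \
        -j SNAT --to-source "$ISP2_IP"
}

mark_rules; routing_rules; nat_rules
```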