How to make a mutli-homed host use one IP for a NAT'ed host
gtaylor at riverviewtech.net
Thu Apr 21 16:53:29 CEST 2005
> Hi all,
> Hum... not quite working for me yet, nearlt there but I get the error:
> "MARK: can only be called from "mangle" table, not "nat""
> So I used:
> iptables -A PREROUTING -i eth0 -t mangle -s $DMZ_HOST_IP -p tcp
> --dport 25 -j MARK --set-mark 2
Sorry, my mistake. It was late at night after a long day. :(
> Q: Is eth0 correct as this is the red/ INET IFACE and not the DMZ dev
> IFACE (that would be eth1)
No. I think you should use eth1 in your IPTables rule as you are looking to mark the traffic that is coming back to the router / firewall from the DMZ/SMTP server that is outbound to the world. Basically you want to mark the SMTP server's returning traffic as a control handle that you can look for with an IPRoute2 rule so that the routing core can decide what routing table to use to send the traffic back out to the world.
> And then:
> ip route add table $IPROUTE2_SMTP_TABLE dev $INET_IFACE src $MAIL_INET_ALIAS
> ip route add table $IPROUTE2_SMTP_TABLE default via $INET_IP
> ip rule add fwmark $SMTP_MARK table $IPROUTE2_SMTP_TABLE
> Where $SMTP_MARK=2 and IPROUTE2_SMTP_TABLE=smtp.out
> I have "echo 25 smtp.out >> /etc/iproute2/rt_tables"
> Packets still come from the "wrong" ip address
> Any suggestions.
Try changing your eth0 to eth1 in your IPTables mark rule. Other than that (and my snafu about the wrong table) I think your set up should work just fine. I feel like you are very close to having what you want set up and working. :)
Grant. . . .
More information about the netfilter