hmm, nod, played around with this a bit, but it's not quite what i'm
looking for. the ip route will make _all_ traffic into y.y.y.1 go to
x.x.x.1, but i don't want all traffic translated -- i only want traffic that
is from connections started by x.x.x.1 to be sent back to x.x.x.1. more
"masquerading" and less "nat", i suppose, if that terminology is correct
and makes sense. traffic that doesn't originate from x.x.x.1 should be
handled by y.y.y.1 -- the machine that responds to the arps for y.y.y.1.
it's not just a matter of specifying specific ports either, as i have no
way of knowing in advance what source or dest ports x.x.x.1 will use -- i
just want any random traffic that comes from there to be handled by masq.
there will probably eventually be more than 1 x.x.x.1 also. ipchains masq
works fine with this, but ip route nat will not, as far as i can tell.
i can't think of how this can be accomplished with iproute2. i can assign
an fwmark for packets from x.x.x.1 going out, but i can't do anything to
the packets coming in to y.y.y.1, as the fwmark won't be sent back,
correct?
-tcl.
On Mon, 13 Nov 2000, Clint Byrum wrote:
> This would be easier accomplished using iproute2.
>
> ip rule add from x.x.x.1 nat y.y.y.1
> ip route add nat y.y.y.1 via x.x.x.1
> ip rule add from x.x.x.2 nat y.y.y.2
> ip route add nat y.y.y.2 via x.x.x.2
>
> Where x.x.x.* are the internal IPs, and y.y.y.* are the externals.
>
> If you want to do it based on some more complex rules in your ipchains, you
> can use fwmarks, but that is a little more complex in the ip rule/route
> commands as well.
>
> > -----Original Message-----
> > From: tc lewis [mailto:tcl@xxxxxxxxx]
> > Sent: Monday, November 13, 2000 5:31 AM
> > To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> > Subject: ipchains -i [off topic].
> >
> > so utilizing ipchains' -i flag with a forward chain, i can specify which
> > device to send out from. like eth1 or eth2. is there any way i can make
> > that even more narrow, and specify an ip alias somehow? i.e.: eth0:0 or
> > eth0:1? that syntax doesn't seem to fly.
> >
> > what i'm looking to do is have 1 machine do masq for 2 machines behind it,
> > but have the source address on outgoing packets be different for each of
> > those 2 backend machines. apparently this is easy with 2 separate
> > physical interfaces, but the ips for outgoing connections are both ip
> > aliases, so i was wondering if that was possible. perhaps with more
> > policy routing, maybe via fwmark stamps? or is there an easier way?
> >
> > -tcl.
> >
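The distinction tcl is drawing above (stateful "masquerading" versus the stateless 1:1 translation that `ip route add nat` gives you) is easy to see in a small model. The following is an added illustration, not code from the thread or from ipchains/iproute2: it keeps the thread's placeholder addresses (x.x.x.* internal, y.y.y.* external), uses constructed RFC 5737 documentation addresses for the outside hosts, and models the two behaviours as plain Python classes so the difference in how unsolicited inbound traffic is handled can be checked directly.

```python
"""Toy model: stateless 1:1 NAT vs. stateful source NAT (masquerading).

Constructed illustration for the LVS thread above; not real netfilter code.
Addresses x.x.x.* / y.y.y.* are the thread's placeholders, the outside
hosts are RFC 5737 documentation addresses.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatelessNat:
    """Models `ip rule add from x.x.x.1 nat y.y.y.1` plus
    `ip route add nat y.y.y.1 via x.x.x.1`: a fixed address rewrite applied
    to every packet, with no memory of which connections exist."""

    def __init__(self, mapping):
        self.out = dict(mapping)                      # internal -> external
        self.back = {v: k for k, v in mapping.items()}  # external -> internal

    def outbound(self, pkt):
        if pkt.src in self.out:
            return Packet(self.out[pkt.src], pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        return pkt

    def inbound(self, pkt):
        # Every packet addressed to y.y.y.1 is rewritten, solicited or not,
        # so nothing is left for the host that actually owns y.y.y.1.
        if pkt.dst in self.back:
            return Packet(pkt.src, pkt.sport, self.back[pkt.dst], pkt.dport, pkt.proto)
        return pkt


class StatefulSnat:
    """Models masquerading / source NAT: same outbound rewrite, but the
    reverse translation is applied only to replies of connections that the
    translator saw leave (a connection-tracking table)."""

    def __init__(self, mapping):
        self.out = dict(mapping)
        # (ext_ip, sport, dst, dport, proto) -> internal source address
        self.conntrack = {}

    def outbound(self, pkt):
        ext = self.out.get(pkt.src)
        if ext is None:
            return pkt
        self.conntrack[(ext, pkt.sport, pkt.dst, pkt.dport, pkt.proto)] = pkt.src
        return Packet(ext, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt):
        # A reply's src/dst are the outbound tuple's dst/src, swapped.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        internal = self.conntrack.get(key)
        if internal is None:
            return pkt  # unsolicited: stays with whoever owns y.y.y.1
        return Packet(pkt.src, pkt.sport, internal, pkt.dport, pkt.proto)


MAPPING = {"x.x.x.1": "y.y.y.1", "x.x.x.2": "y.y.y.2"}


def scenario(translator):
    """Push one solicited reply and one unsolicited packet through a
    translator; return (reply destination, unsolicited destination)."""
    t = translator(MAPPING)
    # x.x.x.1 opens a connection to a web server outside (constructed).
    out = t.outbound(Packet("x.x.x.1", 40000, "203.0.113.10", 80))
    assert out.src == "y.y.y.1"
    # The server's reply comes back to y.y.y.1.
    reply = t.inbound(Packet("203.0.113.10", 80, "y.y.y.1", 40000))
    # An unrelated inbound connection attempt, also aimed at y.y.y.1.
    unsolicited = t.inbound(Packet("198.51.100.7", 51515, "y.y.y.1", 22))
    return reply.dst, unsolicited.dst


if __name__ == "__main__":
    print("stateless:", scenario(StatelessNat))   # both land on x.x.x.1
    print("stateful: ", scenario(StatefulSnat))   # only the reply does
```

With the stateless model both packets are forwarded to x.x.x.1, which is exactly the "all traffic into y.y.y.1" behaviour the reply above objects to; with the stateful model the unsolicited packet keeps y.y.y.1 as its destination and is handled by the machine answering ARP for that address. The same per-source mapping in the later netfilter tooling is a stateful `SNAT --to-source` rule in the `nat` table's POSTROUTING chain, which relies on the same kind of connection tracking.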