This is a discussion on IP Tables, SNAT, and routing: selecting the outgoing interface - Networking ; I'm working on an IP Tables firewall ruleset here. I won't bore you with most of the details, but a few things are germaine to my question: * The system this ruleset is to run on (hereinafter "this firewall") is ...
I'm working on an IP Tables firewall ruleset here. I won't bore you
with most of the details, but a few things are germaine to my
* The system this ruleset is to run on (hereinafter "this firewall")
is running a special-purpose distro that is based on Slackware 8.1.
Choosing a different distro is not an option for this firewall, for
reasons that aren't worth going into.
* On the "outside" (facing the internet) this firewall will have two
public IP addresses. These can either be assigned to two physical
ethernet cards (which is the direction I'm leaning) or to just one
using IP aliasing (if that simplifies the solution). Either way,
both will be on the same network segment as a Cisco 2600 series
router that connects to the rest of the world. For our purposes
here we'll call the two public addresses "Address A" and
* On the "inside" (facing the LAN) this firewall will have another
physical ethernet card connected to a physically separate network
segment. This interface will be assigned an address in the 10.x.x.x
range. Systems on the LAN will use this address for their gateway.
* On the LAN there are two basic categories of systems: trusted
systems, which we control, and untrusted systems, which we don't.
(We're going to provide free 802.11something access in the near
future, so we definitely will not have control over the systems on
that segment.) The trusted and untrusted systems can be
distinguished by their IP addresses. The trusted systems will be
protected from the untrusted ones by another firewall (the details
of which need not concern us here), but both will sit behind this
* The filter table on this firewall contains various rules to allow
what we need to allow, and each chain there ends with a
log-and-reject rule that matches anything else.
* This firewall will also be running a transparent web proxy. Rules
in the nat table's PREROUTING chain will redirect outgoing port-80
traffic to Squid (port 3128).
The problem is that we'd really like to send traffic from trusted
systems out SNATted to use Address A for its public IP address, but
we want to send traffic from untrusted systems out SNATted to use
Address B. (Ideally, I'd also like to ensure that Squid makes its
outgoing web-page requests using Address B, although that is less
Is this something I can do with IP Tables, perhaps with the mangle
filter? Which chain would I use? I don't really want to mangle
until after the filter table is done, preferably, so that my filter
see the original source information and stuff...
Simply assigning the address with SNAT in the nat table's POSTROUTING
chain, without actually directing the packet to go out the appropriate
interface, seems too simple. Even though both of the interfaces in
question are on the same segment, wouldn't that cause problems? (But
what if there's just one physical interface, and the other is an
alias, like eth0:1? Wouldn't it work more or less correctly then?
Still, that doesn't seem like the ideal way to do things...)
Supposing I use -j ROUTE -oif ethx in the POSTROUTING chain of the
mangle table: will the adjustment reliably be made *before* the
POSTROUTING chain of the nat table sees it, so that rules there can
look at the -o interface and determine what address to use for SNAT?
(I don't see, in the iptables man page, where the order in which the
tables are applied is defined. Perhaps I overlooked it? A quick
search on the word "order" does not turn up anything of immediately