[CentOS] OT : iptables/arptables question

Tue Jan 27 19:14:41 UTC 2009
Fabian Arrotin <fabian.arrotin at arrfab.net>

Filipe Brandenburger wrote:
> Hi Fabian:
> 
> On Tue, Jan 27, 2009 at 08:16, Fabian Arrotin <fabian.arrotin at arrfab.net> wrote:
>> Question is : how can i "mangle" output packets to appear coming from
>> public ip and not from 192.168.X.X ?
> 
> Found this that might help you (google for: linux default outgoing ip):
> 
> """
>> On a machine with multiple interfaces, is it possible to set the default
>> outgoing IP address to something other than the address for the interface
>> on the outgoing route?
> 
> Yes.
> 
> ip route add 10.1.1.0/24 via 192.168.1.1 src 172.16.1.1
>                                                           ^^^
> The src parameter tells the routing code to use this address when sending
> packets. The address only needs to be on the system. IE:
> 
> ip addr add 172.16.1.1/32 dev dummy0
> 
> And send the packets out of eth0.
> """
> From: http://lkml.indiana.edu/hypermail/linux/kernel/0112.1/0359.html
> 
> Just make sure you keep a separate route for your ISP's side of the
> private network (maybe the one created when your interface goes up
> will do), otherwise your routing protocol might fail.
> 
> HTH,
> Filipe

Hi Filipe,

thanks for the link, i completely missed that point from the 'ip route' 
command.
On the other hand, 10 minutes after i had sent my mail (and 3 coffee 
later to be precise) i saw also a picture from wikipedia 
(http://upload.wikimedia.org/wikipedia/fr/thumb/3/3e/Netfilter_schema.png/400px-Netfilter_schema.png) 
explaining how packets went through the different ip tables and it was 
directly clear : even packets leaving the local box (and being processed 
in the OUTPUT filter) are still processed in the nat table (postrouting 
filter) so a simple SNAT rule did the job perfectly too ;-) In fact it's 
the first time that i have to modify packets leaving a linux gateway and 
i thought that only packets being forwarded (and so traversing the 
FORWARD filter) could also being modified in the nat table ...
I've also had a look in the sysconfig.txt file to see how your solution 
could be applied but it's still not very clear how that can be done. But 
using GATEWAYDEV=eth3 (eth3 having my public-ip/32 while eth3:1 having 
my 192.168.X.X/24 ip) in the /etc/sysconfig/network and declaring a 
GATEWAY=192.168.X.X (isp router ip) in the ifcfg-eth3:1 does also the 
job. But a `route -n` is strange though : " 0.0.0.0         0.0.0.0 
     0.0.0.0         U     0      0        0 eth3" like for the old ppp 
stuff

So multiple ways to solve the initial question ...
--
Fabian Arrotin
  idea=`grep -i clue /dev/brain` ; test -z "$idea" && echo "sorry, init 
6 in progress" || sh ./answer.sh

-- 
--
Fabian Arrotin
  idea=`grep -i clue /dev/brain` ; test -z "$idea" && echo "sorry, init 
6 in progress" || sh ./answer.sh