Route IP masqueraded packets according to their source IP?

Post by e.. » Fri, 03 May 2002 16:39:15

Hi all,

I am new to Linux IP Masquerading, and want to know if it
can do the following...

Suppose that I have two ADSL connections, connected to two
different ISPs.  Both ISPs would only accept packets with
source IP address associated with their respective ADSL,
and other packets would be dropped.  I would not use the
two ADSL to host any kind of servers, and I only use them
for outbound connections.

What I want to do is to fully utilize the two ADSLs.  I
plan to alternate my default route between the two ADSL
every 10 seconds, and masquerade the connection request
packets as the current outbound IP.  Maybe I should use
an example:

My Linux box              -----------------   ISP1
             -----------+                -----------------   ISP2

So ISP1 would only accept packets from, and ISP2
would only accept packets from  My Linux box has
one NIC with two IPs: and  When there's
an outbound connection request from my intranet, it will be
masqueraded according to the current default route.  If default
route points to ISP1, it will be masqueraded as,
otherwise, it will be masqueraded as

So far, IPTables seems to be able to do that.  But to cope
with the filtering, I hope to route the subsequent packets
according to the connect request's masqueraded IP.  So if
the connect request is masqueraded as, all the
subsequent packets of that session would be masqueraded as, too, and being routed to ISP1.  At the same
time, the default route of my Linux box would alternate
between the two ADSL every 10 seconds.

As I read the NAT Howto, the SNAT is performed in the
POSTROUTING stage, so the packets might be masqueraded
correctly, but going out to the wrong ISP.  Is there any
way to do source-based routing after SNAT?

Thanks in advance.

Chih-Cherng Chin
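The poster's reading of the NAT HOWTO is right: for forwarded packets the routing decision is made before POSTROUTING, so at routing time the source is still the intranet address and "route by SNATed source" cannot work directly. The usual answer is to turn the problem around: choose the link first, per connection, with a firewall mark saved in the conntrack entry, route by that mark with iproute2 policy routing, and let SNAT follow the interface the packet actually leaves on. The script below is an added example of that setup and not part of the original post; the interface names, the RFC 5737 addresses, the table numbers and the LINKSEL chain are assumptions for illustration (the post's own addresses are not on the page). It uses CONNMARK, which needs a more recent iptables than the 2002 one the poster had.

```shell
#!/bin/sh
# Added example, not the poster's own setup: pin every NAT session to the ISP
# whose address it was SNATed to, using policy routing plus iptables CONNMARK.
# Assumed interfaces and addresses (RFC 5737 documentation ranges, not the post's):
ISP1_IF=ppp0; ISP1_IP=203.0.113.10; ISP1_GW=203.0.113.1
ISP2_IF=ppp1; ISP2_IP=198.51.100.20; ISP2_GW=198.51.100.1
LAN_IF=eth0
T1=101; T2=102      # one routing table per ISP (assumed numbers)

# run: execute the command, or only print it when DRY_RUN is set, so the rule
# set can be reviewed on a box without root and without the two links.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Routing side: a private table per ISP, selected by source address for traffic
# the router itself sends from one of the two addresses, and by firewall mark
# for forwarded LAN traffic (whose source is still 192.168.x.x at routing time).
setup_routing() {
    run ip route add default via "$ISP1_GW" dev "$ISP1_IF" table "$T1"
    run ip route add default via "$ISP2_GW" dev "$ISP2_IF" table "$T2"
    run ip rule add from "$ISP1_IP" table "$T1"
    run ip rule add from "$ISP2_IP" table "$T2"
    run ip rule add fwmark 1 table "$T1"
    run ip rule add fwmark 2 table "$T2"
    run ip route flush cache
}

# NAT side: the link is chosen BEFORE SNAT (by mark, in mangle PREROUTING) and
# SNAT is keyed on the outgoing interface, so the masqueraded address always
# matches the ISP the packet leaves on. Later packets of a connection get the
# saved mark back and never go through link selection again.
setup_nat() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m mark ! --mark 0 -j ACCEPT
    run iptables -t mangle -N LINKSEL
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m conntrack --ctstate NEW -j LINKSEL
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --save-mark
    run iptables -t nat -A POSTROUTING -o "$ISP1_IF" -j SNAT --to-source "$ISP1_IP"
    run iptables -t nat -A POSTROUTING -o "$ISP2_IF" -j SNAT --to-source "$ISP2_IP"
}

# select_link 1|2: what the poster's 10-second alternation job would call instead
# of changing the default route. Only NEW connections are affected; established
# sessions keep the mark stored in their conntrack entry and stay on their ISP.
select_link() {
    run iptables -t mangle -F LINKSEL
    run iptables -t mangle -A LINKSEL -j MARK --set-mark "$1"
}

case "${1:-}" in
    apply) setup_routing; setup_nat; select_link "${2:-1}" ;;
    *)     : ;;   # no argument: only define the functions (safe to source)
esac
```

Run it as `sh script.sh apply 1` as root, and have the alternation job run `select_link 2` / `select_link 1` (sourcing the script) every 10 seconds. Because routing by mark happens before SNAT, the "wrong ISP" case the poster worries about cannot occur: a packet routed through table 101 leaves on ppp0 and is SNATed to ppp0's address in the same pass. The `ip rule add from ...` lines are the literal source-based routing the poster asked for; they matter for the router's own packets, whose source is fixed before routing.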


IP packet rewriting (IP masquerading??)


We currently have a private ethernet at work (on a set of 192.168.x.x
addresses) and the desire to connect to an off-site private ethernet
network, which just happens to be on the same class-C 192.168.x.x
address range.

Therefore our internal router is set to route stuff internally to the
ethernet at work, and obviously can't be configured to also route to the
off-site subnet.

I was wondering if Linux can help here - if I put a linux machine
'between' the main company network (on a set of valid IP addresses) and
the machine that does the dial-up to the off-site ethernet, can I
configure our router to route packets on a dummy 192.168.x.x set of
addresses and get Linux to rewrite the 'dummy' packets on the fly so
that when they get sent along to the machine doing the dial-up they are
rewritten with the same set of 192.168.x.x addresses used on the
off-site subnet (this obviously working both ways) ??

Hope that makes sense. I thought this was what IP masquerading does, but
that seems to map many (dummy) IP addresses to a single (real) address,
whereas I need a many-to-many mapping.

I'm not sure if matters are complicated by the fact that the machine
doing the dial-up to the off-site network isn't the Linux box itself, so
there's a further ethernet network between the linux and dial-up box
(with just the two machines on it); linux doesn't have ISDN support for
the ISDN modem we're using for the dial-up, so that has to be on a
separate NT machine...

Please reply via email as well as to the group - I don't have much time to
pick up news here!
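What the poster describes is a 1:1 (many-to-many) network translation, which on Linux is the iptables NETMAP target rather than masquerading. The wrinkle in this case is that both sites use the same prefix, so after the destination has been rewritten the translating box itself has two places where "192.168.x.x" lives; that is resolved by routing on the incoming interface. The script below is an added example and not from the original post; the interface names, the company router and NT box addresses, the /24 prefix and the two dummy ranges are all assumptions for illustration (the post gives none of them).

```shell
#!/bin/sh
# Added example, not from the post: 1:1 translation (NETMAP) between two sites
# that both use 192.168.0.0/24, with iif-based policy routing so the overlapping
# prefix can be routed toward the right leg. All addresses are assumed.
WORK_IF=eth0          # leg toward the company router (valid addresses here)
WORK_RTR=10.0.0.1     # company router: next hop for the real work LAN
DIAL_IF=eth1          # two-host leg to the NT box that dials the off-site LAN
DIAL_RTR=10.0.1.2     # the NT box
REAL=192.168.0.0/24        # prefix used, identically, at both sites
FAR_AS_SEEN=10.10.0.0/24   # dummy range work hosts use to reach off-site hosts
WORK_AS_SEEN=10.20.0.0/24  # dummy range off-site hosts use to reach work hosts

# run: execute, or only print when DRY_RUN is set, for review without root.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The same prefix sits on both legs, so "where is 192.168.0.0/24" is decided by
# the interface the packet arrived on, not by the destination alone. Routing
# happens after PREROUTING DNAT, so the rewritten destination is what gets routed.
setup_routing() {
    run ip route add "$REAL" via "$DIAL_RTR" dev "$DIAL_IF" table 10   # came from work: go far
    run ip route add "$REAL" via "$WORK_RTR" dev "$WORK_IF" table 20   # came from far: go to work
    run ip rule add iif "$WORK_IF" table 10
    run ip rule add iif "$DIAL_IF" table 20
    run sysctl -w net.ipv4.ip_forward=1
}

# Work host 192.168.0.7 sends to 10.10.0.5: destination becomes 192.168.0.5 (the
# far host), source becomes 10.20.0.7 on the way out. Conntrack undoes both for
# the replies. The mirror pair handles connections opened from the far side, so
# the mapping works both ways, host for host.
setup_netmap() {
    run iptables -t nat -A PREROUTING  -i "$WORK_IF" -d "$FAR_AS_SEEN"  -j NETMAP --to "$REAL"
    run iptables -t nat -A POSTROUTING -o "$DIAL_IF" -s "$REAL"         -j NETMAP --to "$WORK_AS_SEEN"
    run iptables -t nat -A PREROUTING  -i "$DIAL_IF" -d "$WORK_AS_SEEN" -j NETMAP --to "$REAL"
    run iptables -t nat -A POSTROUTING -o "$WORK_IF" -s "$REAL"         -j NETMAP --to "$FAR_AS_SEEN"
}

case "${1:-}" in
    apply) setup_routing; setup_netmap ;;
    *)     : ;;   # no argument: only define the functions (safe to source)
esac
```

For this to work end to end, the company router must route the dummy 10.10.0.0/24 to the Linux box, and the NT box (and the off-site network behind it) must route 10.20.0.0/24 back to the Linux box's eth1 address; the Linux box's own interfaces must not carry a 192.168.0.0/24 address, or the kernel's connected route would shadow the two per-interface tables.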



