packet mangling and routing
Michael L Torrie
torriem at chem.byu.edu
Tue Oct 16 08:58:59 MDT 2007
This is for any iptables and networking gurus out there. I have a
server that sits on both the BYU private and public network. The one
NIC is on a 10.x.x.x/24 network, and the other is on the 128.187.x.x/24
network. This is, of course, a bit of a problem, because there can be
only one default route. Now one would think, then, that we could
trivially add static routes, keeping 10.x traffic on the one NIC, and
then everything else on the 128.187 NIC. But the problem is that inside
of BYU, computers that are also on the 10.x network can reach both 10.x
addresses *and* 128.187 addresses. So in the worst case, traffic from
a fellow 10.x node will come in the 10.x NIC and return traffic will go
out the 128.x NIC, which I don't think is going to really work,
especially if the originating computer is running a firewall, since
connection tracking just isn't going to work, and the packet won't be
recognized as being a reply.
So my question is, can I use iptables to mangle the packet to mark it
somehow, and then have iptables somehow track the connection and make
sure that the return packets flow out the right interface? How would I
make sure the packets are destined for the right gateway address?
If this just can't be done, I'll probably set up a tiny virtual machine
(yay KVM!) and just translate certain ports (http(s), for example) from
the public address into the private address.
If I were designing the BYU network, I would have made public addresses
translate to private addresses, and split the DNS. That way the world
would see servers on the 128.187 addresses, but the same servers from
within the BYU network would see the 10.x addresses. That makes routing
a lot more sane.
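An added example (not part of the original post) of the standard Linux answer to the routing question above: iproute2 policy routing, where each NIC gets its own routing table and an `ip rule` picks the table by source address, so replies leave by the NIC they arrived on. It also includes the CONNMARK-based variant the post asks about, for the case where the source address alone does not identify the path. Interface names, addresses (10.0.0.x, 128.187.0.x), gateway addresses and table numbers are constructed placeholders, not BYU's actual configuration.

```shell
#!/bin/sh
# Added example, not from the original post. Source-based policy routing for
# a dual-homed Linux host using iproute2 (`ip rule`, `ip route`), plus the
# CONNMARK variant the post asks about. Interface names, addresses and
# routing-table numbers are constructed placeholders, not BYU's real setup.

# Execute for real only when APPLY=1 (needs root); otherwise print each
# command so the script can be reviewed or tested without touching the box.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# policy_route IFACE ADDR NET/PREFIX GATEWAY TABLE
# Builds a private routing table whose default route leaves via IFACE, and a
# rule that sends every packet *sourced from* ADDR through that table. A
# reply to a connection that arrived on IFACE carries IFACE's address as its
# source, so it goes back out the same NIC to the same gateway; no packet
# marking or connection tracking is needed for plain host traffic.
policy_route() {
    iface=$1; addr=$2; net=$3; gw=$4; table=$5
    run ip route add "$net" dev "$iface" src "$addr" table "$table"
    run ip route add default via "$gw" dev "$iface" table "$table"
    run ip rule add from "$addr" lookup "$table"
}

# mark_route IFACE MARK TABLE
# The packet-marking approach from the post. Every new connection entering
# on IFACE gets a conntrack mark; locally generated packets get that mark
# restored so the routing lookup can match it. Only needed when the source
# address alone does not identify the path (e.g. DNAT'd or forwarded traffic).
mark_route() {
    iface=$1; mark=$2; table=$3
    run iptables -t mangle -A PREROUTING -i "$iface" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$mark"
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    run ip rule add fwmark "$mark" lookup "$table"
}

# Constructed example: eth0 on the private net, eth1 on the public net.
# The main table keeps the public gateway as its default route; the private
# NIC gets its own table so its replies never leak out the public side.
policy_route eth0 10.0.0.5 10.0.0.0/24 10.0.0.1 10
policy_route eth1 128.187.0.5 128.187.0.0/24 128.187.0.1 20
mark_route eth0 0x1 10
```

Without `APPLY=1` the script only prints the commands; run it as root with `APPLY=1` to apply them, then check with `ip rule show` and `ip route show table 10`. Note that this fixes the asymmetric-reply problem only for traffic the host itself terminates; reverse-path filtering (`rp_filter`) will still drop a packet that arrives on the "wrong" NIC for its source, which is the desired behaviour rather than something to disable.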