selective masquerading
# 1  
Old 04-06-2009
selective masquerading

I am running Linux 2.6.20 on i686 architecture.

I want to be able to masquerade different hosts on my LAN to different external interfaces. Specifically, I want one specific host to masquerade through a vpn tunnel while the other hosts simply masquerade over the regular ISP interface. I only use one host to access the VPN, and its connection is unreliable (using microsoft ras) and I was hoping to be able to set up my linux server to handle maintaining the vpn connection (using its real ip as opposed to masquerading for the windows host).

eth0 = internal = 192.168.0.1
I tried setting up eth0:0 to be 192.168.1.1 and putting the said host in the 192.168.1.0/24 network, which works. So I'd be happy if I can masq 192.168.1.0/24 over the VPN and 192.168.0.0/24 over eth1's internet IP.

I tried this:
#iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE

thinking I could maybe change the masquerade destination interface based on source IP, but traffic from 192.168.1.13 is still masquerading over the eth1 IP rather than ppp0. I'm stumped here. I really don't care to have the virtual interface; it just seemed like it would make things easier since the 192.168.0.0/24 network has several hosts that don't use the VPN all of which I want masqueraded via eth1.

As a last resort I suppose I could connect a second linux box to the VPN and have it masquerade the VPN and be the gateway for the VPN client(s), but that linux machine would itself be masqueraded by the main server, which opens it to having the same problems I am already having trying to get the masqueraded windows client to connect properly.

iptables is so amazingly powerful I'm sure what I want must be possible, but I am a bit of a novice. Any assistance will be greatly appreciated.

Thanks.
# 2  
Old 04-06-2009
UPDATE: I was able to get the selective masquerading to "work"... sort of.

The problem is if I don't have a default route for ppp0 then the 192.168.1.0/24 network can't reach anywhere. I add the default gw for ppp0 and then 192.168.0.0/24 can't reach anywhere.

What I don't understand at all though... if I have both default routes in, the linux server uses eth1 as its default, as evidenced by my source IP when I log in to internet sites. The vpn client machine (192.168.1.13) goes out over the VPN (ppp0) interface as expected. But my other lan clients (192.168.0.2 for example) can't get out to the internet if I try to masq over eth1 (but can if I switch it to masq over ppp0). What gives here? Both routes clearly work since the linux machine gets out over the ISP connection, so why can't it masquerade the ISP connection now, only the VPN?

My problem before was that I had the iptables service (under fedora) running, which seemed to not allow me to delete the original MASQUERADE directive to forward all traffic (regardless of source) via eth1. Now with my tables loaded manually the based-on-source part seems to work, just only with one internet connection (ISP or VPN) as its destination at a time. My hair's falling out here. This makes even less sense than the last situation did.

The masquerade will only work over whichever is the last default route added, even though linux seems to be smart enough to route through eth1 by default for its own local traffic despite the existence of the second "default" route.

Last edited by NESter; 04-06-2009 at 06:19 AM.. Reason: update
# 3  
Old 04-06-2009
Well, I guess I jumped the gun in asking for help. I spent more time searching and came upon the solution. In case anyone wants it, here it is:

I added the virtual network eth0:0 as stated above. I put the clients I want to be masqueraded over the vpn onto that subnet. Then I bring up the ppp0 interface for the VPN. I don't have it set up a default route at all. Then I set up a separate table for the LAN to be sent to the subnet:

ip route flush table 18
ip route add table 18 to 192.168.1.0/24 dev eth0:0
ip route add table 18 to default via $PPP_REMOTE dev ppp0
ip rule add from 192.168.1.0/24 table 18 priority 18

18 is just an arbitrary number.

I discovered the solution here:
Linux Route Hacks

I just adapted the data presented there to my situation. Wow. A few hours well spent.
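The poster's policy-routing commands and the per-subnet MASQUERADE rules from post #1, pulled together into one dry-run-capable script as an added example (not the poster's own script). It assumes the thread's interfaces and subnets, a constructed placeholder for the VPN peer address in PPP_REMOTE, pppd started without a default route, and the real device eth0 in place of the alias label eth0:0; the FORWARD DROP rule is an added safeguard the thread does not contain.

```shell
#!/bin/sh
# Added example, not the poster's script: the policy-routing setup from post #3
# plus the per-subnet MASQUERADE rules from post #1, as a dry-run-capable script.
# Assumptions: subnets and interfaces as in the thread, the VPN peer address in
# PPP_REMOTE (the 10.0.0.1 default below is a constructed placeholder), and pppd
# started with nodefaultroute so the main table keeps only the eth1 default.
LAN_IF=${LAN_IF:-eth0}          # real device; eth0:0 is only the address label
ISP_IF=${ISP_IF:-eth1}
VPN_IF=${VPN_IF:-ppp0}
ISP_NET=${ISP_NET:-192.168.0.0/24}
VPN_NET=${VPN_NET:-192.168.1.0/24}
TABLE=${TABLE:-18}              # arbitrary table id, as in the thread
PPP_REMOTE=${PPP_REMOTE:-10.0.0.1}

# run: print the command in dry-run mode (DRY_RUN=1, the default), else execute it.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Policy routing: packets from VPN_NET consult table 18 before the main table, so
# the routing decision (and with it the -o match in POSTROUTING) selects ppp0.
vpn_routing_cmds() {
  run ip route flush table "$TABLE"
  run ip route add table "$TABLE" to "$VPN_NET" dev "$LAN_IF"
  run ip route add table "$TABLE" to default via "$PPP_REMOTE" dev "$VPN_IF"
  run ip rule add from "$VPN_NET" table "$TABLE" priority "$TABLE"
}

# NAT: each subnet is masqueraded only on its own exit interface. The FORWARD
# DROP is an addition to the thread: if ppp0 goes down, table 18 loses its
# default and VPN_NET traffic would fall through to the main table and eth1.
nat_cmds() {
  run iptables -t nat -A POSTROUTING -s "$ISP_NET" -o "$ISP_IF" -j MASQUERADE
  run iptables -t nat -A POSTROUTING -s "$VPN_NET" -o "$VPN_IF" -j MASQUERADE
  run iptables -A FORWARD -s "$VPN_NET" -o "$ISP_IF" -j DROP
}

setup_split_nat() {
  vpn_routing_cmds
  nat_cmds
}

setup_split_nat
```

Run it as is to review the generated commands; run it as root with DRY_RUN=0 to apply them.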
# 4  
Old 04-06-2009
Thanks for sharing
# 5  
Old 04-06-2009
new twist

Well, since I got it working a couple of new wrinkles have appeared.

First, I am getting the Protocol-Reject for unsupported protocol messages after a bit, requiring me to kill pppd and bring the vpn back online to resume. I've seen plenty of posts out there about this, so I'll keep reading and hopefully find something there.

UPDATE: wow. I'm silly. I solved the REALLY confusing wrinkle. Now I just have to figure out this protocol-reject death loop thing.

Last edited by NESter; 04-06-2009 at 03:25 PM.. Reason: update