IP routing question


herbie
01-19-2006, 09:18 PM
I'm trying to add a second gateway onto a router box (RedHat 7) and learning how from scratch. It has four NICs: one is configured as the default gateway (eth0), two are configured as private IP blocks, one is unused. Traffic connected to the private IPs (192.168.0.xxx, 192.168.1.xxx) goes through the tables, and is given the IP of the outgoing NIC.

here's a line from the script:

/sbin/iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.50 -j SNAT --to-source 2xx.xxx.xxx.xxx

I thought I could configure eth3 to a different IP on a different gateway and be able to route through my choice of ethX by doing:

/sbin/iptables -t nat -A POSTROUTING -o eth3 -s 192.168.0.51 -j SNAT --to-source 1xx.xxx.xxx.xxx

but it doesn't work. Reading mans, it appears to me the script simply changes the packet so it appears to be coming from eth0 and eth0's IP address; it doesn't actually route it to a particular gateway. Am I right, or completely retarded?
I'd like to be able to route some internal IPs to one gateway (with its address) and some to another (with its IP address). Can I modify the current script to do this?

Any help would be appreciated, I don't actually have to do this, I just want to know HOW I can use 2 gateways and say Joe gets A, Sam gets B, etc.

voidinit
01-20-2006, 01:19 AM
Warning: I've been up to my eyeballs in PAM, SOAP and other projects, so I think I had to forget some of my linux networking/iptables knowledge so I can make room for the new stuff. Seek a second opinion.

You are right. Appending to the POSTROUTING chain will modify the packet (set the source address in the packet to 2xx.xxx.xxx.xxx) after the kernel has identified the route the packet should take. You have to append to the PREROUTING chain in order for the source address to be changed before the kernel makes a routing decision.

Keep in mind that changing the source address has no effect whatsoever on which gateway the packet is routed out through. The kernel keeps a routing table that tells the IP stack where to route packets based on the packet's destination address. Iptables will only modify the routing decision of the kernel if the destination address is changed in the PREROUTING chain.

If you want to route any packet bound for 209.188.34.0/24 out of eth1 through gateway 192.168.1.2, then you need to add the route to the kernel's routing table with the route(8) command. Once this route is added, the kernel will look at the destination address in the packet, say the destination is 209.188.34.22, it will then traverse the routing table looking for a match and if a match is found, it will pass the packet to the gateway associated with that route. If the destination IP address was 209.188.35.22, then no match would be found and the packet would be routed out the default gateway and finding the destination becomes the problem of the gateway, or the gateway's gateway and so on.

herbie
01-20-2006, 11:27 AM
I don't think I was quite clear. What I was trying to do was modify the script that sends the internal IPs out eth0 and gives them eth0's IP address so that some could be sent out eth3 with eth3's IP address.

192.168.0.45 > eth0
192.168.0.46 > eth3
192.168.0.47 > eth0
192.168.0.48 > eth0
192.168.0.49 > eth3
192.168.0.60 > eth0

PREROUTING is a good clue tho. I see some #'d out entries in prerouting where there was an eth0:1 and eth0:2 with different IPs (same range, gateway) and POSTROUTING entries #'d out that indicate some internal IPs had 2 way access through the table.
My problem is trying to route some internal IPs out eth3 that's a totally different Class C, subnet and gateway.
The original pipe is a 1.5 DSL and I want to allow only some people to access the E10. The salesman doesn't need 10MB to surf porn, but the map room and print shop need 10MB to send/receive files.

voidinit
01-20-2006, 09:19 PM
Ah, ok. I think I see now.

Let's say that eth3's IP is 192.168.3.0/24, I'll also assume that 192.168.3.100-250 is unassigned and available for the natting pool.

This probably won't work in your exact scenario, but it might give you a place to start:

iptables -t nat -A PREROUTING -p tcp -s 192.168.0.46 -j SNAT --to-source 192.168.3.100-192.168.3.250

Something like that would change the source IP of a packet from 192.168.0.46 to any address in 192.168.3.100-250 and use the same NAT-pool address for every packet in the corresponding stream. The routing table in the kernel would see the source as 192.168.3.x and send the packet out the interface that corresponds with 192.168.3.0. Iptables would track the connection and NAT the return traffic back... I hope. I don't really have anywhere to test this here.

Also of note, if this does work, you can use -p tcp and/or -p any, udp etc. If you use tcp, any, or udp you can also send only particular ports out of the 10 mbit connection. So that ftp and bittorrent use the 10mbit, but http and ssh etc use the regular DSL.

Oh, yeah. The best iptables tutorial I've found is the one that is written by the author of iptables...how surprising. Anyway, here's a link.

http://www.linuxsecurity.com/resource_files/firewalls/IPTables-Tutorial/iptables-tutorial.html
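As an added example that is not part of the thread and not anyone's posted script: the per-host split herbie lists (46 and 49 out eth3, the rest out eth0) is normally done with iproute2 source-based policy routing plus a per-interface SNAT in POSTROUTING. The `ip rule` selects the routing table from the packet's source before the kernel routes it, and the `SNAT` target (which iptables accepts only in the nat table's POSTROUTING chain, keyed on the outgoing interface) rewrites the address afterwards, so the rewrite and the interface choice stay consistent. The script below only generates the commands so it can be reviewed before being run as root; the public addresses, gateways and table number are constructed placeholders, and the host map is the one from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Generates the iproute2 and iptables
# commands for sending selected internal hosts out a second uplink.
# Constructed assumptions: eth0 is the DSL uplink, eth3 the 10 Mbit uplink.
# RFC 5737 documentation addresses stand in for the real public addresses.
ETH0_ADDR=203.0.113.10   # placeholder for the thread's 2xx.xxx.xxx.xxx
ETH3_ADDR=198.51.100.10  # placeholder for the thread's 1xx.xxx.xxx.xxx
ETH3_GW=198.51.100.1     # placeholder gateway on the eth3 segment
FAST_TABLE=100           # routing table id reserved for the eth3 default route

# Constructed host -> uplink map, copied from the thread's mapping list.
HOST_MAP="192.168.0.45 eth0
192.168.0.46 eth3
192.168.0.47 eth0
192.168.0.48 eth0
192.168.0.49 eth3
192.168.0.60 eth0"

# Print the internal hosts that should leave via the given interface.
hosts_for() {
    printf '%s\n' "$HOST_MAP" | awk -v want="$1" '$2 == want { print $1 }'
}

# Emit the commands in the order they must be applied. Nothing is executed
# here; pipe the output to sh once the addresses match the real box.
gen_commands() {
    # 1. A separate routing table whose default route points at eth3's gateway.
    printf 'ip route add default via %s dev eth3 table %s\n' "$ETH3_GW" "$FAST_TABLE"
    # 2. Source-based rules: packets from these hosts consult that table
    #    before the main table, so they are routed out eth3.
    for h in $(hosts_for eth3); do
        printf 'ip rule add from %s lookup %s\n' "$h" "$FAST_TABLE"
    done
    printf 'ip route flush cache\n'
    # 3. Source NAT after the routing decision, matched on the outgoing
    #    interface so each host gets the address of the NIC it leaves by.
    for h in $(hosts_for eth0); do
        printf 'iptables -t nat -A POSTROUTING -o eth0 -s %s -j SNAT --to-source %s\n' \
            "$h" "$ETH0_ADDR"
    done
    for h in $(hosts_for eth3); do
        printf 'iptables -t nat -A POSTROUTING -o eth3 -s %s -j SNAT --to-source %s\n' \
            "$h" "$ETH3_ADDR"
    done
}

# Default: print for review. "--apply" runs the commands (needs root).
if [ "${1:-}" = "--apply" ]; then
    gen_commands | sh
else
    gen_commands
fi
```

Hosts not listed in the map fall through to the main table and the default gateway on eth0, and still need a POSTROUTING SNAT rule for eth0 if they are to reach the outside at all. Return traffic is handled by connection tracking, which matches the reply to the original SNAT entry regardless of which interface it arrives on.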