I'm setting up a host that has two routes to the public internet: one via my run-of-the-mill home gateway router, the other via a gateway router on a semi-private network (AMPRNet on 44.0.0.0/8). Most of this is straightforward, but there's one tricky bit:
Mostly, the 44.x.x.1 IP is used for communicating with other hosts on 44.0.0.0/8. This is easy: outgoing packets are routed onto the tunnel interface (tunl0) configured for the purpose.
Hosts on the public web can also reach my semi-private IP (44.x.x.1) via a gateway router at UCSD (169.228.66.251) that announces 44.0.0.0/8 on BGP. Replies to such packets from my node, though, wind up going out eth0 back to the originating host, which doesn't work because they get NATed along the way by my gateway router.
What I think I need to do is use iptables to SNAT incoming packets on tunl0 from non-44.0.0.0/8 hosts to a dummy IP in the 44.0.0.0/8 space, and DNAT them on the way back out using stateful connection tracking. This, however, doesn't seem to be working.
After running
# leave traffic from other AMPRNet hosts (44.0.0.0/8, not a single /32) untouched
iptables -t nat -A INPUT -s 44.0.0.0/8 -d 44.x.x.1 -j ACCEPT
# rewrite the source of everything else ("-s 0.0.0.0" alone matches only that one address) to the dummy 44.0.0.2
iptables -t nat -A INPUT ! -s 44.0.0.0/8 -d 44.x.x.1 -j SNAT --to 44.0.0.2
when I ping 44.x.x.1 from a remote host, tcpdump on the tunl0 interface shows packets from the actual external IP, not from 44.0.0.2. And if I tcpdump eth0, I see the reply packets going back out to that external IP.
Is this configuration possible? If so, what am I missing?
"How to send packets coming from a second router on a particular port back to the router, using iptables not a route" seems to be related.
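One alternative to NATing the inbound packets, added here as an example and not part of the original question: source-based policy routing, which sends everything the host emits from its 44.x.x.1 address back through tunl0 regardless of destination. The addresses and table number in the script are placeholders for the real ones, and it assumes the UCSD gateway named above accepts the encapsulated replies.

```shell
#!/bin/sh
# Added example, not code from the original post. Instead of NATing the
# inbound packets, source-based policy routing makes every packet the host
# sends FROM its AMPRNet address leave via tunl0, whatever the destination,
# so replies to internet hosts go back through the gateway they came in on.
# Assumptions (placeholders, adjust to your setup): AMPR_ADDR stands for the
# real 44.x.x.1, the tunnel device is tunl0, routing table 44 is unused, and
# 169.228.66.251 (the gateway named in the question) accepts the
# encapsulated replies. Commands are only printed unless APPLY=1 and root.
AMPR_ADDR="${AMPR_ADDR:-44.0.0.1}"   # placeholder for 44.x.x.1
TUN_IF="${TUN_IF:-tunl0}"
AMPR_GW="${AMPR_GW:-169.228.66.251}"
TABLE="${TABLE:-44}"

# The rule set: a dedicated table whose only route is "default via the
# AMPRNet gateway, encapsulated on tunl0" ("onlink" because the gateway is
# not on the tunnel's subnet), consulted only for packets sourced from
# AMPR_ADDR. Traffic to 44.0.0.0/8 keeps using the main table, which
# already carries the direct tunnel routes.
policy_routing_cmds() {
    cat <<EOF
ip route replace default via $AMPR_GW dev $TUN_IF onlink table $TABLE
ip rule add from $AMPR_ADDR/32 to 44.0.0.0/8 lookup main priority 999
ip rule add from $AMPR_ADDR/32 lookup $TABLE priority 1000
EOF
}

# Ask the kernel how it would route a reply to an arbitrary internet host;
# after applying the rules the answer should name $TUN_IF, not eth0.
verify_cmd() {
    printf 'ip route get 8.8.8.8 from %s\n' "$AMPR_ADDR"
}

# Sanity check on the generated set: how many rules steer by source address.
count_source_rules() {
    policy_routing_cmds | grep -c "^ip rule add from $AMPR_ADDR/32"
}

if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" -eq 0 ]; then
    policy_routing_cmds | sh -e
    sh -c "$(verify_cmd)"
else
    echo "# dry run; set APPLY=1 and run as root to apply:"
    policy_routing_cmds
    verify_cmd
fi
```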