Roberto Scattini wrote:
>
> I just can't make it work.
> All my outgoing packets keep going through the default gateway (even if
> they have the correct IP address, from the other NIC...).
>
> I think I need an explanation... because I can't understand how the
> routing tables know that a packet is in response to a connection that came
> from this or that interface.
The answer is simple: it doesn't. Your routing rules are based on the source address, but as you used DNAT rules to change the destination address of incoming packets in the PREROUTING chain, the reverse operation changing back the source address of outgoing reply packets takes place in the POSTROUTING chain, i.e. after the routing decision. In order to keep track of the original destination address, you need to use the connection tracking facilities.

One way is the one you describe below, using the CONNMARK target to mark connections and reply packets and to use routing rules based on the packet mark. Another is to use the conntrack match with --ctorigdst to check the original destination address and mark packets accordingly:

# --ctorigdst is an option of the conntrack match (-m conntrack)
iptables -t mangle -A PREROUTING -i eth2 -m conntrack --ctorigdst $IP1 \
  -j MARK --set-mark 101
ip rule add fwmark 101 table T1

Another way, not requiring any packet marking, is to add a second private address to the server and DNAT incoming connections to a different private address depending on the input interface. This way reply packets from the server will have different source addresses and you will be able to use simple routing rules based on the private source address.

> I also tried a different approach, found somewhere with Google, that is
> more in line with my understanding of the problem.
> Basically, it marks the packets so they can be routed back to the same NIC
> they came in on: (flush commands trimmed for better readability)
>
> ip route add table T1 default via YY.20.YY.3
> ip rule add fwmark 101 table T1
> ip route add table T2 default via XX.220.XX.178
> ip rule add fwmark 102 table T2

Note: you may need to add routes for $P1_NET and $P2_NET as you did in your previous setup. Talking of this, you must specify the prefix length in CIDR form, not just the network address: /24, /30 or whatever it is.
> # Ensure traffic in one interface goes back out the same interface
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
> iptables -t mangle -A PREROUTING -i eth4 -m state --state NEW -j MARK --set-mark 101
> iptables -t mangle -A PREROUTING -i eth3 -m state --state NEW -j MARK --set-mark 102
>
> but it doesn't work...

What happens exactly?

Archive: http://lists.debian.org/510530d9.3000...@plouf.fr.eu.org
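As an added example that is not part of this thread, the script below generates the complete CONNMARK-based rule set for the two-uplink setup discussed above; it assumes eth3/eth4 as the uplinks, reuses the poster's redacted gateway addresses as placeholders, assumes the prefix lengths of the uplink networks, and uses numeric routing tables. It adds the CONNMARK --save-mark step missing from the quoted rules: without it the mark is never attached to the connection, so --restore-mark has nothing to restore when the server's reply comes back in on the LAN interface.

```shell
#!/bin/sh
# Added example (not from the thread). Placeholders to replace on a real host:
# the uplink interfaces, the redacted gateways and the uplink networks (prefix
# lengths are assumed). Routing tables are numeric (same number as the fwmark),
# so no /etc/iproute2/rt_tables entry is needed.

# Emit the routing table and marking rules for one uplink.
# $1 interface, $2 ISP gateway, $3 fwmark (also used as table id), $4 uplink net (CIDR).
uplink_rules() {
    iface=$1; gw=$2; mark=$3; net=$4
    cat <<EOF
ip route add $net dev $iface table $mark
ip route add default via $gw table $mark
ip rule add fwmark $mark table $mark
iptables -t mangle -A PREROUTING -i $iface -m conntrack --ctstate NEW -j MARK --set-mark $mark
EOF
}

# Emit the complete rule set. The order inside mangle/PREROUTING matters:
#  1. copy the connection mark (if any) onto the packet: reply packets from the
#     server arrive on the LAN interface and get the mark of the uplink the request used;
#  2. packets that already carry a mark need no further processing;
#  3. mark the first packet of NEW connections by input interface;
#  4. save the packet mark into the connection, which is what step 1 reads back
#     later (replies are routed before POSTROUTING undoes the DNAT, so only the
#     connection mark can tell the two uplinks apart).
all_rules() {
    echo "iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark"
    echo "iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT"
    uplink_rules eth4 YY.20.YY.3 101 YY.20.YY.0/24
    uplink_rules eth3 XX.220.XX.178 102 XX.220.XX.176/30
    echo "iptables -t mangle -A PREROUTING -j CONNMARK --save-mark"
}

# Sanity check: a rule set without --save-mark never attaches a mark to a connection,
# so --restore-mark has nothing to restore and replies fall back to the default route.
save_mark_count() {
    all_rules | grep -c 'CONNMARK --save-mark'
}

# Without arguments print the commands (dry run); "apply" executes them (needs root).
if [ "${1:-}" = "apply" ]; then
    all_rules | sh -e
else
    all_rules
fi
```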