On Sun, Jan 27, 2013 at 10:51 AM, Pascal Hambourg <pas...@plouf.fr.eu.org> wrote:
> Roberto Scattini wrote:
> >
> > I just can't make it work.
> > All my outgoing packets keep going through the default gateway (even if
> > they have the correct IP address, from the other NIC...).
> >
> > I think I need an explanation... because I can't understand how the
> > routing tables know that a packet is in response to a connection that
> > came from this or that interface.
>
> The answer is simple: it doesn't.
> Your routing rules are based on the source address, but as you used DNAT
> rules to change the destination address of incoming packets in the
> PREROUTING chain, the reverse operation changing back the source address
> of outgoing reply packets takes place in the POSTROUTING chain, i.e.
> after the routing decision. In order to keep track of the original
> destination address, you need to use the connection tracking facilities.
>
> One way is the one you describe below, using the CONNMARK target to mark
> connections and reply packets and use routing rules based on the packet
> mark.

It is SOLVED now. I went with the CONNMARK solution and it worked. Here I post the relevant rules:

# mark incoming packets from the internet, a different mark for each ISP
iptables -t mangle -A PREROUTING -i $IF2 -m state --state NEW -j CONNMARK --set-mark 2
iptables -t mangle -A PREROUTING -i $IF1 -m state --state NEW -j CONNMARK --set-mark 1

# restore marks on packets coming from my webserver
iptables -t mangle -A PREROUTING -i eth2 -m connmark --mark 2 -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i eth2 -m connmark --mark 1 -j CONNMARK --restore-mark

# routing tables for each interface, based on marks
ip route flush table T1
ip route add $P1_NET dev $IF1 src $IP1 table T1
ip rule add fwmark 1 table T1 prio 1024
ip route add default via $P1 table T1

ip route flush table T2
ip route add $P2_NET dev $IF2 src $IP2 table T2
ip rule add fwmark 2 table T2 prio 1025
ip route add default via $P2 table T2

With this, both public IPs are working fine.

Thank you all!

--
Roberto Scattini
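To illustrate Pascal's point about hook ordering, the following is an added model (not code from the thread) of the reply path: the routing decision runs before nat POSTROUTING puts the public address back on the source, so only a restored connmark can steer the reply to the right uplink. Interface names, marks, gateways and all addresses are constructed placeholders.

```python
# Constructed model of the thread's setup: two ISP uplinks (IF1/IF2), a DNAT'ed
# web server behind eth2, and CONNMARK/fwmark policy routing. All names and
# addresses are made up for illustration.
IF_MARK = {"IF1": 1, "IF2": 2}             # mangle PREROUTING: mark NEW conns by ingress
MARK_GW = {1: "P1", 2: "P2"}               # ip rule fwmark N table TN -> default via PN
SRC_GW = {"IP1": "P1", "IP2": "P2"}        # the original source-address based rules
WEBSERVER = "10.0.0.10"                    # private address of the DNAT target on eth2
DEFAULT_GW = "P1"                          # default route in the main table


def handle_inbound(conntrack, client, public_ip, in_if):
    """New connection from the internet: mangle PREROUTING sets the connmark,
    nat PREROUTING rewrites the destination, conntrack remembers both."""
    conntrack[(client, public_ip)] = {"mark": IF_MARK[in_if], "orig_dst": public_ip}
    return {"src": client, "dst": WEBSERVER}


def route_reply(conntrack, client, public_ip, restore_mark):
    """Reply from the web server arriving on eth2 with its private source.
    Returns (egress gateway, source address as seen on the wire)."""
    conn = conntrack[(client, public_ip)]
    pkt = {"src": WEBSERVER, "dst": client, "fwmark": 0}
    if restore_mark:                       # -j CONNMARK --restore-mark in mangle PREROUTING
        pkt["fwmark"] = conn["mark"]
    # Routing decision: happens BEFORE nat POSTROUTING undoes the DNAT.
    if pkt["fwmark"] in MARK_GW:
        gw = MARK_GW[pkt["fwmark"]]
    elif pkt["src"] in SRC_GW:             # never matches: src is still the private address
        gw = SRC_GW[pkt["src"]]
    else:
        gw = DEFAULT_GW
    pkt["src"] = conn["orig_dst"]          # nat POSTROUTING: too late to influence routing
    return gw, pkt["src"]


def demo(restore_mark, in_if="IF2", public_ip="IP2"):
    ct = {}
    handle_inbound(ct, "203.0.113.5", public_ip, in_if)
    return route_reply(ct, "203.0.113.5", public_ip, restore_mark)


if __name__ == "__main__":
    print("without --restore-mark:", demo(False))  # ('P1', 'IP2'): wrong uplink
    print("with    --restore-mark:", demo(True))   # ('P2', 'IP2'): correct uplink
```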