On 2013-10-04, Grant Edwards <[email protected]> wrote:
> On 2013-10-04, Grant Edwards <[email protected]> wrote:
>> On 2013-10-04, Kerin Millar <[email protected]> wrote:
>>> On 04/10/2013 21:55, Grant Edwards wrote:
>>
>>>> I then add an iptables rule like this:
>>>>
>>>>    iptables -A OUTPUT -t mangle -p tcp --dport 80 -j MARK --set-mark 1
>>
>> I'm about to try adding a second iptables rule to use the nat table to
>> rewrite the source IP address.  Something like this:
>>
>> iptables -A POSTROUTING -t nat -o net2 -m mark --mark 1 -j SNAT --to 172.16.1.2
>
> I also tried 
>
>   iptables -A POSTROUTING -t nat -o net2 -p tcp --dport 80 -j SNAT --to 172.16.1.2
>
> [I don't think the second rule is quite right, though, since it will
> also match packets that _don't_ need to have the source IP
> re-written.]
>   
> Both produced the same results: outbound packets look correct (they
> have a source address that's valid for the net2 interface).  But,
> inbound packets don't seem to reach the TCP stack:

If I disable reverse-path filtering then it works. [I'm using the
first SNAT rule that matches based on the mark], but I don't really
like disabling all the reverse path filtering.

Is there a cleaner way to accomplish this that doesn't fall afoul of
rp_filter?

-- 
Grant Edwards               grant.b.edwards        Yow! I have accepted
                                  at               Provolone into my life!
                              gmail.com            
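The following is an added example, not part of this thread or the poster's setup. It is a small Python model of what the kernel does with the reply packets described above: a fwmark policy-routing lookup (marked traffic goes to a second table that defaults via net2) followed by the reverse-path check in its strict (1), loose (2) and off (0) modes. The topology (net1 as the main default, net2 for marked traffic, 172.16.1.0/24 on net2) and the server address 198.51.100.10 are constructed assumptions. The model also encodes the documented kernel behaviour that the effective rp_filter value for an interface is the maximum of conf/all and conf/<iface>, so one can see why setting only net.ipv4.conf.net2.rp_filter=2 is a narrower change than disabling the filter everywhere.

```python
"""Toy model of fwmark policy routing plus Linux reverse-path filtering.

Added example for the mailing-list thread above; the routes, rules and
addresses are constructed, not taken from the poster's configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed routing tables: "main" defaults via net1; table 100 is the
# table a fwmark rule steers marked traffic into, and it defaults via net2.
TABLES = {
    "main": [Route(_net("192.168.1.0/24"), "net1"),
             Route(_net("172.16.1.0/24"), "net2"),
             Route(_net("0.0.0.0/0"), "net1")],
    100: [Route(_net("0.0.0.0/0"), "net2")],
}

# Constructed policy rules in priority order: (fwmark to match, table).
# None matches every packet, like the default "from all lookup main" rule.
RULES = [(1, 100), (None, "main")]


def lookup(table, dst: str) -> Optional[Route]:
    """Longest-prefix match inside one table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in TABLES[table]:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def route(dst: str, fwmark: Optional[int] = None) -> Optional[str]:
    """First rule whose selector matches and whose table has a route wins."""
    for mark, table in RULES:
        if mark is None or mark == fwmark:
            r = lookup(table, dst)
            if r is not None:
                return r.dev
    return None


def effective_rp_filter(all_mode: int, iface_mode: int) -> int:
    """The kernel applies max(conf/all/rp_filter, conf/<iface>/rp_filter)."""
    return max(all_mode, iface_mode)


def rp_filter_accepts(mode: int, src: str, in_dev: str, fwmark: Optional[int] = None) -> bool:
    """mode 0 = off, 1 = strict, 2 = loose.

    The reverse lookup keys on the reply's *source* address with the reply's
    own mark.  A MARK rule in the OUTPUT chain only marks outbound packets,
    so the inbound reply is unmarked and the lookup lands in the main table.
    """
    if mode == 0:
        return True
    reverse_dev = route(src, fwmark)
    if reverse_dev is None:
        return False               # no route back at all: dropped in both modes
    if mode == 2:
        return True                # loose: any route back is enough
    return reverse_dev == in_dev   # strict: must be the arriving interface


def demo():
    """Reply from a constructed web server arriving on net2 (TEST-NET-2 address)."""
    server = "198.51.100.10"
    out_dev = route(server, fwmark=1)          # where the marked SYN went out
    strict = rp_filter_accepts(effective_rp_filter(1, 1), server, out_dev)
    loose = rp_filter_accepts(effective_rp_filter(1, 2), server, out_dev)
    return out_dev, strict, loose


if __name__ == "__main__":
    print(demo())  # ('net2', False, True)
```

Passing `fwmark=1` to `rp_filter_accepts` shows the other way out of the problem: if the inbound reply carried the same mark (for example by restoring a connection mark in PREROUTING, which this example only models), the reverse lookup would hit table 100 and strict mode would accept it on net2.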