On Sun, Sep 9, 2012 at 10:28 AM, Erez D <erez0...@gmail.com> wrote:
>
> On Thu, Sep 6, 2012 at 10:18 PM, shimi <linux...@shimi.net> wrote:
>
>> On Wed, Sep 5, 2012 at 8:28 AM, Erez D <erez0...@gmail.com> wrote:
>>
>>> On Mon, Aug 20, 2012 at 10:52 AM, shimi <linux...@shimi.net> wrote:
>>>
>>>> On Aug 20, 2012 9:34 AM, "Erez D" <erez0...@gmail.com> wrote:
>>>> >
>>>> > hello
>>>> >
>>>> > i have a server with two eth ports, each connects to a different router, and then to the internet.
>>>> > i want all normal traffic to the internet to go via router 1 (eth0), so i added a default route to it
>>>> > i want TCP connections coming from all over the internet to the second router (eth1) to be accepted.
>>>> >
>>>> > the problem is that although connections are coming from eth1, due to the default route, they are answered from eth0, which means a tcp connection can not be established.
>>>> > i know that linux has a conntrack module, can i use it to tell the kernel to answer on the same eth it got the SYN from ?
>>>>
>>>> Are the two ports on the same netblock?
>>>>
>>> what do you mean by that ?
>>>
>> I mean that one is 10.1.2.3 with netmask 255.255.255.0 and the other is 10.1.2.4 with netmask 255.255.255.0, for example. That means that they're both on the same network block.
>>
> of course they are not on the same network.
> not so smart to have two interfaces with the same network - unless you do static routing, you depend on the order of the interfaces coming up ...
>
>>>> If so, can they be separated to two non overlapping blocks?
>>>>
>>> didn't get that
>>>
>> So that one would be 10.1.2.3 with netmask 255.255.255.0 and the other would be 10.1.3.3 with netmask 255.255.255.0
>>
>>> i have many clients from many different ips connecting to my server. the server has two eth interfaces, with many ports open.
>>> there is no relation between eth and port, the same port can receive connections from either interface.
>>> i just want to route the replied packets of the same connection to the eth the syn packet came from.
>>>
>> So, the solution I gave you in the original mail is supposed to work.
>>
>> I only forgot one word in the command I gave over mobile, so now I'll give the full solution when it's easier to type.
>>
>> Variables (assumptions) :
>>
>> IP address currently going through DGW that shouldn't be: 1.2.3.4
>> Alternative gateway for 1.2.3.4: 1.2.3.254
>>
> 1.2.3.4 and 1.2.3.254 are on the same network.
> for your example above, it would be 10.1.2.254 and 10.1.3.254
>
>> First, create an alternative routing table for traffic coming from the IP that is not supposed to go to the default GW:
>>
>> # ip route add 0.0.0.0/0 via 1.2.3.254 table 200
>>
>> Then, ask Linux to use that routing table whenever the source of the traffic is from 1.2.3.4:
>>
>> # ip rule add from 1.2.3.4 table 200
>>
> although the packet will come from router 1.2.3.4, the source ip on the packet is not 1.2.3.4, so this rule is useless (i also checked it and it didn't work)
> i tried also: ip rule add dev eth1 table 200 - didn't work either
> the syntax does not allow me to write 'ip rule add from dev eth1...' - i.e. can't add 'from'
> so i guess i need to tag the packets some way with an iptables rule, and then add an 'ip rule'
> or maybe someone knows of a better way.
>
> tried also: iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 200 ; ip rule add fwmark 200 table 200 - didn't work as well ...
> thanks shimi.
> erez.
>
>> 200 is an arbitrary number. You could use an alias for it to look nicer; if you want that, you can alias a name to a number by editing /etc/iproute2/rt_tables. There are examples there you can copy from. If you have an alias for the number, you can use it in both the ip route and ip rule commands, instead of the number.
>>
>> That's it, I believe.
>>
>> If it still doesn't work, you may be looking at the route cache. You can wait some time, or issue an:
>>
>> # ip route flush cache
>>
>> If it still doesn't work (or commands fail...), be sure to have iproute2 utilities and support in the kernel.
>>
>> Good luck,
>>
>> -- Shimi
>>
>
_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il