Hello,

On Mon, 19 Aug 2002, Arindam Haldar wrote:

> & applied Julian's patch to kernel 2.4.19 & have gone thru the docs at
> the site... I have defined basically 3 groups for clients--> cache,
> cisco, balance.. the name specifies the importance.. these are the details
> of what I did-->

	Carefully analyze the docs...

> [root@Lr1 root]# ip rule ls
> 0:      from all lookup local        # direct communications are first priority

ip rule add prio 5 table main

> 10:     from EXTnA.124/25 lookup ONE
> 20:     from EXTnB.106/26 lookup TWO
> 100:    from 192.168.1.10 lookup CACHE
> 101:    from 192.168.1.20 lookup CISCO
> 150:    from 192.168.1.30 lookup BALANCE
> 200:    from all lookup ME
> 32766:  from all lookup main
> 32767:  from all lookup 253

> BUT am **NOT** able to surf at all from the internal network... not even
> able to ping eth2 !!!.. default INPUT & OUTPUT are set to ACCEPT while
> FORWARD is DROP..

	First try with all ACCEPT.

> what's missing there ?.. after trying all day I want guidance now...
> awaiting a reply very anxiously....

	Your setup is a bit strange: internal hosts use some gateways, the
external addresses use different gateways. The problem is that if you are
using NAT and, for example, 192.168.1.10 is SNAT-ed, the packet will leave
with a new saddr (the masquerade address). Looking at your rules, there is
a different gateway for the masquerade address. This can't work. The
current framework requires that:

- if one internal IP is masqueraded to a specific address, you need the
2 routes to be similar, i.e.: "from INT_IP to TARGET" and "from MASQ_IP
to TARGET" must use the same gateway and device. This is even mandatory
for the patches. Currently, the first packet for one connection is routed
via the route "from INT_IP to TARGET", the SNAT rules assign the
masquerade address at postrouting and then all next packets are routed via
the 2nd route - 1 route per forwarded packet. It is a bit strange for
these two routes to use different gateways. Do you have a good reason for
this?

	Also note that rules in the form "from 0/0 to ANY_TARGET", where
ANY_TARGET can be any subnet including 0/0, are used for source address
autoselection - the resulting preferred source IP is used as saddr. It is
not used only as a "default" rule. So, playing tricks with different
gateways is not possible. The setup is ambiguous if NAT is involved.

> A.H

Regards

--
Julian Anastasov <ja@ssi.bg>

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
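The constraint Julian states above (the pre-NAT source and the post-NAT masquerade address must select the same gateway and device, and a `prio 5` lookup of `main` must come before the per-source tables so directly connected networks stay reachable) can be expressed as a script. What follows is an added example, not part of the original thread or of Julian's patch: the interface names, the 203.0.113.0/24 documentation addresses, the table name CACHE and the `DRY_RUN` switch are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the LARTC thread): policy routing for one SNAT-ed
# internal host. The first packet of a connection is routed with saddr
# INT_IP; POSTROUTING SNAT rewrites it to EXT_IP; every later packet is
# routed with saddr EXT_IP. Sending BOTH sources to the same table with a
# single default route guarantees the same gateway and device for all of them.
# Addresses, devices and the table name are assumptions. DRY_RUN=1 (the
# default) only prints the commands, so the script can be run without root.

DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

EXT_DEV=eth0            # assumed uplink interface
EXT_GW=203.0.113.1      # assumed upstream gateway (documentation range)
EXT_IP=203.0.113.10     # assumed masquerade address on EXT_DEV
INT_IP=192.168.1.10     # the "cache" client from the thread

setup_cache_table() {
    # Directly connected routes first (Julian's "ip rule add prio 5 table
    # main"), so that internal hosts can still ping eth2 and each other.
    run ip rule add prio 5 table main

    # One route in table CACHE: gateway, device and preferred source address.
    # The "src" keyword matters because a "from all"/default route is also
    # used for source address autoselection, as the reply points out.
    run ip route add default via "$EXT_GW" dev "$EXT_DEV" src "$EXT_IP" table CACHE

    # Pre-NAT and post-NAT source addresses consult the same table.
    run ip rule add prio 100 from "$INT_IP" table CACHE
    run ip rule add prio 101 from "$EXT_IP" table CACHE

    # The masquerade itself, applied after the first routing decision.
    run iptables -t nat -A POSTROUTING -s "$INT_IP" -o "$EXT_DEV" -j SNAT --to-source "$EXT_IP"
}

# Consistency check: which table do the generated rules consult for packets
# from $1? For a NAT-ed host this must be identical for INT_IP and EXT_IP.
rule_table_for() {
    ( DRY_RUN=1; setup_cache_table ) |
        sed -n "s/^ip rule add prio [0-9]* from $1 table \([^ ]*\)\$/\1/p"
}

setup_cache_table
```

Run it as is to review the commands, then `DRY_RUN=0 sh ./nat-routes.sh` as root to apply them; a setup where `rule_table_for 192.168.1.10` and `rule_table_for 203.0.113.10` return different tables is exactly the ambiguous case the reply warns about.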