On Fri, 27 Sep 2002, David H. Lynch Jr. wrote:

[snip, trying to do multipath routing through a NAT box]

> Trying to grok the interrelations between IPTABLES and routing has given
> me a headache. I guess I am not as sharp as I used to be. I am also
> having a hard time getting a complete handle on what "stateful" really
> means. But I am gathering that this is a routing problem caused as a
> side effect of DNATing a connection. If IPTABLES is "stateful" does that
> mean that if I MARK a packet that the return packet is also marked?

No. It means that the firewall maintains internal state as to what packets
it has seen. This allows it to determine that packets from a TCP connection
are allowed, due to the fact that it has indeed been set up from this side.

The problem you're seeing is that you let the packets travel out of your
firewall again to the server behind it. As soon as the packets are on the
wire, there is *no* way to do any tracking of them any more, as you can
with fwmarks as long as they stay on the host. The problem is that you
lose the information on what interface the packet has originally come in
on, due to DNAT.

> Alternatively, if I set the servers behind the firewall up with
> two IP's and DNATed to a different one depending on the incoming
> interface shouldn't I be able to choose an outgoing routing table based
> on the source IP of the return packet?

That is exactly the right solution to this problem, if you don't intend to
do it at the application level. :)

> Finally what is a flapping route? This problem would make a lot more
> sense to me if it were consistent.

Owh, the internet provider of the clients that you see `disappearing' from
the server at times re-routes the traffic from time to time. It probably
has redundant links to the internet, and using some of these links the
problem does occur whereas using others it doesn't. However, due to
reconfigurations, hardware failure, all kinds of reasons really, the
routes may not be very stable and `flap' between the different links.
That is what I meant.

> Thank you. Just having a second opinion that I am on the right
> track helps a lot.

Well, you are. :)

Doei, Arthur.

--
  /\    / |  arthurvl@sci.kun.nl           | Work like you don't need the money
 /__\  /  |  A friend is someone with whom | Love like you have never been hurt
/    \/__ |  you can dare to be yourself   | Dance like there's nobody watching

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
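The two-address solution endorsed in the reply above (DNAT to a different LAN address per incoming interface, then pick the outgoing routing table from the reply's source address), written out as an added worked example. This script is not part of the original post or of the LARTC HOWTO; the interface names, the addresses, the service port and the routing-table numbers are assumptions chosen for illustration. It prints the iptables and iproute2 commands by default and only applies them when run as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original post: a two-ISP firewall that
# DNATs a service to one server behind it, giving the server one LAN
# address per ISP so that replies can be routed back out the ISP they
# came in on. Interface names, addresses, port and table numbers are
# assumptions for illustration. Prints the commands by default;
# DRY_RUN=0 applies them (needs root, iptables and iproute2).
set -eu

: "${DRY_RUN:=1}"

ISP_A_IF=eth0; ISP_A_IP=203.0.113.10; ISP_A_GW=203.0.113.1; TABLE_A=100
ISP_B_IF=eth1; ISP_B_IP=198.51.100.10; ISP_B_GW=198.51.100.1; TABLE_B=200
LAN_IF=eth2
SRV_IP_A=192.168.1.10   # server address reached via ISP A
SRV_IP_B=192.168.1.11   # server address reached via ISP B (same host)
SERVICE_PORT=80

# Echo a command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: DNAT keyed on the incoming interface. A MARK does not survive
# the trip to the server and back, but the destination address does:
# the server answers from whichever of its two addresses was hit.
dnat_rules() {
    run iptables -t nat -A PREROUTING -i "$ISP_A_IF" -p tcp -d "$ISP_A_IP" \
        --dport "$SERVICE_PORT" -j DNAT --to-destination "$SRV_IP_A"
    run iptables -t nat -A PREROUTING -i "$ISP_B_IF" -p tcp -d "$ISP_B_IP" \
        --dport "$SERVICE_PORT" -j DNAT --to-destination "$SRV_IP_B"
    # Stateful filtering: replies of tracked connections pass; new
    # connections are accepted only towards the published service.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -o "$LAN_IF" -p tcp -d "$SRV_IP_A" \
        --dport "$SERVICE_PORT" -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -o "$LAN_IF" -p tcp -d "$SRV_IP_B" \
        --dport "$SERVICE_PORT" -m state --state NEW -j ACCEPT
}

# Step 2: source-based policy routing. For a forwarded reply the
# routing decision is taken before conntrack undoes the DNAT in
# POSTROUTING, so the reply is still "from" SRV_IP_A or SRV_IP_B and
# the rule below selects the matching ISP's table.
routing_rules() {
    run ip route add default via "$ISP_A_GW" dev "$ISP_A_IF" table "$TABLE_A"
    run ip route add default via "$ISP_B_GW" dev "$ISP_B_IF" table "$TABLE_B"
    run ip rule add from "$SRV_IP_A" table "$TABLE_A" priority 1000
    run ip rule add from "$SRV_IP_B" table "$TABLE_B" priority 1001
    run ip route flush cache
    # Clients of ISP B arrive on eth1 while the main table would route
    # them out eth0; strict reverse-path filtering on the ISP
    # interfaces would drop those packets, so switch it off there.
    run sysctl -w "net.ipv4.conf.$ISP_A_IF.rp_filter=0"
    run sysctl -w "net.ipv4.conf.$ISP_B_IF.rp_filter=0"
}

dnat_rules
routing_rules
```

The ordering matters for the reason given in the reply: a fwmark set in PREROUTING is lost once the packet leaves the firewall, but the LAN address the server was reached on comes back as the source of every reply, and the `ip rule ... from` lookup sees that address because the reverse translation of a DNAT happens in POSTROUTING, after the routing decision. On later kernels the CONNMARK target (`--save-mark`/`--restore-mark` together with an `ip rule ... fwmark`) gives the same result without a second server address, but the source-address scheme above is the one that works on the iptables of the time of this post.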