Rob,

There's a problem with your solution!

fwmark; transient
- - - - - - - - - - -
The structure of the packet as it passes through the firewall/router contains the fwmark. As soon as the packet leaves the box, it no longer has the fwmark. Your solution handles the packets inbound from the outside world, but neglects to handle the outbound packets from the internal network.

SNAT; sets the correct source IP (for outbound connections)
- - - - - - - - - - - - - - - -
Even if using SNATs as you suggest, there is still no way to tell if a packet belongs to a session inbound over eth1 or eth2. This is the statelessness of IP routing!

scenarios
- - - - - - - - - - -
For example, maybe Paco has an RFC1918 addressed server which s/he wants to make available on two different public IPs. This requires one solution. (inbound problem; SNAT can't help; DNAT maybe)

Perhaps Paco wants to send some traffic out one link, and some out the other link--yet another solution. (generic policy routing)

Finally, a link load sharing split access solution is different yet. (multipath route)

In order to make any recommendation, we would need to know what the IP address ranges are and specifically why/how Paco envisions using these two links.

-Martin

 : i missed the nat rule though:
 :
 : $IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -o $ETH1 -j SNAT \
 :   --to-source $ETH1_GATEWAY_IP
 : $IPTABLES -t nat -A POSTROUTING -s 192.168.0.0/24 -o $ETH2 -j SNAT \
 :   --to-source $ETH2_GATEWAY_IP
 :
 : try out following:
 : it's just an idea and i didn't try it out
 :
 : # delete tables 2 and 3 to avoid duplicates
 : # add for each table the gateway to use
 : $IP route del table 2
 : $IP route add table 2 via $ETH1_GATEWAY_IP dev eth1
 : $IP route del table 3
 : $IP route add table 3 via $ETH2_GATEWAY_IP dev eth2
 :
 : # mark each packet regarding to its incoming device
 : $IPTABLES -t mangle -A INPUT -i eth1 -j MARK --set-mark 2
 : $IPTABLES -t mangle -A INPUT -i eth2 -j MARK --set-mark 3
 :
 : # delete to avoid duplicates
 : # lookup the right table regarding to packets fwmark setting
 : # flush the routing cache
 : $IP rule del fwmark 2 table 2
 : $IP rule del fwmark 3 table 3
 : $IP rule add fwmark 2 table 2
 : $IP rule add fwmark 3 table 3
 : $IP route flush cache
 :
 :
 : --
 : rob
 :

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
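
The point made in the reply above, as an added example that is not part of the original thread: a small Python model of one session passing through the box, showing that the mark set on the inbound packet is absent when the server's reply comes back, so the fwmark rules never match it. The LAN interface name eth0, eth1 as the main table's default link, the sample addresses, and applying the mark before the routing lookup are all assumptions of the model.

```python
from dataclasses import dataclass

# Constructed model of the box in the thread. eth0 as the LAN interface and
# eth1 as the main table's default link are assumptions, not from the post.
MANGLE_MARK = {"eth1": 2, "eth2": 3}   # the quoted MARK rules: in-device -> mark
IP_RULES = [(2, "2"), (3, "3")]        # the quoted "ip rule add fwmark N table N"
DEFAULT_DEV = {"2": "eth1", "3": "eth2", "main": "eth1"}  # default route per table


@dataclass
class Skb:
    """Kernel-side packet: header fields plus metadata that never leaves the box."""
    src: str
    dst: str
    in_dev: str
    fwmark: int = 0


def on_wire(skb):
    """Serialise for transmission: only header fields survive, the mark is dropped."""
    return {"src": skb.src, "dst": skb.dst}


def receive(wire, in_dev):
    """A packet arriving from the wire starts unmarked, then hits the mangle rules."""
    skb = Skb(wire["src"], wire["dst"], in_dev)
    skb.fwmark = MANGLE_MARK.get(in_dev, 0)
    return skb


def lookup_table(skb):
    """Policy rule lookup: first matching fwmark rule wins, else the main table."""
    for mark, table in IP_RULES:
        if skb.fwmark == mark:
            return table
    return "main"


def reply_egress(uplink, client="203.0.113.7", server="192.168.0.10"):
    """Follow one session: request in via `uplink`, server's reply back through the box."""
    request = receive({"src": client, "dst": server}, uplink)
    forwarded = on_wire(request)                  # the mark is gone from here on
    reply_wire = {"src": forwarded["dst"], "dst": forwarded["src"]}
    reply = receive(reply_wire, "eth0")           # arrives from the LAN, unmarked
    table = lookup_table(reply)
    return request.fwmark, reply.fwmark, table, DEFAULT_DEV[table]


if __name__ == "__main__":
    for link in ("eth1", "eth2"):
        print(link, reply_egress(link))
```

In the model, a session that entered over eth2 carries mark 3 on the way in, but its reply is looked up in the main table and leaves over eth1, exactly as for a session that entered over eth1.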