Hello,

On Wed, 27 Nov 2002, Nickola Kolev wrote:

> So, given I'm running kernel 2.4.19 and using ipchains (don't
> ask me why, but I'm bound to this config), I would like to
> reroute everything that's passing through eth1 on machine A
> from the internal LAN and has dport XXXX to the same port
> on machine B. The whole thing has to be completely transparent.
> I tried some "advanced routing" stuff, like marking those packets
> with fwmark and building a separate routing table for them,
> but alas. Notice that the two machines are on the same LAN segment.

Yes, marking the packets for routing purposes is a solution, sort of:

# Mark XXX traffic
ipchains -A input -p TCP -s CLIENT_NET/24 -d 0.0.0.0/0 PORT_XXX -m 1 -j ACCEPT
# Check first for routes to directly attached networks
ip rule add prio 50 table main
# Port XXX to universe is rerouted to host B
ip rule add prio 100 fwmark 1 table 100
ip route add default via HOST_B dev eth1 table 100

Maybe the problem is that host B cannot accept this traffic? You need some measures:

1. In host A stop ICMP redirects generated for routes on shared mediums:

   # one file per interface; a glob in a redirection target is rejected by bash, so loop
   for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > "$f"; done

   Without such settings, host A will redirect clients directly to host B, for any traffic.

2. Add Transparent Proxy support in box B to accept locally the client's traffic. You can look at how the Squid tproxy works: each packet is delivered to the configured local IP:PORT but this service can obtain the original DADDR:DPORT of the packet.

> Nickola

Regards

--
Julian Anastasov <ja@ssi.bg>

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
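The fwmark-based rerouting and the send_redirects step from the reply above, gathered into one parameterised script as an added example (this is not code from the original mail or from the LARTC project). It keeps the ipchains/iproute2 commands the reply uses; CLIENT_NET, PORT_XXX, HOST_B and the interface are placeholders passed in as arguments, the mark value 1 and table 100 are the reply's own arbitrary choices. The script defaults to a dry run that only prints the commands, so the rule set can be reviewed on a non-root machine before DRY_RUN=0 applies it on host A; the last function reports which interfaces still have ICMP redirects enabled, since a single interface left at 1 is enough for host A to short-circuit the clients straight to host B.

```shell
#!/bin/sh
# Added example (not from the original post): fwmark policy routing on host A
# as described in the reply, plus a check for the send_redirects sysctl.

# Emit (or run) one command. With DRY_RUN=1 (the default) the command is
# only printed, so the script can be reviewed before being applied as root.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Mark TCP traffic from one client network to one port and steer it to host B.
# $1 client network (CIDR), $2 destination port, $3 host B address, $4 interface
setup_reroute() {
    client_net=$1; port=$2; host_b=$3; iface=$4
    mark=1      # fwmark value from the reply; table 100 is an arbitrary unused table id
    # Mark packets from the client LAN to $port on any destination (ipchains syntax:
    # the port follows the address it belongs to)
    run ipchains -A input -p TCP -s "$client_net" -d 0.0.0.0/0 "$port" -m "$mark" -j ACCEPT
    # Consult the main table first so directly attached networks are still reached normally
    run ip rule add prio 50 table main
    # Marked packets then fall through to table 100, whose only route points at host B
    run ip rule add prio 100 fwmark "$mark" table 100
    run ip route add default via "$host_b" dev "$iface" table 100
}

# Turn off ICMP redirects on every interface. Host A and host B share a medium,
# so otherwise host A tells each client to talk to host B directly, bypassing the mark.
# Takes the conf directory as an argument so it can be pointed at a test copy.
disable_redirects() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    for f in "$conf_dir"/*/send_redirects; do
        [ -e "$f" ] || continue
        run sh -c "echo 0 > $f"
    done
}

# Print the name of every interface in a conf tree whose send_redirects is not 0.
# Empty output means step 1 of the reply is complete.
redirects_still_on() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    for f in "$conf_dir"/*/send_redirects; do
        [ -e "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            basename "$(dirname "$f")"
        fi
    done
}

# Typical use (placeholders): review the output with the default DRY_RUN=1, then
#   DRY_RUN=0 sh this_script.sh   after uncommenting the two calls below, as root on host A.
# setup_reroute CLIENT_NET/24 PORT_XXX HOST_B eth1
# disable_redirects
# redirects_still_on    # should print nothing afterwards
```

Host B still needs step 2 of the reply (a transparent-proxy capable listener that accepts packets whose destination address is not its own); nothing in this script changes that.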