So, I thought I'd give iptables + iproute2 a shot with a new gateway box.

ISP 1
  eth1
  Local IP 10.1.0.2
  Router IP 10.1.0.1

ISP 2
  ippp0
  Local PPP IP 194.222.178.203
  Remote PPP IP 158.152.1.222

Network hangs off eth0 on 10.1.1.0/24

Everything works fine, I can change the default routes between the two links, and even do policy routing based on source address with;

  ip ro add default via 158.152.1.222 dev ippp0 src 194.222.178.203 table 20
  ip ru add from 10.1.1.5 table 20

However, I want it to route via fwmark, and it just plain refuses to do it. I'm not sure if it's not marking packets, marked packets are being routed the wrong way (tcpdump says otherwise) or if it's just borking the whole thing up by routing some other packets a different way.

Empty iptables tables, except for a rule to SNAT everything going out of ippp0 onto the ippp0 IP, I do

  iptables -t mangle -A PREROUTING -s 10.1.1.5 -j MARK --set-mark 1
  ip ru add fwmark 1 table 20 realms 1/2

(I removed the 'from 10.1.1.5' ip rule).

You'd think it would do the same as the other rule, but it doesn't. Trying to telnet to port 100 on 195.82.107.251 (okay, nothing is listening, but it sends an icmp packet back and it works with source policy routing) produces the following in tcpdump;

  tcpdump: listening on ippp0
  18:44:01.109900 > 194.222.178.203.1289 > 195.82.107.251.pop3: S 3146733637:3146733637(0) win 32120 <mss 1460,sackOK,timestamp 6743036 0,nop,wscale 0> (DF)
  18:44:01.177798 < 195.82.107.251.pop3 > 10.1.1.5.1289: S 3194989746:3194989746(0) ack 3146733638 win 32120 <mss 1460,sackOK,timestamp 296891610 6743036,nop,wscale 0> (DF)
  18:44:02.618943 < 195.82.107.251.pop3 > 10.1.1.5.1287: S 3186605292:3186605292(0) ack 3146469497 win 32120 <mss 1460,sackOK,timestamp 296891746 6742174,nop,wscale 0> (DF)

It looks right to me, at least there isn't anything blatantly obviously wrong (such as weird ass src/dest IPs).

The number of packets in the realm is the same as the number of marked packets in the iptables counter, so it looks like;

1) The correct packets are being marked as they should
2) The marked packets are being caught by the right rule
3) The marked packets are being routed as per the table in the rule.

Anyone got any suggestions or thoughts? The gateway is running test11-pre5, although I have tried it with test10 and had the same results.

Thanks.

--
David Coulson technoir@xxxxxxxxxxxxxxx