Hi Julian,

Sunday, 2 March 2003, you wrote:

>> OK, I overlooked it
>> > > 30: from all to 1.1.1.29 lookup 1
>> > > 30: from all to 2.2.2.65 lookup 2
>>
>> OK, but I process main table after all manually typed rules... but never
>> mind, it's not an issue ;)

JA> It is not good to put table main after other rules, it can
JA> be used only to override route in table main. For example, why
JA> traffic from 1.1.1.29 to some internal IP should go to the ISP
JA> gateway (table 1)?

In fact I have additional rules for directing traffic, i.e. directing
LAN-destined traffic to the main table with high priority:

9: from all to 192.168.0.0/17 lookup main

..but I didn't want to blur my problem with unrelated rules, so I left it
out. Though you could be right and maybe my setup isn't optimal, so I'll
try to revise my config.

>> Hmmm... I can't understand what netfilter has to do with the "iif" parameter?
>> What I want to achieve is to catch all incoming traffic on eth1..

JA> There are some places that can use output rerouting where
JA> the iif parameter is ignored. And second, the normal kernel relies
JA> on the routing cache to keep persistence for each NAT connection to
JA> its selected nexthop. There is no guarantee that it will work for the
JA> whole connection life.

When I used it, it looked like it works the same way as when I omitted the
"iif" parameter. But there is another matter in what you wrote below...

JA> It does not work all the time.

>> > http://www.ssi.bg/~ja/#routes
>> >
>> > dgd-usage.txt contains example for rules and routes you can use.
>>
>> Hmm... Maybe I am wrong, but it's related to NAT with multiple gateways on a
>> single interface, not on different ones, which is what I have...

JA> Not exactly true, it is related to making sure each NAT
JA> conn is bound to its allowed path(s), no matter how many interfaces
JA> are used. Selecting different nexthop should be allowed only if
JA> it is alternative allowed from the routing rules.

>> There shouldn't be a problem with what I read in this article.

JA> Then why you see traffic to the wrong gateway?

Hey! You are absolutely right! I reviewed all your docs from your website,
also applied the suitable patch, and it works as expected now, without
spoofed routing. Great! It's extremely useful documentation [dgd-usage.txt,
nano.txt], it really explains the routing flow. I didn't find such important
info even in the core advanced routing and iproute documentation... It would
be nice to visualize it, like e.g. the "iptables flow", because it's not very
obvious knowledge and a bit hard to understand.

BTW. I also used the patch for the 2.4.x kernel to enable the "equalize"
parameter [which parameter doesn't work at all], but this patch and the
"routes" patch from your website do not apply together.. only one of them
works.

Again, thank you very much :)

tw

--
mailto:lartc@xxxxxxxxxxx
-----------
ck.eter.tym.pl
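The rule-ordering point Julian makes above (table main consulted after the per-ISP rules, versus a high-priority rule that sends LAN-destined traffic to main first) can be checked without a router. The following is an added example, not code from the LARTC thread or from Julian's patches: a small Python model of the routing policy database that `ip rule` manipulates. Rules are walked in ascending priority, the first matching selector picks a table, the table is searched by longest prefix, and a table with no matching route falls through to the next rule. All addresses, gateways, device names and the per-ISP source selectors (`from 1.1.1.29`, `from 2.2.2.65`, following Julian's description of "traffic from 1.1.1.29") are constructed for illustration and are not taken from the poster's real configuration. The model deliberately ignores `iif`, fwmark selectors and the routing cache, so it shows only what rule order does to the lookup.

```python
"""Toy model of the Linux RPDB (`ip rule` + `ip route` tables).

Added example, not part of the LARTC thread. All addresses, tables and
selectors below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    dev: str
    via: Optional[str] = None  # None = directly connected (scope link)


@dataclass(frozen=True)
class Rule:
    prio: int
    table: str
    src: Optional[IPv4Network] = None  # "from" selector; None matches all
    dst: Optional[IPv4Network] = None  # "to" selector; None matches all

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return (self.src is None or src in self.src) and (
            self.dst is None or dst in self.dst
        )


def lookup_table(table: List[Route], dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match inside a single routing table."""
    candidates = [r for r in table if dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def rpdb_lookup(rules: List[Rule], tables, src: str, dst: str
                ) -> Optional[Tuple[int, str, Route]]:
    """Walk rules by priority; first table that yields a route wins.

    A matching rule whose table has no route for dst does not end the
    lookup: the kernel continues with the next rule.
    """
    s, d = ip_address(src), ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.prio):  # stable for equal prio
        if not rule.matches(s, d):
            continue
        route = lookup_table(tables[rule.table], d)
        if route is not None:
            return rule.prio, rule.table, route
    return None


# Constructed tables: a directly connected LAN in main, default via ISP1 in
# main, and one default route per ISP in tables 1 and 2.
TABLES = {
    "main": [
        Route(ip_network("192.168.0.0/17"), "eth0"),
        Route(ip_network("0.0.0.0/0"), "eth1", via="1.1.1.1"),
    ],
    "1": [Route(ip_network("0.0.0.0/0"), "eth1", via="1.1.1.1")],
    "2": [Route(ip_network("0.0.0.0/0"), "eth2", via="2.2.2.1")],
}

# Setup A: main consulted only after the per-ISP source rules.
MAIN_LAST = [
    Rule(30, "1", src=ip_network("1.1.1.29/32")),
    Rule(30, "2", src=ip_network("2.2.2.65/32")),
    Rule(32766, "main"),
]

# Setup B: LAN-destined traffic sent to main first (the poster's rule 9).
LAN_FIRST = [Rule(9, "main", dst=ip_network("192.168.0.0/17"))] + MAIN_LAST


def next_hop(rules: List[Rule], src: str, dst: str) -> str:
    """Human-readable result of the lookup, e.g. 'table 1 -> via 1.1.1.1 dev eth1'."""
    hit = rpdb_lookup(rules, TABLES, src, dst)
    if hit is None:
        return "unreachable"
    _, table, route = hit
    hop = f"via {route.via}" if route.via else "link"
    return f"table {table} -> {hop} dev {route.dev}"


if __name__ == "__main__":
    # Traffic from the ISP1-side address to an internal host.
    print("main last :", next_hop(MAIN_LAST, "1.1.1.29", "192.168.1.10"))
    print("LAN first :", next_hop(LAN_FIRST, "1.1.1.29", "192.168.1.10"))
    # Internet-bound traffic still follows the per-ISP rules in setup B.
    print("ISP1 out  :", next_hop(LAN_FIRST, "1.1.1.29", "8.8.8.8"))
    print("ISP2 out  :", next_hop(LAN_FIRST, "2.2.2.65", "8.8.8.8"))
```

With main consulted last, a packet from 1.1.1.29 to an internal 192.168.x.x host matches rule 30 first and leaves through table 1's default route towards the ISP gateway, which is exactly the misrouting Julian asks about. With the priority-9 rule in place the same packet reaches main first and is delivered on the LAN interface, while Internet-bound traffic from the two ISP-side addresses is unaffected and still follows tables 1 and 2.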