Russell,

: I have a network much like that shown in:
:
: <http://www.lartc.org/howto/lartc.rpdb.multiple-links.html>
:
: with a few wrinkles. This is with a ptrace-patched 2.4.20 kernel.
:
: The wrinkles are that one interface has 14 IPs (.2 to .15) total (via
: eth1 and aliasing), the other being a single DHCP-provided IP (eth0).

As a side note, after reading your post, Russell, I'm a touch confused
why you have so many IPs hosted on your eth1 interface. It strikes me
that you really just want packets to arrive (inbound) on eth1. So, you
really don't need to have all these IPs locally hosted on your box. You
can simply proxy ARP for the IPs, and ethernet frames with IP packets
bound for e.f.g.2-15 will arrive on your eth1. Perhaps you are doing
more than that with these 14 IP addresses, but if not, why bother
hosting the IPs locally?

Suggestion:

  # for h in $( seq 2 15 ) ; do
  >   arp -s e.f.g.$h -i eth1 -D eth1 pub
  > done

Purely out of curiosity, I wonder if you are doing something else with
these IPs?

[ snipped iptables rules that look fine ]

: When I connect from the outside to eee.fff.ggg.11:22, I never hear a
: reply. Ethereal (on the internal interface, eth2) shows replies, but
: looking on the other external interface (eth0) it appears that the
: replies are all shooting out of it (the default path). Nothing ever
: returns out the eth1 interface as it "should". I have the ip rules
: set up as follows:

[ thank you for the "ip route" and "ip rule" output, which has been
  snipped to save space ]

: When I connect to the port forwarded address from the outside, it
: looks like the returning packets are getting routed _before_ the
: source IP is translated (and thus aren't matching a special rule and
: thus get routed according to the default rule). Everything else seems
: to be working fine.
:
: Has anyone seen this? Is it a bug or am I just confused?

This is not a bug--this is a fact of packet flow through the kernel.
See the kernel packet traveling diagram (KPTD) [1] for more details on
the sequence of operations.

So to answer your question: you must be confused! :)

You should try adding just one more rule:

  # ip rule add from 192.168.0.2 table T2

For a more thorough analysis of this interaction between routing and
netfilter, see my advanced routing with multiple Internet connections
chapter [2] and/or this informative post from Wes Hodges [3].

-Martin

[1] http://www.docum.org/stef.coene/qos/kptd/
[2] http://linux-ip.net/html/adv-multi-internet.html
[3] http://lists.netfilter.org/pipermail/netfilter/2001-May/011697.html

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@xxxxxxxxxxxxxx
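As an added illustration of the ordering Martin is pointing at (the routing decision runs on the packet as it arrived, and the conntrack reversal of the DNAT only happens afterwards in POSTROUTING), here is a small Python model of the routing policy database. It is not code from the thread, from LARTC or from the kernel; it walks rules in priority order and does a longest-prefix lookup in the selected table, falling through to the next rule when the table has no route, which is how `ip rule` / `ip route` behave. All addresses, table names and rule priorities are stand-ins chosen for the example: 198.51.100.2 plays the DHCP address on eth0, 203.0.113.2-15 play e.f.g.2-15 on eth1, 192.168.0.2 is the DNAT target behind eth2 and 192.0.2.55 is the outside client.

```python
"""Toy model of Linux policy routing (RPDB) versus netfilter NAT ordering.
Constructed example; addresses and priorities are assumptions, not the
poster's real configuration."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    prio: int            # lower value is consulted first, like "ip rule" preference
    src: Optional[Net]   # the "from" selector; None means "from all"
    table: str


@dataclass(frozen=True)
class Route:
    dst: Net
    dev: str
    via: Optional[IPv4] = None


class Rpdb:
    """Walk rules by priority; the first table holding a route for dst wins."""

    def __init__(self) -> None:
        self.rules: list[Rule] = []
        self.tables: dict[str, list[Route]] = {}

    def rule_add(self, prio: int, src: Optional[str], table: str) -> None:
        self.rules.append(Rule(prio, Net(src) if src else None, table))

    def route_add(self, table: str, dst: str, dev: str, via: Optional[str] = None) -> None:
        self.tables.setdefault(table, []).append(Route(Net(dst), dev, IPv4(via) if via else None))

    def lookup(self, src: str, dst: str) -> Route:
        s, d = IPv4(src), IPv4(dst)
        for rule in sorted(self.rules, key=lambda r: r.prio):
            if rule.src is not None and s not in rule.src:
                continue
            hits = [r for r in self.tables.get(rule.table, []) if d in r.dst]
            if not hits:
                continue  # selected table has no route for dst: try the next rule
            return max(hits, key=lambda r: r.dst.prefixlen)  # longest prefix wins
        raise LookupError(f"no route to {dst}")


@dataclass
class Conntrack:
    """Only the NAT state that matters here: PREROUTING DNAT mappings
    public address -> internal address, undone on the reply in POSTROUTING."""
    dnat: dict[str, str] = field(default_factory=dict)

    def reverse(self, reply_src: str) -> str:
        for public, internal in self.dnat.items():
            if internal == reply_src:
                return public
        return reply_src


def route_reply(rpdb: Rpdb, ct: Conntrack, src: str, dst: str) -> tuple[str, str]:
    """Forward a reply in KPTD order: (1) routing decision with the internal
    source still in place, (2) POSTROUTING restores the public source.
    Returns (egress device, source address as the packet leaves the box)."""
    route = rpdb.lookup(src, dst)   # step 1: the "from" selectors see 192.168.0.2
    public_src = ct.reverse(src)    # step 2: too late to influence the route
    return route.dev, public_src


def build_rpdb(with_fix: bool) -> Rpdb:
    r = Rpdb()
    # main table: connected networks plus the default via the DHCP link on eth0
    for dst, dev in (("198.51.100.0/24", "eth0"), ("203.0.113.0/24", "eth1"),
                     ("192.168.0.0/24", "eth2")):
        r.route_add("main", dst, dev)
    r.route_add("main", "0.0.0.0/0", "eth0", via="198.51.100.1")
    # T1 / T2 as in the LARTC multiple-links recipe (assumed addresses)
    r.route_add("T1", "198.51.100.0/24", "eth0")
    r.route_add("T1", "0.0.0.0/0", "eth0", via="198.51.100.1")
    r.route_add("T2", "203.0.113.0/24", "eth1")
    r.route_add("T2", "0.0.0.0/0", "eth1", via="203.0.113.1")
    # "ip rule add from <local address> table Tn" for every provider address
    r.rule_add(100, "198.51.100.2", "T1")
    for h in range(2, 16):
        r.rule_add(100, f"203.0.113.{h}", "T2")
    r.rule_add(32766, None, "main")  # the kernel's own "from all lookup main"
    if with_fix:
        # Martin's extra rule: select on the address the routing code actually sees
        r.rule_add(100, "192.168.0.2", "T2")
    return r


def demo(with_fix: bool) -> tuple[str, str]:
    # constructed DNAT: 203.0.113.11:22 (stand-in for e.f.g.11:22) -> 192.168.0.2:22
    ct = Conntrack(dnat={"203.0.113.11": "192.168.0.2"})
    return route_reply(build_rpdb(with_fix), ct, src="192.168.0.2", dst="192.0.2.55")


if __name__ == "__main__":
    print("without the extra rule:", demo(False))
    print("with the extra rule:   ", demo(True))
```

The first run reproduces the symptom in the report: the reply is routed by the main table's default route out eth0 and only then gets its source rewritten to the eth1 address, so it leaves the wrong link carrying the right address. With the extra `from 192.168.0.2` rule the lookup lands in T2 before the catch-all and the reply goes out eth1. The model also makes the side effect of that rule visible: a `from` selector matches every packet the internal host sends, not just the DNAT replies, so all of 192.168.0.2's outbound traffic now uses the eth1 link.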