[ Diego; I figured others would be interested in this answer, so I am
  copying the list. ]

: > See the thread which starts here:
: >
: >   http://mailman.ds9a.nl/pipermail/lartc/2003q2/007952.html
: >
: > And the magic happens here:
: >
: >   http://mailman.ds9a.nl/pipermail/lartc/2003q2/008090.html
:
: thanks a lot! maybe i can now see some light on this problem :)
:
: i was thinking of marking the output packet on the host server (with
: the same mark i'm using on the router box to route through the
: non-default gw). if i understood correctly, this is what has been done
: in the example below ...

Not quite (if I understand your explanation).

First and foremost, the fwmark is packet meta-data which does not survive
once the packet leaves a router. The cleverness of the solution is to take
advantage of the connection tracking mechanism (which keeps state) to set
an fwmark on a packet as soon as the packet enters the machine. Now your
stateless IP routing mechanism (FIB || RPDB + routing tables) makes a
decision based on the packet and the meta-data (fwmark).

: iptables -t mangle -I PREROUTING -m conntrack --ctstate DNAT \
:     --ctorigdst eee.fff.ggg.11 -j MARK --set-mark 2
:
: ip rule add fwmark 2 table T2
:
: but yet i don't understand why rp_filter should be turned off...

rp_filter (reverse path filtering) described:

  http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html#AEN616

rp_filter is a sysctl which tells your linux box to take some
anti-spoofing measures. Naturally, this anti-spoofing technique works to
your disadvantage if you wish to be able to reach a particular network (in
this case 0/0) through multiple interfaces. So, if you don't want the
kernel happily throwing away packets arriving on unexpected interfaces,
simply put a lightweight zero in rp_filter.

-Martin

--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@xxxxxxxxxxxxxx
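The pieces Martin describes (DNAT, the conntrack-based mark, the fwmark rule and table, and the rp_filter relaxation) pulled together into one router-side script, as an added example that is not from the thread or from Martin's own configuration. It assumes a second uplink eth1 with gateway 203.0.113.1 and public address 203.0.113.11 (standing in for eee.fff.ggg.11), an internal server at 192.168.1.10, and a table named T2 already listed in /etc/iproute2/rt_tables; with DRY_RUN set (the default) it prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not the thread's own configuration. All addresses and
# interface names below are constructed: eth1 = second ISP uplink with
# gateway 203.0.113.1, public address 203.0.113.11 on that uplink,
# internal server 192.168.1.10. Table "T2" is assumed to exist in
# /etc/iproute2/rt_tables. DRY_RUN defaults to 1 (print only); run with
# DRY_RUN='' as root to apply the commands.
DRY_RUN=${DRY_RUN-1}

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Usage: setup_policy_routing PUBLIC_IP GATEWAY2 UPLINK2 SERVER
setup_policy_routing() {
    pub_ip=$1; gw2=$2; uplink2=$3; server=$4

    # 1. Inbound connections to the second public address go to the server.
    run iptables -t nat -A PREROUTING -d "$pub_ip" -j DNAT --to-destination "$server"

    # 2. Mark every packet of a DNATed connection whose ORIGINAL destination
    #    was the second public address. Conntrack remembers that state, so the
    #    server's replies (which arrive unmarked on the LAN side) receive the
    #    mark before the routing decision is made.
    run iptables -t mangle -I PREROUTING -m conntrack --ctstate DNAT \
        --ctorigdst "$pub_ip" -j MARK --set-mark 2

    # 3. Marked packets consult table T2, whose default route is the second ISP.
    #    If T2 holds no matching route, lookup falls through to the main table.
    run ip rule add fwmark 2 table T2
    run ip route add default via "$gw2" dev "$uplink2" table T2

    # 4. With two uplinks, packets for 0/0 legitimately arrive on the "wrong"
    #    interface; strict reverse-path filtering would drop them, so disable it
    #    (kernels 2.6.31 and later also offer loose mode, value 2).
    run sysctl -w net.ipv4.conf.all.rp_filter=0
    run sysctl -w "net.ipv4.conf.$uplink2.rp_filter=0"
}

# Invocation with the constructed values above.
setup_policy_routing 203.0.113.11 203.0.113.1 eth1 192.168.1.10
```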