Re: fwmark routing of locally generated packets

Linux Advanced Routing and Traffic Control

Hi,
Thomas Themel (themel@xxxxxxxxxx) wrote on 2003-11-01:
> # SNAT for outgoing packets
> iptables -A POSTROUTING -t nat -o $PPP_IFACE --match mark --mark 0x03 -j SNAT --to-source $PPP_LOCAL

I've been able to do away with the DNAT rule now.

> # DNAT for incoming packets
> iptables -t nat -A PREROUTING -i $PPP_IFACE  -d $PPP_LOCAL -j DNAT --to-destination 192.168.1.1

I couldn't get it to work with just the SNAT rule originally (see
original post, the SACKs would be ignored), but I've finally figured out
why: I had enabled rp_filter on that machine.  

Quite obviously, enabling rp_filter in combination with policy routing
is a bad idea.

echo 0 > /proc/sys/net/ipv4/conf/$PPP_IFACE/rp_filter 

fixed it for me.

I still think I shouldn't need the netfilter SNAT rule, but even
enabling NAT with the routing rule (ip rule add fwmark 3 table aonc nat
$PPP_REMOTE) doesn't seem to set the source address of the outgoing
packets correctly.

ciao,
-- 
[*Thomas  Themel*] "If we're not supposed to eat animals, how come 
[extended contact]  they're made of meat?"
[info provided in]      - Treat Carnivores Ethically,
[*message header*]              in the fuckedcompany.com forums
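The complete setup this thread pieces together, as an added example written for this page rather than code from the post: a mangle OUTPUT rule that marks locally generated packets, the fwmark rule for the "aonc" table named in the post, the rp_filter fix, and the POSTROUTING SNAT rule. The PPP variables and table name follow the post; the sample addresses, the port-443 selector and the dry-run wrapper are assumptions, and the table is assumed to already be defined in /etc/iproute2/rt_tables.

```shell
#!/bin/sh
# Added example, not from the original post. Run with "apply" to execute the
# commands; by default they are only printed (dry run).
PPP_IFACE=${PPP_IFACE:-ppp0}
PPP_LOCAL=${PPP_LOCAL:-10.0.0.2}    # constructed sample address
PPP_REMOTE=${PPP_REMOTE:-10.0.0.1}  # constructed sample address
TABLE=aonc
MARK=3
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

write_sysctl() {
    # $1 is the /proc path, $2 the value; shown as a command in dry-run mode
    if [ "$DRY_RUN" = 1 ]; then printf 'echo %s > %s\n' "$2" "$1"; else echo "$2" > "$1"; fi
}

configure_mark_routing() {
    # 1. Mark locally generated packets in mangle OUTPUT; the kernel re-routes
    #    them after this chain, so the fwmark rule below is honoured.
    #    (Selector by destination port is a hypothetical choice.)
    run iptables -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark "$MARK"
    # 2. Policy rule plus a default route in the dedicated table via the peer.
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$PPP_REMOTE" dev "$PPP_IFACE" table "$TABLE"
    # 3. The fix from the thread: rp_filter discards replies arriving on an
    #    interface the main table would not use to reach their sender.
    write_sysctl "/proc/sys/net/ipv4/conf/$PPP_IFACE/rp_filter" 0
    # 4. The source address was picked by the first route lookup, before the
    #    mark existed, so SNAT is still needed to rewrite it to the PPP address.
    run iptables -t nat -A POSTROUTING -o "$PPP_IFACE" -m mark --mark "$MARK" \
        -j SNAT --to-source "$PPP_LOCAL"
}

# Number of commands the dry run would emit (useful as a sanity check).
rules_count() { DRY_RUN=1 configure_mark_routing | wc -l | tr -d ' '; }

case "${1:-}" in apply) DRY_RUN=0 ;; esac
configure_mark_routing
```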
