On Tuesday 06 Jan 2004 01:49, Rio Martin wrote:

> > > > > Hmm. Just replace -j MASQUERADE with -j SNAT? Will that not break
> > > > > other things?
> > > >
> > > > -j SNAT your_ip
> > >
> > > Or rather -j SNAT --to-source your_ip. I get it. I'll check if that
> > > works better than masquerading.
> >
> > Just tried it - no difference. Packets still come out with a source IP
> > address not matching the interface. :-(
>
> Try switching manually; first set it up without iproute. Remove all the
> tables you have created and flush them. Try with ISP1 first. Do SNAT --to
> ip.of.ISP1
> Does it work? Okay, now switch to ISP2. Do SNAT --to ip.of.ISP2.
> It should work; otherwise something is wrong with the kernel or iptables
> you have on your machine.
>
> Finish this step first, then report back to the list.

If one of the default routes is removed, everything works OK. However, if there are two default routes, packets get misdirected. The ChangeLog for 2.4.21 lists a few conntrack bug fixes, which I suspect to be the cause of this. Basically, the non-deterministic default route selection/rotation seems to take precedence over maintaining the same interface for serving a particular established connection through the firewall.

I'm compiling a new clean 2.4.24 with the jumbo routes patch at the moment, which will hopefully fix things. I'm hoping to try it out tonight.

And BTW, the latest RH9 kernel released yesterday (2.4.20-28.9 IIRC) is still broken as far as routing is concerned.

Gordan

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
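Rio's one-ISP-at-a-time SNAT test, written up as a script (an added example, not code from the thread). It refuses to apply SNAT while more than one default route is present, the condition Gordan reports as misdirecting packets; interface names and addresses are constructed placeholders, and the route tables are constructed samples so it runs as a dry run without root.

```bash
#!/bin/sh
# Constructed placeholders for the two uplinks (not from the thread).
ISP1_IF=eth1; ISP1_IP=192.0.2.10
ISP2_IF=eth2; ISP2_IP=198.51.100.10

# Count "default" entries in `ip route show` output passed as $1.
# Two defaults at once is the state in which SNAT'd packets left the wrong interface.
count_default_routes() {
    printf '%s\n' "$1" | grep -c '^default ' || true
}

# Emit the iptables commands for SNAT via one uplink, flushing POSTROUTING first
# (Rio's "remove the tables you have created and flush them").
snat_commands() {
    iface=$1; addr=$2
    printf 'iptables -t nat -F POSTROUTING\n'
    printf 'iptables -t nat -A POSTROUTING -o %s -j SNAT --to-source %s\n' "$iface" "$addr"
}

# Pre-flight check: $1 = route table text, $2 = interface, $3 = address.
# Prints the commands to run only if exactly one default route exists; returns 1 otherwise.
snat_via() {
    n=$(count_default_routes "$1")
    if [ "$n" -ne 1 ]; then
        echo "refusing: $n default routes present, expected exactly 1" >&2
        return 1
    fi
    snat_commands "$2" "$3"
}

# Constructed sample route tables for the offline dry run.
ONE_DEFAULT='default via 192.0.2.1 dev eth1
192.0.2.0/24 dev eth1  scope link
10.0.0.0/24 dev eth0  scope link'
TWO_DEFAULTS="$ONE_DEFAULT
default via 198.51.100.1 dev eth2"

# Dry run: print what would be applied for ISP1 (pipe to sh as root on a real box
# after replacing the sample with `ip route show` output).
snat_via "$ONE_DEFAULT" "$ISP1_IF" "$ISP1_IP"
```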