> iptables -t nat -I PREROUTING -i $internal -s $intserver \
>     --match conntrack --ctorigdst $ip_t1 -j MARK --set-mark 1
> iptables -t nat -I PREROUTING -i $internal -s $intserver \
>     --match conntrack --ctorigdst $ip_t2 -j MARK --set-mark 2
>
> ip rule add from $intserver fwmark 1 table T1
> ip rule add from $intserver fwmark 2 table T2
>
> I am hoping that somebody else on the LARTC list has tried this and lived
> through the pitfalls of using conntrack in this fashion--perhaps somebody
> can even point out if I'm leading you down the wrong path.

Firstly, those iptables commands won't even work. I suspect you mean
iptables -t mangle (and not -t nat !!!).

Secondly, using this method, if it works, I have to do it for every internal
server which I have. If I have 10 servers, I will have to execute many of
those commands.

I saw some earlier post (by Daniel Chemko) which says he has done this using
CONNMARK; basically what he did was this:

iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m state --state NEW -i ${OUTSIDE_DEVICE} -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m state --state NEW -i ${OUTSIDE_DEVICE2} -j MARK --set-mark 2
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark

I haven't had a chance to try all these. But if this is working, it is much
cleaner than this approach using fwmark.

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
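The CONNMARK approach from the thread, written out as a complete two-uplink ruleset (an added example, not code from the post or from Daniel Chemko). It assumes placeholder interface names, gateways and a LAN prefix, that T1/T2 exist in /etc/iproute2/rt_tables, and it adds one rule the thread does not mention: LAN-bound packets must be looked up in the main table, or a marked inbound packet would be bounced back out the uplink.

```shell
#!/bin/sh
# Added example: two-uplink reply routing with CONNMARK. All names and
# addresses below are placeholders (documentation prefixes), not real hosts.
set -eu

OUTSIDE_DEVICE=eth1       # uplink 1
OUTSIDE_DEVICE2=eth2      # uplink 2
GW1=203.0.113.1           # uplink 1 gateway
GW2=198.51.100.1          # uplink 2 gateway
LAN_NET=192.168.1.0/24    # internal servers live here

# Print the commands rather than running them, so the ruleset can be
# reviewed (or diffed against a live box) before it is applied.
gen_rules() {
    cat <<EOF
# one default route per uplink
ip route add default via $GW1 dev $OUTSIDE_DEVICE table T1
ip route add default via $GW2 dev $OUTSIDE_DEVICE2 table T2
# LAN destinations always use the main table, whatever mark the packet has
ip rule add to $LAN_NET table main priority 100
ip rule add fwmark 1 table T1 priority 200
ip rule add fwmark 2 table T2 priority 200
# 1. copy the connection mark onto every packet (replies from the LAN too)
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
# 2. a NEW connection arriving on an uplink is tagged with that uplink;
#    connections started from the LAN get no mark and follow the main table
iptables -t mangle -A PREROUTING -i $OUTSIDE_DEVICE -m conntrack --ctstate NEW -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i $OUTSIDE_DEVICE2 -m conntrack --ctstate NEW -j MARK --set-mark 2
# 3. store the packet mark on the connection so the server's replies inherit it
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
EOF
}

# Apply the generated commands (needs root, iptables and iproute2).
apply_rules() {
    gen_rules | sh -e
}

# Number of generated lines matching a pattern; handy for self-checks.
count_rules() {
    gen_rules | grep -c -- "$1"
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Running the script with no argument prints the ruleset; `apply` pipes it through `sh -e`, so any failing command stops the rollout before later rules apply on top of a half-built table.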