Hello,

On Thu, 17 Feb 2005, Nguyen Dinh Nam wrote:

> Not enough, my tutorial only discusses CONNMARK on outgoing NEW packets
> in POSTROUTING; if you want to DNAT connections from the internet to some
> computers in your LAN, you must also CONNMARK incoming NEW packets in
> PREROUTING too. I want to keep the tutorial short and simple, so I don't
> write about it; you can consult CONNMARK in PREROUTING in RoutesKeeper's
> source code.
> Lacking CONNMARK in PREROUTING, some of your SYN/ACK packets may be
> DROPed by ISPs.

	That problem should be solved with the "routes" patch; maybe you
know of some issue with this? First packet comes, DNAT selects
manipulations for both directions, packet is routed to the internal host,
reply comes, we route by lsrc (maddr), one of the valid links for maddr
is selected; it can be different if routing allows input and output
routes to use different interfaces (you don't always know the incoming
gateway that remote hosts are using to reach maddr). What "routes" gives
you is correct routing usage for NAT, which is expected from all NAT
users in multipath setups.

> From kernel 2.6.10, CONNMARK is included already, you don't have to
> patch anything.

	I'm happy with that, I just don't see the problems you see with
"routes".

Regards

--
Julian Anastasov <ja@xxxxxx>

_______________________________________________
LARTC mailing list / LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
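The setup the two posters are arguing about, as an added example that is not code from this thread, from RoutesKeeper or from Nguyen Dinh Nam's tutorial: a two-uplink NAT router that CONNMARKs new connections in POSTROUTING (outgoing) and also in PREROUTING (incoming, the DNAT case), so that a reply to a DNATed SYN leaves through the link the SYN arrived on instead of whatever link the default or multipath route picks. The interface names, addresses, fwmark values and routing-table numbers are assumptions; with DRY_RUN=1 (the default) the script only prints the iptables/ip commands it would run.

```shell
#!/bin/sh
# Added example for the LARTC discussion; not code from the thread,
# from RoutesKeeper or from the tutorial it refers to.
# Emits the iptables/iproute2 commands for a two-uplink NAT router that
# CONNMARKs new connections in POSTROUTING (outgoing) AND PREROUTING
# (incoming, e.g. DNATed), so every reply leaves through the link the
# first packet used. Interfaces, addresses, marks and table numbers are
# assumptions. With DRY_RUN=1 (the default) commands are printed, not run.

DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Constructed uplink list: name iface gateway our_public_ip fwmark rt_table
LINKS='isp1 eth1 203.0.113.1 203.0.113.10 1 101
isp2 eth2 198.51.100.1 198.51.100.10 2 102'
WEB_SERVER=192.168.1.10      # assumed LAN host that receives DNATed port 80

gen_rules() {
    # 1. Restore the connection mark onto every incoming packet first, so
    #    the fwmark rules below route established flows consistently
    #    (this also covers the LAN host's reply to a DNATed connection).
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark

    printf '%s\n' "$LINKS" | while read -r name ifc gw pub mark tbl; do
        # 2. Outgoing NEW: the routing decision already picked $ifc,
        #    so record that choice in the connection.
        run iptables -t mangle -A POSTROUTING -o "$ifc" -m conntrack --ctstate NEW \
            -j MARK --set-mark "$mark"
        run iptables -t mangle -A POSTROUTING -o "$ifc" -m conntrack --ctstate NEW \
            -j CONNMARK --save-mark
        # 3. Incoming NEW on this uplink (the DNAT case): remember which
        #    link the SYN arrived on, so the SYN/ACK goes back the same
        #    way. Without this, the reply is routed by the default or
        #    multipath route and may leave via the other ISP.
        run iptables -t mangle -A PREROUTING -i "$ifc" -m conntrack --ctstate NEW \
            -j MARK --set-mark "$mark"
        run iptables -t mangle -A PREROUTING -i "$ifc" -m conntrack --ctstate NEW \
            -j CONNMARK --save-mark
        # 4. SNAT per uplink, plus a per-link routing table selected by fwmark.
        run iptables -t nat -A POSTROUTING -o "$ifc" -j SNAT --to-source "$pub"
        run ip route add default via "$gw" dev "$ifc" table "$tbl"
        run ip rule add fwmark "$mark" table "$tbl"
    done

    # 5. The DNAT itself: port 80 on either uplink goes to the LAN host.
    #    nat/PREROUTING runs after mangle/PREROUTING, so the mark above is
    #    already saved when the destination is rewritten.
    run iptables -t nat -A PREROUTING -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER"
}

gen_rules
```

Run it with DRY_RUN=0 as root to apply the rules. The mangle PREROUTING restore must come before the NEW-marking rules, otherwise an established flow's packets would never pick up their saved mark; and because the mark is restored on the LAN-side reply before the routing decision, the ip rule for that fwmark sends the SYN/ACK out the uplink whose address the client actually connected to.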