I realize I sort of sidestepped your original question and thought it deserved an answer, since it's a legitimate problem after all. You were on the right track; you had the right idea. The functionality is actually fairly new to iptables, I believe. I can't even find it in my man pages; I have to google to get an up-to-date enough man page that has it. You have to change the DMZ rule to this:

    iptables -t mangle -A PREROUTING -i eth0 -d 2.2.2.2 -m conntrack --ctorigsrc ! 192.168.0.0/24 -j MARK --set-mark 1

The addition of this conntrack match will prevent the matching of any packets that are return packets for connections originating from the internal network.

When I negated the ctorigsrc argument on my router at home I was given an error, "no argument following !". This is some sort of bug, perhaps fixed in a later version of the kernel. A simple workaround is these two lines:

    iptables -t mangle -A PREROUTING -i eth0 -d 2.2.2.2 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -i eth0 -d 2.2.2.2 -m conntrack --ctorigsrc 192.168.0.0/24 -j MARK --set-mark 0

The conntrack match is a godsend for me. I've got 6 connections to the internet, and load balancing and NAT set up for the private network. The problem with load balancing and NAT is that you can't initiate a connection on one interface and then switch over to a second interface later on, since the IPs will have to change. The conntrack match allows you to determine which interface the data went out on to start the connection, and to continue using that interface for the rest of the connection. Without it, load balancing and NAT is very complicated.

Now I really hope that covers everything,

Matt

----- Original Message -----
From: "Taylor, Grant" <gtaylor@xxxxxxxxxxxxxxxxx>
Date: Wednesday, June 22, 2005 5:33 pm
Subject: Re: Q: Routing the Same IP simultaneously on different computers ?

> Matt, this is a very interesting idea, along the lines of a
> solution that I did not want to try to get straight in my head.
> The question that I run into is how does the system handle returning
> (outbound) internet traffic from systems not in the DMZ? The way
> that I read and understand your idea, I can't tell how the
> returning traffic will not be sent to the DMZ. Other than that I
> think this idea is a very good one.
>
> The idea that comes to my mind, but sadly will not work as I know
> it, is to use EBTables to bridge the internet and LAN interface
> and use the EBTables brouting table BROUTING chain to decide if
> the traffic should be bridged or not based on a connection
> tracking state, i.e. if the traffic is not related to any outbound
> LAN traffic then bridge the traffic over to the DMZ server; if it
> is related, DROP the traffic in the BROUTING table, which causes it
> to be routed. You would obviously need to have at least an
> aliased interface on the LAN interface to do the routing with.
> But I don't know of any match extension for EBTables that will
> test based on whether or not the NetFilter Connection Tracking
> code has seen the traffic or not. However, I think this would be a
> useful match extension, and guessing, I don't think it would be
> hard to write, though I am not qualified to do so or really speculate.
>
> Grant. . . .

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
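The DMZ marking and the "stay on the interface the connection started on" trick that Matt describes, as an added example that is not part of the original thread: a POSIX sh script for a two-WAN NAT router. Everything in it is an assumption: the interfaces eth0 through eth3, the addresses, gateways, marks and routing-table numbers, the current iptables negation syntax ("! --ctorigsrc", which replaced the "--ctorigsrc !" form the post uses), the "statistic" match for choosing a link for new connections, and the use of the conntrack match's "--ctreplydst" (the SNATed address in the reply tuple) to recover which link an existing connection went out on; that last part is my reading of Matt's description, not a rule from the post. With APPLY unset the script only prints the commands, so it can be reviewed on any machine.

```shell
#!/bin/sh
# Added example, not from the original post: a two-WAN NAT router that
# (a) marks packets arriving for the DMZ address, excluding return traffic of
# LAN-originated connections, and (b) keeps every LAN connection on the WAN
# link its first packet was NATed out of, read back via the conntrack match.
# Every interface, address, gateway, mark and table number is an assumption.
set -eu

WAN1_IF=eth0; WAN1_IP=2.2.2.1; WAN1_GW=2.2.2.254; WAN1_MARK=2; WAN1_TABLE=101
WAN2_IF=eth1; WAN2_IP=3.3.3.1; WAN2_GW=3.3.3.254; WAN2_MARK=3; WAN2_TABLE=102
LAN_IF=eth2;  LAN_NET=192.168.0.0/24
DMZ_IF=eth3;  DMZ_IP=2.2.2.2;  DMZ_MARK=1;      DMZ_TABLE=100

# Print each command instead of running it unless APPLY=1, so the ruleset can
# be reviewed (and checked) on a machine without netfilter or root.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

dmz_rules() {
    # Same idea as the post's DMZ rule: packets entering on the WAN link for
    # the DMZ address are marked, except return packets of connections the
    # LAN originated (their original source lies inside LAN_NET). Current
    # iptables takes the negation in front of the option ("! --ctorigsrc").
    run iptables -t mangle -A PREROUTING -i "$WAN1_IF" -d "$DMZ_IP" \
        -m conntrack ! --ctorigsrc "$LAN_NET" -j MARK --set-mark "$DMZ_MARK"
    # Marked packets are looked up in DMZ_TABLE, which hands them to the DMZ
    # interface instead of whatever the main table says about 2.2.2.0/24.
    run ip route add "$DMZ_IP" dev "$DMZ_IF" table "$DMZ_TABLE"
    run ip rule add fwmark "$DMZ_MARK" table "$DMZ_TABLE"
}

lan_sticky_rules() {
    # For an SNATed connection the reply tuple's destination is the WAN
    # address the first packet left with, so it identifies the link the
    # connection started on; later packets are pinned to that link. The very
    # first packet is not NATed yet (SNAT happens in POSTROUTING), matches
    # neither rule and falls through to the balancing rules below.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        -m conntrack --ctreplydst "$WAN1_IP" -j MARK --set-mark "$WAN1_MARK"
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        -m conntrack --ctreplydst "$WAN2_IP" -j MARK --set-mark "$WAN2_MARK"
    # New connections alternate between the links (statistic match, nth mode);
    # whatever the first rule did not take still carries mark 0.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        -m conntrack --ctstate NEW -m statistic --mode nth --every 2 --packet 0 \
        -j MARK --set-mark "$WAN1_MARK"
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        -m conntrack --ctstate NEW -m mark --mark 0 -j MARK --set-mark "$WAN2_MARK"
    # Per-link SNAT is what records the chosen address in the reply tuple.
    run iptables -t nat -A POSTROUTING -o "$WAN1_IF" -j SNAT --to-source "$WAN1_IP"
    run iptables -t nat -A POSTROUTING -o "$WAN2_IF" -j SNAT --to-source "$WAN2_IP"
    # Policy routing: each mark selects the table holding that link's default.
    run ip route add default via "$WAN1_GW" dev "$WAN1_IF" table "$WAN1_TABLE"
    run ip route add default via "$WAN2_GW" dev "$WAN2_IF" table "$WAN2_TABLE"
    run ip rule add fwmark "$WAN1_MARK" table "$WAN1_TABLE"
    run ip rule add fwmark "$WAN2_MARK" table "$WAN2_TABLE"
}

install_rules() { dmz_rules; lan_sticky_rules; }

# Stand-alone: print the whole ruleset; "APPLY=1 sh multiwan.sh" installs it.
install_rules
```

Order matters in the mangle PREROUTING chain: the two --ctreplydst rules must come before the balancing rules, otherwise an established connection could be re-marked onto the other link mid-stream, which is exactly the failure Matt describes (the NATed source address would change and the remote end would drop the packets).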