On Thursday, 2 March 2006 17:24, Mart Frauenlob wrote:
> Hello newsgroup,
>
> I hope somebody with more routing experience than me can help me with
> the problem I have.
>
> The setup is as described below. A dual internet provider routing,
> multiple local area networks, and a dmz network with one public and
> one private ip range.
> I followed the instructions at lartc.org, and so far everything is
> working. The default route is via 'PROV_STATIC', only packets coming
> from LAN 192.168.111.0/24 are routed via 'PROV_DSL'.
> Now if I want to do network address translation via iptables for
> certain traffic coming into the dsl interface ppp0,
> packets never reach their destination.
> DNAT into DMZ or any of the LANs over the eth0 interface works as
> expected. So for example applying a DNAT rule like:
> 'iptables -t nat -A PREROUTING -i ppp0 -d 217.92.8.242 -p tcp --dport
> 80 -j DNAT --to-destination 62.155.170.254'
> fails.
>
> Same for NAT attempts into the LANs 192.168.112.0/24 and
> 192.168.113.0/24. While DNAT into LAN 192.168.111.0/24 works
> perfectly.
>
> So I think the problem is that traffic from the DMZ and those two
> LANs have the ip rules applied to end up in the table
> 'PROV_STATIC'. Which usually is what I want, but not in this case,
> where I want port or protocol specific traffic to be routed
> differently.
> Is there a way to 'override' the default routing behaviour for i.e.
> http traffic?

yes, mark the traffic with iptables and route them with a higher prio
routing rule differently.

for example:

iptables -t mangle -I PREROUTING ... -j MARK --set-mark 0x01

#insert rule for all marked packets to look at table 100 for routing entries.
ip rule add prio $PRIO fwmark 0x01 table 100

#insert your routing entries for all marked packets into table 100
ip route add <...> table 100
...

$IP must be changed according to your setup. The $PRIO must be changed
so that it takes effect at the right place.
If I understand your problem correctly the prio must be below 32759 and
$IP=all. But I'm not sure if I understand it right.

-- 
Markus Schulz

modprobe windows
modprobe: This module will TAINT the kernel

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
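The mark-and-route approach from the reply above, carried through for the DNAT case in the question, as an added example that is not from either poster. It assumes ppp0 is the DSL link, the DMZ web server 62.155.170.254 sits behind eth0, and the existing rules that send DMZ and LAN traffic to PROV_STATIC have priorities above 1000; CONNMARK (a standard iptables target, not mentioned in the thread) is used so the DMZ host's replies, which enter on eth0, inherit the mark set when the connection arrived on ppp0.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values, adjust to your setup:
DSL_IF=ppp0                 # interface of PROV_DSL
DSL_PUBLIC=217.92.8.242     # public address on the DSL link (from the question)
DMZ_HOST=62.155.170.254     # DMZ web server reached via eth0 (from the question)
MARK=0x1
TABLE=100
PRIO=1000                   # must be lower (evaluated earlier) than the PROV_STATIC rules
DRY_RUN=${DRY_RUN:-0}       # DRY_RUN=1 prints the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# New connections arriving on ppp0 get a connection mark; every later packet of
# that connection, including the DMZ host's replies entering on eth0, gets the
# packet mark restored from it, so the routing rule below sees the mark.
mark_dsl_connections() {
    run iptables -t mangle -A PREROUTING -i "$DSL_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -m connmark --mark "$MARK" \
        -j CONNMARK --restore-mark
}

# The DNAT from the question, unchanged: port 80 on the DSL address goes to the DMZ host.
dnat_http_to_dmz() {
    run iptables -t nat -A PREROUTING -i "$DSL_IF" -d "$DSL_PUBLIC" -p tcp --dport 80 \
        -j DNAT --to-destination "$DMZ_HOST"
}

# Marked packets consult table 100 before the provider rules; table 100 sends
# them back out through ppp0 instead of the PROV_STATIC default.
route_marked_via_dsl() {
    run ip rule add prio "$PRIO" fwmark "$MARK" table "$TABLE"
    run ip route add default dev "$DSL_IF" table "$TABLE"
    run ip route flush cache
}

apply_all() {
    mark_dsl_connections
    dnat_http_to_dmz
    route_marked_via_dsl
}

# Check after applying: the fwmark rule must be listed at $PRIO, ahead of the
# provider rules, and table 100 must hold the ppp0 default route.
verify() {
    ip rule show | grep -q "^$PRIO:.*fwmark $MARK lookup $TABLE" &&
    ip route show table "$TABLE" | grep -q "^default dev $DSL_IF"
}
```

Run with `DRY_RUN=1 sh script.sh` first to review the generated commands; `ip rule show` lists rules in priority order, so the fwmark rule must appear above the rules that select PROV_STATIC for it to win.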