I solved this exact problem (with incoming connections on three different ADSL lines) by marking packets in the PREROUTING chain. Obviously with three different routing tables.

# incoming connections for DNAT to DMZ need to be marked here in PREROUTING
iptables -t mangle -N mymark
iptables -t mangle -F mymark
# first of all RETURN for "local" interfaces
iptables -t mangle -A mymark -i $E0_IF -j RETURN
iptables -t mangle -A mymark -i $DMZ_IF -j RETURN
iptables -t mangle -A mymark -i $VPN_IF -j RETURN
# then mark and save incoming connections from the external universe
iptables -t mangle -A mymark -i $IN_IF -j MARK --set-mark $IN_M
iptables -t mangle -A mymark -i $MC_IF -j MARK --set-mark $MC_M
iptables -t mangle -A mymark -i $TI_IF -j MARK --set-mark $TI_M
iptables -t mangle -A mymark -j CONNMARK --save-mark
# restore mark before ROUTING decision
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
# non marked incoming connections need to be marked (DNAT to DMZ only)
iptables -t mangle -A PREROUTING -m mark --mark 0 -j mymark

On 3/2/07, Alex Samad <alex@xxxxxxxxxxxx> wrote:
On Fri, Mar 02, 2007 at 07:22:13AM +0530, Manish Kathuria wrote:
> On 3/2/07, Tom Lobato <tomlobato@xxxxxxxxx> wrote:
> >
> > Hi all!
> >
> > After that good thread "DGD patch not detecting dead gateway" I was
> > able to set up a Load Balancing with ping based DGD (without Julian
> > Anastasov's patch). But now I'm facing a new problem and tried some
> > options, with only partial solutions.
> >
> > I made a script based on
> > http://www.mail-archive.com/lartc@xxxxxxxxxxxxxxx/msg16257.html (Thank
> > you Manish Kathuria), without Julian A.'s patch, and with routes/rules as
> > described in nano.txt. It works fine, but...
> >
> > The problem: I do DNAT for internet located people to access my LAN
> > machines (VNC, RDP, etc...). It sometimes works, sometimes doesn't work.
> > It appears that the connection from outside can enter, but when reply
> > packets try to get back across the nat machine, it falls into the round
> > robin default route selection to define its gateway. Well, of course,
> > this reply must leave the router via the same interface the initial
> > packets entered through.
> >
> >
> >        vnc initial
> >        request packet         reply that got
> >               \               the wrong route
> >                \                  ^
> >                 \                /
> >                  V              /
> >             isp1   isp2   isp3
> >             _|______|______|__
> >            |                  |
> >            |       dnat       |
> >            |__________________|
> >                    ^
> >                    |
> >                    |
> >                    V
> >            LAN station, the
> >               vnc server
> >
> >
> > What I need is a way to force packets to leave the router via the same
> > interface its request entered through.
> > I'd like to hear opinions about the problem (and also solution =).
> > Remember, I can't apply the DGD patch from J.A. because it only checks
> > the first hop for dead detection.
> > I will appreciate any help.
> >
> > Thank you,
> >
> > Tom Lobato
> >
> > _______________________________________________
> > LARTC mailing list
> > LARTC@xxxxxxxxxxxxxxx
> > http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
> I had overlooked this. I had also faced a similar problem. There are
> two possible solutions, one is to apply Julian's patches because even
> though you are not using the patches for DGD, they do help in making
> NAT processing with multiple gateways work properly.

This sounds exactly like my problem, until I applied Julian's patch. I
would suggest giving it a try.

> The other option
> is to mark the packets using CONNTRACK. There was a good discussion on
> this topic some days back. You can check the thread using the
> following links to the archives:
>
> http://mailman.ds9a.nl/pipermail/lartc/2007q1/020354.html
> http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
>
> --
> Manish Kathuria
> Tux Technologies
> http://www.tuxtechnologies.co.in/
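The PREROUTING/CONNMARK script at the top of this message only does half the job: the marks it saves and restores have to be wired to per-uplink routing tables with ip rule, or the routing decision ignores them. The following script is an added example of that policy-routing side, not code from the original post or from any of the thread's participants. Interface names, gateway addresses, mark values, table numbers and the DMZ/LAN prefixes in it are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: the policy-routing side that the
# PREROUTING/CONNMARK script above relies on. One routing table per uplink, and
# an ip rule that sends packets carrying that uplink's mark through it.
# Interface names, gateways, marks, table numbers and the DMZ/LAN prefixes are
# assumed placeholders; substitute your own.

IN_IF=eth1; IN_GW=192.0.2.1;     IN_M=1; IN_T=101
MC_IF=eth2; MC_GW=198.51.100.1;  MC_M=2; MC_T=102
TI_IF=eth3; TI_GW=203.0.113.1;   TI_M=3; TI_T=103
LOCAL_NETS="10.0.0.0/24 10.0.1.0/24"   # DMZ and LAN prefixes (assumed)

# Print commands instead of running them. This is the default, so the script
# can be reviewed on any host; pass "apply" as the first argument to execute
# them as root.
DRY_RUN=1
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The first packet of a DNAT'd connection is marked in mangle PREROUTING and
# then rewritten to the DMZ address before the routing decision. Without a
# rule in front of the fwmark rules, the default route in the uplink table
# would catch that packet and push it back out the ADSL line instead of into
# the DMZ. Lower priority number = consulted first.
keep_local_in_main() {
    for net in $LOCAL_NETS; do
        run ip rule add to "$net" table main priority 900
    done
}

setup_table() {
    if_=$1; gw=$2; mark=$3; table=$4
    run ip route flush table "$table"
    run ip route add default via "$gw" dev "$if_" table "$table"
    # Must sort before the main-table rule (priority 32766) or it never fires.
    run ip rule add fwmark "$mark" table "$table" priority "$((1000 + table))"
    # Replies leave on whichever uplink the request used, which strict
    # reverse-path filtering treats as spoofing and drops. Loose mode (2)
    # keeps a sanity check; kernels without loose mode need 0.
    run sysctl -w "net.ipv4.conf.$if_.rp_filter=2"
}

setup_all() {
    keep_local_in_main
    setup_table "$IN_IF" "$IN_GW" "$IN_M" "$IN_T"
    setup_table "$MC_IF" "$MC_GW" "$MC_M" "$MC_T"
    setup_table "$TI_IF" "$TI_GW" "$TI_M" "$TI_T"
}

# Returns the full command list as text, regardless of DRY_RUN.
render() { ( DRY_RUN=1; setup_all ); }

if [ "${1:-}" = apply ]; then DRY_RUN=0; fi
setup_all
```

Run it without arguments to review the generated commands, then with `apply` as root. To confirm the wiring afterwards: `ip rule show` should list the `to <prefix> lookup main` rules ahead of the three `fwmark` rules, `ip route show table 101` (and 102, 103) should show only that uplink's default route, `iptables -t mangle -L PREROUTING -v -n` should show the counter on the `CONNMARK restore` rule climbing for reply packets from the DMZ, and `conntrack -L` shows the saved mark on each DNAT'd connection in its `mark=` field. If replies still go out the wrong line, check rp_filter first; it silently drops the asymmetric packets this design depends on.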