On Fri, Mar 02, 2007 at 07:34:34PM +0100, francesco messineo wrote:
> I solved this exact problem (with incoming connections on three
> different adsl) marking packets on PREROUTING chain. Obviously with
> three different routing tables.
>
> # incoming connections for DNAT to DMZ need to be marked here in PREROUTING
> iptables -t mangle -N mymark
> iptables -t mangle -F mymark
> # first of all RETURN for "local" interfaces
> iptables -t mangle -A mymark -i $E0_IF -j RETURN
> iptables -t mangle -A mymark -i $DMZ_IF -j RETURN
> iptables -t mangle -A mymark -i $VPN_IF -j RETURN
> # then mark and save incoming connections from the external universe
> iptables -t mangle -A mymark -i $IN_IF -j MARK --set-mark $IN_M
> iptables -t mangle -A mymark -i $MC_IF -j MARK --set-mark $MC_M
> iptables -t mangle -A mymark -i $TI_IF -j MARK --set-mark $TI_M
> iptables -t mangle -A mymark -j CONNMARK --save-mark
>
> #restore mark before ROUTING decision
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
>
> # non marked incoming connections need to be marked (DNAT to DMZ only)
> iptables -t mangle -A PREROUTING -m mark --mark 0 -j mymark

Hi, I know there was a thread on this method earlier, but has somebody put up a howto or a wiki page on it?

alex
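The quoted mark chain only works together with the per-uplink routing tables and fwmark rules that the reply mentions but does not show. The script below is an added example, not code from either poster: it builds the same mymark/CONNMARK chain and adds one routing table plus one ip rule per uplink, so replies to a connection that arrived on a given uplink leave through that uplink. Interface names, gateways, mark values and table ids are placeholders; commands are printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original posts). Placeholder interface names,
# gateways, marks and table ids; set APPLY=1 to execute instead of print.
APPLY=${APPLY:-0}
LAN_IF=eth0; DMZ_IF=eth2

# print the command in preview mode, run it (as root) in apply mode
run() {
  if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# uplink <iface> <gateway> <mark> <table-id>
# One routing table per uplink, selected by fwmark, and the mangle rule that
# stamps new inbound connections on that uplink with the same mark, so their
# replies are routed back out the interface they came in on.
uplink() {
  _if=$1; _gw=$2; _mark=$3; _tbl=$4
  run ip route replace default via "$_gw" dev "$_if" table "$_tbl"
  run ip rule add fwmark "$_mark" lookup "$_tbl" priority "$((10000 + _tbl))"
  run iptables -t mangle -A mymark -i "$_if" -j MARK --set-mark "$_mark"
}

setup_marks() {
  run iptables -t mangle -N mymark
  run iptables -t mangle -F mymark
  # new connections from internal interfaces stay unmarked (main table);
  # replies from the DMZ still get the saved mark restored in PREROUTING
  for _i in "$LAN_IF" "$DMZ_IF"; do
    run iptables -t mangle -A mymark -i "$_i" -j RETURN
  done
  uplink wan0 198.51.100.1 1 101   # placeholder uplink 1
  uplink wan1 198.51.100.2 2 102   # placeholder uplink 2
  uplink wan2 198.51.100.3 3 103   # placeholder uplink 3
  # remember the mark on the conntrack entry for every later packet
  run iptables -t mangle -A mymark -j CONNMARK --save-mark
  # restore a saved mark before the routing decision; only still-unmarked
  # packets (new connections) are sent through mymark
  run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
  run iptables -t mangle -A PREROUTING -m mark --mark 0 -j mymark
}

setup_marks
```

Run it once without APPLY to review the generated rules; the mark value passed to uplink must be the same one the ip rule matches on, otherwise reply traffic falls back to the main table.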
_______________________________________________ LARTC mailing list LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc