Salim S I wrote:
> NATing is done with MASQUERADE, not SNAT, I use another MARK for it, but
> in essence it is
> -o eth2 -j MASQUERADE
> -o eth3 -j MASQUERADE
> In addition, there are several other MARKs for policy routing. They have
> their own routing tables also. But at present, they are all empty.
This is the part I definitely do not like. First of all - why
SNAT/MASQUERADE _all_ traffic? You should do this for forwarded traffic
only. Like so:
iptables -t nat -A POSTROUTING -s 10.0.58.0/24 -j SOURCE_NAT
iptables -t nat -A POSTROUTING -s 192.168.58.0/24 -j SOURCE_NAT
iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -j SOURCE_NAT
iptables -t nat -A SOURCE_NAT -o $EXTCH -j SNAT --to $EXTCH_IP
iptables -t nat -A SOURCE_NAT -o $EXTCB -j SNAT --to $EXTCB_IP
Also you mention that there are "other marks", which means that you
might very well be overwriting marks as you go. A packet/connection can
have only _one_ mark value at any time, no more no less (a 0x0 is still
a mark).
HTH
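The forwarder-only SNAT layout suggested above, together with one way to keep a NAT mark from clobbering the policy-routing marks (carving the single 32-bit fwmark into masked fields with --set-xmark), as an added example script that is not from the thread or either poster; the interface names, external addresses and mark values are assumed, and the mark-field part goes a step beyond the reply's text. IPTABLES=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the thread). IPTABLES=echo gives a dry run.
IPTABLES="${IPTABLES:-iptables}"

EXTCH=eth2; EXTCH_IP=198.51.100.10     # assumed external link A
EXTCB=eth3; EXTCB_IP=203.0.113.10      # assumed external link B
LAN_NETS="10.0.58.0/24 192.168.58.0/24 192.168.8.0/24"

# fwmark is ONE 32-bit value per packet. Instead of replacing it wholesale
# in every chain, reserve bit fields: low nibble for the policy-routing
# table selector, next nibble for the NAT path. --set-xmark value/mask
# only touches the masked bits, so fields set elsewhere survive.
MARK_RT_MASK=0x0000000f     # assumed: used by the policy-routing rules
MARK_NAT_MASK=0x000000f0
MARK_NAT_CH=0x10
MARK_NAT_CB=0x20

nat_rules() {
    # Only hosts behind the router are source-NATed; traffic the router
    # itself originates never enters SOURCE_NAT.
    $IPTABLES -t nat -N SOURCE_NAT 2>/dev/null || true
    for net in $LAN_NETS; do
        $IPTABLES -t nat -A POSTROUTING -s "$net" -j SOURCE_NAT
    done
    $IPTABLES -t nat -A SOURCE_NAT -o "$EXTCH" -j SNAT --to "$EXTCH_IP"
    $IPTABLES -t nat -A SOURCE_NAT -o "$EXTCB" -j SNAT --to "$EXTCB_IP"
}

mark_rules() {
    # Write only the NAT field; bits under MARK_RT_MASK are left as they were.
    $IPTABLES -t mangle -A PREROUTING -i "$EXTCH" \
        -j MARK --set-xmark "$MARK_NAT_CH/$MARK_NAT_MASK"
    $IPTABLES -t mangle -A PREROUTING -i "$EXTCB" \
        -j MARK --set-xmark "$MARK_NAT_CB/$MARK_NAT_MASK"
}

# Usage: IPTABLES=echo sh thisfile.sh apply   (dry run), or without IPTABLES
# to load the rules. Without the "apply" argument nothing is executed.
if [ "${1:-}" = "apply" ]; then
    nat_rules
    mark_rules
fi
```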
_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc