> > NATing is done with MASQUERADE, not SNAT, I use another MARK for it, but
> > in essence it is
> > -o eth2 -j MASQUERADE
> > -o eth3 -j MASQUERADE
> >
> > In addition, there are several other MARKs for policy routing. They have
> > their own routing tables also. But at present, they are all empty.
> >
>
> This is the part I definitely do not like. First of all - why
> SNAT/MASQUERADE _all_ traffic? You should do this for forwarded traffic
> only. Like so:

Yes, in fact, this is what I do. I mentioned I use MARK for MASQUERADing, but
forgot to elaborate. That particular MARK is set for forwarded packets only.

> Also you mention that there are "other marks", which means that you
> might very well be overwriting marks as you go. A packet/connection can
> have only _one_ mark value at any time, no more no less (a 0x0 is still
> a mark)

I use --or-mark in iptables, so that I can use bitwise masks. The 'ip' tool
supports bit masks too.

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
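An added illustration of the point discussed in this exchange (not code from either poster): there is one mark register per packet, so a masquerade bit and policy-routing bits can only coexist if every rule ORs its bit in (`--or-mark`) and every consumer matches with a mask (`-m mark --mark value/mask`, `ip rule ... fwmark value/mask`); `--set-mark` silently discards whatever was set before. The bit layout, table numbers and interface names are assumptions.

```shell
#!/bin/sh
# Model of the netfilter mark register; bit assignments are assumed for
# this example, not taken from the thread.
MASQ_BIT=1      # bit 0: forwarded connection, masquerade on egress
VIA_ETH2_BIT=2  # bit 1: policy-route through table 102 (out eth2)
VIA_ETH3_BIT=4  # bit 2: policy-route through table 103 (out eth3)

# iptables -j MARK --or-mark VALUE : new mark = old | VALUE
or_mark() { echo $(( $1 | $2 )); }
# iptables -j MARK --set-mark VALUE : new mark = VALUE, old bits lost
set_mark() { echo $(( $2 )); }
# Kernel test behind "-m mark --mark VALUE/MASK" and
# "ip rule add fwmark VALUE/MASK": (mark & MASK) == VALUE
mark_matches() { [ "$(( $1 & $3 ))" -eq "$2" ]; }

# Walk one forwarded packet through a chain that first tags it for
# masquerading and then tags it for the eth2 routing table, using
# either the OR style ("or") or the overwrite style ("set").
classify() {
    m=0
    if [ "$1" = or ]; then
        m=$(or_mark "$m" "$MASQ_BIT"); m=$(or_mark "$m" "$VIA_ETH2_BIT")
    else
        m=$(set_mark "$m" "$MASQ_BIT"); m=$(set_mark "$m" "$VIA_ETH2_BIT")
    fi
    echo "$m"
}

# Succeeds only if both consumers of the register still find their bit:
# the nat rule (-m mark --mark 1/1 -j MASQUERADE) and the policy rule
# (ip rule add fwmark 2/2 table 102).
both_consumers_match() {
    mark_matches "$1" "$MASQ_BIT" "$MASQ_BIT" &&
    mark_matches "$1" "$VIA_ETH2_BIT" "$VIA_ETH2_BIT"
}

# The real rules this model stands for (interfaces/tables assumed). The
# routing bit must be set in PREROUTING, before the route lookup; the
# masquerade bit is set in FORWARD so only forwarded traffic gets it.
print_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING -i eth0 -d 10.2.0.0/16 -j MARK --or-mark 0x2
iptables -t mangle -A FORWARD -j MARK --or-mark 0x1
iptables -t nat -A POSTROUTING -m mark --mark 0x1/0x1 -o eth2 -j MASQUERADE
iptables -t nat -A POSTROUTING -m mark --mark 0x1/0x1 -o eth3 -j MASQUERADE
ip rule add fwmark 0x2/0x2 table 102
EOF
}
```

Run `classify or` and `classify set` to see the difference: the OR style yields mark 3 (both bits), the overwrite style yields 2 and the MASQUERADE rule no longer matches.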