Still seeking feedback... but it seems that also for forward traffic, policy routing does not work as expected. With some simple rules like:

 /sbin/iptables -I lan-inet -i eth0 -o vlan249 -s 10.5.0.0/21 -d 173.194.79.109 -p tcp -m multiport --dports 25,465,587,993,995 -j ACCEPT
 /sbin/iptables -I lan-inet -i eth0 -o vlan249 -s 10.5.0.0/21 -d 173.194.79.109 -p icmp -j icmp-restricted
 /sbin/iptables -t nat -I POSTROUTING -o vlan249 -s 10.5.0.0/21 -d 173.194.79.109 -p tcp -m multiport --dports 25,465,587,993,995 -j SNAT --to 37.186.212.162
 /sbin/iptables -t nat -I POSTROUTING -o vlan249 -s 10.5.0.0/21 -d 173.194.79.109 -p icmp -j SNAT --to 37.186.212.162
 /sbin/iptables -t mangle -I PREROUTING -i eth0 -s 10.5.0.0/21 -d 173.194.79.109 -p tcp -m multiport --dports 25,465,587,993,995 -m mark --mark 0/0x00f0 -j MARK --set-mark 64/0x00f0
 /sbin/iptables -t mangle -I PREROUTING -i eth0 -s 10.5.0.0/21 -d 173.194.79.109 -p icmp -m mark --mark 0/0x00f0 -j MARK --set-mark 64/0x00f0

I verify that the last (mangle) rules get counted, so they apply, but with a routing rule table as:

 root@tank:~# ip rule
 0:      from all lookup local
 32758:  from all fwmark 0x40/0xf0 lookup FWFibra
 32759:  from 37.186.212.162 lookup FWFibra
 32760:  from all fwmark 0x30/0xf0 lookup FWFTTC
 32761:  from 10.5.248.254 lookup FWFTTC
 32762:  from all fwmark 0x20/0xf0 lookup EOLO
 32763:  from 88.147.114.200 lookup EOLO
 32764:  from all fwmark 0x10/0xf0 lookup TI7
 32765:  from 88.37.116.142 lookup TI7
 32766:  from all lookup main
 32767:  from all lookup default

traffic still flows via all the other interfaces, as if the mark is ignored. WHY?!

Thanks.

----- Forwarded message from Marco Gaiarin <gaio@xxxxxxxxx> -----

Date: Fri, 29 Jan 2021 13:22:25 +0100
From: Marco Gaiarin <gaio@xxxxxxxxx>
To: lartc@xxxxxxxxxxxxxxx
Subject: Policy routing and local traffic...

I have used policy routing in forward for some years, balancing traffic on some lines, and also using policy to lock some traffic to a specific line.
But now I need policy routing for locally generated traffic. I have in the ip rule table:

 2760: from all fwmark 0x50/0xf0 lookup FWFIBRA

and in the mangle table, OUTPUT chain:

 16 2281 MARK tcp -- * * 0.0.0.0/0 64.233.184.26 multiport dports 25 MARK xset 0x50/0xf0

The chain is matched correctly, but still it seems it does not work, eg local traffic gets routed randomly on different lines, not on that specific one.

What am I missing? Thanks.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or HEALTH RESEARCH)

----- End forwarded message -----
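A small diagnostic added here, not part of the original thread or of the poster's setup, that replays the mark arithmetic from the two messages above: it parses the `ip rule` dump quoted in the first message, applies `MARK --set-mark value/mask` the way the xset semantics do, and lists which tables a packet with a given source and fwmark would consult. The LAN host 10.5.1.10 used in the usage note is a constructed address inside the 10.5.0.0/21 range from the post.

```python
import re

# The `ip rule` dump quoted in the post above, embedded here as sample input.
IP_RULE_DUMP = """\
0:      from all lookup local
32758:  from all fwmark 0x40/0xf0 lookup FWFibra
32759:  from 37.186.212.162 lookup FWFibra
32760:  from all fwmark 0x30/0xf0 lookup FWFTTC
32761:  from 10.5.248.254 lookup FWFTTC
32762:  from all fwmark 0x20/0xf0 lookup EOLO
32763:  from 88.147.114.200 lookup EOLO
32764:  from all fwmark 0x10/0xf0 lookup TI7
32765:  from 88.37.116.142 lookup TI7
32766:  from all lookup main
32767:  from all lookup default
"""

# prio: from <src> [fwmark <val>[/<mask>]] lookup <table>
RULE_RE = re.compile(r"^(\d+):\s+from (\S+)(?: fwmark (0x[0-9a-f]+)"
                     r"(?:/(0x[0-9a-f]+))?)? lookup (\S+)$", re.I)

def parse_ip_rule(dump):
    """Turn an `ip rule` dump into dicts ordered by priority (lowest first)."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # ignore rule types this tiny parser does not model
        prio, src, val, mask, table = m.groups()
        mark = int(val, 16) if val else None
        # `ip rule` prints no mask when the full 32-bit mark must match
        rules.append({"prio": int(prio), "src": src, "table": table, "mark": mark,
                      "mask": int(mask, 16) if mask else (0xffffffff if val else None)})
    return sorted(rules, key=lambda r: r["prio"])

def set_mark(current, value, mask):
    """MARK --set-mark value/mask (xset): rewrite only the bits inside mask."""
    return (current & ~mask & 0xffffffff) | (value & mask)

def lookup_order(rules, src_ip, fwmark):
    """Tables consulted, in order, for a packet from src_ip carrying fwmark."""
    order = []
    for r in rules:
        if r["src"] not in ("all", src_ip):
            continue
        if r["mark"] is not None and (fwmark & r["mask"]) != r["mark"]:
            continue
        order.append(r["table"])
    return order
```

Calling `lookup_order(parse_ip_rule(IP_RULE_DUMP), "10.5.1.10", set_mark(0, 64, 0xf0))` returns `['local', 'FWFibra', 'main', 'default']`, so a packet that really carries 0x40 in the 0xf0 field should hit FWFibra before main; a mark of 0x50 matches no fwmark rule in this dump and falls through to `['local', 'main', 'default']`. Comparing this expected order against `ip route get <dst> from <src> iif eth0 mark 0x40` on the router is the quickest way to tell whether the mark is really present at routing time.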