Re: policy routing on locally generated packets, ip source address selection, application routing

Hi Charles,
    Obviously alternative = 2 for your case. To make it work there must be a
"bind" call from the local daemons.
    If the bind call is a problem then one is (modified) (B).
(ModB) Here, why are you using POSTROUTING instead of OUTPUT for SNAT?

For ARP and ICMP I'm adding a suggestion, and I say solution (D) ;-)
(D) use arptables for ARP and then use the ROUTE target for ARP/ICMP.

Best of luck
-- Sumit
----- Original Message -----
From: <lartc@manchotnetworks.net>
Sent: Saturday, August 30, 2003 5:06 PM


> hi Sumit,
>
> thanks for your note.
>
> On Sat, 2003-08-30 at 11:37, Sumit Pandya wrote:
>
> <snip>
>
>
> > have you checked with following
> > # ip rule add fwmark 2 table alternative
> i'm using iproute-2.4.7-7 and have no such syntax/keyword, unless you
> are referring to "alternative" as an entry in /etc/iproute2/rt_tables ...
>
> the following script for example, will not work as iptables does not
> respect/use the src ip address as defined in the ip route statement:
>
>
>              +------------------------------+
> lan_a --->   | eth0        alice       eth1 | ----> isp_a
>              |                              |
>              +------------------------------+
>
> here's alice's ifconfig
> eth0   191.168.0.254/24
> eth1   192.168.1.254/24
> eth1:1 192.168.1.100/24
>
> here's alice's default routing table:
> 192.168.0.0/24 dev eth0  scope link
> 192.168.1.0/24 dev eth1  scope link
> 127.0.0.0/8 dev lo  scope link
>
>
>
> iptables --append OUTPUT --table mangle --match owner \
>      --gid-owner 500 --jump MARK --set-mark 0x2
> ip rule add fwmark 0x2 table 2
> ip route add default dev eth1 src 192.168.1.100 table 2
> ip route flush cache
>
> source ip address selection is done in the output routing process which
> occurs before the OUTPUT hook in netfilter, and although a route lookup
> is performed with the mark, the src ip will not change -- iptables only
> allows for src address in POSTROUTING.
>
> i should also note that i just installed iptables-1.2.8-8.80.2 as
> compiled by redhat, and (B) works for tcp/udp/icmp but not arp. i have
> yet to discover why my build at home of 1.2.8 didn't work for icmp ...
> hmmm
>
> <snip>
>
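An added example (not part of this thread) of Sumit's "alternative = 2": the daemon calls bind() on the source address it wants before connect(), which is the one point at which a userspace program, rather than the route lookup, decides the source of locally generated traffic. It assumes a Linux host, where all of 127.0.0.0/8 is local, so 127.0.0.2 stands in for the eth1:1 alias address and a loopback listener plays the remote peer; the function name and the addresses are constructed for the demo.

```python
import socket

# Constructed loopback addresses for this demo. On Linux the whole
# 127.0.0.0/8 block is local, so 127.0.0.2 is a second local address that
# needs no interface configuration. (Assumption: Linux host.)
SERVER_IP = "127.0.0.1"
ALT_SOURCE_IP = "127.0.0.2"


def source_seen_by_server(source_ip=None):
    """Connect to a throwaway loopback listener and report which source
    address the connection really used.

    Returns (client_local_ip, ip_seen_by_server), or None when source_ip
    cannot be bound on this host (e.g. a non-Linux loopback).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((SERVER_IP, 0))        # port 0: kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    if source_ip is not None:
        try:
            # bind() fixes the source address *before* connect() runs the
            # route lookup, so neither a fwmark rule nor a route's 'src'
            # hint can change it afterwards.
            client.bind((source_ip, 0))
        except OSError:                  # address is not local here
            client.close()
            listener.close()
            return None
    try:
        client.connect((SERVER_IP, port))
        # On loopback the handshake completes inside the kernel, so accept()
        # returns at once even though it is called after connect().
        conn, peer = listener.accept()
        conn.close()
        return client.getsockname()[0], peer[0]
    finally:
        client.close()
        listener.close()


if __name__ == "__main__":
    # Without bind() the kernel's route lookup chooses the source (127.0.0.1);
    # with bind() the listener sees the address the program asked for.
    print("no bind  :", source_seen_by_server())
    print("bind alt :", source_seen_by_server(ALT_SOURCE_IP))
```

The first call shows the default behaviour Charles describes: the source is chosen during output routing and nothing done later in the OUTPUT hook touches it. The second call shows what the daemon-side bind() buys. For daemons that cannot be changed to bind, the only remaining place to rewrite the source is after routing, i.e. SNAT in the nat POSTROUTING chain matched on the fwmark.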
