Re: double packet

On Sat, 24 Dec 2005, Marco Berizzi wrote:

> Bill Fink wrote:
> 
> >On Fri, 23 Dec 2005, Marco Berizzi wrote:
> >
> > > However I have had to add another route to the test routing table
> > > (beyond the one you suggested):
> > >
> > > 172.16.1.25 via 172.16.1.1 dev eth2
> > >
> > > (172.16.1.1 is the linux private internal ip address)
> >
> >I'm not clear why this should be necessary, but if it's working that's
> >the main thing.
> 
> >What is the 172.16.1.25 IP address?
> 
> Ahh... 172.16.1.15 system has been shutdown for a fan failure, so I switched
> to the 172.16.1.25 system for the testing purpose.

OK.  Sorry to hear about your system failure.

> > > because linux was putting the echo reply packets with dest ip 172.16.1.25
> > > out of eth0 instead of eth2. I think this is happening because I was
> > > mangling packets with dest 'ADSL NAT IP' as you correctly suggested, in the
> > > following manner:
> > >
> > > iptables -t mangle -I PREROUTING -d 'ADSL NAT IP' -j MARK --set-mark 2
> >
> >Still not clear how that would route packets for 172.16.1.25 out eth0.
> 
> [I believe that if I had written the above rule with the -i eth1 the
> '172.16.1.25 via 172.16.1.1 dev eth2' route would not have been necessary.]

You are correct.  You need to add the "-i eth1" so it doesn't get marked
again the second time the ICMP echo reply packet arrives (via eth0).

> It is also not clear to me why linux is putting the "unSNATed" echo reply
> out eth0, but I think it is marking the echo reply packet coming in from eth0
> with mark 2, so the packet is routed through the test routing table.

Right.  I was trying to figure out why I didn't run into this in my
lab and I think I know why.  In my test routing table, I only had a
host route for the HDSL public network host via the ADSL router IP
out eth0.  The incoming ICMP echo reply packet on eth0 did get marked
during PREROUTING to use the test routing table, but then it got
unSNATed, and the resulting packet to the private host didn't match
anything in my test routing table, so it fell through to the normal
main routing table and was thus sent out eth2 as desired.

In your case, you have a default route in your test routing table,
so after being marked to use the test routing table and unSNATed,
the resultant packet to the private host matches the default route
in your test routing table, and is thus directed out eth0 to your
ADSL router IP, which obviously isn't desired.  You thus needed
to add the explicit route for your private host in your test routing
table to override its default route, and direct it out eth2 as
desired.

> >Likewise wishing you a fabulous Christmas and wonderful New Year!!!
> 
> PS: I didn't wish happy new year because I'm sure I will get in touch soon ;-)

You're right.  :-)

						-Bill
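The routing decision Bill describes above (mark in PREROUTING, un-SNAT, then a lookup in the test table with fallthrough to main), as an added model that is not part of the thread or of Linux itself; it assumes constructed placeholder addresses for the 'ADSL NAT IP' and the ADSL router, and a topology with the private LAN on eth2 and the ADSL router on eth0.

```python
# Model of the echo-reply path discussed in the thread: the reply arrives on
# eth0 addressed to the ADSL NAT IP, may be marked in PREROUTING, is un-SNATed
# to the private host, and is then routed by fwmark.  Added example, not the
# kernel's code.  ADSL addresses below are constructed placeholders.
import ipaddress

ADSL_NAT_IP = "198.51.100.10"    # constructed stand-in for 'ADSL NAT IP'
ADSL_ROUTER = "198.51.100.1"     # constructed ADSL router address
PRIVATE_HOST = "172.16.1.25"     # from the thread
LINUX_PRIVATE_IP = "172.16.1.1"  # from the thread

# Routing tables as (prefix, output interface); most specific prefix wins.
MAIN_TABLE = [("172.16.1.0/24", "eth2"), ("198.51.100.0/24", "eth0")]
TEST_TABLE_DEFAULT_ONLY = [("0.0.0.0/0", "eth0")]              # Marco's table
TEST_TABLE_WITH_HOST_ROUTE = [("0.0.0.0/0", "eth0"),
                              (PRIVATE_HOST + "/32", "eth2")]  # after his fix
TEST_TABLE_BILLS_LAB = [("203.0.113.5/32", "eth0")]   # constructed HDSL host only

def lookup(table, dst):
    """Longest-prefix match; returns the output interface or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best[1] if best else None

def route_echo_reply(in_dev, test_table, mark_rule_in_dev=None):
    """Interface the un-SNATed echo reply leaves on.

    mark_rule_in_dev is the '-i' restriction on the MARK rule; None models
    the rule as posted, which matches on every incoming interface."""
    dst = ADSL_NAT_IP
    # mangle PREROUTING: -d ADSL_NAT_IP [-i <dev>] -j MARK --set-mark 2
    marked = dst == ADSL_NAT_IP and mark_rule_in_dev in (None, in_dev)
    # nat PREROUTING: conntrack reverses the SNAT on the reply
    dst = PRIVATE_HOST
    # ip rule: fwmark 2 -> test table; no match there falls through to main
    if marked:
        dev = lookup(test_table, dst)
        if dev is not None:
            return dev
    return lookup(MAIN_TABLE, dst)

if __name__ == "__main__":
    print("as posted, default route in test table:",
          route_echo_reply("eth0", TEST_TABLE_DEFAULT_ONLY))          # eth0
    print("Bill's lab, host route only:",
          route_echo_reply("eth0", TEST_TABLE_BILLS_LAB))             # eth2
    print("explicit host route added:",
          route_echo_reply("eth0", TEST_TABLE_WITH_HOST_ROUTE))       # eth2
    print("MARK rule restricted with -i eth1:",
          route_echo_reply("eth0", TEST_TABLE_DEFAULT_ONLY, "eth1"))  # eth2
```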