Frantisek Rysanek wrote:
> I know that Netfilter can do seamless stateful filtering of traffic
> returning back through NAT. If I set up two uplinks with a NAT
> "horizon split" on each of them, it shouldn't be a problem to route
> traffic to either interface by merely modifying the default route
> (for manual fail-over), or even by using multiple default routes with
> IPR2 per-flow balancing mechanisms - and I won't create a routing
> loop, as my public outbound source address will always belong to the
> respective ISP, courtesy of the twin NAT outsides.
>
> Now what about *inbound* traffic? Suppose I've got a web server in
> the DMZ. I'm wondering about possible fail-over setups with the two
> ISP uplinks. I could set up two SNAT rules in Netfilter's
> PREROUTING table, one rule for each outside interface, both of them
> pointing to the internal IP address of my web server. This would work
> for the inbound packets, but how would the FW box deal with the
> returning outbound traffic? I know that the Netfilter NAT can observe
> the stateful information for filtering, but will IPR2 be able to
> observe that information for *routing*? Not likely, I'd say. Never
> heard of stateful *routing*. The necessary kernel guts could actually
> be quite similar to the existing IPR2 per-flow balancing stuff, but I
> doubt that this (dual-path stateful routing on NAT return traffic)
> would work somehow seamlessly, out of the box, in the current
> incarnation of IPR2+Netfilter... Obviously I can do without it, but
> it would be a nice final touch :-)
>
> Any ideas are welcome :-)

You probably want CONNMARK combined with routing by fwmark. That allows
you to deal with NAT properly.
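The CONNMARK plus fwmark-routing setup that the reply points at, written out as an added example; it is not part of the original thread and not anyone's production configuration. Interface names, gateway addresses, the DMZ host address and the routing table ids are all placeholders. The first packet of an inbound connection arriving on an uplink gets a connection mark identifying that uplink; every later packet of the connection, including the DMZ host's replies, has the mark copied back onto the packet in mangle PREROUTING (before the routing decision), and an `ip rule ... fwmark` entry sends it out through the same uplink it came in on. The inbound port forward is expressed as DNAT. The script is a dry run by default (it echoes the commands it would run); set `RUN=` to an empty string to execute them as root.

```shell
#!/bin/sh
# Added example: return-path routing for a dual-uplink DMZ server using
# CONNMARK (conntrack mark) + fwmark policy routing. Dry run unless RUN="".
set -eu

RUN=${RUN-echo}                  # RUN="" executes; default echoes the commands
WAN1=${WAN1:-eth1}; WAN1_GW=${WAN1_GW:-203.0.113.1}   # placeholder ISP 1
WAN2=${WAN2:-eth2}; WAN2_GW=${WAN2_GW:-198.51.100.1}  # placeholder ISP 2
WEB=${WEB:-192.168.10.80}        # placeholder DMZ web server
TBL1=101; TBL2=102               # placeholder routing table ids

# Map an uplink interface to the mark value (and table) that belongs to it.
mark_for_uplink() {
  case "$1" in
    "$WAN1") echo 1 ;;
    "$WAN2") echo 2 ;;
    *) echo "unknown uplink: $1" >&2; return 1 ;;
  esac
}

table_for_mark() {
  case "$1" in
    1) echo "$TBL1" ;;
    2) echo "$TBL2" ;;
    *) echo "unknown mark: $1" >&2; return 1 ;;
  esac
}

nat_and_mark_rules() {
  for wan in "$WAN1" "$WAN2"; do
    m=$(mark_for_uplink "$wan")
    # Inbound port forward, one per outside interface, both to the same host.
    $RUN iptables -t nat -A PREROUTING -i "$wan" -p tcp --dport 80 \
      -j DNAT --to-destination "$WEB"
    # New inbound connection on this uplink: stamp the uplink id into the
    # conntrack entry. The mark lives with the connection, not the packet.
    $RUN iptables -t mangle -A PREROUTING -i "$wan" -m conntrack --ctstate NEW \
      -j CONNMARK --set-mark "$m"
  done
  # Any packet of an already-known connection (this includes the web server's
  # replies arriving from the DMZ side): copy the connection mark onto the
  # packet so the routing decision that follows can match on fwmark.
  $RUN iptables -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED \
    -j CONNMARK --restore-mark
}

policy_routes() {
  # One default route per uplink in its own table; fwmark picks the table.
  $RUN ip route add default via "$WAN1_GW" dev "$WAN1" table "$TBL1"
  $RUN ip route add default via "$WAN2_GW" dev "$WAN2" table "$TBL2"
  for m in 1 2; do
    $RUN ip rule add fwmark "$m" table "$(table_for_mark "$m")"
  done
}

# Count the rules the setup would install (useful for a quick sanity check).
rule_count() {
  { nat_and_mark_rules; policy_routes; } | grep -c .
}

nat_and_mark_rules
policy_routes
```

Unmarked traffic (locally originated or outbound from the LAN) falls through to the main table and follows whatever default route or multipath setup is there, so the two mechanisms coexist; only connections that entered via a specific uplink are pinned to it.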