I've now tried it with the mark solution. I've done:

(firewall)
  $IPTABLES -t mangle -A PREROUTING -p tcp --dport smtp -d $MAILSERVER -j MARK --set-mark 1
  $IPTABLES -t nat -A PREROUTING -p tcp --dport smtp -d $MAILSERVER -j DNAT --to-destination $LAN_MAILSERVER:25
(Marked the packet with 1 and prerouted it to the internal mailserver)

(mailserver)
in /etc/iproute2/rt_tables an entry with "201 newip" (I have no idea what 201 stands for and I can't find an answer to this in the Linux 2.4 Advanced Routing HOWTO - can someone point me to the right place?)

then
  ip rule add fwmark 1 table newip
and
  ip route add default via firewall dev eth0 table newip

but it still doesn't work, why?

mfG
Wolfi

On Thu, 2003-07-24 at 08:24, Wolfgang Pichler wrote:
> I am not an expert - but how can I use iproute2 routing by source IP?
> If I understand the whole thing right then the webserver doesn't get the
> IP of the firewall as source IP - it gets the original IP - so - how can
> iproute2 then know which packet was coming from the firewall and which
> packet was coming from the old gateway.
>
> But another thing comes to mind: Wouldn't it be possible to mark the
> packets on the firewall - and then tell iproute2 to route marked packets
> back to the firewall?
>
> mfG
> Wolfi
>
> On Wed, 2003-07-23 at 21:58, George Vieira wrote:
> > You have to use iproute2 to route by source IP and not destination (default gateway).
> >
> > There is an iptables patch in p-o-m which does some funky iproute stuff too but not sure the name.. have a look
> >
> > Thanks,
> > ____________________________________________
> > George Vieira
> > Systems Manager
> > georgev@xxxxxxxxxxxxxxxxxxxxxx
> >
> > Citadel Computer Systems Pty Ltd
> > http://www.citadelcomputer.com.au
> >
> > -----Original Message-----
> > From: Wolfgang Pichler [mailto:madmin@xxxxxxxxxxxxxxxxx]
> > Sent: Thursday, July 24, 2003 6:03 AM
> > To: netfilter@xxxxxxxxxxxxxxxxxxx
> > Subject: backroute problem
> >
> >
> > hi all,
> >
> > we have got new IP addresses - the old ones still exist so that I can
> > migrate them to the new ones.
> >
> > the old IPs are directly assigned to the web/mail server (I know that
> > this isn't good - but I hadn't had a firewall at this time) - now I have
> > a separate firewall which has the new IPs assigned to it.
> >
> > Now I'd like to change the DNS entries so that the traffic goes over the
> > new IPs (a 4 MBit line ;-) ) - the problem I have is:
> >
> > when a packet on the new IP comes then it gets prerouted by the firewall
> > to the webserver - the webserver gets the packet with the original
> > source address - now the webserver wants to answer the packet - but
> > because of the old IPs the webserver has a default route with the old
> > IP and tries to route the packet over the old gateway - and not back to
> > the firewall... You know - that can't work.
> >
> > I am now searching for a solution for this problem. Can netfilter help
> > me with this problem - or do I have to use iproute (I haven't ever done
> > anything with iproute) help me?
> >
> > Can I mark the packets so that the webserver can send them back in the
> > right direction?
> >
> > mfG
> > Wolfi
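As an added example (not from anyone in the thread), this is the server-side policy routing that "route by source IP" refers to: after the firewall's DNAT the connection is addressed to the server's LAN IP, so its replies carry that LAN IP as source, and a rule on that source sends them back via the firewall while traffic on the old public IP keeps the old default route. A netfilter mark set on the firewall stays inside that host and is not transmitted on the wire, so a fwmark rule on the server has nothing to match. The addresses 192.168.0.25 (server LAN IP) and 192.168.0.1 (firewall LAN IP) and the APPLY switch are assumed; table 201/newip and eth0 come from the thread.

```shell
#!/bin/sh
# Return routing for a DNAT target (added example, not from the thread).
# Assumed addresses: server LAN IP 192.168.0.25, firewall LAN IP 192.168.0.1.
# Commands are printed by default; set APPLY=1 (as root) to execute them.

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Register the table name once. 201 is just an unused table id (1-252 are
# free); the kernel only sees the number, the name is a convenience for ip(8).
add_rt_table() {
    table_id="$1"; table_name="$2"; rt_tables="${3:-/etc/iproute2/rt_tables}"
    if [ "${APPLY:-0}" != 1 ]; then
        echo "echo '$table_id $table_name' >> $rt_tables"
    elif ! grep -q "^$table_id[[:space:]][[:space:]]*$table_name\$" "$rt_tables" 2>/dev/null; then
        echo "$table_id $table_name" >> "$rt_tables"
    fi
}

# After DNAT the connection is addressed to the LAN IP, so the server's replies
# carry the LAN IP as *source*. Only those are routed via the firewall; packets
# sourced from the old public IP keep the main table's default route and still
# leave through the old gateway. A fwmark set on the firewall cannot be used
# here: the mark lives in that host's skb and is not carried on the wire.
configure_return_route() {
    lan_ip="$1"; firewall_ip="$2"; dev="$3"; table="$4"
    run ip rule add from "$lan_ip" lookup "$table" priority 1000
    run ip route add default via "$firewall_ip" dev "$dev" table "$table"
    run ip route flush cache   # 2.4 kernels cache lookups; force a fresh decision
}

# Ask the kernel which gateway a reply from the LAN IP would take;
# 203.0.113.10 is a constructed client address (TEST-NET-3).
verify_return_route() {
    run ip route get 203.0.113.10 from "$1"
}

main() {
    add_rt_table 201 newip
    configure_return_route 192.168.0.25 192.168.0.1 eth0 newip
    verify_return_route 192.168.0.25
}

main "$@"
```

Running it without APPLY prints the exact commands so they can be reviewed before they touch a live router; `ip route get ... from <LAN IP>` afterwards should show the firewall as gateway.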