I do not have much time, but I'll give you my first thought about your problem.

On Mon 15/09/2003 at 12:28, Matthieu Turpault wrote:
> The problem is that I can't connect from the internal network to
> an ftp server of the net. In fact, I can connect to an ftp server
> of the net but the "ls" command fails most of the time (1/3).
> I use passive mode.

I think the command connection and the data connection are not routed through the same ISP and thus are received by the FTP server from 2 different IPs, which means the data connection SYN is dropped. This supposes you are load balancing using some round-robin-like stuff, such as the nth match (I really do not have time to examine your script now), and that 1/3 of the time the data connection is set up with the correct IP as source.

> If I add the route by the command
> ip route add <@ftpServer> via <@GATEWAY_ISP2>
> it is OK

This tends to confirm the above. You should investigate this routing stuff.

Btw, you should use the CONNMARK target instead of the MARK target to have your packets marked.

cbr@elendil:~$ iptables -j CONNMARK --help
iptables v1.2.8
[...]
CONNMARK target v1.2.8 options:
  --set-mark value              Set conntrack mark value
  --save-mark                   Save the packet nfmark on the connection
  --restore-mark                Restore saved nfmark value

The connmark is a mark you set for the whole connection. This means that once you've set a mark on a packet, every following packet identified by the conntrack engine as belonging to the same connection (ESTABLISHED or RELATED) is marked with the same value. You also have the corresponding match, connmark. With --save-mark and --restore-mark you can switch between nfmark (MARK/mark target and match) and connmark. See:
http://www.netfilter.org/documentation/pomlist/pom-extra.html#CONNMARK

This means you're sure that the data connection is marked the same way as the corresponding command connection, and thus is routed the same way.

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE
FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
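A ruleset that puts the advice above into practice, added here as an illustration and not taken from the original thread: the connection is marked once, conntrack carries the mark, and the FTP helper makes the data connection RELATED so it inherits the same mark and the same route. Interface names, table numbers and gateway addresses are assumed placeholders, and the in-tree statistic match stands in for the nth match mentioned in the post.

```sh
#!/bin/sh
# Added example (not from the original post): per-connection ISP selection
# with CONNMARK, so an FTP data connection follows its control connection.
# Interface names, table numbers and gateways are placeholders; RUN=echo
# turns every command into a dry-run print instead of executing it.
RUN="${RUN:-}"
LAN=eth0; ISP1=eth1; ISP2=eth2
GW_ISP1=192.0.2.1        # placeholder gateway of ISP1
GW_ISP2=198.51.100.1     # placeholder gateway of ISP2

# One routing table per ISP, selected by the packet's fwmark.
setup_routes() {
    $RUN ip route add default via "$GW_ISP1" dev "$ISP1" table 101
    $RUN ip route add default via "$GW_ISP2" dev "$ISP2" table 102
    $RUN ip rule add fwmark 1 table 101
    $RUN ip rule add fwmark 2 table 102
}

# The FTP helper makes the data connection RELATED to the control
# connection; the new conntrack entry then inherits the master's mark.
load_ftp_helper() {
    $RUN modprobe nf_conntrack_ftp 2>/dev/null || $RUN modprobe ip_conntrack_ftp
}

setup_marks() {
    # 1. Copy the saved connection mark (if any) back onto the packet.
    $RUN iptables -t mangle -A PREROUTING -i "$LAN" -j CONNMARK --restore-mark
    # 2. Only still-unmarked packets (first packet of a new connection)
    #    are balanced: every 2nd new connection goes to ISP2, the rest
    #    to ISP1. The statistic match is the in-tree successor of nth.
    $RUN iptables -t mangle -A PREROUTING -i "$LAN" -m mark --mark 0 \
        -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 2
    $RUN iptables -t mangle -A PREROUTING -i "$LAN" -m mark --mark 0 \
        -j MARK --set-mark 1
    # 3. Persist the packet mark on the connection for all later packets.
    $RUN iptables -t mangle -A PREROUTING -i "$LAN" -j CONNMARK --save-mark
}

# SNAT per uplink, so the source address matches the interface actually used.
setup_nat() {
    $RUN iptables -t nat -A POSTROUTING -o "$ISP1" -j MASQUERADE
    $RUN iptables -t nat -A POSTROUTING -o "$ISP2" -j MASQUERADE
}

# Apply everything in order when run as "sh script.sh apply" (needs root).
if [ "${1:-}" = "apply" ]; then
    setup_routes; load_ftp_helper; setup_marks; setup_nat
fi
```

Rule order in setup_marks matters: restore-mark must come before the balancing rules, otherwise a later packet of an already-marked connection would be re-balanced, which is exactly the failure the post describes.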