On Tuesday 30 March 2004 10:06 pm, Cody Harris wrote:

> On Tue, 30 Mar 2004 21:50:40 +0100, Antony Stone wrote:
> >
> > Okay. You want a VPN (I use http://www.freeswan.org), a simple IP tunnel
> > (http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.tunnel.ip-ip.html), or
> > else some clever DNAT rules one end, and SNAT rules the other.
>
> So I *can't* simply mark a packet with a flag that the other one can see?

No. The MARK is not a part of the actual packet or header - it's just something that netfilter associates with the packet whilst it's processing it. Once the packet leaves the box, it's just a plain packet again, and the MARK is gone.

> What if I change the TTL to something like 1000 and match it with a rule on
> the other end (to weed out any other instances of this).

Well, the TTL field is only 8 bits, so the maximum value is 255 :)

But anyway, you're trying to make custard by boiling a chicken. It's just the wrong way to approach the problem. Netfilter is a firewall, and it can also do a bit of NATting. It's bad enough when people try to make it do (local) routing, let alone attempt to convert it into a VPN.

There are other ways to do what you want, and the IP tunnel solution is not at all complicated (however it is not at all secure, either - packets are transferred across the Internet between the two networks with no encryption or other attempt to hide the contents).

Regards,

Antony.

-- 
Success is a lousy teacher. It seduces smart people into thinking they can't lose. - William H Gates III

Please reply to the list; please don't CC me.
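As an added illustration of the two points in this reply (not code from the thread or from any of the linked projects): the IPv4 header has no field where a netfilter MARK could travel, the TTL is one byte so 1000 cannot be encoded, and an IP-in-IP tunnel carries the inner packet in clear, so any host on the path can read its addresses and payload. The addresses and payload are constructed sample values from documentation ranges; the checksum is left zero for brevity.

```python
import socket
import struct

IPPROTO_IPIP = 4   # protocol number for IP-in-IP encapsulation (RFC 2003)
IPPROTO_UDP = 17

IPV4_HDR = "!BBHHHBBH4s4s"   # 20-byte fixed header, no options


def ttl_fits(ttl):
    """TTL is packed with '!B': a single byte, so only 0..255 is representable."""
    return 0 <= ttl <= 255


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Build a minimal IPv4 datagram. There is no slot for a firewall mark."""
    if not ttl_fits(ttl):
        raise ValueError("TTL is an 8-bit field; valid range is 0..255")
    total_len = 20 + len(payload)
    header = struct.pack(IPV4_HDR, 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def parse_ipv4(buf):
    """Parse the fixed IPv4 header; return its fields and the payload bytes."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "payload": buf[ihl:total_len]}


def unwrap_ipip(buf):
    """Peel one IP-in-IP layer. Anyone who can see the packet can do this."""
    outer = parse_ipv4(buf)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return outer, parse_ipv4(outer["payload"])


# Constructed sample: a private-network datagram tunnelled between two
# public tunnel endpoints (documentation addresses, not real hosts).
INNER = build_ipv4("10.0.1.5", "10.0.2.7", IPPROTO_UDP, b"hello")
TUNNELLED = build_ipv4("203.0.113.1", "198.51.100.2", IPPROTO_IPIP, INNER)

if __name__ == "__main__":
    outer, inner = unwrap_ipip(TUNNELLED)
    print("outer:", outer["src"], "->", outer["dst"], "proto", outer["proto"])
    print("inner:", inner["src"], "->", inner["dst"], "payload", inner["payload"])
    print("TTL 1000 representable:", ttl_fits(1000))
```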