Re: owner based routing

On Tue, 11 Oct 2005, Ignatich wrote:

> Since ipt_owner does not work in PREROUTING chain and fwmark is
> pointless, I thought that ipt_ROUTE from p-o-m can help me.

Using ipt_owner in PREROUTING is pointless as PREROUTING never sees any packets sent by a local application.

PREROUTING sees packets coming in from the network before any decision on what to do with the packet has been made.

ipt_owner can be used in OUTPUT/INPUT only (at least I think it can be used in INPUT, maybe not..).

CONNMARK may be what you are looking for. Allows you to mark the connection in OUTPUT and then reuse this mark in PREROUTING when packets come back on the same connection.

> Here's what I did:
>
> iptables -t mangle -A OUTPUT -o eth0 -m owner --gid-owner adsl -j
> ROUTE --gw x.x.x.x --oif eth1
>
> But it did not work. I believe this happened because matched packets
> still had z.z.z.z as their source address.

You need to SNAT/MASQUERADE them.

> So I tried that:
>
> iptables -t mangle -A OUTPUT -o eth0 -m owner --gid-owner adsl -j
> ROUTE --gw x.x.x.x --oif eth1 --continue
> iptables -t nat -A POSTROUTING -o eth1 -m owner --gid-owner adsl -j
> SNAT --to-source y.y.y.y

Any specific reason why you have the owner match in POSTROUTING? Shouldn't all traffic going out on eth1 be NAT'ed?

Note: You generally also need to use policy routing to keep this traffic on eth1.

Regards
Henrik
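The following script is an added example, not part of the thread above, that puts Henrik's three suggestions together: mark the group's traffic in OUTPUT and save the mark on the connection (CONNMARK), restore it in PREROUTING for reply packets, route by mark with `ip rule` instead of ipt_ROUTE, and SNAT everything leaving eth1. The addresses `x.x.x.x` and `y.y.y.y`, the group `adsl` and the interfaces come from the thread; the mark value `0x1` and routing table `100` are assumptions. It prints the commands by default (`DRY_RUN=1`) and only applies them when run as root with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example (not from the original thread): owner-based routing with
# MARK/CONNMARK + policy routing + SNAT, replacing the ipt_ROUTE target.
# Placeholders from the thread: x.x.x.x (gateway on eth1), y.y.y.y (source
# address on eth1), group "adsl". Mark 0x1 and table 100 are assumed values.

ADSL_IF="eth1"        # interface the group's traffic should leave on
ADSL_GW="x.x.x.x"     # placeholder gateway reachable via eth1
ADSL_SRC="y.y.y.y"    # placeholder address assigned to eth1
ADSL_GROUP="adsl"     # unix group whose processes should use the ADSL link
MARK="0x1"            # assumed fwmark value
TABLE="100"           # assumed routing table number

# DRY_RUN=1 (default) prints each command instead of executing it,
# so the script can be reviewed without root or a live netfilter stack.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

owner_routing_rules() {
    # 1. Locally generated packets owned by the group get the mark.
    #    The kernel re-runs the route lookup after mangle OUTPUT when the
    #    mark changes, so the ip rule below takes effect for these packets.
    run iptables -t mangle -A OUTPUT -m owner --gid-owner "$ADSL_GROUP" \
        -j MARK --set-mark "$MARK"
    # 2. Remember the mark on the conntrack entry for the whole connection.
    run iptables -t mangle -A OUTPUT -m mark --mark "$MARK" \
        -j CONNMARK --save-mark
    # 3. Replies arriving from the network never pass the owner match
    #    (PREROUTING has no owner), so copy the saved mark back onto them.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # 4. Policy routing: marked packets use a table whose default route
    #    points out of eth1; this keeps the traffic on eth1 both ways.
    run ip rule add fwmark "$MARK" table "$TABLE"
    run ip route add default via "$ADSL_GW" dev "$ADSL_IF" table "$TABLE"
    run ip route flush cache
    # 5. Everything leaving eth1 gets eth1's address as source; no owner
    #    match is needed here, the interface already identifies the traffic.
    run iptables -t nat -A POSTROUTING -o "$ADSL_IF" \
        -j SNAT --to-source "$ADSL_SRC"
}

# Stand-alone run: prints the rule set (or applies it when DRY_RUN=0).
owner_routing_rules
```

The owner match appears exactly once, in mangle OUTPUT; the nat rule keys on the outgoing interface alone, which is the point Henrik raises about the POSTROUTING rule. Without the `ip rule`/`ip route` pair the marked packets would still follow the main table and leave on eth0 with the wrong source address, which is the failure mode described in the thread.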


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux