On 03/01/2006 07:33 AM, Tommy W wrote:
> Hi
> I'm having some trouble with getting my port forwarding to work.
> Basically what I do is check for destination IP and port; if they match my
> server's, then DNAT to the correct box.
> This works perfectly, unless the request is done on the "wrong" interface,
> meaning if a request comes in on my secondary interface.
> I take it that ALL SENT to the GATEWAY will be redirected to the correct BOX
> BEHIND, but it's when the BOX BEHIND starts talking back that it goes out on the
> standard interface instead of the secondary.
> I use --set-mark 0x2 in the mangle table for getting traffic out on the
> secondary interface.

The solution here is to remember that a connection was initiated on the
secondary, and set the mark on replies so that they go out the secondary.
I've had success doing this with something like this:

# Tag connections that arrive on the secondary interface with connmark 0x2
iptables -t mangle -A PREROUTING -i $BOSTREAMIF -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x2
# Copy the connmark back onto reply packets coming from the inside, so the
# existing fwmark 0x2 routing rule sends them out the secondary interface
iptables -t mangle -A PREROUTING -i $INTIF -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
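The full setup the reply sketches, as an added example that is not part of the original thread: the two CONNMARK rules, the policy-routing rule and table that actually act on fwmark 0x2, and the DNAT from the question on both uplinks. Interface names (eth0/eth1/eth2), the next-hop address, the server address, port and table number are all assumptions chosen for illustration; the script prints the commands by default (DRY_RUN=1) so the rule set can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example, not from the original posters. Replies to connections that
# arrived on the secondary uplink are routed back out that uplink by carrying
# the ingress interface in the conntrack mark. All names below are assumptions.

WANIF="${WANIF:-eth0}"            # primary uplink (assumed)
WAN2IF="${WAN2IF:-eth1}"          # secondary uplink, the "wrong" interface (assumed)
INTIF="${INTIF:-eth2}"            # LAN side, where the DNAT target lives (assumed)
WAN2GW="${WAN2GW:-203.0.113.1}"   # next hop on the secondary uplink (constructed, TEST-NET-3)
SERVER="${SERVER:-192.168.1.10}"  # box behind the gateway (constructed)
PORT="${PORT:-80}"
MARK=0x2                          # same mark the question already uses
TABLE=2                           # routing table holding the secondary default route

# DRY_RUN=1 (default) prints each command instead of executing it.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

gen_rules() {
    # 1. Remember, in conntrack, that the connection came in on the secondary uplink.
    run iptables -t mangle -A PREROUTING -i "$WAN2IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK"
    # 2. Reply packets from the LAN inherit that connmark as their packet mark.
    #    Only ESTABLISHED/RELATED traffic is touched, so connections the LAN
    #    itself opens keep using the main routing table.
    run iptables -t mangle -A PREROUTING -i "$INTIF" -m conntrack --ctstate ESTABLISHED,RELATED \
        -j CONNMARK --restore-mark
    # 3. Marked packets are looked up in a table whose default route leaves via
    #    the secondary uplink. The table must be populated before the rule is useful.
    run ip route replace default via "$WAN2GW" dev "$WAN2IF" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
    # 4. The port forwarding from the question, applied on both uplinks. Reply
    #    packets are un-NATed by conntrack, so no SNAT is needed for them.
    for ifc in "$WANIF" "$WAN2IF"; do
        run iptables -t nat -A PREROUTING -i "$ifc" -p tcp --dport "$PORT" \
            -j DNAT --to-destination "$SERVER:$PORT"
    done
}

gen_rules
```

Run it once with DRY_RUN=0 as root; `ip rule add` is not idempotent, so check `ip rule show` (or `ip rule del fwmark 0x2 table 2` first) before re-running, and on older kernels follow it with `ip route flush cache` so the new rule takes effect for existing cache entries.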