On Sun, Apr 09, 2006 at 08:30:58PM +0200, richard lucassen wrote:
> On Sun, 9 Apr 2006 15:56:02 +0200
> Jeroen Elebaut <jeroen@xxxxxxxxxxx> wrote:
>
> > I had a similar problem with our setup. The problem is I think that
> > the routing decision on the linux box is made before the address in
> > the packet is changed back to 1.2.3.3. So it doesn't use the source
> > policy routing entry. I solved this by using the connmark module from
> > iptables and then do routing based on the mark. The following should
> > work in your setup:
> >
> > iptables -t mangle -I PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
> > iptables -t mangle -I PREROUTING -i eth1 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
> >
> > ip rule add fwmark 1 lookup eth1_up
>
> I already found out this:
>
> iptables -t mangle -A PREROUTING -i eth1 -d 192.168.201.3 \
>     -j CONNMARK --set-mark 1
>
> iptables -t mangle -A PREROUTING -i eth2 -s 10.0.2.1 \
>     -j CONNMARK --restore-mark
>
> > This will route everything that entered via eth1 back via eth1.
>
> And indeed that was the solution. Thnx!
>
> R.

Are the kernel patches from here http://www.ssi.bg/~ja/ the ones that fix this problem as well?

> --
> ___________________________________________________________________
> It is better to remain silent and be thought a fool, than to speak
> aloud and remove all doubt.
>
> +------------------------------------------------------------------+
> | Richard Lucassen, Utrecht                                        |
> | Public key and email address:                                    |
> | http://www.lucassen.org/mail-pubkey.html                         |
> +------------------------------------------------------------------+
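The approach discussed in the thread (mark the connection when it arrives on an uplink, restore the mark in PREROUTING, route on `fwmark`), generalized to several uplinks as an added example that is not part of any message in the thread. Interface names, gateways, marks and numeric table ids are constructed sample values, and the script only prints the commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names, gateways, marks and
# table ids fed to setup() are constructed sample values.
# Dry run by default: commands are printed; set APPLY=1 to execute as root.

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# check_config reads "IFACE GATEWAY MARK TABLE" lines on stdin and fails on
# a mark that is zero, non-numeric or reused: mark 0 means "unmarked", and a
# shared mark would send two uplinks' replies through one table.
check_config() {
    seen=" "
    while read -r iface gw mark table; do
        [ -n "$table" ] || { echo "bad line: $iface $gw $mark" >&2; return 1; }
        [ "$mark" -gt 0 ] 2>/dev/null || { echo "bad mark: $mark" >&2; return 1; }
        case "$seen" in *" $mark "*) echo "duplicate mark: $mark" >&2; return 1 ;; esac
        seen="$seen$mark "
    done
}

setup() {
    cfg=$(cat)
    printf '%s\n' "$cfg" | check_config || return 1
    # Later packets of a tracked connection: copy connmark -> packet mark in
    # PREROUTING, so the mark is present when the routing rules are consulted.
    run iptables -t mangle -A PREROUTING -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
    printf '%s\n' "$cfg" | while read -r iface gw mark table; do
        # First packet of a connection arriving on this uplink: remember it.
        run iptables -t mangle -A PREROUTING -i "$iface" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$mark"
        # Marked replies use a table whose default route leaves via this uplink.
        run ip route add default via "$gw" dev "$iface" table "$table"
        run ip rule add fwmark "$mark" lookup "$table"
    done
}

# Constructed sample: two uplinks (documentation address ranges).
setup <<'EOF'
eth1 192.0.2.1 1 101
eth3 198.51.100.1 2 102
EOF
```

Validation runs over the whole configuration before any command is emitted, so a bad mark never leaves a half-applied rule set.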