Re: Multi ISP router/firewall ...

On Mar 28 2007 14:21, Ray Leach wrote:
>
>The problem was that reverse path filtering had to be enabled on the
>eth4 interface. All my other interfaces have reverse path filtering
>disabled, so what's the difference with this one?

I suspect something, hence please try

>> > >iptables -A FORWARD -i eth0 -p tcp --dport 80 -s 10.0.0.3 -j ACCEPT
>> > >iptables -A FORWARD -i eth4 -p tcp --sport 80 -d 10.0.0.3 -j ACCEPT
>> > >
>> > >iptables -A FORWARD -t mangle -p tcp --dport 80 -s 10.0.0.3 -j MARK
>> > >--set-mark 0x4

iptables -t mangle -A PREROUTING/FORWARD -i eth4 -p tcp --sport 80 -d 10.0.0.3
-j MARK --set-mark 0x4

with rp_filter=1 again.

I believe the reverse route stuff does not get it, because return packets are
not marked. Or, I'd also suggest

iptables -t mangle -A FORWARD -m conntrack --ctstate NEW
-s 10.0.0.3 -p tcp --dport 80 -j CONNMARK --set-mark 4;
iptables -t mangle -A FORWARD -j CONNMARK --restore-mark;

(Or use nat's PREROUTING for the initial CONNMARK - many ways of doing things)


Jan
-- 
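The CONNMARK approach Jan sketches above, written out as a complete script. This is an added example, not code from the list post: it marks the connection once on its first packet (before routing, in the mangle PREROUTING chain), restores that mark onto every packet of the flow so the replies arriving on eth4 carry it too, and routes marked packets through a table whose default route is eth4. The interfaces and the client address come from the thread; the eth4 gateway (192.0.2.1), the table number, the mark value and the src_valid_mark sysctl (which lets strict rp_filter honour the mark on kernels that have it) are assumptions, not part of the original message.

```shell
#!/bin/sh
# Added example, not code from the list post: CONNMARK-based policy routing
# for the 10.0.0.3 -> port 80 flow so that rp_filter can stay enabled on eth4.
# Interfaces and client address follow the thread; the gateway, table number,
# mark value and the src_valid_mark sysctl are constructed assumptions.

LAN_IF=eth0
ISP_IF=eth4
ISP_GW=192.0.2.1   # constructed placeholder: the second ISP's gateway
CLIENT=10.0.0.3
MARK=4
TABLE=4

# run CMD...: execute it, or only print it when DRY_RUN=1, so the rule set
# can be reviewed (and tested) without root on a live router
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Mark the connection once, on its first packet, before the routing decision;
# then copy the connection mark back onto every packet in both directions.
mangle_rules() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$CLIENT" \
        -p tcp --dport 80 -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK"
    # replies entering on eth4 belong to the same conntrack entry, so they
    # receive the same fwmark here without a separate --sport 80 rule
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
}

# Send marked packets through a table whose default route is eth4. With
# src_valid_mark set (assumed available, kernel 2.6.33 and later), the strict
# reverse path check for replies is done with the mark, so it finds eth4.
policy_routing() {
    run ip route replace default via "$ISP_GW" dev "$ISP_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" table "$TABLE"
    run sysctl -w "net.ipv4.conf.$ISP_IF.src_valid_mark=1"
    run sysctl -w "net.ipv4.conf.$ISP_IF.rp_filter=1"
}

# The FORWARD accepts from the original post, same intent.
filter_rules() {
    run iptables -A FORWARD -i "$LAN_IF" -p tcp --dport 80 -s "$CLIENT" -j ACCEPT
    run iptables -A FORWARD -i "$ISP_IF" -p tcp --sport 80 -d "$CLIENT" -j ACCEPT
}

build_all() {
    mangle_rules
    policy_routing
    filter_rules
}

# Usage:  sh multi-isp.sh print   (review the generated rules, no root needed)
#         sh multi-isp.sh apply   (run as root on the router)
case "${1:-}" in
    print) DRY_RUN=1 build_all ;;
    apply) build_all ;;
esac
```

Running it with `print` first is the habit worth keeping: the output is the exact rule set that `apply` would load, and a wrong mark or table number is far easier to spot there than after a remote router has lost its reverse path.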

