Hi list,

After diving into CONNMARK and FWMARK for several days and after reading, among others:

http://lists.netfilter.org/pipermail/netfilter/2007-June/069148.html
http://securepoint.com/lists/html/LARTC/2007-05/msg00057.html
http://mailman.ds9a.nl/pipermail/lartc/2006q2/018964.html
http://www.lugmen.org.ar/pipermail/lug-list/2006-April/041078.html
http://lartc.org/howto/lartc.rpdb.multiple-links.html#AEN268

I really get confused.

What I would like to do:

                 eth1 (wan1)
                     |
  eth0 (local) -- firewall
                     |
                 eth2 (wan2)

A simple load balance with Debian Etch 4.0.

#route
#####################
# Create the extra routing tables once. Check rt_tables itself, not the
# rule list, so the entries are not appended again on every run.
if ! grep -q Pref0 /etc/iproute2/rt_tables ; then
    echo "200 Pref0"    >> /etc/iproute2/rt_tables
    echo "201 Equalize" >> /etc/iproute2/rt_tables
    echo "202 Pref2"    >> /etc/iproute2/rt_tables
fi

ip route flush table Pref0
ip route add table Pref0 default via 200.207.125.65

ip route flush table Equalize
# The nexthops must be the gateways on each link, not the firewall's own
# addresses: 200.207.125.76 is the SNAT address on eth1 and cannot be a next hop.
ip route add table Equalize default \
    nexthop via 200.207.125.65 weight 1 \
    nexthop via 201.6.110.1 weight 1

ip route flush table Pref2
ip route add table Pref2 default via 201.6.110.1

#Add the rules matching marks to lookup tables
if ! ip rule list | grep -q Pref0 ; then
    ip rule add fwmark 200 table Pref0
    ip rule add fwmark 201 table Equalize
    ip rule add fwmark 202 table Pref2
fi

ip route flush cache
################################

------cut----------
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to 200.207.125.76
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to 201.6.110.223

#first line in PREROUTING will pull out the existing mark on the connection for the packet
iptables -t mangle -A PREROUTING -i eth0 -j CONNMARK --restore-mark

#only packets that still carry mark 0 (new connections) get classified
iptables -t mangle -A PREROUTING -i eth0 -p tcp -d 202.28.213.163 --dport 3666 -m mark --mark 0 -j MARK --set-mark 202
iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 80 -m mark --mark 0 -j MARK --set-mark 202
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 3666 -m mark --mark 0 -j MARK --set-mark 200

#Equalize HTTP Traffic with mark 201
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -m mark --mark 0 -j MARK --set-mark 201

#mark all packets sent out an interface with the proper interface preference mark (if it's been equalized)
iptables -t mangle -A POSTROUTING -o eth1 -m mark --mark 201 -j MARK --set-mark 200
iptables -t mangle -A POSTROUTING -o eth2 -m mark --mark 201 -j MARK --set-mark 202
iptables -t mangle -A POSTROUTING -o eth1 -j MARK --set-mark 200
iptables -t mangle -A POSTROUTING -o eth2 -j MARK --set-mark 202

#the last line in POSTROUTING is the magic statement that stores the mark associated with the connection.
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
#####################################################################

What is wrong:

a) load-balance is not working

b) when I access 202.28.213.163 it works, passed to eth2, BUT it appears my IP looking at tcpdump....

202.28.213.163.3666 > 201.6.110.223.47466: P 2269:2333(64) ack 1573 win 9968
IP 202.6.110.223.47466 > 202.28.213.163.3666: . ack 2333 win 11520
IP 192.168.1.11.38132 > 202.28.213.163.3666: F 0:0(0) ack 1 win 11520
   ^^^^^^^^^^^^^^^^^^^^^ ??????

I have read that CONNMARK is used to mark connections from/to iptables, and it's invisible for iproute. Correct?? That I have to use -j MARK --set-mark to mark packets for which I would like to change the router decision. But reading all the stuff above I really get confused and I'm lost.

Could any of you help or indicate a place/book where I can solve this situation????

thanks in advance

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
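The MARK/CONNMARK question in the post is easiest to see with a small model of the packet path. The following is an added example, not part of the original post and not netfilter code: it mimics the poster's mangle PREROUTING and POSTROUTING rules and the fwmark rule lookup as plain Python functions, with conntrack as a dictionary. The LAN host 192.168.1.11 and the 202.28.213.163:3666 destination come from the post; 198.51.100.10 is a constructed web server address, the alternation in table Equalize stands in for the kernel's weighted nexthop choice, and the main-table default on eth1 is an assumption.

```python
"""Toy model of the MARK / CONNMARK interplay in a fwmark multi-link setup.

Added, constructed example: the mangle hooks, conntrack and the fwmark
rule lookup are modelled as plain Python so the mark lifecycle can be
followed offline. It is not the poster's script and not netfilter code.
"""
import itertools
from dataclasses import dataclass

# Mark values and the fwmark -> table/interface mapping from the post.
PREF_WAN1, EQUALIZE, PREF_WAN2 = 200, 201, 202
MARK_TO_IFACE = {PREF_WAN1: "eth1", PREF_WAN2: "eth2"}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface_in: str
    mark: int = 0        # packet mark (MARK): exists only while the packet is in the box
    iface_out: str = ""


# conntrack entry: connection key -> connmark (CONNMARK); survives across packets
conntrack = {}
# Stand-in for the kernel's weighted nexthop choice in table Equalize
# (plain alternation, reset by run_demo()).
_equalize_rr = itertools.cycle(["eth1", "eth2"])


def conn_key(p):
    """Direction-independent key so both directions hit one conntrack entry."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def mangle_prerouting(p):
    """-t mangle PREROUTING -i eth0: restore-mark, then classify packets still at 0."""
    if p.iface_in != "eth0":
        return
    p.mark = conntrack.get(conn_key(p), 0)      # -j CONNMARK --restore-mark
    if p.mark != 0:
        return                                   # known connection: keep its link
    if p.dst == "202.28.213.163" and p.dport == 3666:
        p.mark = PREF_WAN2
    elif p.dport == 3666:
        p.mark = PREF_WAN1
    elif p.dport == 80:
        p.mark = EQUALIZE


def route(p):
    """ip rule fwmark lookup: only the packet mark is visible here, never the connmark."""
    if p.mark in MARK_TO_IFACE:
        p.iface_out = MARK_TO_IFACE[p.mark]      # tables Pref0 / Pref2
    elif p.mark == EQUALIZE:
        p.iface_out = next(_equalize_rr)         # table Equalize picks a nexthop
    else:
        p.iface_out = "eth1"                     # main table default (assumed)


def mangle_postrouting(p):
    """-t mangle POSTROUTING: pin the connection to the link chosen, then save-mark."""
    p.mark = PREF_WAN1 if p.iface_out == "eth1" else PREF_WAN2
    conntrack[conn_key(p)] = p.mark              # -j CONNMARK --save-mark


def forward(p):
    """Run one LAN-originated packet through the three stages."""
    mangle_prerouting(p)
    route(p)
    mangle_postrouting(p)
    return p.iface_out, conntrack[conn_key(p)]


def run_demo():
    """Constructed traffic from the LAN host; returns (iface_out, connmark) per packet."""
    global _equalize_rr
    conntrack.clear()
    _equalize_rr = itertools.cycle(["eth1", "eth2"])
    pkts = [
        Packet("192.168.1.11", 40001, "198.51.100.10", 80, "eth0"),     # HTTP conn A, 1st packet
        Packet("192.168.1.11", 40002, "198.51.100.10", 80, "eth0"),     # HTTP conn B, 1st packet
        Packet("192.168.1.11", 40001, "198.51.100.10", 80, "eth0"),     # conn A again
        Packet("192.168.1.11", 40003, "202.28.213.163", 3666, "eth0"),  # pinned to wan2
    ]
    return [forward(p) for p in pkts]


if __name__ == "__main__":
    for iface, connmark in run_demo():
        print(iface, connmark)
```

Two things the model makes visible: route() never reads the conntrack dictionary, which is the sense in which the connmark is invisible to iproute, and the POSTROUTING rewrite of 201 to 200 or 202 before --save-mark is what keeps every later packet of an equalized connection off the Equalize table and on the link its first packet took. A second HTTP connection gets its own lookup, so it can land on the other link.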