Re: can't port forward on multihome

sean darcy wrote:
sean darcy wrote:
Pascal Hambourg wrote:

As you used DNAT, you may use the --ctorigdst option of the 'conntrack' match and mark reply packets based on the original destination address of the connection.

iptables -t mangle -A PREROUTING -i eth1 \
  -m connmark --ctorigdst $ETH0_IP_ADDR -j MARK --set-mark 0x1
ip rule add fwmark 0x1 table 128 prio 127
[...]
As you can see, ctorigdst didn't work with iptables in Fedora 9:

iptables v1.4.1.1: Unknown arg `--ctorigdst`

My mistake, I meant "-m conntrack", not "-m connmark".

Also, I see you set the new ip rule with priority 127. Am I right that higher priority numbers override lower priority number in case of a conflict? Or does it determine the order in which rules are applied, smaller numbers first?

Rules with a lower priority number are examined first. I set a different priority because I thought there could be only one rule per priority, but I was wrong. However I don't know in which order rules with the same priority are examined, so setting different priorities may be safer if the rule ordering matters.

## this should make all packets from the * server go out over broadview
iptables -t mangle -A PREROUTING -i eth1 \
   -s 10.10.10.180 -j MARK --set-mark 0x1
ip rule add fwmark 0x1 table 128 prio 127

Adding this works fine; I can ssh and make VoIP connections to the VoIP server.

But if I add this, I can no longer make a VoIP connection to the VoIP server.

## this is supposed to make all packets replying to eth0
## go out eth0
iptables -t mangle -A PREROUTING -i eth0 -m state --state NEW \
    -j CONNMARK --set-mark 0x1
iptables -t mangle -A PREROUTING -i eth1 -j CONNMARK --restore-mark

Which VoIP protocol are you using? If it is SIP or H.323, are the corresponding conntrack and NAT helper modules loaded? I believe they are required so that the connection tracking can set the connection mark to the related voice traffic.
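The rule set the thread converges on, written out as a script (an added example, not code from either poster): NEW connections arriving on eth0 whose original destination is the eth0 address get a connection mark, the mark is restored onto the replies coming back from eth1, and marked packets are routed through table 128. It uses the corrected `-m conntrack --ctorigdst` syntax and loads the SIP helpers so RELATED RTP flows inherit the mark. The addresses, gateway and interface roles are assumptions; the script only touches the kernel when called with `apply`.

```shell
#!/bin/sh
# Policy routing for a multihomed host with DNAT (constructed example):
# replies to connections that came in on eth0 must leave via eth0 again.
ETH0_IP_ADDR="203.0.113.10"   # assumed public address on eth0 (edit)
ETH0_GW="203.0.113.1"         # assumed next hop on eth0 (edit)
TABLE=128                     # routing table used in the thread
MARK=0x1                      # fwmark used in the thread
RUN=""                        # "echo" prints the commands instead of running them

multihome_rules() {
    # SIP/NAT helpers: expected RTP connections are created as RELATED and
    # copy the connection mark of their master (signalling) connection.
    $RUN modprobe nf_conntrack_sip
    $RUN modprobe nf_nat_sip
    # Mark the connection (not the packet) when its first packet arrives on
    # eth0 addressed to eth0's address. --ctorigdst belongs to "-m conntrack";
    # "-m connmark --ctorigdst" is what produced "Unknown arg" in the thread.
    # In mangle PREROUTING the packet is still pre-DNAT, so ctorigdst is the
    # public address.
    $RUN iptables -t mangle -A PREROUTING -i eth0 \
        -m conntrack --ctstate NEW --ctorigdst "$ETH0_IP_ADDR" \
        -j CONNMARK --set-mark "$MARK"
    # Copy the connection mark back onto packets from the LAN side so the
    # routing decision after PREROUTING can see it.
    $RUN iptables -t mangle -A PREROUTING -i eth1 -j CONNMARK --restore-mark
    # Table 128 only needs a default route via eth0. Lower prio is checked
    # first, so 127 is consulted before the main table (prio 32766).
    $RUN ip route replace default via "$ETH0_GW" dev eth0 table "$TABLE"
    $RUN ip rule add fwmark "$MARK" table "$TABLE" prio 127
}

# Without the "apply" argument, print the rule set for review (no root needed).
case "${1:-}" in
    apply) multihome_rules ;;
    *)     RUN="echo"; multihome_rules ;;
esac
```

Run `sh multihome.sh` to review the commands and `sh multihome.sh apply` as root to install them; `conntrack -L` afterwards shows the mark on tracked connections.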
