Hi guys,

I am working with iptables + iproute + balance, and at one of our clients that is using VLANs, every time I start both links all VLANs stop working.

Debian Lenny with kernel 2.6.26-2-686-bigmem
iptables 1.4.2-6
iproute 20080725-2

Just a small picture to clarify:

    wan1 - eth1    wan2 - eth2
         |              |
         firewall ------------------- dmz - eth5
             |
        lan (bond0) eth0 and eth4 10.0.0.2/24
            |  |
        switch core
            |  |
           VLAN
    10.0.1.0/24  10.0.2.0/24  10.0.2.0/24

After reading, googling and testing, I discovered that any time both links come up with the rules below, the VLANs stop passing through the firewall.

-------cut------------
Chain PREROUTING (policy ACCEPT 458 packets, 41906 bytes)
 pkts bytes target     prot opt in     out     source               destination
  231 17763 CONNMARK   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore
    0     0 MARK       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           mark match 0x0 state NEW MARK xset 0x1/0xffffffff
  231 17763 CONNMARK   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           CONNMARK save
   16  3135 CONNMARK   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore
    0     0 MARK       all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           mark match 0x0 state NEW MARK xset 0x2/0xffffffff
   16  3135 CONNMARK   all  --  eth2   *       0.0.0.0/0            0.0.0.0/0           CONNMARK save
  108  8813 CONNMARK   all  --  bond0  *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore
    3   444 CONNMARK   all  --  eth3   *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore
   13   632 CONNMARK   all  --  bond0  *       0.0.0.0/0            0.0.0.0/0           mark match !0x0 CONNMARK save
    0     0 CONNMARK   all  --  eth3   *       0.0.0.0/0            0.0.0.0/0           mark match !0x0 CONNMARK save

Chain INPUT (policy ACCEPT 336 packets, 34819 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 118 packets, 6863 bytes)
 pkts bytes target     prot opt in     out     source               destination
   59  3257 TTL        all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           /* Mudando TTL do pacote para dar mais segurança */ TTL set to 255
   16   936 TTL        all  --  *      eth2    0.0.0.0/0            0.0.0.0/0           /* Mudando TTL do pacote para dar mais segurança */ TTL set to 255

Chain OUTPUT (policy ACCEPT 246 packets, 27229 bytes)
 pkts bytes target     prot opt in     out     source               destination
  134 12557 TTL        all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           /* Mudando TTL do pacote para dar mais segurança */ TTL set to 255
   24  1900 TTL        all  --  *      eth2    0.0.0.0/0            0.0.0.0/0           /* Mudando TTL do pacote para dar mais segurança */ TTL set to 255
  231 22418 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           CONNMARK restore
    0     0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 20,21,80,443 mark match 0x0 state NEW /* pacotes do squid via link1 */ MARK xset 0x1/0xffffffff
   16  1224 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match !0x0 CONNMARK save

Chain POSTROUTING (policy ACCEPT 363 packets, 37210 bytes)
 pkts bytes target     prot opt in     out     source               destination
  181 15315 CONNMARK   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           CONNMARK restore
   29  2149 MARK       all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           mark match 0x0 state NEW MARK xset 0x1/0xffffffff
  181 15315 CONNMARK   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           CONNMARK save
   32  2188 CONNMARK   all  --  *      eth2    0.0.0.0/0            0.0.0.0/0           CONNMARK restore
   16  1252 MARK       all  --  *      eth2    0.0.0.0/0            0.0.0.0/0           mark match 0x0 state NEW MARK xset 0x2/0xffffffff
   32  2188 CONNMARK   all  --  *      eth2    0.0.0.0/0            0.0.0.0/0           CONNMARK save

I would appreciate any help.

Thanks in advance