Hello,

Scott Shambarger wrote:
> I have a multi-homed server, and have been routing packets selectively
> between the public interfaces using iptables marking and iproute2 tables.

[...]

> With the setup below, bringing down either public interface results in
> normal conntrack behavior (packets are correctly nat'd back to their
> source).

It may be a source validation issue, which is common in multihomed setups. If sysctl net.ipv4.conf.<input_interface>.rp_filter is set to 1, does setting it to 0 fix the problem?

[...]

> And that's where the packet disappears... it apparently has been seen by
> conntrack, but fails to appear in the nat:PREROUTING chain.

AFAIK, only the first NEW packet of a connection appears in the nat chains. Subsequent packets don't. If the packet does not appear in the FORWARD or INPUT chain, chances are it was dropped at the routing decision stage, where source validation is performed.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
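A check that goes with the rp_filter advice above, added here as an example and not part of the original reply: the kernel applies the maximum of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter, so clearing only the per-interface value leaves strict source validation on while conf.all is still 1. The SAMPLE sysctl lines are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example: compute the rp_filter mode the kernel actually enforces
# per interface, i.e. max(conf.all.rp_filter, conf.<iface>.rp_filter).
# Input is in "sysctl" output format ("key = value"). SAMPLE is a
# constructed multihomed box where eth0 was "fixed" but conf.all is still 1.

SAMPLE='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 2
net.ipv4.conf.lo.rp_filter = 0'

# rp_value <iface> <lines>: print the configured rp_filter for <iface>, empty if absent
rp_value() {
    printf '%s\n' "$2" | sed -n "s/^net\.ipv4\.conf\.$1\.rp_filter = \([0-9]\)$/\1/p"
}

# effective_rp_filter <iface> <lines>: the value source validation really uses
effective_rp_filter() {
    all=$(rp_value all "$2")
    ifv=$(rp_value "$1" "$2")
    all=${all:-0}; ifv=${ifv:-0}
    if [ "$all" -gt "$ifv" ]; then echo "$all"; else echo "$ifv"; fi
}

# report <lines>: one line per real interface with its effective mode
report() {
    printf '%s\n' "$1" | sed -n 's/^net\.ipv4\.conf\.\([^.]*\)\.rp_filter = .*/\1/p' |
    grep -v -e '^all$' -e '^default$' |
    while read -r ifc; do
        case $(effective_rp_filter "$ifc" "$1") in
            0) mode="off" ;;
            1) mode="strict (asymmetric replies dropped)" ;;
            2) mode="loose" ;;
            *) mode="unknown" ;;
        esac
        printf '%s: %s\n' "$ifc" "$mode"
    done
}

report "$SAMPLE"
```

On a live host run `report "$(sysctl -a 2>/dev/null | grep rp_filter)"`; interfaces reported as strict will still drop replies that arrive on the "wrong" public interface, and `net.ipv4.conf.<iface>.log_martians=1` makes those drops visible in the kernel log.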