Hi David,

Thanks a lot for the tip! It worked like a charm after changing the rp_filter parameter. What are the downsides of having it turned off?

Thanks!

2010/6/11 David Favro <netfilter@xxxxxxxxxxxxxxxx>:
> John Lister wrote:
>>
>> I suspect you need to save the mark in the conntrack table so that it is
>> applied to every related packet - I've got a similar configuration except I
>> route out of multiple interfaces depending upon load and took a while to get
>> working reliably.
>
> You shouldn't need to use CONNMARK because all of the outbound packets will
> have the same destination port and thus get marked by MARK, and the inbound
> packets don't typically need to get marked for a special routing table;
> however it might be a good idea to use CONNMARK anyhow, it may help with
> reverse-path filtering -- but alternatively, I would recommend turning RPF
> off anyhow:
>
> echo "2" > /proc/sys/net/ipv4/conf/bnep0/rp_filter
>
> Also,
>
> echo "1" > /proc/sys/net/ipv4/conf/bnep0/log_martians
>
> You can then check your kernel log to see if reverse-path filtering is
> causing you problems, which is a good possibility. If you see martian
> packets in your log after setting rp_filter for the interface to 2 per above
> (but you shouldn't), then you could turn RPF off entirely:
>
> echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter
> echo "0" > /proc/sys/net/ipv4/conf/bnep0/rp_filter
>
> ... but I don't think that should be needed.
>
> Also check your filter rules in iptables, are you explicitly dropping the
> packets?
>
>> Diego Lima wrote:
>>>
>>> 1 - Edit /etc/iproute2/rt_tables and add this:
>>> 10 bluez
>>>
>>> 2 - Add the route and rule:
>>> # ip route add via 192.168.21.1 dev bnep0 table bluez
>>> # ip rule add fwmark 10 lookup bluez
>>>
>>> 3 - Add the iptables rules:
>>> iptables -t mangle -I PREROUTING -i wlan0 -s 192.168.0.0/24 -p tcp -m multiport --dports 80,443,8080 -j MARK --set-mark 10
>>> iptables -t nat -I POSTROUTING ! -o lo -j MASQUERADE
>
> Your masquerading looks to me to be overly aggressive, why masquerade
> packets going out to wlan0?
>
> iptables -t nat -A POSTROUTING -o bnep0 -j MASQUERADE
>
> If you have externally-originated incoming connections on bnep0 (I guess
> not, your message sounds like all of your traffic on bnep0 is connections
> that are originating from the LAN) -- but if so, you need more routing rules
> or iptables fwmark to make sure that inbound connections from bnep0 go back
> out through bnep0.
>
> Hope that helps,
> -- David

--
Diego Lima
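The steps discussed in this thread, put together as one script. This is an added example, not code from the thread, Diego or David: it takes the interface names, LAN subnet, gateway and table name/number from the messages above, but the dry-run `run` helper, the `NETFILTER_APPLY` switch, the CONNMARK save/restore rules (John's suggestion, applied only to packets entering from the LAN so that replies arriving on bnep0 are not sent back out bnep0 by the fwmark rule), the `--ctstate NEW` match, the explicit `default` destination in the bluez route and the `sysctl -w` form of the rp_filter/log_martians settings are my assumptions. MASQUERADE is restricted to bnep0 as David recommends, and rp_filter on bnep0 is set to loose mode (2) with martian logging enabled rather than disabled outright.

```shell
#!/bin/sh
# Added example (not from the thread): policy-route LAN web traffic out of
# bnep0 via a fwmark, keep the mark on the whole connection with CONNMARK,
# MASQUERADE only on bnep0, and use loose reverse-path filtering there.
# Assumptions (mine, not the thread's): NETFILTER_APPLY switch, the run()
# helper, CONNMARK rules, --ctstate NEW, "default" in the bluez route.
# Without NETFILTER_APPLY=1 nothing is changed; the commands are only printed.

LAN_IF=${LAN_IF:-wlan0}
UPLINK_IF=${UPLINK_IF:-bnep0}
LAN_NET=${LAN_NET:-192.168.0.0/24}
GW=${GW:-192.168.21.1}
TABLE_ID=10
TABLE_NAME=bluez
MARK=10

# Execute the command when applying, otherwise print it (dry run).
run() {
    if [ "${NETFILTER_APPLY:-0}" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Step 1: register the table name in rt_tables, idempotently.
ensure_rt_table() {
    if [ "${NETFILTER_APPLY:-0}" = "1" ]; then
        grep -q "^$TABLE_ID[[:space:]]$TABLE_NAME\$" /etc/iproute2/rt_tables \
            || echo "$TABLE_ID $TABLE_NAME" >> /etc/iproute2/rt_tables
    else
        echo "append '$TABLE_ID $TABLE_NAME' to /etc/iproute2/rt_tables"
    fi
}

# Step 2: marked packets consult table 'bluez', whose default route is bnep0.
configure_routing() {
    run ip route replace default via "$GW" dev "$UPLINK_IF" table "$TABLE_NAME"
    run ip rule add fwmark "$MARK" lookup "$TABLE_NAME"
}

# Step 3: mark new web flows from the LAN and save the mark in conntrack so
# later packets of the same flow get it back. Restore only on LAN ingress:
# replies coming in on bnep0 must stay unmarked and use the main table.
configure_mangle() {
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp \
        -m multiport --dports 80,443,8080 -m conntrack --ctstate NEW \
        -j MARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -j CONNMARK --save-mark
    # NAT only on the uplink, not on every interface except lo.
    run iptables -t nat -A POSTROUTING -o "$UPLINK_IF" -j MASQUERADE
}

# Loose RPF (2) on the uplink so asymmetric flows are not dropped, plus
# martian logging so any remaining drops are visible in the kernel log.
configure_rpf() {
    run sysctl -w "net.ipv4.conf.$UPLINK_IF.rp_filter=2"
    run sysctl -w "net.ipv4.conf.$UPLINK_IF.log_martians=1"
}

configure_policy_routing() {
    ensure_rt_table
    configure_routing
    configure_mangle
    configure_rpf
}

configure_policy_routing
```

Run it as is to review the command list; run it as root with NETFILTER_APPLY=1 to apply, then watch `dmesg` for "martian source" lines. If any appear for packets arriving on bnep0 after rp_filter is already 2, the source address has no route at all in the routing tables, which is the case David describes as the one where disabling RPF entirely becomes the fallback.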