On Thu, Sep 29, 2011 at 14:53, Andrew Beverley <andy@xxxxxxxxxxx> wrote:
> On Thu, 2011-09-29 at 14:32 +0700, Pandu Poluan wrote:
>> On Thu, Sep 29, 2011 at 13:51, Andrew Beverley <andy@xxxxxxxxxxx> wrote:
>> > On Wed, 2011-09-28 at 23:20 +0100, Andrew Beverley wrote:
>> >> Hi,
>> >>
>> >> I'd like to route locally generated traffic via a particular interface
>> >> based on its mark value.
>> >>
>> >> From what I have researched, this is theoretically possible and lots of
>> >> people have tried it, but nobody has got it working.
>> >>
>> >> Here are my rules:
>> >>
>> >> # Mark the packets
>> >> iptables -A OUTPUT -t mangle -d 89.16.176.81 -j MARK --set-mark 0x800
>> >>
>> >> # Route the marked packets via routing table T2:
>> >> ip rule add fwmark 0x800/0xffff table T2
>> >>
>> >> # Force T2 packets out of the interface ppp1
>> >> ip route add table T2 default dev ppp1 via 94.30.127.76
>> >>
>> >> # Flush the cache, just in case
>> >> ip route flush cache
>> >>
>> >> However, the packets still go out of the default route (ppp0).
>> >
>> > I've also added the following, which makes no difference:
>> >
>> > iptables -t nat -A POSTROUTING -o ppp1 \
>> > -j SNAT --to-source 109.224.134.110
>> >
>>
>> Can you post the complete table, i.e., the output of iptables-save ?
>>
>
> Thanks for that. After I added the SNAT rule, I forgot to remove an
> existing earlier rule that was stopping the packets being marked. Your
> email reminded me!
>
> So, the reason it wasn't working for me was the missing SNAT rule after
> all. It now works correctly.
>
> Thanks,
>

You're welcome.

That's why I now no longer write iptables commands directly on the shell.
I keep my firewall rules in a file /etc/opt/firewall, and if I need to add new rules, I just do:

`vi /etc/opt/firewall && iptables-restore < /etc/opt/firewall`

(Of course, to seed the file I'd do `iptables-save > /etc/opt/firewall`)

This has the added benefit of allowing me to document all firewall changes by doing `hg commit` followed by `hg push` to a local Mercurial repository.

(The reason why I put the rules in /etc/opt instead of /etc is so that I don't have to create an .hgignore file)

Rgds,
--
FdS Pandu E Poluan
~ IT Optimizer ~
• LOPSA Member #15248
• Blog : http://pepoluan.tumblr.com
• Linked-In : http://id.linkedin.com/in/pepoluan
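A check for the mistake the thread ends up at (an earlier rule in mangle/OUTPUT that shadows the MARK rule, plus a missing SNAT for the second uplink), as an added example that is not code from any of the posters: it parses iptables-save output, flags any terminating rule that could match the destination before the MARK rule, and confirms a SNAT rule exists for the outgoing interface in nat/POSTROUTING. The sample dump is constructed for the example; the addresses, mark and interface names are reused from the thread.

```python
import shlex

# Constructed sample dump (not the poster's real ruleset): an earlier ACCEPT in
# mangle OUTPUT shadows the MARK rule, so nothing gets marked and the SNAT never fires.
SAMPLE_DUMP = """\
*mangle
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 89.16.176.81/32 -j ACCEPT
-A OUTPUT -d 89.16.176.81/32 -j MARK --set-xmark 0x800/0xffffffff
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o ppp1 -j SNAT --to-source 109.224.134.110
COMMIT
"""
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}

def parse_dump(text):
    """Return {table: {chain: [argv, ...]}} from iptables-save output."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {})
        elif line.startswith("-A ") and table is not None:
            argv = shlex.split(line)
            table.setdefault(argv[1], []).append(argv[2:])
    return tables

def opt(argv, flag):
    """Value following flag in argv, or None if the flag is absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None

def mark_value(argv):
    """Mark set by a MARK rule (--set-mark or --set-xmark), mask stripped."""
    raw = opt(argv, "--set-xmark") or opt(argv, "--set-mark")
    return int(raw.split("/")[0], 0) if raw else None

def check_policy_routing(dump, dst, mark, out_if):
    """Return a list of problems; an empty list means the dump looks consistent."""
    dst_cidr = dst if "/" in dst else dst + "/32"   # iptables-save always prints a prefix
    tables, problems = parse_dump(dump), []
    for i, rule in enumerate(tables.get("mangle", {}).get("OUTPUT", [])):
        if opt(rule, "-d") not in (None, dst_cidr):
            continue                                # cannot match this destination
        if opt(rule, "-j") == "MARK" and mark_value(rule) == mark:
            break                                   # found the marking rule
        if opt(rule, "-j") in TERMINATING:          # earlier rule ends chain traversal
            problems.append("mangle OUTPUT rule %d (%s) may match %s before the MARK rule"
                            % (i + 1, opt(rule, "-j"), dst_cidr))
    else:
        problems.append("no MARK rule for %s with mark %#x in mangle OUTPUT" % (dst_cidr, mark))
    if not any(opt(r, "-o") == out_if and opt(r, "-j") == "SNAT"
               for r in tables.get("nat", {}).get("POSTROUTING", [])):
        problems.append("no SNAT rule for traffic leaving %s in nat POSTROUTING" % out_if)
    return problems
```

Feed it the real dump with `check_policy_routing(open("/etc/opt/firewall").read(), "89.16.176.81", 0x800, "ppp1")` before running iptables-restore; a rule that only may match (no `-d` at all) is reported so it can be reviewed by hand.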