On Wed, Jan 25, 2012 at 04:33:50PM +0700, gapsf@xxxxxxxxx wrote:
> No. You should use "Policy routing" with the MARK target in iptables.
>
> Mark outgoing DNS packets with iptables in mangle PREROUTING, for example:
> # iptables -t mangle -A PREROUTING -p udp --dport 53 -j MARK --set-mark 0x4
>
> Create an additional routing table with different routing rules.
> Add a new entry in /etc/iproute2/rt_tables:
> =========================================
> #
> # reserved values
> #
> 255 local
> 254 main
> 253 default
> 0 unspec
> #
> # local
> #
> #1 inr.ruhep
> 1 isp2 # <- new entry
> =========================================
>
> Then execute
> # ip route flush table isp2
> and add a default route into the newly created table:
> # ip route add default via <ip_of_your_eth2_gateway> dev eth2 table isp2
>
> Add a new policy in the RPDB:
> # ip rule add from all fwmark 0x4 table isp2

Consider adding a preference/priority to your rule(s) to avoid potential future headaches.

>
> Check the RPDB:
> # ip rule show
> You should see something like this:
> 0: from all lookup local
> 32763: from all fwmark 0x4 lookup isp2
> 32766: from all lookup main
> 32767: from all lookup default
>
> As a result, all traffic is routed with the main routing table, except marked DNS traffic,
> which is routed via the "isp2" routing table through its default route and interface.
> View the picture at http://postimage.org/image/nn9owf5x7/ for an example.
>
> NG> Hi ..
>
> NG> I have 2 interfaces, eth0 and eth1, on the system connected to different subnets. I need to route all the outgoing DNS traffic of the system via the eth1 interface. Please let me know if the IPTABLES rules below are the proper way?
>
> NG> Block the output DNS traffic on the eth0 interface.
> NG> iptables -A FORWARD -p udp -o eth0 --dport 53 -j DROP
>
> NG> Forward output DNS traffic from the eth1 interface.
> NG> iptables -A FORWARD -p udp -o eth1 --dport 53 -j ACCEPT
>
> NG> Thanks
> NG> Ganesh
>
> NG> --
> NG> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> NG> the body of a message to majordomo@xxxxxxxxxxxxxxx
> NG> More majordomo info at http://vger.kernel.org/majordomo-info.html
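The setup from the quoted reply, as an added example that is not code from the thread or its authors: a reviewable script that marks DNS in OUTPUT as well as PREROUTING (the host's own queries, which the asker wants to steer, never traverse PREROUTING), also marks DNS over TCP, and gives the rule a fixed preference as suggested above. The table name isp2 with id 1, mark 0x4, interface eth2 and the gateway address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: policy-route DNS out of a second uplink via
# an fwmark, with an explicit rule preference as suggested in the reply.
# Constructed assumptions: table isp2 (id 1), mark 0x4, egress eth2, gateway GW.
set -eu

MARK=0x4
TABLE_NAME=isp2
TABLE_ID=1
DEV=eth2
GW="${GW:-192.0.2.1}"                    # placeholder gateway (TEST-NET-1), override with GW=...
PREF=1000                                # explicit preference: between local (0) and main (32766)
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

# Print the id already assigned to a table name in rt_tables content, or nothing.
rt_table_lookup() {  # $1 = rt_tables content, $2 = table name
    printf '%s\n' "$1" | awk -v n="$2" '$1 !~ /^#/ && $2 == n { print $1; exit }'
}

# Print the rt_tables line to append; print nothing if the name is already defined.
rt_table_entry() {  # $1 = rt_tables content
    [ -n "$(rt_table_lookup "$1" "$TABLE_NAME")" ] && return 0
    printf '%s\t%s\n' "$TABLE_ID" "$TABLE_NAME"
}

# Emit the command sequence without executing it, so it can be reviewed first.
plan() {
    # The host's own queries (the asker's case) are only seen in OUTPUT; PREROUTING
    # covers forwarded clients, as in the reply. DNS over TCP is marked as well.
    for chain in OUTPUT PREROUTING; do
        for proto in udp tcp; do
            echo "iptables -t mangle -A $chain -p $proto --dport 53 -j MARK --set-mark $MARK"
        done
    done
    echo "ip route flush table $TABLE_NAME"
    echo "ip route add default via $GW dev $DEV table $TABLE_NAME"
    # Remove any rule at this preference first so re-running does not stack duplicates.
    echo "ip rule del pref $PREF 2>/dev/null || true"
    echo "ip rule add pref $PREF fwmark $MARK table $TABLE_NAME"
}

# Apply the plan (run as root): register the table name, then execute each command.
apply() {
    entry=$(rt_table_entry "$(cat "$RT_TABLES")")
    [ -n "$entry" ] && printf '%s\n' "$entry" >> "$RT_TABLES"
    plan | sh -e
}
case "${1:-}" in plan) plan ;; apply) apply ;; esac   # ./dns-policy-route.sh plan|apply
```

Run it with `plan` first to inspect the exact commands, then as root with `apply`; `ip rule show` afterwards should list the fwmark rule at preference 1000, ahead of main.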