On 31/03/2016 07:32, Perol.Chen wrote:
Dear all:

I start one VPN client on my computer, but I want my country's traffic to go directly out of the local interface. Because the IP list is large, I save the addresses to an ipset named chinaip. I use the commands below to split the traffic; 192.168.1.1 is the local interface gateway, 10.7.0.2 is the VPN tun IP.

    id="11"
    # packets carrying fwmark 11 are routed with table 11
    ip rule add fwmark $id lookup $id
    # table 11 sends everything to the local gateway instead of the tunnel
    ip route add default via 192.168.1.1 table $id
    # mark locally generated packets whose destination is in the chinaip set
    iptables -t mangle -I OUTPUT 1 -m set --match-set chinaip dst -j MARK --set-mark $id
    # rewrite the tunnel source address when those packets leave via eth0
    iptables -t nat -A POSTROUTING -s 10.7.0.2 -o eth0 -j MASQUERADE

Wireshark shows the traffic sent to eth0, but the local process cannot receive data.

    128 5.583482000 192.168.1.118 180.149.134.141 TCP 74 33474 > http [SYN] Seq=0 Win=27840 Len=0 MSS=1392 SACK_PERM=1 TSval=17843425 TSecr=0 WS=128
    129 5.586962000 180.149.134.141 192.168.1.118 TCP 66 http > 33474 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1448 SACK_PERM=1 WS=128
    249 6.332233000 192.168.1.118 180.149.134.141 TCP 74 [TCP Retransmission] 33473 > http [SYN] Seq=0 Win=27840 Len=0 MSS=1392 SACK_PERM=1 TSval=17843613 TSecr=0 WS=128
    250 6.335188000 180.149.134.141 192.168.1.118 TCP 66 [TCP Retransmission] http > 33473 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1448 SACK_PERM=1 WS=128

They are all TCP retransmissions. Is there some problem?
You probably need to disable rp_filter on eth0.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
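The rp_filter change suggested in the reply, written out as an added example that is not part of the thread. It reads the sysctl files under /proc/sys (the SYSCTL_ROOT override is an assumption of this example so the functions can be exercised on a scratch directory), shows that the effective value for eth0 is the maximum of conf/all and conf/eth0, and uses loose mode (2) rather than 0 so the kernel still drops packets from sources it has no route to at all.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes /proc/sys is mounted;
# SYSCTL_ROOT exists only to run the functions against a scratch tree.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# Effective rp_filter for an interface is the MAX of conf/all and
# conf/<iface> (0 = off, 1 = strict, 2 = loose). Setting only
# conf/eth0 to 0 changes nothing while conf/all is still 1.
rp_filter_effective() {
    iface="$1"
    all=$(cat "$SYSCTL_ROOT/net/ipv4/conf/all/rp_filter")
    dev=$(cat "$SYSCTL_ROOT/net/ipv4/conf/$iface/rp_filter")
    if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

# Relax to loose mode (2): the SYN/ACK from 180.149.134.141 arriving on
# eth0 is accepted as long as its source is reachable via *some*
# interface; packets from unroutable sources are still dropped.
rp_filter_loosen() {
    iface="$1"
    echo 2 > "$SYSCTL_ROOT/net/ipv4/conf/all/rp_filter"
    echo 2 > "$SYSCTL_ROOT/net/ipv4/conf/$iface/rp_filter"
}

# Simplified model of the check that bites in the thread: the reply has
# no fwmark (the mark was set in OUTPUT only), so the reverse-path
# lookup for its source uses the main table, whose default route points
# at the tunnel, not eth0. Strict mode drops on that mismatch.
# $1 = interface the reply arrived on, $2 = interface the reverse-path
# route lookup selects for the reply's source address.
rp_filter_would_drop() {
    eff=$(rp_filter_effective "$1")
    if [ "$eff" -eq 1 ] && [ "$1" != "$2" ]; then echo yes; else echo no; fi
}
```

Run `rp_filter_effective eth0` before and after `rp_filter_loosen eth0` to confirm the value the kernel will actually apply; the per-interface file alone is misleading.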