Thanks, it works when I set rp_filter on eth0 to 0 or 2.

On Thu, Mar 31, 2016 at 8:23 PM, Pascal Hambourg <pascal@xxxxxxxxxxxxxxx> wrote:
> On 31/03/2016 07:32, Perol.Chen wrote:
>>
>> Dear all:
>>
>> I started a VPN client on my computer, but I want my country's traffic
>> to go directly out the local interface. Because the IP list is large,
>> I saved it to an ipset named chinaip.
>>
>> I use the commands below to split the traffic. 192.168.1.1 is the local
>> interface gateway, 10.7.0.2 is the VPN tun IP.
>>
>>
>> id="11"
>> ip rule add fwmark $id lookup $id
>> ip route add default via 192.168.1.1 table $id
>> iptables -t mangle -I OUTPUT 1 -m set --match-set chinaip dst -j MARK --set-mark $id
>> iptables -t nat -A POSTROUTING -s 10.7.0.2 -o eth0 -j MASQUERADE
>>
>>
>> Wireshark shows the traffic being sent to eth0, but the local process
>> cannot receive data.
>>
>> 128 5.583482000 192.168.1.118 180.149.134.141 TCP 74 33474 > http [SYN] Seq=0 Win=27840 Len=0 MSS=1392 SACK_PERM=1 TSval=17843425 TSecr=0 WS=128
>>
>> 129 5.586962000 180.149.134.141 192.168.1.118 TCP 66 http > 33474 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1448 SACK_PERM=1 WS=128
>>
>> 249 6.332233000 192.168.1.118 180.149.134.141 TCP 74 [TCP Retransmission] 33473 > http [SYN] Seq=0 Win=27840 Len=0 MSS=1392 SACK_PERM=1 TSval=17843613 TSecr=0 WS=128
>>
>> 250 6.335188000 180.149.134.141 192.168.1.118 TCP 66 [TCP Retransmission] http > 33473 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1448 SACK_PERM=1 WS=128
>>
>> These are all TCP retransmissions. Is there a problem somewhere?
>
>
> You probably need to disable rp_filter on eth0.
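The capture above is the classic reverse-path-filter symptom: the SYN/ACK from 180.149.134.141 arrives on eth0, but the main routing table (default route via the tunnel) says that source should be reached via tun0, so strict rp_filter (value 1) silently drops the reply and the client keeps retransmitting. Loose mode (value 2) accepts the packet as long as any route to the source exists; 0 turns the check off entirely. The script below is an added example written for this page, not code from the thread or from the netfilter project; it reproduces the poster's split-tunnel setup with the rp_filter fix folded in and, by default, only prints the commands. The interface names eth0/tun0, the addresses 192.168.1.1 and 10.7.0.2, the ipset name chinaip and table/mark id 11 are taken from the post; everything else (the DRY_RUN switch, the helper function names, the ipset create step) is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread): split-tunnel policy routing for an
# ipset of "direct" destinations, with reverse-path filtering relaxed on the
# LAN interface so replies arriving there are not dropped.
# Assumptions of this example (not stated in the original post): interface
# name eth0, gateway 192.168.1.1, tunnel address 10.7.0.2, ipset "chinaip",
# fwmark/table id 11. DRY_RUN=1 (default) prints the commands; DRY_RUN=0
# applies them and needs root.

DRY_RUN=${DRY_RUN:-1}
LAN_IF=${LAN_IF:-eth0}
LAN_GW=${LAN_GW:-192.168.1.1}
VPN_IP=${VPN_IP:-10.7.0.2}
SET_NAME=${SET_NAME:-chinaip}
TABLE_ID=${TABLE_ID:-11}

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# sysctl key for an interface's reverse-path filter setting.
rp_filter_key() {
    printf 'net.ipv4.conf.%s.rp_filter\n' "$1"
}

# Meaning of an rp_filter value:
#   0 = no source validation
#   1 = strict: the packet's source must route back out the ingress interface
#   2 = loose: any route to the source is enough
# With 1, the SYN/ACK from the remote host arrives on eth0 while the main
# table routes that source via the tunnel, so the kernel drops it.
rp_filter_mode() {
    case "$1" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# Effective rp_filter on an interface: the kernel uses the larger of
# conf/all and conf/<if>, so setting only eth0 is not enough if "all" is 1.
# Falls back to 0 when /proc is not readable (e.g. non-Linux or no such iface).
effective_rp_filter() {
    all=$(cat /proc/sys/net/ipv4/conf/all/rp_filter 2>/dev/null || echo 0)
    dev=$(cat "/proc/sys/net/ipv4/conf/$1/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

apply_split_tunnel() {
    # 1. Loose reverse-path filtering on the LAN interface and on "all",
    #    because the larger of the two wins. 0 also works but drops the
    #    check entirely; 2 keeps a sanity check on spoofed sources.
    run sysctl -w "$(rp_filter_key all)=2"
    run sysctl -w "$(rp_filter_key "$LAN_IF")=2"

    # 2. The destination set and the policy-routing table used for it.
    run ipset create "$SET_NAME" hash:net -exist
    run ip route replace default via "$LAN_GW" table "$TABLE_ID"
    run ip rule add fwmark "$TABLE_ID" lookup "$TABLE_ID"

    # 3. Mark locally generated packets to those destinations so they are
    #    re-routed through the LAN table instead of the VPN default route.
    run iptables -t mangle -I OUTPUT 1 -m set --match-set "$SET_NAME" dst \
        -j MARK --set-mark "$TABLE_ID"

    # 4. The socket chose the tunnel address as source before the re-route,
    #    so masquerade it behind the LAN address on the way out of eth0.
    run iptables -t nat -A POSTROUTING -s "$VPN_IP" -o "$LAN_IF" -j MASQUERADE
}

cur=$(effective_rp_filter "$LAN_IF")
printf '# effective rp_filter on %s: %s (%s)\n' "$LAN_IF" "$cur" "$(rp_filter_mode "$cur")"
apply_split_tunnel
```

Run it once with the default DRY_RUN=1 to review the exact commands for your interface names, then with DRY_RUN=0 as root. The `ip rule add` line is not idempotent; running the script twice adds a duplicate rule, so delete the old one (or check with `ip rule show`) before re-applying.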