Hello,

I have a host with three Internet connections and 265 public IP addresses in total (3 separate ranges). I use "ip rule from XXX table YYY" to ensure that the correct interface is used when going out from, or replying from, the host. Table YYY has a different default route (there are three tables, including main).

I also have a few NATed hosts behind this host which serve various protocols (tcp/25, tcp/80, ...) on all of those IP addresses. I use mark/save-mark in PREROUTING for this, as I do not want them to have multiple addresses: just one private address associated with N of the 265 public addresses, N from 1 to 3 in general.

Everything works like a charm; netfilter is really great ... except for one thing. I noticed that fail2ban uses -j REJECT --reject-with icmp-port-unreachable. Unfortunately, if the TCP SYN comes in on tun0 (YYY's default route), the ICMP error reply goes out on eth1 (main's default route). And that upstream has an anti-spoofing policy (no triangular routing, which is good).

Should I deduce that ICMP error replies will never abide by "ip rule from" rules and will always be sent via the default route, and not via the interface the packet in error came in on? Is there a work-around, other than using DROP instead of REJECT?

Thank you!
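The setup described in the post (one routing table per uplink with its own default route, "ip rule from" for each public range, and a connection mark saved in PREROUTING so the NATed hosts answer on the uplink their connection arrived on) can be written down as a small generator script. The script below is an added example, not the poster's configuration: the table ids, gateways, address ranges and the eth2 interface are constructed placeholders, and it prints the commands by default (DRY_RUN=1) so it can be reviewed before anything is applied. It also wraps the one check that helps with the question asked, "ip route get ... from ... iif ...", which asks the kernel which route a locally generated reply sourced from a given public address would take.

```shell
#!/bin/sh
# Added example (not from the original post): generate the policy-routing and
# connection-mark rules for a multi-homed host. Table ids, gateways, address
# ranges and eth2 are constructed placeholders, not the poster's values.
# With DRY_RUN=1 (the default) the commands are printed instead of executed.

DRY_RUN="${DRY_RUN:-1}"

# run CMD... : print the command, and execute it only when DRY_RUN=0
run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = "0" ] && "$@"
    return 0
}

# One line per uplink: "<table-id> <interface> <gateway> <public-range>"
# (constructed values; the poster uses "main" for one of the three tables)
UPLINKS='101 eth1 192.0.2.1 192.0.2.0/24
102 tun0 198.51.100.1 198.51.100.0/24
103 eth2 203.0.113.1 203.0.113.0/24'

# setup_uplink TABLE IFACE GATEWAY RANGE
#   - table TABLE gets its own default route via GATEWAY on IFACE
#   - packets sourced from RANGE (the host's own replies included) use TABLE
#   - packets carrying fwmark TABLE (restored from conntrack) also use TABLE,
#     which is what lets a NATed host with a single private address answer on
#     the uplink its connection arrived on
#   - new connections arriving on IFACE are marked with the table id
setup_uplink() {
    table=$1; iface=$2; gw=$3; range=$4
    run ip route replace default via "$gw" dev "$iface" table "$table"
    run ip rule add from "$range" lookup "$table" priority "$((1000 + table))"
    run ip rule add fwmark "$table" lookup "$table" priority "$((2000 + table))"
    run iptables -t mangle -A PREROUTING -i "$iface" -m conntrack --ctstate NEW \
        -j MARK --set-mark "$table"
}

# apply_all : emit the complete rule set in the order it must be applied
apply_all() {
    # Restore the saved mark first, so reply packets coming from the NATed
    # hosts carry the mark before the routing decision is made.
    run iptables -t mangle -I PREROUTING 1 -j CONNMARK --restore-mark
    printf '%s\n' "$UPLINKS" | while read -r table iface gw range; do
        setup_uplink "$table" "$iface" "$gw" "$range"
    done
    # Save whatever mark the packet now carries on its conntrack entry.
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
}

# check_reply_route DST SRC IIF : ask the kernel which route it would choose for
# a locally generated packet to DST, sourced from SRC, answering traffic that
# came in on IIF. Run it with a banned client as DST and the public address the
# SYN was sent to as SRC to see on which uplink the reply would leave.
check_reply_route() {
    run ip route get "$1" from "$2" iif "$3"
}

# Stand-alone usage: print the rule set, then the route check for one client.
apply_all
check_reply_route 203.0.113.77 198.51.100.10 tun0
```

Running the script as is only prints the commands; setting DRY_RUN=0 executes them, which requires root and the named interfaces to exist. The route check is the useful part for the question in the post: comparing its output for a reply sourced from a tun0 address against the interface the SYN came in on shows directly whether the "ip rule from" entry is honoured for that locally generated packet.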