From: Gordan Bobic <lartc@bobich.net>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] Multihomed Masquerading, routing and iptables
Date: Tue, 06 Jan 2004 09:25:04 +0000
Message-ID: <200401060924.42879.gordan@bobich.net>
In-Reply-To: <200312311649.36278.lartc@bobich.net>

On Tuesday 06 Jan 2004 01:49, Rio Martin wrote:
> > > > > Hmm. Just replace -j MASQUERADE with -j SNAT? Will that not break
> > > > > other things?
> > > >
> > > > -j SNAT your_ip
> > >
> > > Or rather -j SNAT --to-source your_ip. I get it. I'll check if that
> > > works better than masquerading.
> >
> > Just tried it - no difference. Packets still come out with source IP
> > address not matching the interface. :-(
>
> Try switching it manually: first set it up without iproute. Remove all the
> tables you have created and flush them. Try with ISP1 first. Do SNAT --to
> ip.of.ISP1
> Does it work? Okay, now switch to ISP2. Do SNAT --to ip.of.ISP2.
> It should work, otherwise something is wrong with the kernel or iptables
> you have on your machine.
>
> Finish this step first, report back to the list.

If one of the default routes is removed, everything works OK. However, if
there are two default routes, packets get misdirected. ChangeLog for 2.4.21
lists a few conntrack bug fixes, which I suspect to be the cause of this.
Basically, the non-deterministic default route selection/rotation seems to
take precedence over maintaining the same interface for serving a particular
established connection through the firewall.

I'm compiling a new clean 2.4.24 with the jumbo routes patch at the moment,
which will hopefully fix things. I'm hoping to try it out tonight. And BTW,
the latest RH9 kernel released yesterday (2.4.20-28.9 IIRC), is still broken
as far as routing is concerned.

Gordan
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
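The multihomed setup this thread is debugging, written up as an added example (not code from the thread or from either poster): one routing table, one source-address rule and one interface-bound SNAT per uplink, with only a single default route left in the main table rather than two. The interface names, addresses, gateways and the eth0 LAN are constructed placeholders; the script only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the thread.  Interfaces/addresses below are
# constructed placeholders (RFC 5737 ranges).  Dry-run by default: prints the
# commands it would run; set DRY_RUN=0 to actually apply them (needs root).
DRY_RUN=${DRY_RUN:-1}
LAN_IF=${LAN_IF:-eth0}          # assumed LAN-side interface

run() {
    if [ "$DRY_RUN" -eq 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# setup_isp <table-id> <iface> <local-ip> <gateway> <lan-net>
# Per uplink: a private routing table whose only default route points at that
# ISP's gateway, an 'ip rule' that steers every packet sourced from that ISP's
# address into the table (so replies leave the way they came in), and a
# POSTROUTING SNAT bound to the outgoing interface with -o, so the rewritten
# source address always matches the interface the packet really exits on.
setup_isp() {
    table=$1 iface=$2 addr=$3 gw=$4 lan=$5
    run ip route flush table "$table"
    run ip route add "$lan" dev "$LAN_IF" table "$table"
    run ip route add default via "$gw" dev "$iface" table "$table"
    run ip rule add from "$addr" table "$table" priority "$table"
    run iptables -t nat -A POSTROUTING -s "$lan" -o "$iface" \
        -j SNAT --to-source "$addr"
}

# Exactly one default route in the main table: traffic not pinned to an
# uplink by a rule goes out this ISP, deterministically.
set_main_default() {
    run ip route replace default via "$1" dev "$2"
}

setup_isp 101 eth1 203.0.113.2  203.0.113.1  192.168.1.0/24
setup_isp 102 eth2 198.51.100.2 198.51.100.1 192.168.1.0/24
set_main_default 203.0.113.1 eth1
run ip route flush cache
```

Check the result with `ip rule show` and `ip route show table 101` before adding the second uplink, which is the one-ISP-at-a-time test Rio suggests above.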