From: Alex Samad
Date: Fri, 02 Mar 2007 18:39:13 +0000
Subject: Re: [LARTC] DNAT and Load Balancing
Message-Id: <20070302183913.GL17130@samad.com.au>
References: <45E76E18.4080201@gmail.com>
In-Reply-To: <45E76E18.4080201@gmail.com>
To: lartc@vger.kernel.org

On Fri, Mar 02, 2007 at 07:34:34PM +0100, francesco messineo wrote:
> I solved this exact problem (with incoming connections on three
> different adsl) marking packets on PREROUTING chain. Obviously with
> three different routing tables.
>
> # incoming connections for DNAT to DMZ need to be marked here in PREROUTING
> iptables -t mangle -N mymark
> iptables -t mangle -F mymark
> # first of all RETURN for "local" interfaces
> iptables -t mangle -A mymark -i $E0_IF -j RETURN
> iptables -t mangle -A mymark -i $DMZ_IF -j RETURN
> iptables -t mangle -A mymark -i $VPN_IF -j RETURN
> # then mark and save incoming connections from the external universe
> iptables -t mangle -A mymark -i $IN_IF -j MARK --set-mark $IN_M
> iptables -t mangle -A mymark -i $MC_IF -j MARK --set-mark $MC_M
> iptables -t mangle -A mymark -i $TI_IF -j MARK --set-mark $TI_M
> iptables -t mangle -A mymark -j CONNMARK --save-mark
>
> #restore mark before ROUTING decision
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
>
> # non marked incoming connections need to be marked (DNAT to DMZ only)
> iptables -t mangle -A PREROUTING -m mark --mark 0 -j mymark
>

Hi

I know there was a thread on this method earlier, but has somebody put up a
howto, or a wiki page on it?
alex
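
The quoted rules only set and restore the connection marks; the "three different routing tables" are left implicit. As an added example (not from either poster), this dry-run script prints the matching `ip route`/`ip rule` commands and rejects a mark of 0 or a duplicated mark. Interface names, mark values, table numbers and gateway addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example: dry-run generator for the policy-routing half of the
# CONNMARK setup. It only prints commands; nothing is applied.
# Constructed sample uplinks: "iface mark table gateway" (placeholder values).
UPLINKS="eth1 1 101 192.0.2.1
eth2 2 102 198.51.100.1
eth3 3 103 203.0.113.1"

# Mark 0 means "not yet marked" to the quoted rule `-m mark --mark 0 -j mymark`,
# so every uplink needs its own non-zero mark.
validate_marks() {
    seen=" "
    while read -r ifc mark table gw; do
        [ -n "$ifc" ] || continue
        [ "$mark" -gt 0 ] 2>/dev/null || { echo "$ifc: mark must be > 0" >&2; return 1; }
        case "$seen" in
            *" $mark "*) echo "$ifc: duplicate mark $mark" >&2; return 1 ;;
        esac
        seen="$seen$mark "
    done <<EOF
$1
EOF
    return 0
}

# One routing table per uplink, selected by the restored fwmark, so replies
# to a DNATed connection leave through the uplink the connection arrived on.
policy_cmds() {
    validate_marks "$1" || return 1
    while read -r ifc mark table gw; do
        [ -n "$ifc" ] || continue
        echo "ip route replace default via $gw dev $ifc table $table"
        echo "ip rule add fwmark $mark lookup $table"
    done <<EOF
$1
EOF
}

policy_cmds "$UPLINKS"
```

Review the printed commands and substitute the real values behind `$IN_M`, `$MC_M` and `$TI_M` before running them as root.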