Re: [LARTC] Problems with Routing and Masquerading

[Vinod Chandran <vinod_chandran@multitech.co.in>]

Hi,

Thanks Jason for the solution. With CONNMARK, I was able to route the 
packets properly.

Yeah, the problem was seen only for SSH sessions, I didnot see the 
problem with the Telnet and Ping sessions. TOS could be the answer to that.

The only change I had to do as far the CONNMARK solution was that in the 
PREROUTING chain, I had to add the rule with "-i eth0" where eth0 is my 
LAN, otherwise the return packets were not reaching the box in LAN.

Thanks and Regards,
Vinod C


Raj Mathur wrote:

>>>>>>"Jason" = Jason Boxman <jasonb@edseek.com> writes:
>>>>>>            
>>>>>>
>
>    Jason> Luciano Ruete wrote: <snip>
>    >> Besides that, you need to solve the problems that multipath
>    >> will arise, like TOS situation described above or route cache
>    >> expiration, that could made long term conns to be routed over a
>    >> new iface.  The solutions i know are CONNMARK(kernel>=2.6.12)
>    >> and julian's patches[1].  Personally i prefer CONNMARK.
>
>    Jason> Could you elaborate a little more on the CONNMARK method?
>
>I second that motion -- not too clear on the interaction between SNAT,
>multiple interfaces, multiple default routes and CONNMARK </aol
>mode="metoo">.  If someone could take out the time to make a complete
>example with (say) 2 outgoing interfaces, I promise a small GPL script
>in exchange which would automate the whole process.
>
>Actually the script's already made, but it doesn't use CONNMARK and
>suffers from the problems Jason describes and as documented in:
>
>  http://mailman.ds9a.nl/pipermail/lartc/2006q1/018220.html
>
>Regards,
>
>-- Raju
>  
>

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc