From: Peter Rabbitson
Date: Fri, 15 Jun 2007 06:00:57 +0000
Subject: Re: [LARTC] Re: multiple routing tables for internal router programs
Message-Id: <46722B19.40601@rabbit.us>
To: lartc@vger.kernel.org

Salim S I wrote:
>
> NATing is done with MASQUERADE, not SNAT, I use another MARK for it, but
> in essence it is
> -o eth2 -j MASQUERADE
> -o eth3 -j MASQUERADE
>
> In addition, there are several other MARKs for policy routing. They have
> their own routing tables also. But at present, they are all empty.
>

This is the part I definitely do not like. First of all - why SNAT/MASQUERADE
_all_ traffic? You should do this for forwarded traffic only. Like so:

# the SOURCE_NAT user chain must exist before rules can jump to it
iptables -t nat -N SOURCE_NAT
iptables -t nat -A POSTROUTING -s 10.0.58.0/24 -j SOURCE_NAT
iptables -t nat -A POSTROUTING -s 192.168.58.0/24 -j SOURCE_NAT
iptables -t nat -A POSTROUTING -s 192.168.8.0/24 -j SOURCE_NAT
iptables -t nat -A SOURCE_NAT -o $EXTCH -j SNAT --to $EXTCH_IP
iptables -t nat -A SOURCE_NAT -o $EXTCB -j SNAT --to $EXTCB_IP

Also you mention that there are "other marks", which means that you might
very well be overwriting marks as you go. A packet/connection can have only
_one_ mark value at any time, no more no less (a 0x0 is still a mark).

HTH

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
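The setup Peter sketches above, written out as a complete script. This is an added example, not code from the original mail or from either poster. It assumes two uplinks eth2/eth3; the addresses, gateways, routing table numbers (101/102), mark values (1/2) and the chain names SOURCE_NAT/ROUTE_MARK are all hypothetical, and the three internal subnets are the ones from the mail. It goes slightly beyond the mail in two ways: it uses CONNMARK so a connection keeps the single mark it was given instead of being re-marked packet by packet, and it notes --set-xmark for the case where several independent mark bits are genuinely needed.

```shell
#!/bin/sh
# Added example (not from the original mail). Two-uplink router: one fwmark
# per uplink, one routing table per mark, and SNAT limited to forwarded LAN
# traffic. Interfaces, addresses, gateways, tables and mark values are
# hypothetical; override them in the environment.
EXTCH=${EXTCH:-eth2}; EXTCH_IP=${EXTCH_IP:-203.0.113.10}; EXTCH_GW=${EXTCH_GW:-203.0.113.1}
EXTCB=${EXTCB:-eth3}; EXTCB_IP=${EXTCB_IP:-198.51.100.10}; EXTCB_GW=${EXTCB_GW:-198.51.100.1}
LAN_NETS="10.0.58.0/24 192.168.58.0/24 192.168.8.0/24"   # internal nets from the mail
MARK_CH=1; TABLE_CH=101        # connections that should leave via EXTCH
MARK_CB=2; TABLE_CB=102        # connections that should leave via EXTCB
DRY_RUN=${DRY_RUN:-0}

# Execute the command, or only print it when DRY_RUN=1 (lets the rule set be
# inspected and tested without root or a live netfilter).
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# SNAT only packets that come from the internal nets, choosing the source
# address by the interface the routing decision actually picked. No rule in
# POSTROUTING matches on -o alone, so the router's own traffic and packets
# from unknown sources are left untouched.
setup_snat() {
    run iptables -t nat -N SOURCE_NAT
    for net in $LAN_NETS; do
        run iptables -t nat -A POSTROUTING -s "$net" -j SOURCE_NAT
    done
    run iptables -t nat -A SOURCE_NAT -o "$EXTCH" -j SNAT --to-source "$EXTCH_IP"
    run iptables -t nat -A SOURCE_NAT -o "$EXTCB" -j SNAT --to-source "$EXTCB_IP"
}

# A packet carries exactly one fwmark and MARK --set-mark replaces it
# outright, so the classifier is ordered: restore the connection's saved
# mark first, stop if it is already non-zero, and only then classify new
# (mark 0) connections. A later rule can then never silently overwrite an
# earlier routing decision.
setup_marks() {
    run iptables -t mangle -N ROUTE_MARK
    run iptables -t mangle -A PREROUTING -j ROUTE_MARK
    run iptables -t mangle -A ROUTE_MARK -j CONNMARK --restore-mark
    run iptables -t mangle -A ROUTE_MARK -m mark '!' --mark 0 -j RETURN
    run iptables -t mangle -A ROUTE_MARK -s 10.0.58.0/24 -j MARK --set-mark "$MARK_CH"
    run iptables -t mangle -A ROUTE_MARK -s 192.168.58.0/24 -j MARK --set-mark "$MARK_CB"
    run iptables -t mangle -A ROUTE_MARK -s 192.168.8.0/24 -j MARK --set-mark "$MARK_CH"
    run iptables -t mangle -A ROUTE_MARK -m mark '!' --mark 0 -j CONNMARK --save-mark
    # If truly independent marks are needed, partition the 32-bit mark and
    # use "MARK --set-xmark value/mask" together with "-m mark --mark value/mask";
    # e.g. --set-xmark 0x10/0xf0 touches only bits 4-7 and leaves the routing
    # mark in bits 0-3 intact.
}

# One table per uplink, selected by fwmark. Mark 0 traffic falls through to
# the main table exactly as before.
setup_routes() {
    run ip route replace default via "$EXTCH_GW" dev "$EXTCH" table "$TABLE_CH"
    run ip route replace default via "$EXTCB_GW" dev "$EXTCB" table "$TABLE_CB"
    run ip rule add fwmark "$MARK_CH" table "$TABLE_CH"
    run ip rule add fwmark "$MARK_CB" table "$TABLE_CB"
    run ip route flush cache
}

setup_all() { setup_marks; setup_routes; setup_snat; }

case "${1:-}" in
    apply)   setup_all ;;                  # needs root
    dry-run) DRY_RUN=1; setup_all ;;       # print the rules only
esac
```

Run `sh router.sh dry-run` to see the rule set, `sh router.sh apply` as root to load it. The order inside ROUTE_MARK is the whole point: because `--set-mark` overwrites the single mark value, anything that classifies must run after `--restore-mark` and must be skipped when the mark is already non-zero, otherwise the "other marks" Salim mentions will clobber the routing mark on every packet.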