From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@vger.kernel.org
Subject: Re: can't port forward on multihome
Date: Mon, 29 Dec 2008 12:24:23 +0100
Message-ID: <4958B367.8060308@plouf.fr.eu.org>
In-Reply-To: <gj8reg$bq3$1@ger.gmane.org>
sean darcy wrote:
> sean darcy wrote:
>> Pascal Hambourg wrote:
>>>
>>> As you used DNAT, you may use the --ctorigdst option of the
>>> 'conntrack' match and mark reply packets based on the original
>>> destination address of the connection.
>>>
>>> iptables -t mangle -A PREROUTING -i eth1 \
>>> -m connmark --ctorigdst $ETH0_IP_ADDR -j MARK --set-mark 0x1
>>> ip rule add fwmark 0x1 table 128 prio 127
[...]
>> As you can see ctorigdst didn't work with iptables in fedora 9:
>>
>> iptables v1.4.1.1: Unknown arg `--ctorigdst`
My mistake, I meant "-m conntrack", not "-m connmark".
>> Also, I see you set the new ip rule with priority 127. Am I right that
>> higher priority numbers override lower priority number in case of a
>> conflict? Or does it determine the order in which rules are applied,
>> smaller numbers first?
Rules with a lower priority number are examined first. I set a different
priority because I thought there could be only one rule per priority,
but I was wrong. However I don't know in which order rules with the same
priority are examined, so setting different priorities may be safer if
the rule ordering matters.
> ## this should make all packets from the * server go out over broadview
> iptables -t mangle -A PREROUTING -i eth1 \
> -s 10.10.10.180 -j MARK --set-mark 0x1
> ip rule add fwmark 0x1 table 128 prio 127
>
> adding this work fine I can ssh and make voip connections to the voip
> server.
>
> But if add this, I can no longer make a voip connection to the voip server.
>
> ## this is supposed to make all packets replying to eth0
> ## go out eth0
> iptables -t mangle -A PREROUTING -i eth0 -m state --state NEW \
> -j CONNMARK --set-mark 0x1
> iptables -t mangle -A PREROUTING -i eth1 -j CONNMARK --restore-mark
Which VoIP protocol are you using? If it is SIP or H.323, are the
corresponding conntrack and NAT helper modules loaded? I believe they
are required so that the connection tracking can set the connection mark
on the related voice traffic.
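As an added example, not code from the thread, here is the marking setup the reply above describes, written with the `conntrack` match (the `-m connmark --ctorigdst` line that failed on Fedora 9 is the mistake it corrects), together with the CONNMARK save/restore rules and the policy-routing table. The interface names, `ETH0_IP_ADDR`, `ETH0_GW`, the table number and the `DRYRUN` switch are assumed placeholders; the script only prints the commands unless run as root with the argument `apply`.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders below are assumptions.
ETH0_IP_ADDR="${ETH0_IP_ADDR:-192.0.2.10}"   # assumed: public address on eth0
ETH0_GW="${ETH0_GW:-192.0.2.1}"              # assumed: default gateway via eth0
TABLE=128                                     # routing table used by the thread
MARK=0x1                                      # fwmark used by the thread
DRYRUN="${DRYRUN:-1}"                         # 1 = print commands, 0 = execute

run() {
    if [ "$DRYRUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Mark connections that arrived on eth0 and carry that mark back onto
# the LAN-side packets of the same connection. The match for the
# original destination is 'conntrack', not 'connmark'.
mark_rules() {
    run iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -i eth1 \
        -m conntrack --ctorigdst "$ETH0_IP_ADDR" -j MARK --set-mark "$MARK"
    run iptables -t mangle -A PREROUTING -i eth1 -j CONNMARK --restore-mark
}

# Lower priority numbers are examined first; marked packets use table 128,
# whose only route is the default via the eth0 gateway.
route_rules() {
    run ip rule add fwmark "$MARK" table "$TABLE" prio 127
    run ip route add default via "$ETH0_GW" dev eth0 table "$TABLE"
}

# Reads rule lines on stdin; succeeds only when every --ctorigdst rule uses
# the conntrack match, i.e. it rejects the '-m connmark --ctorigdst' error.
check_rules() {
    awk '/--ctorigdst/ && !/-m conntrack/ { bad = 1 } END { exit bad }'
}

if [ "${1:-}" = "apply" ]; then
    DRYRUN=0; mark_rules; route_rules
fi
```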
Thread overview:
2008-12-19 20:38 can't port forward on multihome sean darcy
2008-12-20 11:06 ` Pascal Hambourg
2008-12-28 20:53 ` sean darcy
2008-12-28 21:35 ` sean darcy
2008-12-29 11:24 ` Pascal Hambourg [this message]