From mboxrd@z Thu Jan 1 00:00:00 1970
From: Sebastian Bleikamp
Date: Sat, 31 Aug 2002 19:47:57 +0000
Subject: Re: [LARTC] Splitting locally generated traffic based on destination port
Message-Id:
List-Id:
References:
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
To: lartc@vger.kernel.org

Arthur Donkers wrote:
> My question now is how to define a policy so specific traffic, generated
> locally by sendmail and ssh, uses eth0 as its interface instead of eth1
> which is used for the default route ?
>
> I already mark outgoing traffic in the mangle table thus
> iptables -A OUTPUT -t mangle -p tcp --dport 25 -j MARK --set-mark 1
> I have to SNAT outgoing traffic as well:
> iptables -A POSTROUTING -t nat -m mark --mark 1 -j SNAT --to-source
> I have added a table mail.out to /etc/iproute2/rt_tables and defined rules
> like this:
> ip rule add fwmark 1 table mail.out
> ip route add default via dev eth0 src
>
> And when I do this:
> telnet 25
>
> I indeed see a SYN packet coming out of eth0 to , and a SYN/ACK
> packet comes back. The problem is that it appears that the Linux box does
> not see this SYN/ACK packet and resends the SYN packet after a few
> seconds, which again is answered by a SYN/ACK and this goes on a few
> times. No other packet filters are active on the Linux box (yet).

Hello Arthur,

I'm not a professional in routing, but I think I've read something about
the routing mechanism:

  Packet ---> Table PREROUTING -+-> Table FORWARD -+-> Table POSTROUTING
                                |                 |   (and then out)
                                +-> Table INCOMING |
                                                   |
                                Table OUTGOING ----+

The problem is that the routing decision is done AFTER processing the
forward table, but BEFORE the postrouting table (NAT). So it is possible
to modify the packets in POSTROUTING in such a way that they will go out via
device A, but have the IP of the other device B.

If the "answer" packets come in at A (but are addressed to B), the
address will be checked and device A drops (/does not listen to) them.
("Hey, that packet is not for me !")

A possible unclean variant to fix that would be to put device A in the so
called "promisc" (promiscuous ?) mode, where all packets are processed.

The clean variant is _not_ to do NAT by the filter. Make the _routing_
decision depending on the filter. And NAT is done afterwards based on
the routing.

Hope I haven't told you too much wrong,
Sebastian

-=> Sebastian Bleikamp
-=> EMail:
-=> Phone: +49-172-6545394
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
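The sequence Sebastian describes (mark in mangle OUTPUT, let the mark select the routing table, then SNAT keyed on the interface the routing chose rather than on the mark), written up as an added dry-run shell script that is not part of the thread; the interface name, addresses and table name are assumed placeholders, and nothing is executed unless APPLY=1.

```shell
#!/bin/sh
# Added example, not from the LARTC thread. Placeholder values (assumed):
DEV="${DEV:-eth0}"                 # secondary interface that SMTP/SSH should leave on
SRC_IP="${SRC_IP:-192.0.2.10}"     # address configured on $DEV (TEST-NET placeholder)
GW="${GW:-192.0.2.1}"              # gateway reachable via $DEV (placeholder)
MARK=1
TABLE="mail.out"                   # must already be listed in /etc/iproute2/rt_tables

# Print each command; only execute it when APPLY=1 is set (needs root).
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Step 1: classify locally generated SMTP and SSH in the mangle OUTPUT chain,
# the same marking rule the thread uses, extended to port 22 as well.
mark_rules() {
  for port in 25 22; do
    run iptables -t mangle -A OUTPUT -p tcp --dport "$port" -j MARK --set-mark "$MARK"
  done
}

# Step 2: let the fwmark drive the routing decision, which happens before
# POSTROUTING, so the packet really leaves via $DEV.
route_rules() {
  run ip rule add fwmark "$MARK" table "$TABLE"
  run ip route add default via "$GW" dev "$DEV" src "$SRC_IP" table "$TABLE"
}

# Step 3: NAT "based on the routing": match on the output interface the
# routing lookup selected (-o $DEV) instead of on the mark, so the source
# address is rewritten only for packets that actually go out via $DEV.
snat_rule() {
  run iptables -t nat -A POSTROUTING -o "$DEV" -j SNAT --to-source "$SRC_IP"
}

# Emits (or applies) the full rule set in order.
policy_routing_commands() {
  mark_rules
  route_rules
  snat_rule
}
```

Run it once without APPLY to review the generated commands, then with APPLY=1 as root to install them.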