From: "Martin A. Brown" <mabrown-lartc@securepipe.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] port-mapping with 2 isps
Date: Thu, 24 Apr 2003 00:26:37 +0000
Message-ID: <marc-lartc-105114406406053@msgid-missing>
In-Reply-To: <marc-lartc-105113992702879@msgid-missing>
[ Diego; I figured others would be interested in this answer, so I am
copying the list. ]
: > See the thread which starts here:
: >
: > http://mailman.ds9a.nl/pipermail/lartc/2003q2/007952.html
: >
: > And the magic happens here:
: >
: > http://mailman.ds9a.nl/pipermail/lartc/2003q2/008090.html
:
: Thanks a lot! Maybe I can now see some light on this problem :)
:
: I was thinking of marking the output packet on the host server (with
: the same mark I'm using on the router box to route through the
: non-default gw). If I understood correctly, this is what has been done
: in the example below ...
Not quite (if I understand your explanation). First and foremost, the
fwmark is packet meta-data which does not survive once the packet leaves a
router.
The cleverness of the solution is to take advantage of the connection
tracking mechanism (which keeps state), to set an fwmark on a packet as
soon as the packet enters the machine.
Now your stateless IP routing mechanism (FIB || RPDB + routing tables)
makes a decision based on the packet and the meta-data (fwmark).
: iptables -t mangle -I PREROUTING -m conntrack --ctstate DNAT \
: --ctorigdst eee.fff.ggg.11 -j MARK --set-mark 2
:
: ip rule add fwmark 2 table T2
:
: But I still don't understand why rp_filter should be turned off...
rp_filter (reverse path filtering) described:
http://ipsysctl-tutorial.frozentux.net/ipsysctl-tutorial.html#AEN616
rp_filter is a sysctl which tells your Linux box to take some
anti-spoofing measures. Naturally, this anti-spoofing technique works to
your disadvantage if you wish to be able to reach a particular network (in
this case 0/0) through multiple interfaces. So, if you don't want the
kernel happily throwing away packets arriving on unexpected interfaces,
simply put a lightweight zero in rp_filter.
-Martin
--
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
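The setup Martin describes, as an added example that is not part of the thread: the commands a Linux router would run so that connections arriving on the second ISP's address are DNAT'ed to a LAN host and their replies leave through the second ISP. Interface names, addresses, gateways, the service port and the existence of an rt_tables entry for T2 are all assumptions.

```shell
# Added example (not from the thread). All interfaces, addresses and
# gateways are constructed placeholders; T2 is assumed to be defined in
# /etc/iproute2/rt_tables (or substitute a table number).
ISP1_IF=eth1;  ISP1_GW=192.0.2.1                      # default ISP
ISP2_IF=eth2;  ISP2_IP=198.51.100.11; ISP2_GW=198.51.100.1
LAN_IF=eth0;   LAN_NET=10.0.0.0/24;   SERVER=10.0.0.10
SERVICE_PORT=80
MARK=2; TABLE=T2

render_rules() {
    cat <<EOF
# 1. Publish the service on ISP2's address by DNAT'ing it to the LAN host.
iptables -t nat -A PREROUTING -i $ISP2_IF -d $ISP2_IP -p tcp --dport $SERVICE_PORT \\
    -j DNAT --to-destination $SERVER
# 2. Conntrack keeps per-connection state, so every packet of a connection
#    whose original destination was $ISP2_IP gets the mark as it enters the
#    router. A reply from $SERVER still carries source $SERVER here (the
#    un-DNAT happens after routing), so only conntrack state can identify it.
iptables -t mangle -A PREROUTING -m conntrack --ctstate DNAT \\
    --ctorigdst $ISP2_IP -j MARK --set-mark $MARK
# 3. The RPDB sends marked packets to table $TABLE, whose default route is
#    ISP2. Original-direction packets carry the mark too, so $TABLE also
#    needs the LAN route or they would never reach $SERVER.
ip rule add fwmark $MARK table $TABLE
ip route add $LAN_NET dev $LAN_IF table $TABLE
ip route add default via $ISP2_GW dev $ISP2_IF table $TABLE
ip route flush cache
# 4. rp_filter would drop packets arriving on $ISP2_IF because the main
#    table's route back to the sender points at $ISP1_IF. Disable it on the
#    uplinks (kernels 2.6.31+ also offer 2 = loose mode as a middle ground).
sysctl -w net.ipv4.conf.$ISP1_IF.rp_filter=0
sysctl -w net.ipv4.conf.$ISP2_IF.rp_filter=0
EOF
}

# Print the commands by default; apply them only when asked (needs root).
if [ "${APPLY:-0}" = 1 ]; then
    render_rules | sh -e
else
    render_rules
fi
```

Run it plainly to review the rules, then with `APPLY=1` as root to install them.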
Thread overview:
2003-04-23 23:17 [LARTC] port-mapping with 2 isps Diego Torres
2003-04-23 23:29 ` Martin A. Brown
2003-04-24 0:26 ` Martin A. Brown [this message]