Linux Netfilter discussions
From: Alistair Tonner <Alistair@nerdnet.ca>
To: netfilter@lists.netfilter.org
Subject: Re: Dual ISPs - controlled path for certain ports - ip route 2 balancing for others
Date: Thu, 23 Sep 2004 09:18:41 -0400
Message-ID: <200409230918.41588.Alistair@nerdnet.ca>
In-Reply-To: <4152987C.90100@fastwebnet.it>

On September 23, 2004 05:33 am, Primero wrote:
> Alistair Tonner wrote:
> > I'm wondering if
> > there are rules I can use (consider that the webserver/mailserver and FTP
> > server are sadly on the firewall at the moment) to force the servers to
> > reply via the DSL or internal lan only, even if the default route points
> > at the cable link? (this would be a quick and dirty solution for me) --
> > the cablelink will have to shortly support a VPN tunnel back to work.
>
> I was using iproute2 like you until one day I decided to "man iptables" ....
>
> I've found in the EXTENSIONS TARGET section:
>
> ....
> ROUTE
>
>        --continue
>               Behave like a non-terminating target and continue
>               traversing the rules.  Not valid in combination with `--iif'
> ....
>
> This way you can use the normal matching syntax of iptables and change the
> routing decision about the "interesting traffic".
> I hope it works since I had no time yet to try it out ... let us know :)
>

	*thwacks* self in head -- yes .. I've noted this in the past myself ... but it
had just wandered off into space ... thanks ... I've just recompiled the
kernel ... the reason it wandered was that ROUTE is NOT in most default
kernel configs, it's in patch-o-matic.  I'm running Gentoo which does NOT have
any consistent method of pulling in patch-o-matic.  POM on Gentoo takes some
more work than normal, but I've got it patched in and up and running.

	Further question to the list.  Consider that I'm using iproute2 to share the
connection to two different ISPs, and I want specific traffic from my
internal network to only go out one interface.  Where in mangle would I put
these rules?

	For the moment I'm trying this by putting them in PREROUTING since I'd want
the oif to OVERRIDE routing decisions -- I have my SNAT rules in place based
on output interface, but perhaps my logic is wrong ...   Has anyone done this
yet or am I headed for experimental territory?

	*grins*


	Alistair Tonner
	Rogers Shared Operations,
	Senior Operational Analyst,
	(soon to be junior HP/UX os support)
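The setup the two posts above are circling (pin chosen ports to the DSL link, let everything else follow the default route, and make daemons on the firewall itself answer over the link whose address they were reached on) can be built with the stock MARK target plus iproute2 policy rules, without the patch-o-matic ROUTE target Primero quoted. The script below is an added example written for this thread, not code from either poster; the interface names, addresses, table numbers and port list are assumed placeholders (RFC 5737 documentation addresses). It defaults to DRY_RUN=1, which prints each command instead of running it, so the generated rule set can be reviewed before it touches a live firewall. It also answers the "where in mangle" question from the reply: forwarded LAN traffic is marked in PREROUTING, which runs before the routing decision, while locally generated traffic never passes PREROUTING and has to be marked in OUTPUT, after which the kernel re-runs the routing decision because the mark changed.

```shell
#!/bin/sh
# Added example (not from the thread): two-ISP policy routing with fwmark +
# iproute2. All interface names, addresses and ports below are assumed
# placeholders; override them through the environment for a real network.
LAN_IF="${LAN_IF:-eth0}"
CABLE_IF="${CABLE_IF:-eth1}"; CABLE_GW="${CABLE_GW:-203.0.113.1}"; CABLE_IP="${CABLE_IP:-203.0.113.10}"
DSL_IF="${DSL_IF:-ppp0}";     DSL_GW="${DSL_GW:-198.51.100.1}";   DSL_IP="${DSL_IP:-198.51.100.10}"
DSL_TABLE=100      # numeric table ids need no entry in /etc/iproute2/rt_tables
CABLE_TABLE=200
DSL_MARK=1         # fwmark meaning "route this packet via the DSL link"
DSL_PORTS="${DSL_PORTS:-25 80 21}"   # services pinned to DSL (assumed: smtp, http, ftp)

# DRY_RUN=1 (the default) prints each command instead of executing it, so the
# rule set can be reviewed, or tested, on a box without root or iptables.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

routing_tables() {
    # One table per link, each with its own default gateway.
    run ip route add default via "$DSL_GW" dev "$DSL_IF" table "$DSL_TABLE"
    run ip route add default via "$CABLE_GW" dev "$CABLE_IF" table "$CABLE_TABLE"
    # Source-address rules: a daemon on the firewall that was reached on the
    # DSL address answers from that address, so its replies leave via DSL
    # regardless of the main table's default route (the first post's wish).
    run ip rule add from "$DSL_IP" table "$DSL_TABLE"
    run ip rule add from "$CABLE_IP" table "$CABLE_TABLE"
    # Marked packets consult the DSL table before the main table is tried.
    run ip rule add fwmark "$DSL_MARK" table "$DSL_TABLE"
    run ip route flush cache
    # Caveat: strict reverse-path filtering drops packets that arrive on the
    # link which is not the main-table route back to their source, which is
    # exactly what happens on the non-default ISP. Relax it for this setup.
    run sysctl -w net.ipv4.conf.all.rp_filter=0
}

mark_rules() {
    for port in $DSL_PORTS; do
        # Forwarded traffic from the LAN: mangle PREROUTING runs before the
        # routing decision, so the mark is already set when the route is chosen.
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport "$port" \
            -j MARK --set-mark "$DSL_MARK"
        # Traffic generated on the firewall itself never passes PREROUTING; it
        # is marked in mangle OUTPUT and the kernel re-routes it on mark change.
        run iptables -t mangle -A OUTPUT -p tcp --sport "$port" \
            -j MARK --set-mark "$DSL_MARK"
    done
}

nat_rules() {
    # SNAT keyed on output interface, as in the reply: LAN traffic leaves with
    # the address of whichever link the (mark or default) routing decision picked.
    run iptables -t nat -A POSTROUTING -o "$DSL_IF" -j SNAT --to-source "$DSL_IP"
    run iptables -t nat -A POSTROUTING -o "$CABLE_IF" -j SNAT --to-source "$CABLE_IP"
}

apply_policy_routing() {
    routing_tables
    mark_rules
    nat_rules
}

apply_policy_routing
```

Run it once as-is to read the generated commands, then with `DRY_RUN=0` as root to apply them. Because the marks are per packet, the LAN-side PREROUTING rules only steer the outbound direction of a connection; the inbound replies are pulled back by the SNAT state, so no mark is needed on them.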


Thread overview: 3 messages
2004-09-22 17:15 Dual ISPs - controlled path for certain ports - ip route 2 balancing for others  Alistair Tonner
2004-09-23  9:33 ` Primero
2004-09-23 13:18   ` Alistair Tonner [this message]