From: Taylor Grant <gtaylor@riverviewtech.net>
To: Greg Cope <gregcope@gmail.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: How to make a mutli-homed host use one IP for a NAT'ed host
Date: Thu, 21 Apr 2005 09:53:29 -0500
Message-ID: <4267BE69.6080203@riverviewtech.net>
In-Reply-To: <c0e9781f0504210718566c4025@mail.gmail.com>
> Hi all,
>
> Hum... not quite working for me yet, nearly there but I get the error:
>
> "MARK: can only be called from "mangle" table, not "nat""
>
> So I used:
>
> iptables -A PREROUTING -i eth0 -t mangle -s $DMZ_HOST_IP -p tcp
> --dport 25 -j MARK --set-mark 2
Sorry, my mistake. It was late at night after a long day. :(
> Q: Is eth0 correct as this is the red/ INET IFACE and not the DMZ dev
> IFACE (that would be eth1)
No. I think you should use eth1 in your IPTables rule, as you are looking to mark the traffic that is coming back to the router/firewall from the DMZ/SMTP server and is outbound to the world. Basically you want to mark the SMTP server's returning traffic as a control handle that you can look for with an IPRoute2 rule, so that the routing core can decide which routing table to use to send the traffic back out to the world.
> And then:
>
> ip route add table $IPROUTE2_SMTP_TABLE dev $INET_IFACE src $MAIL_INET_ALIAS
> ip route add table $IPROUTE2_SMTP_TABLE default via $INET_IP
> ip rule add fwmark $SMTP_MARK table $IPROUTE2_SMTP_TABLE
>
> Where $SMTP_MARK=2 and $IPROUTE2_SMTP_TABLE=smtp.out
>
> I have "echo 25 smtp.out >> /etc/iproute2/rt_tables"
>
> Packets still come from the "wrong" IP address
>
> Any suggestions?
>
> Thanks.
>
> Greg
Try changing your eth0 to eth1 in your IPTables mark rule. Other than that (and my snafu about the wrong table) I think your setup should work just fine. I feel like you are very close to having what you want set up and working. :)
Grant. . . .
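The full setup the reply above describes, written out as an added example that is not part of the thread and is not either poster's script: the mangle mark on the DMZ-facing interface, a one-time rt_tables entry, the per-mark routing table and rule, and the nat/POSTROUTING SNAT that selects the public source address for the forwarded packets. One caveat a practitioner wants here: "src" on a route is only a source-address hint for packets the firewall itself originates, so a forwarded packet from the DMZ host keeps its private source address until nat/POSTROUTING rewrites it; the mark and the extra table decide which route is used, the SNAT rule decides which address the packet leaves with. Interface names, the addresses, the upstream gateway ($INET_GW), the table id, and the function names are all assumptions. The script prints the commands by default; run it with DRY_RUN=0 as root to apply them.

```sh
#!/bin/sh
# Added example, not code from the thread: route and SNAT one NATed DMZ
# host's outbound SMTP through a secondary public address on a multi-homed
# firewall. Interfaces, addresses, gateway, table id and names are assumed.
set -eu

INET_IFACE=${INET_IFACE:-eth0}                     # public ("red") interface
DMZ_IFACE=${DMZ_IFACE:-eth1}                       # interface facing the DMZ
INET_GW=${INET_GW:-203.0.113.1}                    # upstream gateway (assumed)
MAIL_INET_ALIAS=${MAIL_INET_ALIAS:-203.0.113.25}   # public address SMTP must use
DMZ_HOST_IP=${DMZ_HOST_IP:-10.0.1.25}              # private address of the SMTP server
SMTP_MARK=${SMTP_MARK:-2}
SMTP_TABLE_ID=${SMTP_TABLE_ID:-25}
SMTP_TABLE=${SMTP_TABLE:-smtp.out}
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}
DRY_RUN=${DRY_RUN:-1}   # 1: print the commands; 0: execute them (needs root)

# Print a command, or run it when DRY_RUN=0.
run() {
    if [ "$DRY_RUN" != 0 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Register the table name once. "echo ... >> rt_tables" in a boot script
# appends a duplicate line every time it runs.
ensure_rt_table() {
    if [ -f "$RT_TABLES" ] && grep -Eq "^$SMTP_TABLE_ID[[:space:]]+$SMTP_TABLE\$" "$RT_TABLES"; then
        return 0
    fi
    run sh -c "echo '$SMTP_TABLE_ID $SMTP_TABLE' >> $RT_TABLES"
}

# The secondary public address has to exist on the outside interface before
# anything can be sent from it.
ensure_alias() {
    run ip addr replace "$MAIL_INET_ALIAS/32" dev "$INET_IFACE"
}

# Policy-routing half: mark the server's port-25 packets as they arrive from
# the DMZ side (mangle/PREROUTING runs before the routing decision, so the
# fwmark rule below can steer them into the dedicated table).
policy_routing_rules() {
    run iptables -t mangle -A PREROUTING -i "$DMZ_IFACE" -s "$DMZ_HOST_IP" \
        -p tcp --dport 25 -j MARK --set-mark "$SMTP_MARK"
    run ip route replace default via "$INET_GW" dev "$INET_IFACE" \
        src "$MAIL_INET_ALIAS" table "$SMTP_TABLE"
    run ip rule add fwmark "$SMTP_MARK" table "$SMTP_TABLE"
}

# NAT half: "src" on a route is only a hint for packets the firewall itself
# originates. A forwarded packet keeps the DMZ host's private source address
# until nat/POSTROUTING rewrites it, so this SNAT rule is what selects the
# public address. Insert it ahead of any catch-all MASQUERADE/SNAT rule.
snat_rules() {
    run iptables -t nat -I POSTROUTING -o "$INET_IFACE" -s "$DMZ_HOST_IP" \
        -p tcp --dport 25 -j SNAT --to-source "$MAIL_INET_ALIAS"
}

apply_smtp_policy() {
    ensure_rt_table
    ensure_alias
    policy_routing_rules
    snat_rules
}

apply_smtp_policy
```

To confirm it took effect, watch the packet counters on the two rules while the SMTP server makes an outbound connection (`iptables -t mangle -vnL PREROUTING` and `iptables -t nat -vnL POSTROUTING`); a rising mangle counter with a flat nat counter means the mark is being applied but the packets are still leaving with whatever source the general SNAT/MASQUERADE rule gives them. On a current iproute2, `ip route get <external address> from $DMZ_HOST_IP iif $DMZ_IFACE mark $SMTP_MARK` shows which table a marked packet is routed by, though not the NATed source. Note that `ip rule add` is not idempotent: re-running the script adds a duplicate rule, so delete the old one (`ip rule del fwmark $SMTP_MARK table $SMTP_TABLE`) first.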
Thread overview:
2005-04-21 6:52 How to make a mutli-homed host use one IP for a NAT'ed host Greg Cope
2005-04-21 7:17 ` Taylor Grant
[not found] ` <c0e9781f05042102544437b319@mail.gmail.com>
2005-04-21 14:18 ` Greg Cope
2005-04-21 14:53 ` Taylor Grant [this message]
2005-04-21 15:12 ` Greg Cope
2005-04-21 18:13 ` Taylor, Grant
2005-04-21 19:07 ` Greg Cope
2005-04-21 19:21 ` Taylor, Grant