Re: conntrack ctstate - multiple ISP links

Linux Netfilter discussions
 help / color / mirror / Atom feed

From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter <netfilter@vger.kernel.org>
Subject: Re: conntrack ctstate - multiple ISP links
Date: Thu, 04 Oct 2007 15:58:24 +0200	[thread overview]
Message-ID: <4704F180.5000200@plouf.fr.eu.org> (raw)
In-Reply-To: <4704EB43.2000902@darkstar.nom.za>

[Please send your reply on the list so everyone can see it]

Paulo Andre a écrit :
>>
>>> Apparently I need this to get multiple isp links working correctly on 
>>> a FW. Packets entering interface eth2/eth3 all still leaving eth1, 
>>> default GW.
>>
>> Can you elaborate ?
> 
> The incoming packets are not leaving out of the correct interfaces, 
> someone else has suggested that I need to use iptables as below:
> 
> iptables -t mangle -N alreadyestablished
> iptables -t mangle -A alreadyestablished -j CONNMARK --restore-mark
> 
> iptables -t mangle -A PREROUTING -m connmark ! --mark 0 -j 
> alreadyestablished
> iptables -t mangle -A PREROUTING -m ctstate --conntrack NEW -i eth1 -j 
> CONNMARK --set-mark 11
> iptables -t mangle -A PREROUTING -m ctstate --conntrack NEW -i eth2 -j 
> CONNMARK --set-mark 12
> 
> and then iproute2 to route based on the 'mark'.
> Would this be the correct solution?

The principle is correct.

> I am trying to get ctstate working so that I can test this

The syntax is wrong. The correct syntax is "-m conntrack --ctstate NEW".
Besides, this just does the same as "-m state --state NEW".

next prev parent reply	other threads:[~2007-10-04 13:58 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2007-10-04  8:29 conntrack ctstate - multiple ISP links Paulo Andre
2007-10-04 10:33 ` Pascal Hambourg
     [not found]   ` <4704EB43.2000902@darkstar.nom.za>
2007-10-04 13:58     ` Pascal Hambourg [this message]
2007-10-04 14:53       ` Paulo Andre

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4704F180.5000200@plouf.fr.eu.org \
    --to=pascal.mail@plouf.fr.eu.org \
    --cc=netfilter@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox