Good day!
I'm having trouble with policy routing on etch with a linux-2.6.18-4-486 router and dual network interfaces.
I want to make a second MX for my domain on the same server as the first, but on another network interface from a second ISP.
These are my firewall settings:
CSD is the remote host
TEST1 is my server with the MX
#INPUT
iptables -t mangle --append PREROUTING --protocol tcp --syn -m state --state NEW --source $CSD --dst $TEST1 --in-interface eth1 --jump CONNMARK --set-mark 0x1
iptables -t mangle --append PREROUTING -m connmark --mark 0x1 --source $CSD --dst $TEST1 --in-interface eth1 --jump CONNMARK --restore-mark
iptables --append INPUT -m connmark --mark 0x1 --source $CSD --dst $TEST1 --in-interface eth1 --jump ACCEPT
# OUTPUT
iptables -t mangle --append OUTPUT -m connmark --mark 0x1 --source $TEST1 --dst $CSD --jump CONNMARK --restore-mark
iptables --append OUTPUT -m connmark --mark 0x1 --source $TEST1 --dst $CSD --out-interface eth1 --jump ACCEPT
These are my ip settings:
GATE is my default gw for the eth1 interface
ip route add $CSD dev eth1 table ytk
ip route add default via $GATE dev eth1 table ytk
/sbin/ip rule add fwmark 0x1 table ytk
The result is:
The iptables INPUT rules p***** well, but the output rules fail, because the packets want to get out through eth0.
May 22 16:18:09 test kernel: marked output finded IN= OUT=eth0 SRC=$TEST1 DST=$CSD LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=3029 WINDOW=5792 RES=0x00 ACK SYN URGP=0
I have googled this question for the last 3 days without success.
Where is the mistake, and why don't the packets marked 0x1 go out through eth1?
Does anybody have any ideas about this question?
Thanks in advance.
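An added example, not from the post above: the same dual-homed setup as a script, showing the source-address policy rule that usually makes connection marking unnecessary for services terminated on the host itself, next to a tidied mark-based variant of the approach in the post. The addresses, the DRY_RUN switch and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: policy routing for a dual-homed
# host that terminates TCP (an MX) on its second interface, eth1.
# Assumed/constructed values: ADDR1 is the eth1 address the second MX
# record points at, GATE is the ISP2 gateway, "ytk" is a table named in
# /etc/iproute2/rt_tables. DRY_RUN=1 (default) prints the commands; run
# as root with DRY_RUN=0 to apply them.
ADDR1="${ADDR1:-198.51.100.10}"
GATE="${GATE:-198.51.100.1}"
TABLE="ytk"
DRY_RUN="${DRY_RUN:-1}"

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Variant A: source-address rule. A server replies from the address the
# client connected to, so "from ADDR1" alone steers every reply of a
# connection that arrived on eth1 back out via eth1. No marks needed.
setup_source_routing() {
    run ip route replace default via "$GATE" dev eth1 table "$TABLE"
    run ip rule add from "$ADDR1" lookup "$TABLE" priority 100
}

# Variant B: connection-mark rule, the approach used in the post. The
# mark is set on the first inbound packet and copied back onto every
# later packet. The restore in mangle OUTPUT matters: a locally generated
# packet is routed before that chain and is re-routed only if the mark
# changed there, and only the re-route consults the fwmark rule.
setup_mark_routing() {
    run ip route replace default via "$GATE" dev eth1 table "$TABLE"
    run ip rule add fwmark 0x1 lookup "$TABLE" priority 101
    run iptables -t mangle -A PREROUTING -i eth1 -m state --state NEW \
        -j CONNMARK --set-mark 0x1
    run iptables -t mangle -A PREROUTING -i eth1 -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

# Show the routing decision the kernel makes for a reply to the remote
# host from ADDR1; with DRY_RUN=0 this queries the live tables.
check_reply_route() {
    run ip route get "$1" from "$ADDR1"
}

setup_source_routing
check_reply_route 203.0.113.5   # constructed remote address (the CSD host)
```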
--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@[EMAIL PROTECTED]
a subject of "unsubscribe". Trouble? Contact
listmaster@[EMAIL PROTECTED]