On Mar 28 2007 14:21, Ray Leach wrote:
>
>The problem was that reverse path filtering had to be enabled on the
>eth4 interface. All my other interfaces have reverse path filtering
>disabled, so what's the difference with this one?
I suspect something, hence please try
>> > >iptables -A FORWARD -i eth0 -p tcp --dport 80 -s 10.0.0.3 -j ACCEPT
>> > >iptables -A FORWARD -i eth4 -p tcp --sport 80 -d 10.0.0.3 -j ACCEPT
>> > >
>> > >iptables -A FORWARD -t mangle -p tcp --dport 80 -s 10.0.0.3 -j MARK
>> > >--set-mark 0x4
iptables -t mangle -A PREROUTING/FORWARD -i eth4 -p tcp --sport 80 -d 10.0.0.3 \
    -j MARK --set-mark 0x4
with rp_filter=1 again.
I believe the reverse route stuff does not get it, because return packets are
not marked. Or, I'd also suggest
iptables -t mangle -A FORWARD -m conntrack --ctstate NEW \
    -s 10.0.0.3 -p tcp --dport 80 -j CONNMARK --set-mark 4;
iptables -t mangle -A FORWARD -j CONNMARK --restore-mark;
(Or use nat's PREROUTING for the initial CONNMARK - many ways of doing things)
Jan
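The CONNMARK approach Jan sketches, carried through to a complete fwmark policy-routing setup that keeps rp_filter=1 on the alternate uplink. This is an added example and is not code from the thread or from either poster. Everything beyond the thread's 10.0.0.3 client, eth4 interface and mark value is assumed for illustration: routing table 100, a gateway of 192.0.2.1 on eth4, and the use of mangle PREROUTING (rather than FORWARD) so the mark is already present when the routing decision and the reverse-path check happen. Without "apply" it only prints the commands; with "apply" it runs them as root.

```shell
#!/bin/sh
# Added example (not from the original thread): fwmark-based policy routing
# with CONNMARK so that return packets carry the same mark as the outgoing
# ones and survive strict reverse path filtering on the uplink.
#
# Assumptions, not taken from the thread: client 10.0.0.3 is the only thing
# in the thread; table 100, gateway 192.0.2.1 (a documentation address) and
# the choice of mangle PREROUTING are constructed for this example.

MARK=4
TABLE=100
CLIENT=10.0.0.3
WAN_IF=eth4
WAN_GW=192.0.2.1   # constructed example gateway address

# Emit the commands as text so they can be reviewed (or tested) before use.
build_rules() {
    cat <<EOF
# Mark the first packet of each new HTTP connection from the client.
iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -s $CLIENT -p tcp --dport 80 -j CONNMARK --set-mark $MARK
# Copy the connection mark onto every later packet of the flow, both
# directions. Without this the replies arriving on $WAN_IF carry no mark,
# so rp_filter looks up the reverse route in the main table and drops them.
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
# Marked traffic (and, via rp_filter, its reverse lookup) uses table $TABLE.
ip rule add fwmark $MARK table $TABLE
ip route add default via $WAN_GW dev $WAN_IF table $TABLE
# Strict reverse path filtering can now stay enabled on $WAN_IF.
sysctl -w net.ipv4.conf.$WAN_IF.rp_filter=1
EOF
}

# Self-check: number of rules that restore the connection mark. It must be
# at least 1, otherwise return traffic is unmarked and fails the rp_filter
# reverse lookup exactly as described in the thread.
restore_rule_count() {
    build_rules | grep -c -- '--restore-mark'
}

if [ "$1" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must be root to apply" >&2; exit 1; }
    [ "$(restore_rule_count)" -ge 1 ] || { echo "no --restore-mark rule" >&2; exit 1; }
    build_rules | grep -v '^#' | sh -e
else
    build_rules
fi
```

The order matters: the --restore-mark rule must see every packet of the flow (hence a plain rule after the NEW one, not one restricted to --ctstate NEW), and both rules must live in a chain traversed before routing, because "ip rule ... fwmark" and the reverse-path check both consult the mark at routing time.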