Re: iptables NAT routing issues

NetFilter

Re: iptables NAT routing issues

To:	Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
Subject:	Re: iptables NAT routing issues
From:	Bas Verhoeven <netfilter@bserved.nl>
Date:	Thu, 10 May 2007 22:06:00 +0200
Cc:	netfilter@lists.netfilter.org
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	netfilter-list1@securepoint.com
In-reply-to:	<464372FE.1070802@plouf.fr.eu.org>
List-archive:	</pipermail/netfilter>
List-help:	<mailto:netfilter-request@lists.netfilter.org?subject=help>
List-id:	General discussion and user questions <netfilter.lists.netfilter.org>
List-post:	<mailto:netfilter@lists.netfilter.org>
List-subscribe:	<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
List-unsubscribe:	<https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
References:	<4640E893.1010206@bserved.nl> <Pine.LNX.4.61.0705090024450.2342@yvahk01.tjqt.qr> <4640FAD0.9050301@plouf.fr.eu.org> <Pine.LNX.4.61.0705090036060.2342@yvahk01.tjqt.qr> <4640FDA9.5000706@bserved.nl> <464101DA.4070102@plouf.fr.eu.org> <46432A84.2010409@bserved.nl> <464372FE.1070802@plouf.fr.eu.org>
Sender:	netfilter-bounces@lists.netfilter.org
User-agent:	Thunderbird 2.0.0.0 (Windows/20070326)

Pascal Hambourg wrote:

Which option did you choose ?

We still have the outbound server DNAT-ing connections to thewebserver's ip, that worked fine.

On the webserver we now mark all outgoing web packets:

# iptables -t mangle -A OUTPUT -s <webserver_inner_ip> -p tcp --sport 80-j MARK --set-mark 2


And we use iproute2 to forward them back to the outbound server:

# ip rule add fwmark 2 pref 10 table web.out
# ip route add default via <outbound_box_ip> dev eth0 table web.out

Couldn't test with CONNMARK, as the box doesn't ship with that, but MARKworks great for now.

I did test your last option too, but that just didn't work and soundedvery hacky-ish, not something we could rely on, even if it worked.

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
iptables NAT routing issues, Bas Verhoeven Re: iptables NAT routing issues, Maximilian Wilhelm Re: iptables NAT routing issues, Jan Engelhardt Re: iptables NAT routing issues, Pascal Hambourg Re: iptables NAT routing issues, Jan Engelhardt Re: iptables NAT routing issues, Bas Verhoeven Re: iptables NAT routing issues, Pascal Hambourg Re: iptables NAT routing issues, Bas Verhoeven Re: iptables NAT routing issues, Pascal Hambourg Re: iptables NAT routing issues, Bas Verhoeven <= Re: iptables NAT routing issues, Pascal Hambourg Re: iptables NAT routing issues, Maximilian Wilhelm

Previous by Date:	Re: delete NAT conntrack entry., Jan Engelhardt
Next by Date:	Re: delete NAT conntrack entry., Jan Engelhardt
Previous by Thread:	Re: iptables NAT routing issues, Pascal Hambourg
Next by Thread:	Re: iptables NAT routing issues, Pascal Hambourg
Indexes:	[Date] [Thread] [Top] [All Lists]