On Mon, 2007-04-09 at 10:54 -0400, Lennart Sorensen wrote:
> On Sun, Apr 08, 2007 at 08:29:07PM +0100, W Agtail wrote:
> > This is what I'm trying to achieve with the following iptables/iproute2
> > configuration on both web servers:
> >
> > iptables -t mangle -A PREROUTING -p tcp --dport 8088 -i eth0 -j LOG --log-prefix "fwmark 1: "
> > iptables -t mangle -A PREROUTING -p tcp --dport 8089 -i eth0 -j LOG --log-prefix "fwmark 2: "
> >
> > iptables -t mangle -A PREROUTING -p tcp --dport 8088 -i eth0 -j MARK --set-mark 1
> > iptables -t mangle -A PREROUTING -p tcp --dport 8089 -i eth0 -j MARK --set-mark 2
>
> You are supposed to mangle things _coming_ from port 8088 and 8089.
> After all it is the replies you are trying to affect, not the requests.
> So it should be the --sport not --dport. And of course outbound not
> incoming on eth0.
>
> > iptables -t mangle -A PREROUTING -m mark --mark 1 -j LOG --log-prefix "marked 1: "
> > iptables -t mangle -A PREROUTING -m mark --mark 2 -j LOG --log-prefix "marked 2: "
> >
> > ip route add table 1 default via 10.18.35.11 dev eth0 # GW1
> > ip route add table 2 default via 10.18.35.21 dev eth0 # GW2
> >
> > ip rule add fwmark 1 table 1
> > ip rule add fwmark 2 table 2
> >
> > On web2, the default gw is set to gw2 and in /var/log/messages, I can
> > see packets appear to be marked. However, for some reason, 8088 is still
> > routing back via gw2 (default gw) rather than being routed via gw1,
> > which I'm trying to do with the above ip rules etc.
> >
> > Is the above the correct syntax? Or I guess I could totally be missing
> > the plot?
> >
> > Many thanks for your time on this one.
>
> Hope that helps.
>
> --
> Len Sorensen
Hi there, and thanks v. much for getting back to me on this one.

I now have changed iptables on the web servers to the following:

iptables -t mangle -A POSTROUTING -p tcp --sport 8088 -o eth0 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -p tcp --sport 8089 -o eth0 -j MARK --set-mark 2

But I'm still seeing traffic being returned via gw2 for port 8088 :(

Any ideas?

Thanks.
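The following script is an added example and is not from either poster; it shows the per-port policy-routing setup the thread is working toward, with the mark applied in the mangle OUTPUT chain. For packets the web server itself generates (the replies), the kernel makes its routing decision before the POSTROUTING hook runs, so a mark set in POSTROUTING can no longer change the route; a mark set in mangle OUTPUT causes the packet to be re-routed, which is what the fwmark rules need. The gateway addresses, ports, interface and table numbers are the ones quoted in the thread; the function names, the DRY_RUN switch and the sample `ip rule show` output are assumptions constructed for this example. By default it only prints the commands it would run; set DRY_RUN=0 as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): route replies from two local
# listening ports out through two gateways using fwmark-based policy routing.
# Values below are taken from the thread; DRY_RUN and the helper names are
# assumptions for this example.

GW1=10.18.35.11     # table 1, replies from port 8088
GW2=10.18.35.21     # table 2, replies from port 8089
IFACE=eth0
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands only, 0 = execute them

# Emit the commands for one port/mark/table/gateway tuple.
# The MARK rule lives in mangle OUTPUT: the OUTPUT hook runs after the first
# routing decision and a changed mark there triggers a re-route, whereas a
# mark set in POSTROUTING is too late to influence the route at all.
policy_route_cmds() {
    port=$1; mark=$2; table=$3; gw=$4
    cat <<EOF
iptables -t mangle -A OUTPUT -p tcp --sport $port -o $IFACE -j MARK --set-mark $mark
ip route replace default via $gw dev $IFACE table $table
ip rule add fwmark $mark table $table
EOF
}

# Print (or, with DRY_RUN=0, execute) the full configuration.
apply_policy_routing() {
    {
        policy_route_cmds 8088 1 1 "$GW1"
        policy_route_cmds 8089 2 2 "$GW2"
        # Older kernels cache routes; flushing makes new rules take effect
        # immediately. On kernels without a route cache this is a no-op.
        echo "ip route flush cache"
    } | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}

# Verification helper: reads "ip rule show" output on stdin and succeeds
# only if a rule for fwmark $1 exists with a lower priority number than
# the "lookup main" rule (rules are evaluated in ascending priority, so a
# fwmark rule sorted after main would never be consulted).
fwmark_rule_active() {
    mark=$1
    awk -v mark="$mark" '
        /lookup main/ { sub(":", "", $1); main_pref = $1 }
        $0 ~ ("fwmark 0x" mark " ") || $0 ~ ("fwmark " mark " ") {
            sub(":", "", $1); mark_pref = $1
        }
        END {
            exit !(mark_pref != "" && main_pref != "" && mark_pref + 0 < main_pref + 0)
        }'
}

# Constructed sample of "ip rule show" output for the checks below:
# only the mark-1 rule has been added so far.
SAMPLE_IP_RULE='0:	from all lookup local
32765:	from all fwmark 0x1 lookup 1
32766:	from all lookup main
32767:	from all lookup default'

apply_policy_routing
```

With DRY_RUN left at 1 the script prints the six iptables/ip commands plus the cache flush; after applying them for real, piping `ip rule show` into `fwmark_rule_active 1` confirms the rule is in place and ordered ahead of the main table, which is the first thing to check when marked traffic still leaves via the default gateway.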