iptables + multiple gateways not firewalling

Werner Schram wrschram at gmail.com
Sun Dec 13 13:44:18 UTC 2009


Hi Ian,

Ian Coetzee wrote:
> On 12/12/2009 15:25, Ian Coetzee wrote:
>   
>> On Sat, Dec 12, 2009 at 2:31 PM, Werner Schram<wrschram at gmail.com>  wrote: 
>>     
>>> So the rules are evaluated in order of the priority given to them, and
>>> evaluation stops once a rule is matched. So I think that because your
>>> SMTP traffic matches rule 0, rule 32765 will not be evaluated. So
>>> editing rule 0 to not match 0x10 should solve this problem.     
>>>       
> OK, an update on this status.
>
> I reverted back to using only one interface, and surprise, surprise, it 
> works. The only thing I changed was to move the IP to eth0 (as well as 
> all the related routes).
>
> Now I have a question. Why does it work using one ether, but not two? My 
> guess is that it sets all the packets to be routed out through eth0, 
> then it gets marked and by then it's too late (that's just my theory, prove 
> me wrong please :) )
>   
No, I think you are right; look at the mangle section in your iptables 
setup (I copied this from your original mail, so it still includes the 
--sport setup):

*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
#mark outgoing tcp/25 packets for routing
-A OUTPUT -p tcp -m tcp --sport 25 -j MARK --set-mark 0x10
COMMIT

The mark target is in the POSTROUTING section, which is after the 
nexthop and the interface have been decided. So you should move it to 
PREROUTING.

Werner
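The point of the thread is where in the mangle table a packet gets its fwmark relative to the kernel's routing decision, and how that mark is then turned into a route via a second gateway. The script below is an added example written for this page; it is not code from either poster. It generalises the thread's single case to both kinds of SMTP traffic: packets the host itself generates (marked in mangle OUTPUT, after which the kernel re-runs the route lookup) and packets forwarded from other hosts (marked in mangle PREROUTING, before the forwarding decision). POSTROUTING is too late for both, because the output interface and nexthop are already fixed. The gateway address, table number and interface name are placeholders, and the script only prints the rule sets rather than loading them.

```shell
#!/bin/sh
# Constructed example: route outbound SMTP via a second gateway.
# All values below are placeholders, not taken from the thread.
MARK=0x10
TABLE=100
GW2=192.0.2.1      # placeholder: gateway reachable on the second interface
IFACE2=eth1        # placeholder: second interface

# Emit a mangle section in iptables-restore format.
# OUTPUT:     locally generated mail. The route lookup is repeated after the
#             mangle OUTPUT chain, so a mark set here changes the route.
# PREROUTING: mail forwarded for LAN hosts, marked before the routing decision.
# Note the match is --dport 25: an outbound SMTP client connection has
# destination port 25 and an ephemeral source port, so --sport 25 would only
# match replies from a local SMTP server, not the mail this host sends.
mangle_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# locally generated SMTP
-A OUTPUT -p tcp --dport 25 -j MARK --set-mark $MARK
# SMTP forwarded from LAN hosts
-A PREROUTING -p tcp --dport 25 -j MARK --set-mark $MARK
COMMIT
EOF
}

# Policy-routing side: marked packets consult table $TABLE, whose only route
# is a default via the second gateway. The explicit priority keeps the rule
# ahead of the main table (32766) without clobbering rule 0 (local table).
policy_routes() {
    cat <<EOF
ip rule add fwmark $MARK lookup $TABLE priority 100
ip route add default via $GW2 dev $IFACE2 table $TABLE
EOF
}

# Lint a mangle section read from stdin: a MARK rule in POSTROUTING can never
# influence routing, so flag it. Returns 0 when clean, 1 when a late mark exists.
check_late_marks() {
    late=$(grep -c -E '^-A POSTROUTING .*-j MARK' || true)
    [ "$late" -eq 0 ]
}

# Stand-alone use: print the corrected mangle table and the ip commands.
if [ "${1:-}" = "show" ]; then
    mangle_rules
    policy_routes
fi
```

Run it as `sh example.sh show` to see the generated rules; `mangle_rules | check_late_marks` exits 0 for the corrected table, and feeding it a ruleset that marks in POSTROUTING makes it exit 1.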
More information about the ubuntu-users mailing list