iptables + multiple gateways not firewalling

Ian Coetzee ubuntu at iancoetzee.za.net
Sun Dec 13 16:30:35 UTC 2009


Hi Werner

On 13/12/2009 15:44, Werner Schram wrote:
> Hi Ian,
>
> Ian Coetzee wrote:
>
>> On 12/12/2009 15:25, Ian Coetzee wrote:
>>
>>
>>> On Sat, Dec 12, 2009 at 2:31 PM, Werner Schram <wrschram at gmail.com> wrote:
>>>
>>>
>>>> So the rules are evaluated in order of the priority given to them, and
>>>> evaluation stops once a rule is matched. So I think that because your
>>>> SMTP traffic matches rule 0, rule 32765 will not be evaluated. So
>>>> editing rule 0 to not match 0x10 should solve this problem.
>>>>
>>>>
>>     OK an update on this status.
>>
>> I reverted back to using only one interface, and surprise, surprise, it
>> works. The only thing I changed was to move the IP to eth0 (as well as
>> all the related routes).
>>
>> Now I have a question. Why does it work using one ether, but not two? My
>> guess is that it sets all the packets to be routed out through eth0,
>> then it gets marked and by then it's too late (that's just my theory, prove
>> me wrong please :) )
>>
>>
> No, I think you are right, look at your mangle section in your iptables
> setup (I copied this from your original mail, so it still includes the
> --sport setup):
>
> *mangle
> :FORWARD ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> #mark outgoing tcp/25 packets for routing
> -A OUTPUT -p tcp -m tcp --sport 25 -j MARK --set-mark 0x10
> COMMIT
>
> The mark target is in the POSTROUTING section, which is after the
> nexthop and the interface has been decided. So you should move it to
> PREROUTING.
>
Suddenly the battery falls on my head, and everything makes all the 
sense in the world.

I will try this tomorrow at work, to see if it does the trick, but I 
think it will :)

Thank you for your help
Regards
Ian
> Werner
>
>
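As an added example, not part of this thread or of Ian's configuration: a small script that prints (or, when run as root with the argument `apply`, loads) the mangle rules and the `ip rule` / `ip route` commands needed to steer port-25 traffic out a second uplink. The interface name, gateway address and routing table number are assumed placeholders. It marks forwarded packets in PREROUTING, which runs before the routing decision, and locally generated packets in OUTPUT, where the kernel re-evaluates the route when the mark changes; it also matches `--dport 25` rather than the `--sport 25` the thread mentions, since an outgoing SMTP connection is made *to* port 25. The `rule_order_ok` helper checks captured `ip rule show` output for the ordering the thread discusses: the fwmark rule must sort between `local` (0) and `main` (32766).

```shell
#!/bin/sh
# Added example, not the thread's own setup. Interface, gateway and table
# number are assumptions; the script only prints the configuration unless
# invoked as "apply" by root.

SMTP_MARK=0x10          # fwmark the ip rule keys on (same value as in the thread)
SMTP_TABLE=100          # routing table for the second uplink (assumption)
ALT_IFACE=eth1          # second uplink interface (assumption)
ALT_GW=192.0.2.1        # gateway on the second uplink (assumption, TEST-NET-2)

# Emit an iptables-restore fragment for the mangle table.
# - PREROUTING marks forwarded traffic before the route is chosen.
# - OUTPUT marks traffic generated on this host; after mangle OUTPUT the
#   kernel re-runs the routing decision for packets whose mark changed.
# - --dport 25: the outbound SMTP session connects *to* port 25.
gen_mangle_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# forwarded SMTP (e.g. from a LAN host) must be marked before routing
-A PREROUTING -p tcp --dport 25 -j MARK --set-mark ${SMTP_MARK}
# SMTP generated on this host
-A OUTPUT -p tcp --dport 25 -j MARK --set-mark ${SMTP_MARK}
COMMIT
EOF
}

# Emit the ip(8) commands: a dedicated table holding the alternate default
# route, and a rule whose priority sits between "local" (0) and "main"
# (32766) so marked packets consult that table first.
gen_ip_commands() {
    cat <<EOF
ip route replace default via ${ALT_GW} dev ${ALT_IFACE} table ${SMTP_TABLE}
ip rule add fwmark ${SMTP_MARK} lookup ${SMTP_TABLE} priority 32765
ip route flush cache
EOF
}

# Text-only check on "ip rule show" output ($1): succeeds when a rule for
# our fwmark exists and its priority is lower (evaluated earlier) than the
# rule that looks up the main table.
rule_order_ok() {
    printf '%s\n' "$1" | awk -v mark="$SMTP_MARK" '
        $0 ~ "fwmark "mark { sub(":", "", $1); m = $1 + 0; seen = 1 }
        /lookup main/     { sub(":", "", $1); main = $1 + 0; seen_main = 1 }
        END { exit !(seen && seen_main && m < main) }'
}

case "${1:-show}" in
    apply)
        gen_mangle_rules | iptables-restore --noflush
        gen_ip_commands | sh
        ;;
    *)
        gen_mangle_rules
        gen_ip_commands
        ;;
esac
```

Run it without arguments to review the generated configuration first; `iptables-restore --noflush` is used so existing filter rules stay in place, and `ip route flush cache` is included for older kernels that cache routes. The `rule_order_ok` check can be fed the output of `ip rule show` from the target machine to confirm the ordering before debugging further.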
