routeing, SNAT, MASQ, and fwmark

Rusty Russell rusty@linuxcare.com.au
Thu, 30 Nov 2000 16:31:53 +1100


In message <20001126123150.S26953@ns> you write:
> 	Perhaps I can shed a bit more light here.  The problem appears to be,
> for me, that MASQ'ing and SNAT'ing don't remember the outbound connection w=
> hen
> it was gotten to via fwmark when it comes back.

Testing here reveals that the route filtering and mark don't play well
together.  Try:

# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f; done
# echo 1 > /proc/sys/net/ipv4/route/flush

Then run your tests again.  If that's the problem, just disable route
filtering on the interface where the replies to the marked packets
come in.

Playing with this stuff can find some wierd corner cases: also, I
presume your IP is static, so you should use DNAT, not MASQUERADE.

Hope that helps,
Rusty.
--
Hacking time.