From: Kerin Millar
Date: Fri, 04 Oct 2013 22:49:24 +0100
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] OT: default route dependent on dest port?
Message-ID: <524F37E4.6040106@fastmail.co.uk>
List-Id: Gentoo Linux mail <gentoo-user@lists.gentoo.org>

On 04/10/2013 21:55, Grant Edwards wrote:
> Let's posit two network interfaces net1 (192.168.x.y/16) and net2
> (172.16.a.b/16). There's a NAT/gateway available on each of the
> networks. I want to use the 172.16 gateway for TCP connections to port
> 80 and the 192.168 gateway for everything else.
>
> I'm primarily following this example:
>
> http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html
>
> My "main" routing table contains all directly accessible subnets plus
> a default route via the 192.168 gateway.
>
> I created a second route table named "pmain" which is identical to
> "main" except it has a different default route via the 172.16 gateway.
>
> My ip rules are:
>
> 0: from all lookup local
> 10000: from all fwmark 0x1 lookup pmain
> 32766: from all lookup main
> 32767: from all lookup default
>
> I then add an iptables rule like this:
>
> iptables -A OUTPUT -t mangle -p tcp --dport 80 -j MARK --set-mark 1

It would help if you were to also supply the details of:

* ip -f inet -o a s
* ip route show table main
* ip route show table pmain

>
> Now all TCP packets destined for port 80 are sent to the 172.16
> gateway, _but_ they're being sent with a 192.168 source address. The
> TCP stack is apparently unaware of the advanced routing tricks and
> thinks that the packets are going out via the 192.168 gateway.
>
> IOW I've successfully re-routed TCP _packets_ but not the TCP
> _connection_.
>
> How do I tell the TCP stack that it's supposed to use the 172.16
> interface/gateway for connections to port 80?

--Kerin
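The setup described in the quoted post, as an added example that is not part of the original thread and not Kerin's or Grant's own commands. The reason the source address is wrong is ordering: the socket picks its source address at connect() time from the route the main table returns, and the fwmark is only applied later in the mangle OUTPUT chain, so the mark-based rule re-routes the packet but cannot change the address the socket already owns. The script below reproduces the post's table and rules, adds the two things the post is missing (an SNAT in nat POSTROUTING so port-80 flows leave net2 with the net2 address, and a loose rp_filter on net2 so the replies are not dropped), and prints the diagnostic output Kerin asked for. Interface names net1/net2 come from the post; the gateway and host addresses (192.168.1.1, 172.16.0.1, 172.16.0.2) and the table number 100 are placeholders you would replace with your own. By default the commands are printed rather than executed; run with APPLY=1 as root to apply them.

```shell
#!/bin/sh
# Added example for policy routing TCP port 80 via a second gateway.
# Assumed placeholders (override via the environment):
#   NET1/GW1  first interface and its NAT gateway (192.168.0.0/16 side)
#   NET2/GW2  second interface and its NAT gateway (172.16.0.0/16 side)
#   SRC2      the address assigned to NET2, used as source for port-80 flows
#   TABLE     numeric id of the "pmain" table (name it via /etc/iproute2/rt_tables)
NET1=${NET1:-net1};   GW1=${GW1:-192.168.1.1}
NET2=${NET2:-net2};   GW2=${GW2:-172.16.0.1};  SRC2=${SRC2:-172.16.0.2}
TABLE=${TABLE:-100};  MARK=0x1

# Dry-run wrapper: print the command unless APPLY=1 (needs root to execute).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# The diagnostics requested in the reply above.
show_state() {
    run ip -f inet -o a s
    run ip route show table main
    run ip route show table "$TABLE"
    run ip rule show
}

policy_route_port80() {
    # 1. Second table: the directly connected subnets plus a default via GW2.
    #    'src SRC2' is honoured only when the connect()-time lookup itself
    #    lands in this table; it does nothing for packets re-routed by mark.
    run ip route add 172.16.0.0/16 dev "$NET2" table "$TABLE"
    run ip route add 192.168.0.0/16 dev "$NET1" table "$TABLE"
    run ip route add default via "$GW2" dev "$NET2" src "$SRC2" table "$TABLE"

    # 2. Mark-based selection, as in the post: mark in mangle OUTPUT, then
    #    a rule that sends marked packets to the second table.
    run ip rule add fwmark "$MARK" lookup "$TABLE" pref 10000
    run iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark "$MARK"

    # 3. The missing piece: the socket already chose the net1 address from
    #    the main table, so rewrite the source as the packet leaves net2.
    #    conntrack reverses the translation for the replies.
    run iptables -t nat -A POSTROUTING -o "$NET2" -p tcp --dport 80 \
        -j SNAT --to-source "$SRC2"

    # 4. Strict reverse-path filtering would drop replies arriving on net2,
    #    because the main table routes the remote host via net1; use loose mode.
    run sysctl -w "net.ipv4.conf.$NET2.rp_filter=2"
}

show_state
policy_route_port80
```

On kernels from 4.17 onwards there is a cleaner alternative to the SNAT: `ip rule add ipproto tcp dport 80 lookup 100` matches on the destination port during the route lookup itself, including the lookup made at connect() time, so the socket takes its source address from the `src` hint on the pmain default route and no address rewriting is needed. Either way, check `ip route get 203.0.113.1 ipproto tcp dport 80` (or `ip route get 203.0.113.1 mark 0x1` for the mark variant) to confirm which table and source address the kernel selects.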