To: gentoo-user@lists.gentoo.org
From: Grant Edwards
Subject: [gentoo-user] Re: OT: default route dependent on dest port?
Date: Fri, 4 Oct 2013 23:08:22 +0000 (UTC)
References: <524F37E4.6040106@fastmail.co.uk>
User-Agent: slrn/1.0.1 (Linux)
List-Id: Gentoo Linux mail

On 2013-10-04, Grant Edwards wrote:
> On 2013-10-04, Grant Edwards wrote:
>> On 2013-10-04, Kerin Millar wrote:
>>> On 04/10/2013 21:55, Grant Edwards wrote:
>>
>>>> I then add an iptables rule like this:
>>>>
>>>> iptables -A OUTPUT -t mangle -p tcp --dport 80 -j MARK --set-mark 1
>>
>> I'm about to try adding a second iptables rule to use the nat table to
>> rewrite the source IP address. Something like this:
>>
>> iptables -A POSTROUTING -t nat -o net2 -m mark --mark 1 -j SNAT --to 172.16.1.2
>
> I also tried
>
> iptables -A POSTROUTING -t nat -o net2 -p tcp --dport 80 -j SNAT --to 172.16.1.2
>
> [I don't think the second rule is quite right, though, since it will
> also match packets that _don't_ need to have the source IP
> re-written.]
>
> Both produced the same results: outbound packets look correct (they
> have a source address that's valid for the net2 interface). But,
> inbound packets don't seem to reach the TCP stack:

If I disable reverse-path filtering then it works. [I'm using the
first SNAT rule that matches based on the mark], but I don't really
like disabling all the reverse path filtering.

Is there a cleaner way to accomplish this that doesn't fall afoul of
rp_filter?

-- 
Grant Edwards               grant.b.edwards        Yow! I have accepted
                                  at               Provolone into my life!
                              gmail.com
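The mark + policy-route + SNAT setup the message describes, with reverse-path filtering relaxed only on net2 instead of disabled everywhere, as an added example that is not code from the original post. The gateway 172.16.1.1, fwmark 1, table 100 and the DRY_RUN layout are assumptions of the example; the net2 interface and 172.16.1.2 come from the thread.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values: net2's upstream
# gateway 172.16.1.1 (placeholder), fwmark 1 and routing table 100.
set -eu

NET2_IF=net2
NET2_ADDR=172.16.1.2
NET2_GW=172.16.1.1      # placeholder gateway, not from the thread
MARK=1
TABLE=100

# With DRY_RUN set, print each command instead of running it, so the plan
# can be reviewed on a host without root or without a net2 interface.
run() {
  if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# 1. Mark locally generated TCP/80 traffic (same rule as in the thread).
mark_rules() {
  run iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark "$MARK"
}

# 2. Policy routing: marked packets consult table $TABLE, whose default
#    route points out net2 instead of the main table's default.
policy_routes() {
  run ip rule add fwmark "$MARK" table "$TABLE"
  run ip route add default via "$NET2_GW" dev "$NET2_IF" table "$TABLE"
}

# 3. SNAT only marked packets leaving net2, so other flows that happen to
#    exit net2 keep their own source address (the thread's first rule).
snat_rules() {
  run iptables -t nat -A POSTROUTING -o "$NET2_IF" -m mark --mark "$MARK" \
      -j SNAT --to-source "$NET2_ADDR"
}

# 4. Instead of turning rp_filter off globally, put net2 in "loose" mode (2):
#    replies arriving on net2 are accepted if their source is reachable via
#    any interface. The kernel applies the larger of conf.all.rp_filter and
#    conf.<iface>.rp_filter, so setting only net2 leaves other interfaces
#    strict.
rp_filter_loose() {
  run sysctl -w "net.ipv4.conf.${NET2_IF}.rp_filter=2"
}

apply_all() { mark_rules; policy_routes; snat_rules; rp_filter_loose; }

# Usage: DRY_RUN=1 sh policy-route.sh apply   (print plan)
#        sh policy-route.sh apply             (as root, apply it)
if [ "${1:-}" = apply ]; then apply_all; fi
```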