[LARTC] DNAT and Load Balancing

Alex Samad alex at samad.com.au
Fri Mar 2 19:39:13 CET 2007


On Fri, Mar 02, 2007 at 07:34:34PM +0100, francesco messineo wrote:
> I solved this exact problem (with incoming connections on three
> different adsl) markin packets on PREROUTING chain. Obviously with
> three different routing tables.
> 
> # incoming connections for DNAT to DMZ need to be marked here in PREROUTING
> iptables -t mangle -N mymark
> iptables -t mangle -F mymark
> # first of all RETURN for "local" interfaces
> iptables -t mangle -A mymark -i $E0_IF -j RETURN
> iptables -t mangle -A mymark -i $DMZ_IF -j RETURN
> iptables -t mangle -A mymark -i $VPN_IF -j RETURN
> # then mark and save incoming connections from the external universe
> iptables -t mangle -A mymark -i $IN_IF -j MARK --set-mark $IN_M
> iptables -t mangle -A mymark -i $MC_IF -j MARK --set-mark $MC_M
> iptables -t mangle -A mymark -i $TI_IF -j MARK --set-mark $TI_M
> iptables -t mangle -A mymark -j CONNMARK --save-mark
> 
> #restore mark before ROUTING decision
> iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
> 
> # non marked incoming connections need to be marked (DNAT to DMZ only)
> iptables -t mangle -A PREROUTING -m mark --mark 0 -j mymark
> 

Hi

I know there was a thread on this method earlier, but has somebody put up a
howto, or a wiki page on it?

alex
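The quoted rules cover the marking half of the scheme; the "three different routing tables" they depend on are only mentioned. The script below is an added example, not code from either poster, that puts both halves together: the same mymark classifier and CONNMARK save/restore in mangle/PREROUTING, the per-uplink routing tables selected by fwmark, and a placeholder DNAT for a DMZ host. Every interface name, mark, table number, gateway and DMZ address is a constructed value; the functions print the commands unless RUN is set to an empty string.

```shell
#!/bin/sh
# Added example (not from the original thread): per-uplink connection marking
# for DNATed inbound connections plus the fwmark routing that sends replies
# back out the uplink they arrived on. All names and numbers are constructed.

# Commands are printed by default; run with RUN="" (as root) to execute them.
RUN="${RUN-echo}"

# Internal interfaces: packets arriving here must never get an uplink mark.
E0_IF=eth0      # LAN
DMZ_IF=eth1     # DMZ holding the DNATed servers
VPN_IF=tun0     # VPN

# The three ADSL uplinks, each with its own fwmark, routing table and gateway.
IN_IF=ppp0; IN_M=1; IN_T=101; IN_GW=192.0.2.1
MC_IF=ppp1; MC_M=2; MC_T=102; MC_GW=198.51.100.1
TI_IF=ppp2; TI_M=3; TI_T=103; TI_GW=203.0.113.1

WEB=10.0.1.10   # constructed DMZ host reachable through all three uplinks

mangle_rules() {
  # Classifier chain: derive a connection's mark from its ingress interface.
  $RUN iptables -t mangle -N mymark
  $RUN iptables -t mangle -F mymark
  for ifc in "$E0_IF" "$DMZ_IF" "$VPN_IF"; do
    $RUN iptables -t mangle -A mymark -i "$ifc" -j RETURN
  done
  $RUN iptables -t mangle -A mymark -i "$IN_IF" -j MARK --set-mark "$IN_M"
  $RUN iptables -t mangle -A mymark -i "$MC_IF" -j MARK --set-mark "$MC_M"
  $RUN iptables -t mangle -A mymark -i "$TI_IF" -j MARK --set-mark "$TI_M"
  # Persist the packet mark on the conntrack entry so every later packet of
  # the connection, including the DMZ server's replies, can inherit it.
  $RUN iptables -t mangle -A mymark -j CONNMARK --save-mark

  # mangle/PREROUTING runs before nat/PREROUTING (DNAT) and before the routing
  # decision: restore first, then classify only still-unmarked connections.
  $RUN iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
  $RUN iptables -t mangle -A PREROUTING -m mark --mark 0 -j mymark
}

dnat_rules() {
  # Placeholder service: the same DMZ host published on each uplink.
  $RUN iptables -t nat -A PREROUTING -i "$IN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB"
  $RUN iptables -t nat -A PREROUTING -i "$MC_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB"
  $RUN iptables -t nat -A PREROUTING -i "$TI_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB"
}

routing_rules() {
  # One routing table per uplink whose default route is that ISP's gateway.
  $RUN ip route replace default via "$IN_GW" dev "$IN_IF" table "$IN_T"
  $RUN ip route replace default via "$MC_GW" dev "$MC_IF" table "$MC_T"
  $RUN ip route replace default via "$TI_GW" dev "$TI_IF" table "$TI_T"
  # Policy rules: the restored fwmark picks the table, ahead of "main".
  $RUN ip rule add fwmark "$IN_M" table "$IN_T" priority 100
  $RUN ip rule add fwmark "$MC_M" table "$MC_T" priority 101
  $RUN ip rule add fwmark "$TI_M" table "$TI_T" priority 102
}

mangle_rules
dnat_rules
routing_rules
```

The order inside mangle/PREROUTING is the part that matters: a reply packet from the DMZ host arrives on $DMZ_IF, gets its connection's mark back from CONNMARK --restore-mark, is left alone by the `--mark 0` test, and the `ip rule fwmark` entry then routes it through the uplink the client used. Without the restore, the reply would take the main table's single default route and leave through the wrong ISP.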