Hello guys!

I have the following setup: a Linux router acting as a gateway for several subnets in the LAN. The subnets are:

    127.17.0.0/16 (will go out via NAT)
    195.229.x.x/24
    193.289.y.y/28
    213.189.z.z/26
    etc.

There are about 20 subnets, including the private Class B subnet. I want to mark the packets that will go out to the Internet, and leave out the packets that move from one subnet to the other.

If I am to use something like:

    -s 172.17.0.0/16 -d !195.229.x.x/24
    -s 172.17.0.0/16 -d !193.289.y.y/28
    etc...

I will have around 100 rules for upload and 100 for download.

Is there any possibility to use something like:

    -s 172.17.0.0/16 -d !195.229.x.x/24, !193.289.y.y/28, ...

as in using something like ipset? Or matching the packets by the next-hop address:

    -m nexthop --next-hop GW_ADDRESS

Unfortunately ipset cannot be used for this scenario, and the old nexthop patch was not accepted in the pom tree.

Does anybody have an old copy of the nexthop patch (https://lists.netfilter.org/pipermail/netfilter-devel/2003-November/013216.html), or any other idea...

Thanks,
Mihai
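The rule explosion described in the post comes from writing the "not a local subnet" exception list once per source subnet. A way to avoid it with plain iptables (no ipset, no nexthop patch) is to put the exception list in a user-defined chain once and jump to it from one entry rule per subnet, so the rule count grows linearly with the number of subnets instead of quadratically. The script below is an added example and not code from the original post or from the netfilter project; the public subnets are constructed placeholders from the RFC 5737 test ranges standing in for the poster's x/y/z networks, and IPT defaults to "echo iptables" so the script only prints the rule set (run it with IPT=iptables as root to apply it).

```shell
#!/bin/sh
# Added example (not from the original post or the netfilter project).
# Marks LAN->Internet traffic with mark 1 and Internet->LAN traffic with
# mark 2 using two shared exception chains, so each local subnet is listed
# once per direction instead of once per (source, destination) pair.
#
# Assumptions: the subnets below are constructed placeholders; IPT defaults
# to "echo iptables" (dry run). Set IPT=iptables to install the rules.

IPT="${IPT:-echo iptables}"

# Constructed sample: the NAT'd private range plus three public LAN subnets.
LOCAL_NETS="172.17.0.0/16 192.0.2.0/24 198.51.100.0/28 203.0.113.0/26"

emit_rules() {
    # Shared chains: the full local-subnet list lives here, written once.
    $IPT -t mangle -N LAN_TO_INET
    $IPT -t mangle -N INET_TO_LAN
    for net in $LOCAL_NETS; do
        # Traffic whose other end is another local subnet never leaves the
        # LAN: return unmarked before the MARK rule is reached.
        $IPT -t mangle -A LAN_TO_INET -d "$net" -j RETURN
        $IPT -t mangle -A INET_TO_LAN -s "$net" -j RETURN
    done
    # Anything that got past the RETURN list really crosses the Internet edge.
    $IPT -t mangle -A LAN_TO_INET -j MARK --set-mark 1
    $IPT -t mangle -A INET_TO_LAN -j MARK --set-mark 2

    # Entry rules: one per local subnet per direction. mangle FORWARD is
    # used because by then conntrack has already undone the SNAT on reply
    # packets, so a 172.17.0.0/16 destination is visible. If the mark has
    # to drive policy routing (ip rule fwmark), hook LAN_TO_INET from
    # mangle PREROUTING instead, since that runs before the routing decision.
    for net in $LOCAL_NETS; do
        $IPT -t mangle -A FORWARD -s "$net" -j LAN_TO_INET
        $IPT -t mangle -A FORWARD -d "$net" -j INET_TO_LAN
    done
}

# Number of iptables invocations in the dry run: 4 + 4*N for N subnets
# (two chain creations, two MARK rules, and four rules per subnet).
rule_count() {
    emit_rules | wc -l | tr -d ' '
}

emit_rules
```

For the poster's 20 subnets this is 84 rules instead of roughly 200, and the exception list is maintained in one place. On a current system the same idea collapses further: ipset's hash:net set type holds all the local prefixes, and a single "-m set ! --match-set local_nets dst" rule per direction replaces the whole RETURN chain.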