> The inbound port forwarding rules are fine as far as receiving the
> connection, but when it replies it will still take whatever routing
> path is defined by the system. If the system is doing load balancing,
> chances are that it will be going via some other interface, thereby
> causing connection problems. So my question is if there is a way to ask
> the firewall to reply via the interface where it is coming in
> from?
YES! I figured this out a couple weeks ago. You need netfilter
patch-o-matic extensions and a recent iptables added to your kernel
though.
# This says if the connection registered in IP_CONNTRACK has a mark on
# it, pass that mark to the regular linux MARK
${IPTABLES} -t mangle -A PREROUTING -j CONNMARK --restore-mark

# This is what I use to set the inbound marks.
# Default policies for incoming traffic
${IPTABLES} -t mangle -A PREROUTING -m state --state NEW -i ${IF_INET3} -j MARK --set-mark ${RTABLE_INET3}
${IPTABLES} -t mangle -A PREROUTING -m state --state NEW -i ${IF_INET4} -j MARK --set-mark ${RTABLE_INET4}

# This places the linux MARK fields that I've just set into that
# connection's IP_CONNTRACK so that the next time I see a packet from this
# session, it will also be MARKed to whatever value the SYN was (because
# of --restore-mark).
${IPTABLES} -t mangle -A PREROUTING -j CONNMARK --save-mark
This is just for inbound connections. The same can be performed for
outgoing connections. This makes it quite easy to implement layer 4
policy routing (done), and WAN failover (soon). Plus, this even handles
sessions where ESTABLISHED connections are made. Both original and
established connections get MARKed back to the same interface. This
may not work with TC since I have never tried it. Good luck!
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
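A complete version of the setup the reply above describes, written here as an added example and not code from the original post: the CONNMARK rules together with the `ip rule` and `ip route` entries that make the restored mark actually select a per-WAN routing table, so replies leave on the interface the connection arrived on. Interface names, gateway addresses and table ids are constructed sample values; setting DRYRUN=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original post. Reply-out-the-ingress-interface
# setup: CONNMARK on inbound flows plus fwmark-based policy routing.
# Interface names, gateways and table ids are constructed sample values.
# Set DRYRUN=echo to print the commands instead of executing them (no root needed).
DRYRUN="${DRYRUN:-}"
IPTABLES="${IPTABLES:-iptables}"
IP="${IP:-ip}"

# One entry per WAN link: iface:gateway:table. As in the post, the routing
# table id is reused as the fwmark value for that link.
WANS="eth1:203.0.113.1:3 eth2:198.51.100.1:4"

setup_link() {
  iface=$1; gw=$2; table=$3
  # Per-link table whose default route leaves via that link's gateway.
  $DRYRUN $IP route add default via "$gw" dev "$iface" table "$table"
  # Packets carrying fwmark == table id are routed with that table.
  $DRYRUN $IP rule add fwmark "$table" table "$table"
  # First packet of a new inbound flow on this link gets the link's mark.
  $DRYRUN $IPTABLES -t mangle -A PREROUTING -m state --state NEW \
      -i "$iface" -j MARK --set-mark "$table"
}

setup_all() {
  # Restore the mark stored in conntrack first, so every later packet of a
  # known flow (including the DNATed host's replies entering on the LAN
  # side) is marked before the NEW rules and the routing lookup run.
  $DRYRUN $IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark
  for w in $WANS; do
    set -- $(printf '%s\n' "$w" | tr ':' ' ')
    setup_link "$1" "$2" "$3"
  done
  # Copy the freshly set mark into the conntrack entry so the rest of the
  # flow inherits it via --restore-mark above.
  $DRYRUN $IPTABLES -t mangle -A PREROUTING -j CONNMARK --save-mark
  # Replies generated by the firewall itself never pass PREROUTING; restore
  # the mark in OUTPUT so they are steered by the same ip rule.
  $DRYRUN $IPTABLES -t mangle -A OUTPUT -j CONNMARK --restore-mark
}
```

With more than one WAN, strict reverse-path filtering (rp_filter=1) on the WAN interfaces can drop the marked flows; loose mode (rp_filter=2) is the usual companion setting.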