Re: VPN + multilink connection
--- Jean-Michel Hiver <hiver.j@wanadoo.fr> wrote:
> charlie wrote:
>
> >I think what you might want to look into is a combination of fwmark and
> >iproute2.
> >
> >Mark the packets with iptables -j MARK --set-mark X and then route them
> >using iproute2.
> >
> >See www.lartc.org
> >
> >specifically :
> >http://www.lartc.org/howto/lartc.iproute2.html
> >http://www.lartc.org/howto/lartc.netfilter.html
> >http://www.lartc.org/howto/lartc.rpdb.multiple-links.html
> >
> >
> Exactly the part where I'm stuck.
>
> I've written up a little howto of what I have at the moment
> (unfortunately I don't have dual DSL yet but ISDN lines - yet it's
> interesting to try and make it work).
>
I've been getting people to post stuff like this on the debian wiki...
http://wiki.debian.net/?Firewalls.
Hmm, anyone know how to fix it? Looks like some wiki update broke
something.
> I'm stuck on the routing part at the bottom of the page... if you could
> look at the document and maybe hint me on what's going wrong that would
> be fantastic.
>
I couldn't get this working myself...
# IIRC: rp_filter is the anti-spoofing reverse-route filter.
echo 0 > \
/proc/sys/net/ipv4/conf/${IFACE}/rp_filter
# You should have two rules and routes, one for each gateway.
ip rule add fwmark 3 table 201
ip route add default via 10.0.0.110 dev $IFACE table 201
# Then you mark the pkts you want to use the alternate routing table.
# (Note the space before each trailing backslash: without it the shell
#  joins "tcp" and "--src" into one word and iptables rejects the rule.)
iptables -t mangle -A PREROUTING -i $IFACE+ -p tcp \
! --src 10.0.0.110 --dport 80 \
-j MARK --set-mark 3
iptables -t mangle -A PREROUTING -i $IFACE+ -p tcp \
! --src 10.0.0.110 --dport 443 \
-j MARK --set-mark 3
> Cheers,
> Jean-Michel.
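The snippet above shows only one of the two tables its comment calls for. Here is the full two-gateway version as an added example (not code from either poster): interface names, addresses and table numbers are assumed placeholders, and DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: fwmark + iproute2 policy routing over two uplinks, one
# routing table and rule per gateway. All interface names, addresses and
# table numbers below are constructed placeholders; adjust to the real links.
# DRY_RUN=1 prints each command instead of running it (no root needed).
set -eu

LAN_IF="${LAN_IF:-eth0}"                                  # assumed LAN side
WAN1_IF=ppp0 WAN1_IP=192.0.2.10    WAN1_GW=192.0.2.1      # assumed link 1
WAN2_IF=ppp1 WAN2_IP=198.51.100.10 WAN2_GW=198.51.100.1   # assumed link 2
MARK_WEB=3   # fwmark that steers HTTP/HTTPS out of link 2 (table 201)

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_multilink() {
    # Loose reverse-path filtering (mode 2, kernels >= 2.6.31) tolerates
    # asymmetric replies across the two uplinks but still drops packets whose
    # source is reachable via no interface at all; 0, as in the snippet above,
    # switches the anti-spoofing check off completely on that interface.
    for i in "$WAN1_IF" "$WAN2_IF"; do
        run sysctl -w "net.ipv4.conf.$i.rp_filter=2"
    done
    # One routing table per gateway: 200 -> link 1, 201 -> link 2.
    run ip route add default via "$WAN1_GW" dev "$WAN1_IF" table 200
    run ip route add default via "$WAN2_GW" dev "$WAN2_IF" table 201
    # Rule per link: traffic sourced from a link's own address answers via
    # that link, so inbound connections on either uplink are replied to
    # correctly. Marked packets are pushed to table 201 explicitly.
    run ip rule add from "$WAN1_IP" table 200
    run ip rule add from "$WAN2_IP" table 201
    run ip rule add fwmark "$MARK_WEB" table 201
    run ip route flush cache
    # Mark LAN-originated HTTP/HTTPS in mangle/PREROUTING, as in the snippet.
    for port in 80 443; do
        run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp \
            --dport "$port" -j MARK --set-mark "$MARK_WEB"
    done
}

# Only applies the configuration when invoked as: sh multilink.sh apply
if [ "${1:-}" = "apply" ]; then setup_multilink; fi
```

Run it once with `DRY_RUN=1 sh multilink.sh apply` to review the generated commands before applying them for real.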