
connection through originating fw



Hello,

I'm playing with redundant / balancing firewall after some
time... my setup:

                     /--- [ eth1 10.0.0.252    fcfw    pub eth0 ] ---\
 [ 10.0.0.100 eth0 ]+                                                 +--- internet
                     \--- [ eth1 10.0.0.253    fdfw    pub eth0 ] ---/

fcfw & fdfw use ucarp with one virtual ip on the public interfaces, and
they also have 10.0.0.254 on their eth1s, which is the default gw for 10.0.0.100.

what I did on 10.0.0.100:

iptables -t mangle -A PREROUTING -i eth0 -m mac --mac-source <mac-of-252> -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -i eth0 -m mac --mac-source <mac-of-253> -j MARK --set-mark 2

(packets get matched and the counters increase, also tried the CONNMARK target)

two additional route tables

echo 111 fcfw >> /etc/iproute2/rt_tables
echo 222 fdfw >> /etc/iproute2/rt_tables

ip rule add fwmark 1 table fcfw
ip route add default via 10.0.0.252 dev eth0 table fcfw
ip rule add fwmark 2 table fdfw
ip route add default via 10.0.0.253 dev eth0 table fdfw

I expected that connections coming via fcfw, from 10.0.0.252, would get mark
1 and the syn+ack would go to 10.0.0.252, but it is going to 10.0.0.254, the
default gateway. so when the public ip is on fcfw, and 10.0.0.254 is on fdfw,
connections don't work (do not even get masqueraded by fdfw holding the gw).

I'm probably making some trivial error but have not been able to see it for hours now...

-- 
matej kovac
matej.kovac@telnet.sk
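
Added example, not part of the original message: a packet mark set in mangle PREROUTING exists only on the incoming packet, while the syn+ack is generated locally on 10.0.0.100 and passes mangle OUTPUT, so one common arrangement is to store the mark on the connection and restore it in OUTPUT. The script below only prints the commands for that arrangement; the MAC addresses are constructed placeholders and the function names are hypothetical.

```shell
#!/bin/sh
# Prints (does not run) return-path routing commands for 10.0.0.100.
# Review the output, then pipe it to "sh" as root to apply it.

IFACE=eth0                                # interface name from the post
FCFW_MAC=${FCFW_MAC:-02:00:00:00:00:fc}   # constructed placeholder MAC
FDFW_MAC=${FDFW_MAC:-02:00:00:00:00:fd}   # constructed placeholder MAC

# emit_gw NAME MARK TABLE_ID GW_IP GW_MAC
emit_gw() {
    name=$1 mark=$2 id=$3 gw=$4 mac=$5
    # Refuse malformed MACs so a typo never becomes a rule that matches nothing.
    echo "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || {
        echo "bad MAC for $name: $mac" >&2
        return 1
    }
    # Named routing table, as in the post.
    echo "echo $id $name >> /etc/iproute2/rt_tables"
    # Store the mark on the connection (conntrack entry), not only on the
    # first packet, when a new connection arrives from this firewall's MAC.
    echo "iptables -t mangle -A PREROUTING -i $IFACE -m conntrack --ctstate NEW -m mac --mac-source $mac -j CONNMARK --set-mark $mark"
    # Marked packets use the table whose default route is this firewall.
    echo "ip rule add fwmark $mark table $name"
    echo "ip route add default via $gw dev $IFACE table $name"
}

emit_all() {
    emit_gw fcfw 1 111 10.0.0.252 "$FCFW_MAC" || return 1
    emit_gw fdfw 2 222 10.0.0.253 "$FDFW_MAC" || return 1
    # Replies are generated locally and traverse OUTPUT, never PREROUTING:
    # copy the connection mark back onto each outgoing packet so the
    # "ip rule add fwmark" entries can select the originating firewall.
    echo "iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark"
}

emit_all
```

After applying, the packet counters from `iptables -t mangle -L OUTPUT -v -n` and the output of `ip route get 8.8.8.8 mark 1` show whether replies are being marked and which gateway a marked packet would take.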

