Mailing List Archive

Connection Marking and source routing woes
Hi all,

I just introduced a new 10Mbit/s line into my network, and I'm
severely rusty on iptables and experiencing some trouble setting up my
rules properly. I currently have three interfaces on my linux machine.
One is a trunk to a cisco 3560G switch, another is an interface facing
my T1 which is currently my default route for everything. The third
interface I connected today to a 10Mbit/s RCN leased line. What I'm
trying to do now is slowly move everything over to the 10Mbit/s line,
one VLAN at a time. I'd like to start with my wireless VLAN, which is
marked as VLAN 11. I understand that now I have to mangle packets
using iptables, which is fine, I've patched my kernel with the proper

The following are my NAT and Mangle tables:


:nat-out - [0:0]
# NAT for dmz/firewall/garage
-A PREROUTING -d OLD_IP -j DNAT --to-destination
-A PREROUTING -d OLD_IP2 -j DNAT --to-destination
-A POSTROUTING -j nat-out
# RCN T1, switching to 10Mbit/s
-A nat-out -d ! -m mark --mark 0x2 -j SNAT --to-source
-A nat-out -s -d ! -j SNAT --to-source OLD_IP
-A nat-out -s -d ! -j SNAT --to-source OLD_IP
-A nat-out -s -d ! -j SNAT --to-source OLD_IP
:mangle-newconn - [0:0]
:mangle-localconn - [0:0]
:mangle-policyroute - [0:0]
-A PREROUTING -m state --state NEW -j mangle-newconn
-A INPUT -m state --state NEW -j mangle-newconn
-A OUTPUT -m state --state NEW -j mangle-localconn
-A POSTROUTING -m connmark --mark 0 -m state --state NEW -j mangle-policyroute
-A POSTROUTING -m connmark --mark 1 -j MARK --set-mark 1
-A POSTROUTING -m connmark --mark 2 -j MARK --set-mark 2
-A POSTROUTING -m mark --mark 2 -j ROUTE --gw RCN_GW_IP --oif eth2 --continue
-A mangle-newconn -i eth2 -j CONNMARK --set-mark 2
-A mangle-localconn -s -j CONNMARK --set-mark 2
-A mangle-policyroute -d -j CONNMARK --set-mark 0
-A mangle-policyroute -s -j CONNMARK --set-mark 2
-A mangle-policyroute -s -j CONNMARK --set-mark 2

-- snip --

If anyone can help me look into this, I'd really appreciate it.

If I'm not providing enough details about my network or setup, please
do reply and I'll make it available.

- sf
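The per-VLAN CONNMARK policy routing the post is after, as an added example (these are not the poster's rules): it uses the stock fwmark/ip rule mechanism instead of the ROUTE target, and does all marking in mangle PREROUTING so the route lookup can see the mark. The subnet, interface, gateway, address and table-number values are assumed placeholders; it prints the commands by default and only executes them with DRY_RUN=0.

```shell
#!/bin/sh
# CONNMARK-based policy routing for one VLAN (added example, not from the post).
# Assumed placeholders: WIFI_NET is the VLAN 11 subnet, RCN_IF/RCN_GW/RCN_IP
# describe the 10Mbit/s line, INTERNAL_NETS lists all local VLAN ranges,
# TABLE_ID is an unused routing table number.
WIFI_NET="${WIFI_NET:-192.168.11.0/24}"
INTERNAL_NETS="${INTERNAL_NETS:-10.0.0.0/8 172.16.0.0/12 192.168.0.0/16}"
RCN_IF="${RCN_IF:-eth2}"
RCN_GW="${RCN_GW:-RCN_GW_IP}"      # placeholder, use the real gateway address
RCN_IP="${RCN_IP:-RCN_PUBLIC_IP}"  # placeholder, the address assigned on RCN_IF
TABLE_ID="${TABLE_ID:-200}"
MARK="${MARK:-0x2}"
DRY_RUN="${DRY_RUN:-1}"            # 1 = print commands only, 0 = execute (root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# All marking happens in mangle PREROUTING: the route lookup runs right after
# this hook, so a mark set in POSTROUTING is too late for the routing decision.
mark_rules() {
  # Replies entering from the RCN side keep mark 0 so they use the main table.
  run iptables -t mangle -A PREROUTING ! -i "$RCN_IF" -j CONNMARK --restore-mark
  run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
  # New outbound flows from the wireless VLAN: mark the packet, then save it.
  run iptables -t mangle -A PREROUTING -s "$WIFI_NET" -m conntrack --ctstate NEW \
      -j MARK --set-mark "$MARK"
  # New inbound flows on the RCN line: mark only the connection, so LAN-bound
  # packets still route via main while their replies go back out over RCN.
  run iptables -t mangle -A PREROUTING -i "$RCN_IF" -m conntrack --ctstate NEW \
      -j CONNMARK --set-mark "$MARK"
  run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
  # Marked traffic leaving on RCN_IF is NATed to the RCN address.
  run iptables -t nat -A POSTROUTING -o "$RCN_IF" -m mark --mark "$MARK" \
      -j SNAT --to-source "$RCN_IP"
}

route_rules() {
  # Internal destinations are resolved from main ahead of the fwmark rule,
  # so inter-VLAN traffic from the marked subnet is not pushed out to RCN.
  for net in $INTERNAL_NETS; do
    run ip rule add to "$net" lookup main pref 100
  done
  run ip rule add fwmark "$MARK" lookup "$TABLE_ID" pref 200
  run ip route add default via "$RCN_GW" dev "$RCN_IF" table "$TABLE_ID"
  run ip route flush cache
}

apply_policy_routing() { mark_rules; route_rules; }
apply_policy_routing
```

Moving the next VLAN over is then one more `-s <subnet> ... -j MARK` line in mark_rules; if the RCN interface is on a different subnet than the default route, check that rp_filter on that interface is not dropping the returning packets.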