>   iptables -t nat -I PREROUTING -i $internal -s $intserver \
>     --match conntrack --ctorigdst $ip_t1 -j MARK --set-mark 1
>   iptables -t nat -I PREROUTING -i $internal -s $intserver \
>     --match conntrack --ctorigdst $ip_t2 -j MARK --set-mark 2
>   ip rule add from $intserver fwmark 1 table T1
>   ip rule add from $intserver fwmark 2 table T2
> I am hoping that somebody else on the LARTC list has tried this and lived
> through the pitfalls of using conntrack in this fashion--perhaps somebody
> can even point out if I'm leading you down the wrong path.

Firstly, those iptables commands won't even work. I suspect you mean
iptables -t mangle ( and not -t nat !!!).

Secondly, using this method, if it works, I have to do it for every internal
server which I have. If I have 10 servers, I will have to execute many of
those commands.

I saw an earlier post (by Daniel Chemko) which says he has done this
using CONNMARK; basically what he did was this :-

# Put any mark saved on the connection back onto this packet
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
# Mark NEW connections by the interface they arrive on
# ($IF1 and $IF2 are placeholders: the post omitted the interface names
# and the "-j MARK" target that --set-mark belongs to)
iptables -t mangle -A PREROUTING -m state --state NEW -i $IF1 -j MARK --set-mark 1
iptables -t mangle -A PREROUTING -m state --state NEW -i $IF2 -j MARK --set-mark 2
# Store the packet mark on the connection so later packets (replies included) inherit it
iptables -t mangle -A PREROUTING -j CONNMARK --save-mark

I haven't had a chance to try all of these. But if this is working, it is much
better than this approach using fwmark.

LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
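The CONNMARK approach discussed in the thread, written out as a complete script. This is an added example, not code from the post or from Daniel Chemko; the interface names, gateway addresses and the numeric routing tables 1 and 2 are assumed placeholders (numeric tables avoid needing T1/T2 entries in /etc/iproute2/rt_tables). It also sets up the ip rules and per-ISP routes the marks feed into, and has a dry-run mode so the generated rules can be checked before touching a live gateway:

```shell
#!/bin/sh
# Added example: CONNMARK-based reply routing for a dual-ISP gateway.
# Interface names, gateways and table ids are placeholders.
# Set DRY_RUN=1 to print the commands instead of executing them.

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Args: <isp1 iface> <isp2 iface> <isp1 gateway> <isp2 gateway>
setup_connmark_routing() {
  if1=$1; if2=$2; gw1=$3; gw2=$4

  # One routing table per ISP, each with its own default route.
  run ip route replace default via "$gw1" dev "$if1" table 1
  run ip route replace default via "$gw2" dev "$if2" table 2

  # Packets carrying fwmark N are routed with table N. This covers every
  # internal server at once; no per-server rule is required.
  run ip rule add fwmark 1 table 1
  run ip rule add fwmark 2 table 2

  # Marking belongs in the mangle table: nat PREROUTING only sees the
  # first packet of a connection, so marks set there never reach replies.
  # 1. restore a previously saved mark onto every packet of a known flow
  run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
  # 2. mark NEW connections by the ISP interface they arrived on
  #    (-m conntrack --ctstate is the current form of -m state --state)
  run iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -i "$if1" -j MARK --set-mark 1
  run iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -i "$if2" -j MARK --set-mark 2
  # 3. save the mark on the connection, so the server's reply packets,
  #    which enter on the internal interface, pick it up again in step 1
  run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
}

# Dry-run check: every generated iptables rule must target the mangle
# table (the mistake the thread points out is using -t nat here).
check_uses_mangle() {
  ( DRY_RUN=1; setup_connmark_routing "$@" ) | grep '^iptables' \
    | grep -vq -- '-t mangle' && return 1
  return 0
}
```

Run with DRY_RUN=1 first and review the printed rules; only then run without it as root on the gateway.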
