Hey Victor!

> >>> I recently got a second internet line where I wanted to route certain
> >>> connections to. So I decided to add a MARK to the connection in question:
[...]
> >> s/FORWARD/PREROUTING/g on the --set-mark rules should be enough to try.
> > You are my hero! ;-)
> >
> > This works perfectly fine...
> > | vuurmuur -b | grep "\-\-set\-mark" | sed "s/FORWARD/PREROUTING/g" |
> > xargs
> > ...with one exception: obviously all rules that have outgoing interfaces
> > attached won't work; in my case there are several rules generated from that
> > single rule: (eth: lan, eth1/eth2: inet; ips written as lan/24 and inet)
[...]
> Also, locally generated traffic (on the fw itself) can't use PREROUTING
> I think, there it should just be OUTPUT if I read the netfilter diagram
> correctly.

You're absolutely right: local traffic relies on MANGLE OUTPUT.

> > Ok, so do you think a patch to add that feature could make it into 0.8? :-)
>
> Sure, please open a ticket.

Done. See: http://www.vuurmuur.org/trac/ticket/148

> > And for the time being I'll just load that single rule manually...
> > ...oh, and I need rules for all non-marked connections before to avoid them
> > being routed through the same gateway. ;-)
>
> Hmm not sure I understand this, the ip rule with fwmark 2 should make
> sure only marked traffic is affected, right?

To make this work as I want/need it, I use the MASQ target for that traffic (so no matter if the hosts exit on eth1 or eth2 they'll get the correct IP).

Now I have several rules that should affect routing (only marked connections should leave on eth2):

"accept service dns from local.lan to world.inet" -> should use eth1
"accept service ssh from local.lan to world.inet" -> should use eth1
"accept service any from local.lan to world.inet options nfmark="2"" -> should use eth2

With the one rule added to MANGLE PREROUTING, all local.lan connections get the mark and leave the router on eth2. For all the other rules I need a "-j ACCEPT" in PREROUTING to avoid getting the mark...

This is probably the point where things start getting complicated... :-(

--
Adi

_______________________________________________
Vuurmuur-users mailing list
https://lists.sourceforge.net/lists/listinfo/vuurmuur-users
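The setup discussed in this thread (mark only the LAN connections that should leave via eth2, keep DNS and SSH on eth1, mark locally generated traffic in OUTPUT, MASQUERADE on both uplinks), as an added example that is not vuurmuur's own code and not from the thread. The interface names, LAN subnet, routing-table number and eth2 gateway are assumptions and placeholders; it uses a sub-chain with RETURN for the exceptions instead of the "-j ACCEPT" mentioned above.

```shell
#!/bin/sh
# Added example, not vuurmuur's own code. Assumptions: eth0 is the LAN side
# ("eth: lan" in the thread), eth1/eth2 are the uplinks, the mark is 2.
LAN_IF=eth0                 # assumed LAN interface
LAN_NET=192.168.1.0/24      # constructed placeholder for "lan/24"
MARK=2                      # fwmark used in the thread
TABLE=2                     # assumed policy-routing table for eth2
GW2=203.0.113.1             # constructed placeholder: default gateway on eth2

# Print the mangle rules. Exceptions sit in their own chain and end in RETURN:
# ACCEPT would stop traversal of the whole PREROUTING/OUTPUT chain, RETURN
# only leaves this sub-chain. CONNMARK makes the mark stick per connection so
# every later packet (not only the first) is routed the same way.
mark_rules() {
  cat <<EOF
iptables -t mangle -N UPLINK2
iptables -t mangle -A UPLINK2 -p udp --dport 53 -j RETURN
iptables -t mangle -A UPLINK2 -p tcp --dport 53 -j RETURN
iptables -t mangle -A UPLINK2 -p tcp --dport 22 -j RETURN
iptables -t mangle -A UPLINK2 -j MARK --set-mark $MARK
iptables -t mangle -A UPLINK2 -j CONNMARK --save-mark
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -i $LAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j UPLINK2
iptables -t mangle -A OUTPUT -m conntrack --ctstate NEW -j UPLINK2
EOF
}

# Print the routing and NAT side: marked packets use table $TABLE (default via
# eth2); MASQUERADE on both uplinks gives each connection the right source IP.
route_rules() {
  cat <<EOF
ip rule add fwmark $MARK table $TABLE
ip route add default via $GW2 dev eth2 table $TABLE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
EOF
}

# 1-based position of the first printed mangle rule matching a pattern; used to
# verify that the exceptions are ordered before the MARK rule.
rule_pos() { mark_rules | grep -n -- "$1" | head -n1 | cut -d: -f1; }

# Only apply for real when asked: `sh thisfile.sh apply` (needs root).
if [ "${1:-}" = apply ]; then { mark_rules; route_rules; } | sh -e; fi
```

If eth2 replies are dropped, check the reverse-path filter on that interface (rp_filter in strict mode rejects packets whose source is not routed via eth2 in the main table).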
