Roberto Nibali wrote:
>
> iptables -A OUTPUT -t filter -p tcp -s 10.10.10.10/32 -d 0/0 \
> --destination-port 80 -j ACCEPT -m mark --mark 1
I went for a walk after I did the original posting and realised
that fwmark might do it.
I did a
-j MARK --set-mark 1
instead of your
-j ACCEPT -m mark --mark 1
Is that going to make any difference?
I don't have any other iptables rules in my test setup.
I'm just doing it all with iproute2
> ip ru add fwmark 1 dev eth0 lookup 100 pref 1000
> ip ro add default via 172.23.1.1 table 100
OK, I managed to get this far but now I can't route the packet
to dst_port out of the machine at all :-(
I haven't tried deleting my other ip rules/routes yet.
> Check out the 'bounce table walking' principle.
Like example 6.4 from Marsh's book? My head hurts just looking at it.
> > However in the case of a 3 tier system (eg the realservers
> > are squids), a client on the realserver will be making
> > calls to 0/0:80. It would be nice to route only those
> > packets and arrange for the rest of the packets to 0/0
> > to be dropped.
>
> Well, generate two rules, add the desired fwmark'd packets to one
> routing table and add a blackhole to the other table. Then packets can
> bounce the routing table.
OK, let me work on it.
> Padraig wrote
> >I found this very enlightening:
> > http://lartc.org/HOWTO//cvs/2.4routing/output/2.4routing.html
Haven't looked at this since I got Marsh's book. Good to see the update.
It had an example of adding a rule with fwmark, which helped me get started
above.
Ratz wrote
> Yep, have you read the comment about the LVS guys in the document?
Ah yes, the one about us doing evil things with the packets :-)
I thought (incorrectly it seems) that I'd read it in one of Rusty's docs.
Joe
--
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center,
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
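The "two rules, one table for the fwmark'd packets and a blackhole in the other" setup Ratz sketches above, written out as an added example (this is not code from the thread or from the LVS project). The addresses and table numbers are assumptions: realserver 10.10.10.10/24 on eth0, director/gateway 172.23.1.1, marked traffic in table 100, fall-through table 101. The MARK target is applied in the mangle table (the filter-table `-m mark --mark 1` match quoted above only tests a mark, it never sets one), and the `ip rule` selects on fwmark alone rather than on `dev eth0`, because locally generated packets have an incoming interface of lo, not eth0.

```sh
#!/bin/sh
# Added example, not from the original thread: fwmark + "bounce table"
# policy routing for a realserver (e.g. a squid) whose own clients must
# reach 0/0:80 via the director while everything else it sends to 0/0
# is dropped by a blackhole route.
#
# Assumed values (none appear in the original post); override via env.
REALSERVER_IP=${REALSERVER_IP:-10.10.10.10}
LAN_NET=${LAN_NET:-10.10.10.0/24}
GATEWAY=${GATEWAY:-172.23.1.1}
IFACE=${IFACE:-eth0}
MARK=1
PORT=80
TABLE_MARKED=100   # looked up for fwmark'd packets
TABLE_REST=101     # looked up for everything else from REALSERVER_IP

# Emit the commands instead of running them, so they can be reviewed
# (or asserted on) before being applied as root.
fwmark_rules() {
  cat <<EOF
iptables -t mangle -A OUTPUT -p tcp -s $REALSERVER_IP --dport $PORT -j MARK --set-mark $MARK
ip rule add fwmark $MARK lookup $TABLE_MARKED pref 1000
ip route add default via $GATEWAY dev $IFACE table $TABLE_MARKED
ip rule add from $REALSERVER_IP lookup $TABLE_REST pref 1001
ip route add $LAN_NET dev $IFACE table $TABLE_REST
ip route add blackhole default table $TABLE_REST
EOF
}
# Walk order: pref 1000 (marked -> table 100, default via the director),
# then pref 1001 (unmarked, from the realserver -> table 101).  Table 101
# keeps the LAN reachable and blackholes any other destination, so the
# main table is never consulted for this source address.  Packets sent
# from other local addresses (e.g. the VIP) are untouched by both rules.

fwmark_teardown() {
  cat <<EOF
iptables -t mangle -D OUTPUT -p tcp -s $REALSERVER_IP --dport $PORT -j MARK --set-mark $MARK
ip rule del fwmark $MARK lookup $TABLE_MARKED pref 1000
ip rule del from $REALSERVER_IP lookup $TABLE_REST pref 1001
ip route flush table $TABLE_MARKED
ip route flush table $TABLE_REST
EOF
}

case "${1:-show}" in
  apply)    fwmark_rules | sh -e ;;      # needs root
  teardown) fwmark_teardown | sh -e ;;   # needs root
  *)        fwmark_rules ;;              # dry run: just print the commands
esac
```

Run it with no argument to see the commands, `apply` to install them, and `teardown` to remove them. After applying, `ip rule show` should list the two rules ahead of the main table, and `ip route show table 101` should show only the LAN route and the blackhole default; a realserver client fetching from a port-80 host outside the LAN should then go out via the director, while any other off-LAN connection from the realserver's address fails immediately with a routing error rather than leaving the machine.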