Added `-t mangle` to the script. It now runs without errors, but it
still does not allow my real server to make HTTP connections to the outside.
-------------
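#!/bin/bash
# Policy routing for a real server sitting behind an LVS director.
# Locally generated HTTP traffic from RIP is marked (fwmark 1) in the mangle
# table and sent out via OUTSIDE_PORT_GW through routing table 3_TIER; all
# other traffic from RIP keeps the director (DIP) as its default next hop.
# Must run as root. Assumes the table name "3_TIER" is declared in
# /etc/iproute2/rt_tables (the `ip rule show` output below resolves it).

RIP="192.168.4.212"            # real server address: source of marked traffic
VIP="192.168.4.240"            # virtual IP; not referenced by the rules below
OUTSIDE_PORT_GW="192.168.4.1"  # gateway for outbound HTTP from the real server
DIP="192.168.4.250"            # director IP: default next hop for everything else
RIP_DEV="eth0"
CHAIN="OUTPUT"                 # mangle chain for locally generated packets
OUTSIDE_PORT_CHAIN="3-Tier_rules"
OUTSIDE_IP="0.0.0.0/0"
OUTSIDE_PORT="http"

# Flush the whole mangle table FIRST. The original ordering flushed the table
# *after* the MARK rule was added to the custom chain, which wiped that rule:
# HTTP packets jumped into an empty chain, never received fwmark 1, and so
# never matched the prio-99 rule that selects table 3_TIER.
iptables -t mangle -F

# -N fails once the chain exists (e.g. on a re-run); only create it if missing.
iptables -t mangle -L "$OUTSIDE_PORT_CHAIN" -n >/dev/null 2>&1 \
  || iptables -t mangle -N "$OUTSIDE_PORT_CHAIN"
iptables -t mangle -F "$OUTSIDE_PORT_CHAIN"
iptables -t mangle -A "$OUTSIDE_PORT_CHAIN" -j MARK --set-mark 1

# Hand every TCP packet from RIP destined to OUTSIDE_IP:OUTSIDE_PORT to the
# marking chain. (In the posted text this command was wrapped onto two lines,
# leaving --dport without its argument; it is one command.)
iptables -t mangle -A "$CHAIN" -p tcp -s "${RIP}/32" -d "$OUTSIDE_IP" \
  --dport "$OUTSIDE_PORT" -j "$OUTSIDE_PORT_CHAIN"

# Marked HTTP traffic from RIP -> table 3_TIER -> outside gateway.
ip rule add prio 99 from "$RIP" fwmark 1 table 3_TIER
ip route add default via "$OUTSIDE_PORT_GW" dev "$RIP_DEV" table 3_TIER

# Deny rule for fwmark 2. Nothing in this script sets mark 2 (only mark 1 is
# set above), so this rule is currently inert unless another tool marks traffic.
ip rule add prio 101 from "$RIP" fwmark 2 prohibit

# Everything else from RIP keeps going through the director.
# NOTE(review): `ip route add` fails with "File exists" if table main already
# holds a default route (the `ip route show table main` output below shows one);
# `ip route replace` is the idempotent form if that is the intent — confirm.
ip route add default from "$RIP" via "$DIP" table main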
-----------------------
#ip rule show
0: from all lookup local
99: from 192.168.4.240 lookup VIP
99: from 192.168.4.212 fwmark 0x1 lookup 3_TIER
100: from 192.168.4.212 to 192.168.4.0/24 lookup RIP
100: from 192.168.4.212 lookup RIP
101: from 192.168.4.212 fwmark 0x2 lookup main prohibit
32766: from all lookup main
32767: from all lookup 253
------------------------
#ip route show table 3_TIER
default via 192.168.4.1 dev eth0
------------------------
#ip route show table main
192.168.4.240 dev lo scope link src 192.168.4.240
192.168.4.0/24 dev eth0 scope link
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 192.168.4.250 dev eth0
------------------------
Any idea?