I have the problem:
I want to use routing based on some TCP protocol level data - it can be
theoretically done using "ip rule fwmark xxx" and corresponing ipchains
rule(s) (with -m option). In my case packets marked with "-m" option
shuold also be masqueraded.
My routing rules are:
ip ru add prio 100 lookup main
ip ru add prio 150 fwmark 1 lookup A
ip ru add prio 200 lookup B
ip ro flush table cache
both A and B tables contain one entry, let's say:
in A: 0/0 via a.b.c.d
in B: 0/0 via w.x.y.z
(a.b.c.d and w.x.y.z are connected to different router's interfaces)
I added the following ipchains rule (for simplicity condition here is
only destination host, but I need also some port-based conditions):
ipchains -A forward -d some.host.addr -m 1 -j MASQ
In this case packets to some.host.addr are masquraded (and rule counters
are incremented), but they are sent via w.x.y.z (_NOT_ a.b.c.d).
When I also added marking ipchains rule to input chain
(ipchains -A input -d some.host.addr -m 1 -j ACCEPT)
I can see (using tools like tcpdump) masquraded packets sent to
some.host via a.b.c.d, responses sent back from a.b.c.d to my router,
but router does not "demasqurade" them - originator receives nothing.
Packets are not rejected, just "anihilated" (??).
All tests were done from another host connected to third router's
interface (different than a.b.c.d and w.x.y.z are connected).
On router I have 2.2.16 kernel, all masqurading/routing options usefull
in that case are enabled (I think so).
Can anyone explain me the correct way using policy routing based on
BTW: what is the order of interpreting input, forward, output chains and
routing rules during packet forwarding?