Thanks for the comprehensive answer, Lloyd. A couple of minor points:

> 2. You would set up a custom routing table for the special DMZ traffic.
> Use the info in the above link to do that. Suppose it is called
> "DMZSPECIAL". You will set up routing to the new DMZ interface using
> the MYDMZ table, something like this:
>
> ip route add 10.x.x.x/8 dev ${DMZinterface} src ${wan} table DMZSPECIAL
> ip route add default via ${gateway} dev ${interface} table DMZSPECIAL
>
[...]
> 3. You would NEW mark all packets from the special DMZ hosts with
> fwmark 1, like this (repeat for each source IP or subnet to use the new
> interface):

Using marks is one way to do this, and provides plenty of flexibility.
However, if all the traffic is coming from the same IP address /
interface, then you should be able to use straight iproute2 rules to
match those aspects, without even touching iptables (see ip rule).

> iptables -t mangle -A PREROUTING -m state --state NEW
> -s 10.x.x.x -j CONNMARK1
>

Also, if you do decide to use netfilter marks (which is certainly no bad
thing IMHO), then you probably don't need to mark connections and then
restore them. Instead just mark a packet straight away:

iptables -t mangle -A PREROUTING -s 10.x.x.x -j MARK --set-mark 1

Andy
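
The two approaches discussed in this message, side by side, as an added example that is not part of the original thread: a source-address `ip rule` with no iptables involved, and a direct MARK in mangle/PREROUTING matched by an fwmark rule. The subnet 10.1.2.0/24, priority 100 and the helper function names are assumptions made for illustration; the DMZSPECIAL table is assumed to be registered already.

```shell
#!/bin/sh
# Added example: print (or, with APPLY=1 as root, run) the commands that steer
# special DMZ hosts into the DMZSPECIAL routing table, using either approach.
# Constructed values: 10.1.2.0/24, priority 100. Helper names are hypothetical.
# Assumes DMZSPECIAL already has an entry in /etc/iproute2/rt_tables.

# is_ipv4_cidr ADDR: succeed only for a.b.c.d or a.b.c.d/len, nothing else
is_ipv4_cidr() {
    case $1 in ''|*[!0-9./]*) return 1;; esac   # rejects spaces, ';', newlines
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# dmz_policy_cmds MODE SRC TABLE [MARK]
#   MODE=rule : match the source address with "ip rule" only (no iptables)
#   MODE=mark : mark each packet in mangle/PREROUTING, then match the fwmark
# Inputs are validated because run_cmds hands the result to a shell.
dmz_policy_cmds() {
    mode=$1 src=$2 table=$3 mark=${4:-1}
    is_ipv4_cidr "$src" || { echo "bad source: $src" >&2; return 2; }
    case $table in ''|*[!A-Za-z0-9_]*) echo "bad table: $table" >&2; return 2;; esac
    case $mode in
    rule)
        echo "ip rule add from $src table $table priority 100"
        ;;
    mark)
        case $mark in ''|*[!0-9]*) echo "bad mark: $mark" >&2; return 2;; esac
        echo "iptables -t mangle -A PREROUTING -s $src -j MARK --set-mark $mark"
        echo "ip rule add fwmark $mark table $table priority 100"
        ;;
    *)
        echo "usage: dmz_policy_cmds rule|mark SRC TABLE [MARK]" >&2; return 2
        ;;
    esac
}

# run_cmds: read commands on stdin, echo each one, execute only when APPLY=1
run_cmds() {
    while IFS= read -r cmd; do
        echo "+ $cmd"
        [ "${APPLY:-0}" = 1 ] && { sh -c "$cmd" || return 1; }
    done
    return 0
}

dmz_policy_cmds rule 10.1.2.0/24 DMZSPECIAL | run_cmds
dmz_policy_cmds mark 10.1.2.0/24 DMZSPECIAL 1 | run_cmds
```

A MARK rule in PREROUTING only sees packets arriving on an interface; traffic generated on the router itself passes through OUTPUT instead and is not marked by it.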