<div dir="ltr"><br><br><div class="gmail_quote">On Wed, Sep 5, 2012 at 8:28 AM, Erez D <span dir="ltr"><<a href="mailto:erez0001@gmail.com" target="_blank">erez0001@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><br><br><div class="gmail_quote"><div class="im">On Mon, Aug 20, 2012 at 10:52 AM, shimi <span dir="ltr"><<a href="mailto:linux-il@shimi.net" target="_blank">linux-il@shimi.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div><p><br>
On Aug 20, 2012 9:34 AM, "Erez D" <<a href="mailto:erez0001@gmail.com" target="_blank">erez0001@gmail.com</a>> wrote:<br>
><br>
> hello<br>
><br>
><br>
> I have a server with two eth ports, each connects to a different router, and then to the internet.<br>
> I want all normal traffic to the internet to go via router 1 (eth0), so I added a default route to it.<br>
> I want TCP connections coming from all over the internet to the second router (eth1) to be accepted.<br>
><br>
> The problem is that although connections are coming in on eth1, due to the default route they are answered from eth0, which means a TCP connection cannot be established.<br>
> I know that Linux has a conntrack module; can I use it to tell the kernel to answer on the same eth it got the SYN from?</p>
</div></div><p>Are the two ports on the same netblock?</p></blockquote></div><div>what do you mean by that ? <br></div></div></div></blockquote><div><br>I mean that one is 10.1.2.3 with netmask 255.255.255.0 and the other is 10.1.2.4 with netmask 255.255.255.0, for example. That means that they're both on the same network block. <br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div></div><div class="im"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<p> If so, can they be separated to two non overlapping blocks? <br>
</p></blockquote></div><div>didn't get that<br></div></div></div></blockquote><div><br>So that one would be 10.1.2.3 with netmask 255.255.255.0 and the other would be 10.1.3.3 with netmask 255.255.255.0<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div class="gmail_quote"><div><br><br>I have many clients from many different IPs connecting to my server. The server has two eth interfaces, with many ports open. <br>There is no relation between eth and port; the same port can receive connections from either interface.<br>
I just want to route the relayed packets of the same connection to the eth the SYN packet came from.<br></div></div></div></blockquote><div><br><br>So, the solution I gave you in the original mail is supposed to work.<br>
<br>I only forgot one word in the command I gave over mobile, so now I'll give the full solution when it's easier to type.<br><br>Variables (assumptions):<br><br>IP address currently going through DGW that shouldn't be: 1.2.3.4<br>
Alternative gateway for <a href="http://1.2.3.4">1.2.3.4</a>: 1.2.3.254<br><br>First, create an alternative routing table for traffic coming from the IP that is not supposed to go to the default GW:<br><br># ip route add <a href="http://0.0.0.0/0">0.0.0.0/0</a> via 1.2.3.254 table 200<br>
<br>Then, ask Linux to use that routing table whenever the source of the traffic is from <a href="http://1.2.3.4">1.2.3.4</a>:<br><br># ip rule add from 1.2.3.4 table 200<br><br>200 is an arbitrary number. You could use an alias for it to look nicer; If you want that, you can alias a name to a number by editing /etc/iproute2/rt_tables. There are examples there you can copy from. If you have an alias for the number, you can use it in both the ip route and ip rule commands, instead of the number.<br>
<br></div></div>That's it, I believe.<br><br>If it still doesn't work, you may be looking at the route cache. You can wait some time, or issue an:<br><br># ip route flush cache<br><br>If it still doesn't work (or commands fail...), be sure to have iproute2 utilities and support in the kernel.<br>
<br>Good luck,<br><br>-- Shimi<br></div>
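<p>The two iproute2 commands from Shimi's reply, as an added example that is not part of the original thread, wrapped in a script that prints the commands in a dry run before you apply them as root. The addresses are the ones assumed in the reply (eth1 holds 1.2.3.4/24 and its router is 1.2.3.254), the interface name eth1, the script name policy-route.sh, the table id 200 and the table alias are hypothetical. The reason a plain "from" rule solves the problem without conntrack is that the kernel answers a TCP connection from the local address the SYN was addressed to, so every reply packet of a connection accepted on eth1 carries 1.2.3.4 as its source and is steered into the alternate table, while locally originated traffic keeps using the default route via eth0.</p>

```shell
#!/bin/sh
# Added example, not code from the original thread: source-based policy routing
# with iproute2, so replies leave through the interface whose address they were
# sent to. Hypothetical addresses: eth1 is 1.2.3.4/24, its router is 1.2.3.254,
# table id 200 is arbitrary.
#
# Usage:  sh policy-route.sh          # dry run: print the commands
#         sh policy-route.sh apply    # execute them (run as root)

SRC_IP="${SRC_IP:-1.2.3.4}"        # address configured on the second interface
SRC_NET="${SRC_NET:-1.2.3.0/24}"   # its directly connected subnet
ALT_GW="${ALT_GW:-1.2.3.254}"      # router reachable through that interface
IFACE="${IFACE:-eth1}"
TABLE="${TABLE:-200}"
DRY_RUN="${DRY_RUN:-1}"
if [ "${1:-}" = "apply" ]; then DRY_RUN=0; fi

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Optional: name the table in /etc/iproute2/rt_tables so "table <name>" can be
# used in ip route / ip rule instead of the number. Skipped if the id is listed.
add_table_alias() {
    tbl="$1"; name="$2"
    if grep -qs "^$tbl[[:space:]]" /etc/iproute2/rt_tables; then
        return 0
    fi
    run sh -c "printf '%s\t%s\n' '$tbl' '$name' >> /etc/iproute2/rt_tables"
}

# The fix itself: a second routing table consulted only for packets whose
# source address is the one on the second interface.
policy_route_cmds() {
    addr="$1"; net="$2"; gw="$3"; dev="$4"; tbl="$5"
    # Keep the connected subnet in the table too; without it, traffic from this
    # address to a neighbour on the same subnet would hit the default route
    # below and be sent through the router instead of directly.
    run ip route add "$net" dev "$dev" src "$addr" table "$tbl"
    # Default route of the alternate table goes through the second router.
    run ip route add 0.0.0.0/0 via "$gw" dev "$dev" table "$tbl"
    # Don't stack a duplicate rule on every re-run (ip rule shows the alias
    # name rather than the id once rt_tables has one, so match on the source).
    if [ "$DRY_RUN" != "1" ] && ip rule show | grep -qF "from $addr "; then
        echo "rule for $addr already present" >&2
    else
        run ip rule add from "$addr" table "$tbl"
    fi
    # Kernels before 3.6 kept a route cache that can hold stale decisions;
    # on later kernels the flush is a harmless no-op.
    run ip route flush cache
}

# Diagnostic: reverse-path filtering on the second interface. 1 is strict,
# 2 is loose, 0 is off; worth checking when SYNs arriving on that interface
# never reach the listening socket.
show_rp_filter() {
    run sysctl -n "net.ipv4.conf.$1.rp_filter"
}

add_table_alias "$TABLE" "$IFACE"
policy_route_cmds "$SRC_IP" "$SRC_NET" "$ALT_GW" "$IFACE" "$TABLE"
show_rp_filter "$IFACE"
```

<p>Run it once without arguments to see the exact commands, compare them with <code>ip route show table 200</code> and <code>ip rule show</code> after applying, and test with a connection from outside to 1.2.3.4 while watching <code>tcpdump -ni eth1</code> for both the SYN and the SYN-ACK on the same interface. Because the rule keys on the source address rather than on connection state, it also covers UDP replies and ICMP errors sent from 1.2.3.4, which a conntrack-based approach would have to handle separately.</p>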