    | 1 | #setup the route table per wan  | |
| 2 | - | ip route add 0/0 via <gw1> dev <wan1> table 10  | 
| 2 | + | ip route add 0/0 via <gw1> dev <wan1> table 11  | 
| 3 | - | ip route add 0/0 via <gw2> dev <wan2> table 11  | 
| 3 | + | ip route add 0/0 via <gw2> dev <wan2> table 12  | 
| 4 | ||
| 5 | #reply from right local addresses  | |
| 6 | - | ip rule add from <wan1_ip> table 10 pref 90  | 
| 6 | + | ip rule add from <wan1_ip> table 11 pref 91  | 
| 7 | - | ip rule add from <wan2_ip> table 11 pref 91  | 
| 7 | + | ip rule add from <wan2_ip> table 12 pref 92  | 
| 8 | ||
| 9 | #route by mark  | |
| 10 | - | ip rule add fwmark 10 table 10 pref 100  | 
| 10 | + | |
| 11 | ip rule add fwmark 12 table 12 pref 102  | |
| 12 | ||
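Review bot: the new side of row 10 is empty, so after this change there is no `ip rule` for fwmark 11, while row 18 now sets CONNMARK 11 for connections arriving on <wan1>. Replies from <int_server_ip> on those connections get mark 11 restored at row 22, match no fwmark rule, and fall through to the later rules (normally the main table) instead of table 11. Add `ip rule add fwmark 11 table 11 pref 101` next to the existing fwmark 12 rule.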
| 13 | #setup the dnat  | |
| 14 | iptables -t nat -A PREROUTING -i <wan1> --dst <wan1_ip> -p <proto> --dport <service-port> -j DNAT --to <int_server_ip>  | |
| 15 | - | iptables -t nat -A PREROUTING -i <wan2> --dst <wan1_ip> -p <proto> --dport <service-port> -j DNAT --to <int_server_ip>  | 
| 15 | + | iptables -t nat -A PREROUTING -i <wan2> --dst <wan2_ip> -p <proto> --dport <service-port> -j DNAT --to <int_server_ip>  | 
| 16 | ||
| 17 | #mark the incoming connections with CONNMARK  | |
| 18 | - | iptables -t mangle -A PREROUTING -i <wan1> -m conntrack --ctstatus DNAT --ctstatus NEW -j CONNMARK --set-mark 10  | 
| 18 | + | iptables -t mangle -A PREROUTING -i <wan1> -m conntrack --ctstatus DNAT --ctstatus NEW -j CONNMARK --set-mark 11  | 
| 19 | - | iptables -t mangle -A PREROUTING -i <wan2> -m conntrack --ctstatus DNAT --ctstatus NEW -j CONNMARK --set-mark 11  | 
| 19 | + | iptables -t mangle -A PREROUTING -i <wan2> -m conntrack --ctstatus DNAT --ctstatus NEW -j CONNMARK --set-mark 12  | 
| 20 | ||
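Review bot: on rows 18 and 19, `DNAT` and `NEW` are passed to `--ctstatus`, but they are `--ctstate` values; `--ctstatus` accepts NONE, EXPECTED, SEEN_REPLY, ASSURED or CONFIRMED, so these rules are rejected as written. Note also that mangle PREROUTING is traversed before nat PREROUTING, so the DNAT bit is not yet set on the first packet of a connection at this point. Matching `-m conntrack --ctstate NEW` on `-i <wan1>` and `-i <wan2>` is enough to set marks 11 and 12.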
| 21 | #reflect the connmark to firewall mark in reply packets  | |
| 22 | iptables -t mangle -A PREROUTING -i <lan> --src <int_server_ip> -j CONNMARK --restore-mark  |