I am not describing what Nathan wants to do, but what he did.

Also, I do not fully understand the scenario: does the SSH originate from Nathan's firewall or from the remote site, and where is the tunnel supposed to go?

Erez

On 3/28/07, Ilya Konstantinov <[EMAIL PROTECTED]> wrote:
Erez, if I properly understand what Nathan is trying to do, he doesn't want to route by src/dst (or any other property of a packet). Instead, he wants something like "stateful routing": he wants packets which are an *indirect* result of a certain SSH session to be routed by the same interface this SSH session came in through.

To the kernel, there's no relation between the SSH session and the indirectly-resulting packets. In non-encrypted protocols such as FTP or ICQ, the kernel keeps track of the relation (IP conntrack modules), but in the case of SSH, only SSH internals know this mapping.

On 3/28/07, Erez D <[EMAIL PROTECTED]> wrote:
> As I can see, you do source routing, and determine the outgoing
> interface via the source IP.
> (see the 'ip rule ...')
>
> This means that the outgoing interface is determined by the IP bound
> to the app (e.g. to ssh);
> usually apps bind to the default IP.
>
> You should change your 'ip rule' (e.g. route by destination, port, or
> whatever, possibly in conjunction with iptables), and then the ssh
> tunnel will go through the interface you like it to.
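The 'ip rule' change Erez suggests, written out as an added shell example (this is not code from the thread). The interface, gateway, routing table and fwmark values are assumed placeholders; with RUN=echo (the default) the commands are only printed, set RUN="" and run as root to apply them.

```shell
#!/bin/sh
# Added example: steer an SSH session out of a chosen uplink with policy
# routing. All names below are assumptions, not values from the thread.
set -eu

WAN2_IF="eth1"        # assumed: the non-default uplink
WAN2_GW="192.0.2.1"   # assumed: its gateway (RFC 5737 documentation address)
TABLE="100"           # assumed: routing table holding WAN2's default route
MARK="0x1"            # assumed: fwmark for traffic that should use WAN2
RUN="${RUN:-echo}"    # echo = dry run; RUN="" executes (needs root)

# Alternate table with WAN2 as default route; both rule styles use it.
alt_table() {
    $RUN ip route replace default via "$WAN2_GW" dev "$WAN2_IF" table "$TABLE"
}

# Source-based rule (what the original setup did): packets whose source
# address is $1 use the alternate table. This covers replies to sessions
# that arrived on WAN2, but a locally started ssh binds the default
# address, so its packets never match this rule.
source_rule() {
    $RUN ip rule add from "$1" lookup "$TABLE"
}

# Port-based steering (Erez's suggestion): mark locally generated TCP to
# port $1 in the mangle table, then route marked packets by fwmark. The
# ssh session itself is steered, and anything tunnelled inside it rides
# along, since it is carried by that same TCP connection.
mark_rule() {
    $RUN iptables -t mangle -A OUTPUT -p tcp --dport "$1" \
        -j MARK --set-mark "$MARK"
    $RUN ip rule add fwmark "$MARK" lookup "$TABLE"
}

# Drop the cached route decisions so the new rules take effect.
flush_cache() {
    $RUN ip route flush cache
}

setup() {
    alt_table
    mark_rule "${1:-22}"
    flush_cache
}

setup "$@"
```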
