policy based routing outbound traffic [SOLVED]

[ddio]

I have a server, which has two possible gateways to the internet(one on eth0 and one on eth1).

Now I want to make the server reachable from both sides (at this moment only apache port 80 and 443), so I thought I use policy based routing for it.

The default routing table uses the gateway for eth0 (192.168.200.1).
The routing table 17 uses the gateway for eth1(192.168.100.151).

So I'll have to reach that if the server is connect on eth1 (192.168.100.250) he uses table17 so he sends the packet back to the correct gateway(192.168.100.151).

First I had some trouble with rp_filter(the packet simply disappeared), then with mangle->PREROUTING (from what I could determine, mangle->PREROUTING is only usable for incoming packets).

So I finally did use mangle->OUTPUT:

iptables -A OUTPUT -t mangle -s 192.168.100.250 -j MARK --set-mark 1

I can see the packet is marked:

iptables -A OUTPUT -t mangle -s 192.168.100.250 -j LOG --log-prefix "pbr: "


[162618.940496] pbr: IN= OUT=eth0 SRC=192.168.100.250 DST=188.64.61.252 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=36929 WINDOW=28960 RES=0x00 ACK SYN URGP=0 MARK=0x1

but as you can see the packet is outputted on the wrong interface (eth0 instead of eth1) but with the correct source ip.

heres the ip rule:

# ip rule show
0: from all lookup local
32765: from all fwmark 0x1 iif eth1 lookup rottmann
32766: from all lookup main
32767: from all lookup default

heres the routing table 17:

# ip route show table 17
default via 192.168.100.151 dev eth1 src 192.168.100.250
192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.250
192.168.101.0/24 via 192.168.100.151 dev eth1
192.168.201.0/24 via 192.168.100.151 dev eth1

[ddio]

writting it down seems to help, after trying so much stuff, I didn't notice that if I switch from PREROUTING to OUTPUT I have to adjust ip rule by deleting the iif part. Now it works.

[ddio]