[SOLVED] iproute2 rule based multi homed SNAT problem
Hello all,
I googled for a couple of days but I can't get the following situation to work:
local LAN (10.0.1.x) => Linux FW => ppp0 ADSL  1.1.1.1
                                 => eth2 CABLE 2.2.2.2
I mark packets from the local LAN to web pages (port 80) with a 2. This triggers the CABLE routing table to use eth2 for that traffic. That works great and is SNAT'ed perfectly in the direction of the internet. Problem is that returning packets are not sent back to the local net but are lost as soon as they arrive on eth2. conntrack sees them and tshark sees them but the system does not forward them... I do have LOG entries in my iptables for all packets that are refused.
Any help is very welcome.
Thanks,
Milo
===========================
relevant part of ip tables:
===========================
...
$IPTABLES -A PREROUTING -t mangle -j CONNMARK --restore-mark
$IPTABLES -A PREROUTING -t mangle -i eth0 -p tcp --dport 80 -j MARK --set-mark 2 # Mark web browsing for CABLE
$IPTABLES -A POSTROUTING -t mangle -o ppp0 -m state --state NEW -j MARK --set-mark 1
$IPTABLES -A POSTROUTING -t mangle -o eth2 -m state --state NEW -j MARK --set-mark 2
$IPTABLES -A POSTROUTING -t mangle -m state --state NEW -j CONNMARK --save-mark
...
$IPTABLES -t nat -A POSTROUTING -o ppp0 -s 10.0.1.0/24 ! -d 10.0.0.0/8 -m mark --mark 1 -j SNAT --to-source 1.1.1.1
$IPTABLES -t nat -A POSTROUTING -o eth2 -s 10.0.1.0/24 ! -d 10.0.0.0/8 -m mark --mark 2 -j SNAT --to-source 2.2.2.2
...
===========================
conntrack -E -s 10.0.1.x
===========================
[NEW] tcp 6 120 SYN_SENT src=10.0.1.3 dst=217.21.146.161 sport=1483 dport=80 [UNREPLIED] src=217.21.146.161 dst=95.96.84.156 sport=80 dport=1483 mark=2
[UPDATE] tcp 6 59 SYN_RECV src=10.0.1.3 dst=217.21.146.161 sport=1483 dport=80 src=217.21.146.161 dst=95.96.84.156 sport=80 dport=1483 mark=2
=> Never reaches state ESTABLISHED
===========================
ip rule
===========================
0: from all lookup local
50: from 2.2.2.2 iif lo lookup CABLE
200: from all fwmark 0x2 iif eth2 lookup CABLE
200: from all fwmark 0x2 iif eth0 lookup CABLE
32766: from all lookup main
32767: from all lookup default
===========================
ip route list table CABLE
===========================
10.0.1.0/24 dev eth0 scope link
2.2.2.0/24 dev eth2 scope link metric 10
127.0.0.0/8 dev lo scope link
default via 2.2.2.1 dev eth2 metric 10
===========================
ip route list table main
===========================
1.1.1.2 dev ppp0 proto kernel scope link src 1.1.1.1
192.168.100.0/24 dev eth2 proto kernel scope link src 192.168.100.99
10.0.0.0/24 dev eth1 proto kernel scope link src 10.0.0.2
10.0.1.0/24 dev eth0 scope link
2.2.2.0/24 dev eth2 scope link metric 10
127.0.0.0/8 dev lo scope link
default via 1.1.1.2 dev ppp0
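As an added illustration (not code from the post), a small Python model of the `ip rule` and `ip route` tables shown above: it walks the rules in priority order for a given packet and also applies the simplified reverse-path check that strict rp_filter performs, which looks up the packet's source address with no ingress interface and with the fwmark zeroed unless net.ipv4.conf.<if>.src_valid_mark=1. The addresses are the poster's placeholders and the `local` table is left empty.

```python
import ipaddress

# Rules and tables are constructed from the `ip rule` / `ip route` output in the post.
RULES = [  # (priority, selector, table); an empty selector matches every packet
    (0,     {},                               "local"),
    (50,    {"from": "2.2.2.2", "iif": "lo"}, "CABLE"),
    (200,   {"fwmark": 2, "iif": "eth2"},     "CABLE"),
    (200,   {"fwmark": 2, "iif": "eth0"},     "CABLE"),
    (32766, {},                               "main"),
]
TABLES = {  # prefix -> output device; the local table is left empty for brevity
    "local": {},
    "CABLE": {"10.0.1.0/24": "eth0", "2.2.2.0/24": "eth2", "0.0.0.0/0": "eth2"},
    "main":  {"1.1.1.2/32": "ppp0", "192.168.100.0/24": "eth2", "10.0.0.0/24": "eth1",
              "10.0.1.0/24": "eth0", "2.2.2.0/24": "eth2", "0.0.0.0/0": "ppp0"},
}

def _rule_matches(sel, src, iif, fwmark):
    # A selector key that is absent matches anything.
    return (sel.get("from", src) == src and sel.get("iif", iif) == iif
            and sel.get("fwmark", fwmark) == fwmark)

def route_lookup(dst, src="0.0.0.0", iif=None, fwmark=0):
    """Walk the rules in priority order; a table without a matching route is skipped
    and the walk continues. Returns (table, device) or (None, None)."""
    dst_ip = ipaddress.ip_address(dst)
    for _prio, sel, table in sorted(RULES, key=lambda r: r[0]):
        if not _rule_matches(sel, src, iif, fwmark):
            continue
        best = None  # longest-prefix match within this table
        for prefix, dev in TABLES[table].items():
            net = ipaddress.ip_network(prefix)
            if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, dev)
        if best:
            return table, best[1]
    return None, None

def strict_rp_filter_accepts(src, dst, iif, fwmark=0, src_valid_mark=False):
    """Simplified model of rp_filter=1: route the packet's *source* as a destination,
    without an ingress interface and with the mark zeroed unless src_valid_mark is set;
    accept only if that route leaves via the interface the packet arrived on."""
    _table, dev = route_lookup(src, src=dst, iif=None, fwmark=fwmark if src_valid_mark else 0)
    return dev == iif

if __name__ == "__main__":
    # Reply from the web server, already un-NATted to the LAN host, mark 2 restored by CONNMARK.
    print(route_lookup("10.0.1.3", src="217.21.146.161", iif="eth2", fwmark=2))
    print(strict_rp_filter_accepts("217.21.146.161", "10.0.1.3", "eth2", fwmark=2))
```

In this model the reply routes to eth0 via CABLE, but the reverse-path lookup falls through to main and picks ppp0, so a strict rp_filter on eth2 would not accept it; `sysctl net.ipv4.conf.eth2.rp_filter` is therefore one setting worth checking on a box like this.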