fwmarks

fwmarks

[Esteban]

i ve got the clasic firewall for my internal network but inteades of one
internet gw ive got two.

(internel 172.0.0.0/24) eth0 -#linux box#-eth2 (first gw to internet)
					#-ppp0 (second gw to internet)

i have a trnasparent squid and a nat rule to redirect ports..
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
--to-port 3128

then squid looks for the webpages on the two gateways (multipath).
now i would like to fwmark paquets generated by squid and thru a
routeing table route only www packages to the gw i want.

i tryed 
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 2

and then 
echo 201 www.out >> /etc/iproute2/rt_tables
ip rule add fwmark 2 table www.out
ip route add default gw via 1.1.1.1 dev ppp0 
ip route flush cache

and does not work!.
if i create a rule like 
ip rule add to 2.2.2.2 table www.out
ip route flush cache

that does work!..
i think the mangling is not okay..how do i mangle paquetes generated by
my own server? if anyone have some experience please help me!

thanks in advance

Re: fwmarks

[Joel Newkirk]

On Saturday 01 March 2003 03:44 pm, Esteban wrote:

> i have a trnasparent squid and a nat rule to redirect ports..
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 3128
>
> then squid looks for the webpages on the two gateways (multipath).
> now i would like to fwmark paquets generated by squid and thru a
> routeing table route only www packages to the gw i want.
>
> i tryed
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark
> 2

If the traffic is coming from (IE squid is running on) the firewall box 
itself then outbound traffic from squid never goes through PREROUTING.  
Try:

iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 2

instead.

j

Re: fwmarks

[Tomasz Wrona]

On 1 Mar 2003, Esteban wrote:

> and then
> echo 201 www.out >> /etc/iproute2/rt_tables
> ip rule add fwmark 2 table www.out
> ip route add default gw via 1.1.1.1 dev ppp0
> ip route flush cache
>
> and does not work!.
> if i create a rule like
> ip rule add to 2.2.2.2 table www.out
> ip route flush cache
>
> that does work!..

Set [I guess location but key is to turn of rpfilter when using
policyrouting via fwmark]:
echo "0" > /proc/sys/net/ipv4/conf/ppp0/rp_filter

Regards
tw
-- 

----------------
 ck.eter.tym.pl

"Never let shooling disturb Your education"

Re: fwmarks

[Esteban]

ive tryed and so on..

root@debian:~# find /proc/ -type f -iname "rp_filter"  -exec cat {} \;
0
0
0
0
0
root@debian:

it doesnt work!..
i see the accounting of paquets in iptables, so marking is working..

root@debian:~# ip route ls
172.0.0.0/24 dev eth0  proto kernel  scope link  src 172.0.0.82 
172.0.0.0/24 dev eth1  proto kernel  scope link  src 172.0.0.81 
default via 172.0.0.1 dev eth0 

but they keep on using the default route! (eth0) and not eth1!

root@debian:~# ip rule ls
0:      from all lookup local 
32761:  from all fwmark        2 lookup eth1 
32762:  from all fwmark        2 lookup eth1 
32763:  from all fwmark        d lookup eth1 
32764:  from all fwmark       13 lookup eth1 
32765:  from all to 198.133.219.25 lookup eth1 
32766:  from all lookup main 
32767:  from all lookup default 
root@debian:~# 
root@debian:~# ip route ls table eth1
172.0.0.1 dev eth1  scope link  src 172.0.0.81 
default via 172.0.0.1 dev eth1  src 172.0.0.81 
root@debian:~# 
root@debian:~#  iptables -t mangle -L -n -v
Chain PREROUTING (policy ACCEPT 11811 packets, 5080K bytes)
 pkts bytes target     prot opt in     out     source              
destination         
Chain INPUT (policy ACCEPT 10043 packets, 4859K bytes)
 pkts bytes target     prot opt in     out     source              
destination         
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source              
destination         
Chain OUTPUT (policy ACCEPT 8362 packets, 1812K bytes)
 pkts bytes target     prot opt in     out     source              
destination         
  120  6287 MARK       tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0          tcp dpt:80 MARK set 0x2 
  261 12430 MARK       tcp  --  *      *       0.0.0.0/0           
0.0.0.0/0          tcp dpt:110 MARK set 0xd 
Chain POSTROUTING (policy ACCEPT 8542 packets, 1832K bytes)
 pkts bytes target     prot opt in     out     source              
destination         
root@debian:~# 


thanks for helping me!! any idea?? 

On Sat, 2003-03-01 at 20:13, Tomasz Wrona wrote:
> On 1 Mar 2003, Esteban wrote:
> 
> > and then
> > echo 201 www.out >> /etc/iproute2/rt_tables
> > ip rule add fwmark 2 table www.out
> > ip route add default gw via 1.1.1.1 dev ppp0
> > ip route flush cache
> >
> > and does not work!.
> > if i create a rule like
> > ip rule add to 2.2.2.2 table www.out
> > ip route flush cache
> >
> > that does work!..
> 
> Set [I guess location but key is to turn of rpfilter when using
> policyrouting via fwmark]:
> echo "0" > /proc/sys/net/ipv4/conf/ppp0/rp_filter
> 
> Regards
> tw
> -- 
> 
> ----------------
>  ck.eter.tym.pl
> 
> "Never let shooling disturb Your education"
> 
> 

Re: fwmarks

[eribicic]

Thanks Thomas, it really help your commnent..still doesnt work :( but i think where the problem is..but i couldnt workit out.

i wanted to the where to things:

1) make transparent squid paquets (which i asume they are generated in the linux box) being routed to the gw i choose. it seems that as i have only one deafault gw, when squid generate the paquets it takes that address as src address and thats why, even i fwmark rules and stuff, that doesnt work..

2) make internal network paquets (wich are mascararaded throght my default gw) -remember even when i have two gateway i only masquerde paquts through one of them- use the another interface, thats why i do fwmark on prerouting and now (thanks thomas) it works, but as masquerading is not appyled (i dont know why!) paquets only go, but never come back..

any sugestion?
thank you really much!!!!!!
help needed!


all conf and stuff is in: http://www.dejawu.com.ar/net.html


> > and then
> > echo 201 www.out >> /etc/iproute2/rt_tables
> > ip rule add fwmark 2 table www.out
> > ip route add default gw via 1.1.1.1 dev ppp0
> > ip route flush cache
> >
> > and does not work!.
> > if i create a rule like
> > ip rule add to 2.2.2.2 table www.out
> > ip route flush cache
> >
> > that does work!..
> 
> Set [I guess location but key is to turn of rpfilter when using
> policyrouting via fwmark]:
> echo "0" > /proc/sys/net/ipv4/conf/ppp0/rp_filter
> 
> Regards
> tw
> -- 
> 
> ----------------
>  ck.eter.tym.pl
> 
> "Never let shooling disturb Your education"
> 
> 
-- 
Slds.