* ip_conntrack module, advanced routing and multiple ISP
@ 2003-09-15  8:55 Matthieu Turpault
  0 siblings, 0 replies; 8+ messages in thread
From: Matthieu Turpault @ 2003-09-15  8:55 UTC (permalink / raw)
  To: netfilter

Hi list,

	I have a firewall with 4 NICs:
		- 3 interfaces connected to the net (eth2, eth3, eth5) via
		    3 ISPs;
		- 1 interface connected to the internal network.

	eth2 is connected to a router (10.0.1.1) which does masquerading.

	Outgoing requests (from the internal network to the net) are load
	 balanced across the 3 ISPs (cf. my configuration at the end of the mail).

	All incoming requests from the net to the internal network on ports
	 http, pop3, imap, ftp, smtp, https are correctly routed.

	All outgoing requests from the internal network to the net on
	 ports http, pop3, imap are correctly routed.

	The problem is that I can't connect from the internal network to
	 an ftp server on the net. In fact, I can connect to an ftp server
	 on the net, but the "ls" command fails most of the time (1/3).
	 I use passive mode.

	Can you help me, please?

	Thanks in advance


	If I add the route with the command
	  ip route add <@ftpServer> via <@GATEWAY_ISP2>
	  it is OK.

	Here is my configuration (long but complete... I hope):


=============================================================
		Routing table and rules
=============================================================

[root@firewall firewall]# ip ru l
0:      from all lookup local
32763:  from all fwmark        3 lookup 212
32764:  from all fwmark        2 lookup 211
32765:  from all fwmark        1 lookup 210
32766:  from all lookup main
32767:  from all lookup 253

--------------------------------------------------------------
[root@firewall firewall]# ip route list
<@NETMASK_ISP2>/30 dev eth5  proto kernel  scope link  src <@ISP2>
10.0.3.0/30 dev eth5  scope link
10.0.1.0/24 dev eth2  scope link
10.1.0.0/24 dev eth0  scope link
<@NETMASK_ISP3>/24 dev eth3  scope link
127.0.0.0/8 dev lo  scope link
default
        nexthop via 10.0.1.1  dev eth2 weight 1 onlink
        nexthop via <@GATEWAY_ISP2>  dev eth5 weight 1 onlink
        nexthop via <@GATEWAY_ISP3>  dev eth3 weight 1 onlink
--------------------------------------------------------------
[root@firewall firewall]# ip ro l t 210
<@NETMASK_ISP2>/30 dev eth5  proto kernel  scope link  src <@ISP2>
10.0.3.0/30 dev eth5  scope link
10.0.1.0/24 dev eth2  scope link
10.1.0.0/24 dev eth0  scope link
<@NETMASK_ISP3>/24 dev eth3  scope link
127.0.0.0/8 dev lo  scope link
default via 10.0.1.1 dev eth2
---------------------------------------------------------------
[root@firewall firewall]# ip ro l t 211
<@NETMASK_ISP2>/30 dev eth5  proto kernel  scope link  src <@ISP2>
10.0.3.0/30 dev eth5  scope link
10.0.1.0/24 dev eth2  scope link
10.1.0.0/24 dev eth0  scope link
<@NETMASK_ISP3>/24 dev eth3  scope link
127.0.0.0/8 dev lo  scope link
default via <@GATEWAY_ISP3> dev eth3
-----------------------------------------------------------------
[root@firewall firewall]# ip ro l t 212
<@NETMASK_ISP2>/30 dev eth5  proto kernel  scope link  src <@ISP2>
10.0.3.0/30 dev eth5  scope link
10.0.1.0/24 dev eth2  scope link
10.1.0.0/24 dev eth0  scope link
<@NETMASK_ISP3>/24 dev eth3  scope link
127.0.0.0/8 dev lo  scope link
default via <@GATEWAY_ISP2> dev eth5

==================================================================
	IPTABLES tables
==================================================================

[root@firewall firewall]# iptables -L -v -n -t nat
Chain PREROUTING (policy ACCEPT 531K packets, 34M bytes)
 pkts bytes target     prot opt in     out     source
destination
 4496  293K net_dnat   all  --  eth2   *       0.0.0.0/0
0.0.0.0/0
39294 1956K net_dnat   all  --  eth3   *       0.0.0.0/0
0.0.0.0/0
18601 1158K net_dnat   all  --  eth5   *       0.0.0.0/0
0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 81932 packets, 4985K bytes)
 pkts bytes target     prot opt in     out     source
destination
 182K 9122K eth3_masq  all  --  *      eth3    0.0.0.0/0
0.0.0.0/0
 166K 8193K eth5_masq  all  --  *      eth5    0.0.0.0/0
0.0.0.0/0

Chain OUTPUT (policy ACCEPT 32386 packets, 2508K bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain eth3_masq (1 references)
 pkts bytes target     prot opt in     out     source
destination
 159K 7823K MASQUERADE  all  --  *      *       10.1.0.0/24
0.0.0.0/0


Chain eth5_masq (1 references)
 pkts bytes target     prot opt in     out     source
destination
 159K 7825K MASQUERADE  all  --  *      *       10.1.0.0/24
0.0.0.0/0


Chain net_dnat (3 references)
(...)
----------------------------------------------------------------

[root@firewall firewall]# iptables -L -v -n -t mangle
Chain PREROUTING (policy ACCEPT 4008K packets, 1940M bytes)
 pkts bytes target     prot opt in     out     source
destination
 2223  168K MARK       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:21 MARK set 0x1
 9364 3221K MARK       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:20 MARK set 0x1
    0     0 MARK       udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp spt:21 MARK set 0x1
    0     0 MARK       udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp spt:20 MARK set 0x1
14916 1413K MARK       all  --  *      *       0.0.0.0/0
0.0.0.0/0          ctorigdst <@ISP2> MARK set 0x3
72454   17M MARK       all  --  *      *       0.0.0.0/0
0.0.0.0/0          ctorigdst <@ISP3> MARK set 0x2
94175   43M MARK       all  --  *      *       0.0.0.0/0
0.0.0.0/0          ctorigdst 10.0.1.10 MARK set 0x1
4008K 1940M pretos     all  --  *      *       0.0.0.0/0
0.0.0.0/0
 1282  108K MARK       all  --  *      *       0.0.0.0/0
0.0.0.0/0          ctorigsrc <@ISP2> MARK set 0x3
 1327  112K MARK       all  --  *      *       0.0.0.0/0
0.0.0.0/0          ctorigsrc <@ISP3> MARK set 0x2
65220   41M MARK       all  --  *      *       0.0.0.0/0
0.0.0.0/0          ctorigsrc 10.1.0.10 MARK set 0x1

Chain INPUT (policy ACCEPT 154K packets, 16M bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain FORWARD (policy ACCEPT 3828K packets, 1923M bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain OUTPUT (policy ACCEPT 86903 packets, 5978K bytes)
 pkts bytes target     prot opt in     out     source
destination
 7587  402K MARK       all  --  *      *       <@ISP2>         0.0.0.0/0
MARK set 0x3
24567 1440K MARK       all  --  *      *       <@ISP3>         0.0.0.0/0
MARK set 0x2
 5332  418K MARK       all  --  *      *       10.0.1.10
0.0.0.0/0          MARK set 0x1
86903 5978K outtos     all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 3890K packets, 1927M bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source
destination
  712 61690 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:22 TOS set 0x10
 2708  438K TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:22 TOS set 0x10
    8   320 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source
destination
22272 1209K TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:22 TOS set 0x10
19801 8705K TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:22 TOS set 0x10
 2140  112K TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:21 TOS set 0x10
 2223  168K TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:21 TOS set 0x10
 9364 3221K TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:20 TOS set 0x08
 8865 7140K TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:20 TOS set 0x08

===============================================================
		LOADED MODULES
===============================================================

[root@firewall firewall]# lsmod
Module                  Size  Used by    Not tainted
nls_iso8859-15          4060   0  (autoclean)
isofs                  28856   0  (autoclean)
zlib_inflate           21764   0  (autoclean) [isofs]
vfat                   12204   0  (autoclean)
fat                    38072   0  (autoclean) [vfat]
ide-cd                 33860   0  (autoclean)
cdrom                  32736   0  (autoclean) [ide-cd]
ipt_MARK                1336  13  (autoclean)
ipt_conntrack           1528   6  (autoclean)
ipt_TOS                 1592  12  (autoclean)
ipt_MASQUERADE          2200  20  (autoclean)
ipt_LOG                 4312  11  (autoclean)
ipt_REJECT              3768   4  (autoclean)
ipt_state               1048  71  (autoclean)
iptable_mangle          2712   1  (autoclean)
ip_nat_irc              3472   0  (unused)
ip_nat_ftp              4240   0  (unused)
iptable_nat            21894   3  [ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
ip_conntrack_irc        4400   1  [ip_nat_irc]
ip_conntrack_ftp        5424   1  [ip_nat_ftp]
ip_conntrack           28864   5  [ipt_conntrack ipt_MASQUERADE ipt_state
ip_nat_irc ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
iptable_filter          2348   1  (autoclean)
ip_tables              15424  12  [ipt_MARK ipt_conntrack ipt_TOS
ipt_MASQUERADE ipt_LOG ipt_REJECT ipt_state iptable_mangle iptable_nat
iptable_filter]
af_packet              16328   1  (autoclean)
sundance               16224   3  (autoclean)
eepro100               22228   2  (autoclean)
mii                     3980   0  (autoclean) [sundance eepro100]
usb-uhci               26128   0  (unused)
usbcore                77324   1  [usb-uhci]
rtc                     8776   0  (autoclean)
reiserfs              183540   5




^ permalink raw reply	[flat|nested] 8+ messages in thread
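The post gives the `ip rule` list, the four routing tables and the mangle MARK rules but never walks a packet through them, so the reader has to work out by hand why passive-mode FTP is the one thing that breaks. The following Python model is an added example, not code from the original message or from netfilter: it encodes the rules exactly as posted (the `<@...>` placeholders are kept verbatim) and evaluates which table and which egress interfaces each packet of a PASV session gets, first as configured and then with the host route the poster says makes it work. The FTP server 203.0.113.5, the LAN client 10.1.0.20 and the port numbers are constructed; the public address behind the 10.0.1.1 router is a placeholder because the post does not give it.

```python
"""Policy-routing walkthrough for the multi-ISP firewall described in the post.

Added example, not code from the original message: it models the `ip ru l`
rules, the per-table routes and the mangle PREROUTING MARK rules shown in the
post and evaluates, for each packet of a passive-mode FTP session, which table
is consulted and which egress interfaces can be chosen. The <@...> placeholders
are kept verbatim; the FTP server 203.0.113.5, the LAN client 10.1.0.20 and the
port numbers are constructed for the example.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# `ip ru l`: (priority, fwmark to match or None, table), in lookup order.
RULES = [(0, None, "local"), (32763, 3, "212"), (32764, 2, "211"),
         (32765, 1, "210"), (32766, None, "main")]
# Connected networks that appear identically in every table of the post.
CONNECTED = [("10.0.3.0/30", "eth5"), ("10.0.1.0/24", "eth2"),
             ("10.1.0.0/24", "eth0"), ("127.0.0.0/8", "lo")]
# Default route per table: one nexthop in 210/211/212, three equal-cost
# nexthops in main (the "nexthop ... weight 1" lines of `ip route list`).
DEFAULTS = {"210": ["eth2"], "211": ["eth3"], "212": ["eth5"],
            "main": ["eth2", "eth5", "eth3"]}
# Source address the remote server sees per egress path. eth2 sits behind the
# masquerading router 10.0.1.1, whose public address the post does not give
# (placeholder); eth3 and eth5 are masqueraded by the firewall itself.
PUBLIC_SRC = {"eth2": "<@PUBLIC_ADDR_OF_10.0.1.1>", "eth5": "<@ISP2>",
              "eth3": "<@ISP3>"}
FTP_SERVER = "203.0.113.5"  # constructed remote FTP server
CLIENT = "10.1.0.20"        # constructed LAN client (not the pinned 10.1.0.10)

# dst is the destination as seen by the routing decision (after un-NAT);
# ctorigsrc/ctorigdst are the conntrack original-direction endpoints.
Packet = namedtuple("Packet", "name proto src dst sport dport ctorigsrc ctorigdst")

# mangle PREROUTING MARK rules from the post, in chain order. MARK is a
# non-terminating target: every matching rule fires and the last match wins.
MARK_RULES = [
    (lambda p: p.proto == "tcp" and p.sport == 21, 1),
    (lambda p: p.proto == "tcp" and p.sport == 20, 1),
    (lambda p: p.proto == "udp" and p.sport == 21, 1),
    (lambda p: p.proto == "udp" and p.sport == 20, 1),
    (lambda p: p.ctorigdst == "<@ISP2>", 3),
    (lambda p: p.ctorigdst == "<@ISP3>", 2),
    (lambda p: p.ctorigdst == "10.0.1.10", 1),
    (lambda p: p.ctorigsrc == "<@ISP2>", 3),
    (lambda p: p.ctorigsrc == "<@ISP3>", 2),
    (lambda p: p.ctorigsrc == "10.1.0.10", 1),
]


def mangle_mark(pkt):
    """Return the fwmark left on the packet by mangle PREROUTING (0 if none)."""
    mark = 0
    for matches, value in MARK_RULES:
        if matches(pkt):
            mark = value
    return mark


def route(pkt, mark, host_routes=None):
    """Walk the rule list; return (table consulted, candidate egress devices).
    host_routes maps table -> [(prefix, dev)] for routes added by hand, such as
    the post's workaround `ip route add <@ftpServer> via <@GATEWAY_ISP2>`."""
    dst = ip_address(pkt.dst)
    for _prio, fwmark, table in RULES:
        if fwmark is not None and fwmark != mark:
            continue
        if table == "local":
            continue  # holds only the firewall's own addresses; none appear here
        for prefix, dev in (host_routes or {}).get(table, []) + CONNECTED:
            if dst in ip_network(prefix):
                return table, [dev]
        return table, list(DEFAULTS[table])  # every table has a default route
    raise LookupError("no rule matched")


def pasv_session(host_routes=None):
    """For the three packets that matter in a passive-mode transfer, return
    (name, mark, table, egress candidates, source addresses the server may see)."""
    packets = [
        Packet("control SYN", "tcp", CLIENT, FTP_SERVER, 40001, 21, CLIENT, FTP_SERVER),
        Packet("control reply", "tcp", FTP_SERVER, CLIENT, 21, 40001, CLIENT, FTP_SERVER),
        # after PASV the client opens a brand-new connection to the port the
        # server announced; ip_conntrack_ftp tracks it as RELATED, but no MARK
        # rule in the post looks at that, so it is routed on its own
        Packet("PASV data SYN", "tcp", CLIENT, FTP_SERVER, 40002, 51234, CLIENT, FTP_SERVER),
    ]
    out = []
    for pkt in packets:
        mark = mangle_mark(pkt)
        table, devs = route(pkt, mark, host_routes)
        seen = sorted(PUBLIC_SRC[d] for d in devs if d in PUBLIC_SRC)
        out.append((pkt.name, mark, table, devs, seen))
    return out


if __name__ == "__main__":
    for row in pasv_session():
        print("as posted      ", row)
    for row in pasv_session({"main": [(FTP_SERVER, "eth5")]}):
        print("with workaround", row)
```

Run as posted, the model shows that the only rule which ever marks the FTP session is `tcp spt:21` on the server's reply, and that reply is delivered to the LAN through eth0 whatever table it lands in; both client-originated connections (control and PASV data) carry mark 0, fall through to the multipath default in `main`, and can each leave through any of the three paths, so the FTP server may see the data connection arrive from a different source address than the control connection. With the poster's host route added to `main`, both flows collapse to eth5 and the server sees `<@ISP2>` for both. One caveat the model does not capture: a 2.4 kernel picks the multipath nexthop when it fills a route-cache entry and reuses that entry for later flows to the same destination until it expires, which is why the two connections often agree and the failure is intermittent rather than constant. The underlying gap is that none of the posted MARK rules use the conntrack relationship between the RELATED data connection and its control connection, so nothing forces them onto the same path.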

* ip_conntrack module, advanced routing and multiple ISP
@ 2003-09-15 10:28 Matthieu Turpault
  2003-09-16 11:02 ` Matthieu Turpault
  2003-09-16 12:23 ` Cedric Blancher
  0 siblings, 2 replies; 8+ messages in thread
From: Matthieu Turpault @ 2003-09-15 10:28 UTC (permalink / raw)
  To: netfilter

Hi list,

	I have a firewall with 4 NICs:
		- 3 interfaces connected to the net (eth2, eth3, eth5) via
		    3 ISPs;
		- 1 interface connected to the internal network.

	eth2 is connected to a router (10.0.1.1) which does masquerading.

	Outgoing requests (from the internal network to the net) are load
	 balanced across the 3 ISPs (cf. my configuration at the end of the mail).

	All incoming requests from the net to the internal network on ports
	 http, pop3, imap, ftp, smtp, https are correctly routed.

	All outgoing requests from the internal network to the net on
	 ports http, pop3, imap are correctly routed.

	The problem is that I can't connect from the internal network to
	 an ftp server on the net. In fact, I can connect to an ftp server
	 on the net, but the "ls" command fails most of the time (1/3).
	 I use passive mode.

	Can you help me, please?

	Thanks in advance


	If I add the route with the command
	  ip route add <@ftpServer> via <@GATEWAY_ISP2>
	  it is OK.

	Here is my configuration (long but complete... I hope):


=============================================================
		Routing table and rules
=============================================================

[root@firewall firewall]# ip ru l
0:      from all lookup local
32763:  from all fwmark        3 lookup 212
32764:  from all fwmark        2 lookup 211
32765:  from all fwmark        1 lookup 210
32766:  from all lookup main
32767:  from all lookup 253

--------------------------------------------------------------
[root@firewall firewall]# ip route list
<@NETMASK_ISP2>/30 dev eth5  proto kernel  scope link  src <@ISP2>
10.0.3.0/30 dev eth5  scope link
10.0.1.0/24 dev eth2  scope link
10.1.0.0/24 dev eth0  scope link
<@NETMASK_ISP3>/24 dev eth3  scope link
127.0.0.0/8 dev lo  scope link
default
        nexthop via 10.0.1.1  dev eth2 weight 1 onlink
        nexthop via <@GATEWAY_ISP2>  dev eth5 weight 1 onlink
        nexthop via <@GATEWAY_ISP3>  dev eth3 weight 1 onlink
--------------------------------------------------------------
[root@firewall firewall]# ip ro l t 210
<@NETMASK_ISP2>/30 dev eth5  proto kernel  scope link  src <@ISP2>
10.0.3.0/30 dev eth5  scope link
10.0.1.0/24 dev eth2  scope link
10.1.0.0/24 dev eth0  scope link
<@NETMASK_ISP3>/24 dev eth3  scope link
127.0.0.0/8 dev lo  scope link
default via 10.0.1.1 dev eth2
---------------------------------------------------------------
[root@firewall firewall]# ip ro l t 211
<@NETMASK_ISP2>/30 dev eth5  proto kernel  scope link  src <@ISP2>
10.0.3.0/30 dev eth5  scope link
10.0.1.0/24 dev eth2  scope link
10.1.0.0/24 dev eth0  scope link
<@NETMASK_ISP3>/24 dev eth3  scope link
127.0.0.0/8 dev lo  scope link
default via <@GATEWAY_ISP3> dev eth3
-----------------------------------------------------------------
[root@firewall firewall]# ip ro l t 212
<@NETMASK_ISP2>/30 dev eth5  proto kernel  scope link  src <@ISP2>
10.0.3.0/30 dev eth5  scope link
10.0.1.0/24 dev eth2  scope link
10.1.0.0/24 dev eth0  scope link
<@NETMASK_ISP3>/24 dev eth3  scope link
127.0.0.0/8 dev lo  scope link
default via <@GATEWAY_ISP2> dev eth5

==================================================================
	IPTABLES tables
==================================================================

[root@firewall firewall]# iptables -L -v -n -t nat
Chain PREROUTING (policy ACCEPT 531K packets, 34M bytes)
 pkts bytes target     prot opt in     out     source
destination
 4496  293K net_dnat   all  --  eth2   *       0.0.0.0/0
0.0.0.0/0
39294 1956K net_dnat   all  --  eth3   *       0.0.0.0/0
0.0.0.0/0
18601 1158K net_dnat   all  --  eth5   *       0.0.0.0/0
0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 81932 packets, 4985K bytes)
 pkts bytes target     prot opt in     out     source
destination
 182K 9122K eth3_masq  all  --  *      eth3    0.0.0.0/0
0.0.0.0/0
 166K 8193K eth5_masq  all  --  *      eth5    0.0.0.0/0
0.0.0.0/0

Chain OUTPUT (policy ACCEPT 32386 packets, 2508K bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain eth3_masq (1 references)
 pkts bytes target     prot opt in     out     source
destination
 159K 7823K MASQUERADE  all  --  *      *       10.1.0.0/24
0.0.0.0/0


Chain eth5_masq (1 references)
 pkts bytes target     prot opt in     out     source
destination
 159K 7825K MASQUERADE  all  --  *      *       10.1.0.0/24
0.0.0.0/0


Chain net_dnat (3 references)
(...)
----------------------------------------------------------------

[root@firewall firewall]# iptables -L -v -n -t mangle
Chain PREROUTING (policy ACCEPT 4008K packets, 1940M bytes)
 pkts bytes target     prot opt in     out     source
destination
 2223  168K MARK       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:21 MARK set 0x1
 9364 3221K MARK       tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:20 MARK set 0x1
    0     0 MARK       udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp spt:21 MARK set 0x1
    0     0 MARK       udp  --  *      *       0.0.0.0/0
0.0.0.0/0          udp spt:20 MARK set 0x1
14916 1413K MARK       all  --  *      *       0.0.0.0/0
0.0.0.0/0          ctorigdst <@ISP2> MARK set 0x3
72454   17M MARK       all  --  *      *       0.0.0.0/0
0.0.0.0/0          ctorigdst <@ISP3> MARK set 0x2
94175   43M MARK       all  --  *      *       0.0.0.0/0
0.0.0.0/0          ctorigdst 10.0.1.10 MARK set 0x1
4008K 1940M pretos     all  --  *      *       0.0.0.0/0
0.0.0.0/0
 1282  108K MARK       all  --  *      *       0.0.0.0/0
0.0.0.0/0          ctorigsrc <@ISP2> MARK set 0x3
 1327  112K MARK       all  --  *      *       0.0.0.0/0
0.0.0.0/0          ctorigsrc <@ISP3> MARK set 0x2
65220   41M MARK       all  --  *      *       0.0.0.0/0
0.0.0.0/0          ctorigsrc 10.1.0.10 MARK set 0x1

Chain INPUT (policy ACCEPT 154K packets, 16M bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain FORWARD (policy ACCEPT 3828K packets, 1923M bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain OUTPUT (policy ACCEPT 86903 packets, 5978K bytes)
 pkts bytes target     prot opt in     out     source
destination
 7587  402K MARK       all  --  *      *       <@ISP2>         0.0.0.0/0
MARK set 0x3
24567 1440K MARK       all  --  *      *       <@ISP3>         0.0.0.0/0
MARK set 0x2
 5332  418K MARK       all  --  *      *       10.0.1.10
0.0.0.0/0          MARK set 0x1
86903 5978K outtos     all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 3890K packets, 1927M bytes)
 pkts bytes target     prot opt in     out     source
destination

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source
destination
  712 61690 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:22 TOS set 0x10
 2708  438K TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:22 TOS set 0x10
    8   320 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source
destination
22272 1209K TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:22 TOS set 0x10
19801 8705K TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:22 TOS set 0x10
 2140  112K TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:21 TOS set 0x10
 2223  168K TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:21 TOS set 0x10
 9364 3221K TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp spt:20 TOS set 0x08
 8865 7140K TOS        tcp  --  *      *       0.0.0.0/0
0.0.0.0/0          tcp dpt:20 TOS set 0x08

===============================================================
		LOADED MODULES
===============================================================

[root@firewall firewall]# lsmod
Module                  Size  Used by    Not tainted
nls_iso8859-15          4060   0  (autoclean)
isofs                  28856   0  (autoclean)
zlib_inflate           21764   0  (autoclean) [isofs]
vfat                   12204   0  (autoclean)
fat                    38072   0  (autoclean) [vfat]
ide-cd                 33860   0  (autoclean)
cdrom                  32736   0  (autoclean) [ide-cd]
ipt_MARK                1336  13  (autoclean)
ipt_conntrack           1528   6  (autoclean)
ipt_TOS                 1592  12  (autoclean)
ipt_MASQUERADE          2200  20  (autoclean)
ipt_LOG                 4312  11  (autoclean)
ipt_REJECT              3768   4  (autoclean)
ipt_state               1048  71  (autoclean)
iptable_mangle          2712   1  (autoclean)
ip_nat_irc              3472   0  (unused)
ip_nat_ftp              4240   0  (unused)
iptable_nat            21894   3  [ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
ip_conntrack_irc        4400   1  [ip_nat_irc]
ip_conntrack_ftp        5424   1  [ip_nat_ftp]
ip_conntrack           28864   5  [ipt_conntrack ipt_MASQUERADE ipt_state
ip_nat_irc ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
iptable_filter          2348   1  (autoclean)
ip_tables              15424  12  [ipt_MARK ipt_conntrack ipt_TOS
ipt_MASQUERADE ipt_LOG ipt_REJECT ipt_state iptable_mangle iptable_nat
iptable_filter]
af_packet              16328   1  (autoclean)
sundance               16224   3  (autoclean)
eepro100               22228   2  (autoclean)
mii                     3980   0  (autoclean) [sundance eepro100]
usb-uhci               26128   0  (unused)
usbcore                77324   1  [usb-uhci]
rtc                     8776   0  (autoclean)
reiserfs              183540   5





* RE: ip_conntrack module, advanced routing and multiple ISP
  2003-09-15 10:28 ip_conntrack module, advanced routing and multiple ISP Matthieu Turpault
@ 2003-09-16 11:02 ` Matthieu Turpault
  2003-09-16 11:25   ` Mickael DILY
                     ` (2 more replies)
  2003-09-16 12:23 ` Cedric Blancher
  1 sibling, 3 replies; 8+ messages in thread
From: Matthieu Turpault @ 2003-09-16 11:02 UTC (permalink / raw)
  To: netfilter

Who can share his opinion on this matter?

Receiving *no answer at all* usually means one of 2 things:
1) extremely ignorant question, not even worth a lousy RTFM reply :-(
2) brilliant question, nobody ever came up with such a marvelous idea :-)

I don't think it's 2), so if the answer is 1), then please enlighten me!

Thanks in advance

M. T.

> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On behalf of Matthieu
> Turpault
> Sent: Monday, 15 September 2003 12:28
> To: netfilter@lists.netfilter.org
> Subject: ip_conntrack module, advanced routing and multiple ISP
>
>
> Hi list,
>
> 	I have a firewall with 4 NICs:
> 		- 3 interfaces connected to the net (eth2, eth3, eth5) via
> 		    3 ISPs;
> 		- 1 interface connected to the internal network.
>
> 	eth2 is connected to a router (10.0.1.1) which does masquerading.
>
> 	Outgoing requests (from the internal network to the net) are load
> 	 balanced across the 3 ISPs (cf. my configuration at the end of the mail).
>
> 	All incoming requests from the net to the internal network on ports
> 	 http, pop3, imap, ftp, smtp, https are correctly routed.
>
> 	All outgoing requests from the internal network to the net on
> 	 ports http, pop3, imap are correctly routed.
>
> 	The problem is that I can't connect from the internal network to
> 	 an ftp server on the net. In fact, I can connect to an ftp server
> 	 on the net, but the "ls" command fails most of the time (1/3).
> 	 I use passive mode.
>
> 	Can you help me, please?
>
> 	Thanks in advance
>
>
> 	If I add the route with the command
> 	  ip route add <@ftpServer> via <@GATEWAY_ISP2>
> 	  it is OK.
>
> 	Here is my configuration (long but complete... I hope):
>
>
> =============================================================
> 		Routing table and rules
> =============================================================
>
> [root@firewall firewall]# ip ru l
> 0:      from all lookup local
> 32763:  from all fwmark        3 lookup 212
> 32764:  from all fwmark        2 lookup 211
> 32765:  from all fwmark        1 lookup 210
> 32766:  from all lookup main
> 32767:  from all lookup 253
>
> --------------------------------------------------------------
> [root@firewall firewall]# ip route list
> <@NETMASK_ISP2>/30 dev eth5  proto kernel  scope link  src <@ISP2>
> 10.0.3.0/30 dev eth5  scope link
> 10.0.1.0/24 dev eth2  scope link
> 10.1.0.0/24 dev eth0  scope link
> <@NETMASK_ISP3>/24 dev eth3  scope link
> 127.0.0.0/8 dev lo  scope link
> default
>         nexthop via 10.0.1.1  dev eth2 weight 1 onlink
>         nexthop via <@GATEWAY_ISP2>  dev eth5 weight 1 onlink
>         nexthop via <@GATEWAY_ISP3>  dev eth3 weight 1 onlink
> --------------------------------------------------------------
> [root@firewall firewall]# ip ro l t 210
> <@NETMASK_ISP2>/30 dev eth5  proto kernel  scope link  src <@ISP2>
> 10.0.3.0/30 dev eth5  scope link
> 10.0.1.0/24 dev eth2  scope link
> 10.1.0.0/24 dev eth0  scope link
> <@NETMASK_ISP3>/24 dev eth3  scope link
> 127.0.0.0/8 dev lo  scope link
> default via 10.0.1.1 dev eth2
> ---------------------------------------------------------------
> [root@firewall firewall]# ip ro l t 211
> <@NETMASK_ISP2>/30 dev eth5  proto kernel  scope link  src <@ISP2>
> 10.0.3.0/30 dev eth5  scope link
> 10.0.1.0/24 dev eth2  scope link
> 10.1.0.0/24 dev eth0  scope link
> <@NETMASK_ISP3>/24 dev eth3  scope link
> 127.0.0.0/8 dev lo  scope link
> default via <@GATEWAY_ISP3> dev eth3
> -----------------------------------------------------------------
> [root@firewall firewall]# ip ro l t 212
> <@NETMASK_ISP2>/30 dev eth5  proto kernel  scope link  src <@ISP2>
> 10.0.3.0/30 dev eth5  scope link
> 10.0.1.0/24 dev eth2  scope link
> 10.1.0.0/24 dev eth0  scope link
> <@NETMASK_ISP3>/24 dev eth3  scope link
> 127.0.0.0/8 dev lo  scope link
> default via <@GATEWAY_ISP2> dev eth5
>
> ==================================================================
> 	IPTABLES tables
> ==================================================================
>
> [root@firewall firewall]# iptables -L -v -n -t nat
> Chain PREROUTING (policy ACCEPT 531K packets, 34M bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>  4496  293K net_dnat   all  --  eth2   *       0.0.0.0/0
> 0.0.0.0/0
> 39294 1956K net_dnat   all  --  eth3   *       0.0.0.0/0
> 0.0.0.0/0
> 18601 1158K net_dnat   all  --  eth5   *       0.0.0.0/0
> 0.0.0.0/0
>
> Chain POSTROUTING (policy ACCEPT 81932 packets, 4985K bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>  182K 9122K eth3_masq  all  --  *      eth3    0.0.0.0/0
> 0.0.0.0/0
>  166K 8193K eth5_masq  all  --  *      eth5    0.0.0.0/0
> 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 32386 packets, 2508K bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Chain eth3_masq (1 references)
>  pkts bytes target     prot opt in     out     source
> destination
>  159K 7823K MASQUERADE  all  --  *      *       10.1.0.0/24
> 0.0.0.0/0
>
>
> Chain eth5_masq (1 references)
>  pkts bytes target     prot opt in     out     source
> destination
>  159K 7825K MASQUERADE  all  --  *      *       10.1.0.0/24
> 0.0.0.0/0
>
>
> Chain net_dnat (3 references)
> (...)
> ----------------------------------------------------------------
>
> [root@firewall firewall]# iptables -L -v -n -t mangle
> Chain PREROUTING (policy ACCEPT 4008K packets, 1940M bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>  2223  168K MARK       tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0          tcp spt:21 MARK set 0x1
>  9364 3221K MARK       tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0          tcp spt:20 MARK set 0x1
>     0     0 MARK       udp  --  *      *       0.0.0.0/0
> 0.0.0.0/0          udp spt:21 MARK set 0x1
>     0     0 MARK       udp  --  *      *       0.0.0.0/0
> 0.0.0.0/0          udp spt:20 MARK set 0x1
> 14916 1413K MARK       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0          ctorigdst <@ISP2> MARK set 0x3
> 72454   17M MARK       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0          ctorigdst <@ISP3> MARK set 0x2
> 94175   43M MARK       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0          ctorigdst 10.0.1.10 MARK set 0x1
> 4008K 1940M pretos     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>  1282  108K MARK       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0          ctorigsrc <@ISP2> MARK set 0x3
>  1327  112K MARK       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0          ctorigsrc <@ISP3> MARK set 0x2
> 65220   41M MARK       all  --  *      *       0.0.0.0/0
> 0.0.0.0/0          ctorigsrc 10.1.0.10 MARK set 0x1
>
> Chain INPUT (policy ACCEPT 154K packets, 16M bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Chain FORWARD (policy ACCEPT 3828K packets, 1923M bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Chain OUTPUT (policy ACCEPT 86903 packets, 5978K bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>  7587  402K MARK       all  --  *      *       <@ISP2>         0.0.0.0/0
> MARK set 0x3
> 24567 1440K MARK       all  --  *      *       <@ISP3>         0.0.0.0/0
> MARK set 0x2
>  5332  418K MARK       all  --  *      *       10.0.1.10
> 0.0.0.0/0          MARK set 0x1
> 86903 5978K outtos     all  --  *      *       0.0.0.0/0
> 0.0.0.0/0
>
> Chain POSTROUTING (policy ACCEPT 3890K packets, 1927M bytes)
>  pkts bytes target     prot opt in     out     source
> destination
>
> Chain outtos (1 references)
>  pkts bytes target     prot opt in     out     source
> destination
>   712 61690 TOS        tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0          tcp dpt:22 TOS set 0x10
>  2708  438K TOS        tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0          tcp spt:22 TOS set 0x10
>     8   320 TOS        tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0          tcp dpt:21 TOS set 0x10
>     0     0 TOS        tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0          tcp spt:21 TOS set 0x10
>     0     0 TOS        tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0          tcp spt:20 TOS set 0x08
>     0     0 TOS        tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0          tcp dpt:20 TOS set 0x08
>
> Chain pretos (1 references)
>  pkts bytes target     prot opt in     out     source
> destination
> 22272 1209K TOS        tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0          tcp dpt:22 TOS set 0x10
> 19801 8705K TOS        tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0          tcp spt:22 TOS set 0x10
>  2140  112K TOS        tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0          tcp dpt:21 TOS set 0x10
>  2223  168K TOS        tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0          tcp spt:21 TOS set 0x10
>  9364 3221K TOS        tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0          tcp spt:20 TOS set 0x08
>  8865 7140K TOS        tcp  --  *      *       0.0.0.0/0
> 0.0.0.0/0          tcp dpt:20 TOS set 0x08
>
> ===============================================================
> 		LOADED MODULES
> ===============================================================
>
> [root@firewall firewall]# lsmod
> Module                  Size  Used by    Not tainted
> nls_iso8859-15          4060   0  (autoclean)
> isofs                  28856   0  (autoclean)
> zlib_inflate           21764   0  (autoclean) [isofs]
> vfat                   12204   0  (autoclean)
> fat                    38072   0  (autoclean) [vfat]
> ide-cd                 33860   0  (autoclean)
> cdrom                  32736   0  (autoclean) [ide-cd]
> ipt_MARK                1336  13  (autoclean)
> ipt_conntrack           1528   6  (autoclean)
> ipt_TOS                 1592  12  (autoclean)
> ipt_MASQUERADE          2200  20  (autoclean)
> ipt_LOG                 4312  11  (autoclean)
> ipt_REJECT              3768   4  (autoclean)
> ipt_state               1048  71  (autoclean)
> iptable_mangle          2712   1  (autoclean)
> ip_nat_irc              3472   0  (unused)
> ip_nat_ftp              4240   0  (unused)
> iptable_nat            21894   3  [ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
> ip_conntrack_irc        4400   1  [ip_nat_irc]
> ip_conntrack_ftp        5424   1  [ip_nat_ftp]
> ip_conntrack           28864   5  [ipt_conntrack ipt_MASQUERADE ipt_state
> ip_nat_irc ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
> iptable_filter          2348   1  (autoclean)
> ip_tables              15424  12  [ipt_MARK ipt_conntrack ipt_TOS
> ipt_MASQUERADE ipt_LOG ipt_REJECT ipt_state iptable_mangle iptable_nat
> iptable_filter]
> af_packet              16328   1  (autoclean)
> sundance               16224   3  (autoclean)
> eepro100               22228   2  (autoclean)
> mii                     3980   0  (autoclean) [sundance eepro100]
> usb-uhci               26128   0  (unused)
> usbcore                77324   1  [usb-uhci]
> rtc                     8776   0  (autoclean)
> reiserfs              183540   5
>
>
>
>




* Re: ip_conntrack module, advanced routing and multiple ISP
  2003-09-16 11:02 ` Matthieu Turpault
@ 2003-09-16 11:25   ` Mickael DILY
  2003-09-16 11:30   ` Roberto Nibali
  2003-09-16 11:57   ` Ray Leach
  2 siblings, 0 replies; 8+ messages in thread
From: Mickael DILY @ 2003-09-16 11:25 UTC (permalink / raw)
  To: Matthieu Turpault, netfilter


3 ISPs... Wow, personally, I can't answer you, Mathieu (hi French people ;-) I have
never seen such an installation. Maybe someone on this list can, but it's going to be
hard ;-). Just to be curious, how high is your bandwidth, and what are the
specs of your computer(s)?





* Re: ip_conntrack module, advanced routing and multiple ISP
  2003-09-16 11:02 ` Matthieu Turpault
  2003-09-16 11:25   ` Mickael DILY
@ 2003-09-16 11:30   ` Roberto Nibali
  2003-09-16 11:57   ` Ray Leach
  2 siblings, 0 replies; 8+ messages in thread
From: Roberto Nibali @ 2003-09-16 11:30 UTC (permalink / raw)
  To: Matthieu Turpault, netfilter

Matthieu Turpault wrote:
> Who can share his opinion on this matter?
> 
> Receiving *no answer at all* usually means one of 2 things:

I doubt it in this case.

> 1) extremely ignorant question, not even worth a lousy RTFM reply :-(
> 2) brilliant question, nobody ever came up with such a marvelous idea :-)

<OT>
3) most people don't get paid to do support on MLs, so they choose which
    reports they want to reply to; yours seems complicated at first sight,
    so most people don't bother reading it through.
4) maybe the question is not asked in an intelligent way
5 ...) <add reasons yourself>
</OT>

>>	I have a firewall with 4 NIC:
>>		- 3 interfaces connected to the net (eth2, eth3, eth5) by
>>		    3 ISP;
>>		- 1 interface connected to the internal network.
>>
>>	eth2 is connected to a router (10.0.1.1) which does masquerading.
>>
>>	Outcoming request (from the internal network to the net) are load
>>	 balanced to the 3 ISP (cf my configuration at the end of the mail).
>>
>>	All incoming request from the net to internal network by port
>>	 http, pop3, imap, ftp, smtp, https are correctly routed.

Ok.

>>	All outcoming request from the internal network to the net by
>>	 port http, pop3, imap are correctly routed.

Ok

>>	The problem is that I can't connect from the internal network to
>>	 a ftp server of the net. In fact, I can connect to a ftp server
>>	 of the net but the "ls" command failed the most of the time (1/3).
>>	 I use passive mode.

I suspect it's a persistency problem due to the nature of how ftp works.

>>     If I add the route by the command
>>	  ip route add <@ftpServer> via <@GATEWAY_ISP2>
>>	  it is OK

Yes, this could be a persistency problem. You're doing your load 
balancing on L3 with the iproute framework. Unfortunately the current 
routing implementation to date has (AFAIK) no means to provide 
persistency for connections.

>>[root@firewall firewall]# ip route list
>><@NETMASK_ISP2>/30 dev eth5  proto kernel  scope link  src <@ISP2>
>>10.0.3.0/30 dev eth5  scope link
>>10.0.1.0/24 dev eth2  scope link
>>10.1.0.0/24 dev eth0  scope link
>><@NETMASK_ISP3>/24 dev eth3  scope link
>>127.0.0.0/8 dev lo  scope link
>>default
>>        nexthop via 10.0.1.1  dev eth2 weight 1 onlink
>>        nexthop via <@GATEWAY_ISP2>  dev eth5 weight 1 onlink
>>        nexthop via <@GATEWAY_ISP3>  dev eth3 weight 1 onlink

Those lines could be the culprit. When you connect to an ftp server you 
might go over one line, then for the DATA connection you will go over 
the other and thus you'll confuse netfilter. But I haven't looked at 
your whole configuration as I do not have enough time.

A tcpdump session will most probably reveal the real problem to you. If 
not, add -j LOG statements to your packet filter configuration and 
figure out where the packets sink through your mesh of rules.

HTH and best regards,
Roberto Nibali, ratz




* RE: ip_conntrack module, advanced routing and multiple ISP
  2003-09-16 11:02 ` Matthieu Turpault
  2003-09-16 11:25   ` Mickael DILY
  2003-09-16 11:30   ` Roberto Nibali
@ 2003-09-16 11:57   ` Ray Leach
  2 siblings, 0 replies; 8+ messages in thread
From: Ray Leach @ 2003-09-16 11:57 UTC (permalink / raw)
  To: Netfilter Mailing List


On Tue, 2003-09-16 at 13:02, Matthieu Turpault wrote:
> Who can share his opinion on this matter?
> 
> Receiving *no answer at all* usually means one of 2 things:
> 1) extremely ignorant question, not even worth a lousy RTFM reply :-(
> 2) brilliant question, nobody ever came up with such a marvelous idea :-)
> 
or
3) It's not something that has one answer ...

> I don't think it's 2), so if the answer is 1), then please enlighten me!
> 
> Thanks in advance
> 
> M. T.
> 
> > -----Message d'origine-----
> > De : netfilter-admin@lists.netfilter.org
> > [mailto:netfilter-admin@lists.netfilter.org]De la part de Matthieu
> > Turpault
> > Envoyé : lundi 15 septembre 2003 12:28
> > À : netfilter@lists.netfilter.org
> > Objet : ip_conntrack module, advanced routing and multiple ISP
> >
> >
> > Hi list,
> >
> > 	I have a firewall with 4 NIC:
> > 		- 3 interfaces connected to the net (eth2, eth3, eth5) by
> > 		    3 ISP;
> > 		- 1 interface connected to the internal network.
> >
What happened to eth1 and eth0 ?

> > 	eth2 is connected to a router (10.0.1.1) which does masquerading.
> >
> > 	Outcoming request (from the internal network to the net) are load
> > 	 balanced to the 3 ISP (cf my configuration at the end of the mail).
> >
> > 	All incoming request from the net to internal network by port
> > 	 http, pop3, imap, ftp, smtp, https are correctly routed.
> >
> > 	All outcoming request from the internal network to the net by
> > 	 port http, pop3, imap are correctly routed.
> >
> > 	The problem is that I can't connect from the internal network to
> > 	 a ftp server of the net. In fact, I can connect to a ftp server
> > 	 of the net but the "ls" command failed the most of the time (1/3).
> > 	 I use passive mode.
> >
> > 	Can you help me please ?
> >
> > 	Thanks in advance
> >
> >
> >      If I add the route by the command
> > 	  ip route add <@ftpServer> via <@GATEWAY_ISP2>
> > 	  it is OK
> >
Your rules below suggest that without this route, the traffic would be
going out of eth3. If the return traffic is routed in via eth2 or eth5,
it will most likely be ignored because that would be a routing loop
(possibly detected by one of your ISPs).

Maybe that helps?


> > 	Here is my configuration (long but complete... I hope):
> >
> >
> > =============================================================
> > 		Routing table and rules
> > =============================================================
> >
> > [root@firewall firewall]# ip ru l
> > 0:      from all lookup local
> > 32763:  from all fwmark        3 lookup 212
> > 32764:  from all fwmark        2 lookup 211
> > 32765:  from all fwmark        1 lookup 210
> > 32766:  from all lookup main
> > 32767:  from all lookup 253
> >
> > --------------------------------------------------------------
> > [root@firewall firewall]# ip route list
> > <@NETMASK_ISP2>/30 dev eth5  proto kernel  scope link  src <@ISP2>
> > 10.0.3.0/30 dev eth5  scope link
> > 10.0.1.0/24 dev eth2  scope link
> > 10.1.0.0/24 dev eth0  scope link
> > <@NETMASK_ISP3>/24 dev eth3  scope link
> > 127.0.0.0/8 dev lo  scope link
> > default
> >         nexthop via 10.0.1.1  dev eth2 weight 1 onlink
> >         nexthop via <@GATEWAY_ISP2>  dev eth5 weight 1 onlink
> >         nexthop via <@GATEWAY_ISP3>  dev eth3 weight 1 onlink
> > --------------------------------------------------------------
> > [root@firewall firewall]# ip ro l t 210
> > <@NETMASK_ISP2>/30 dev eth5  proto kernel  scope link  src <@ISP2>
> > 10.0.3.0/30 dev eth5  scope link
> > 10.0.1.0/24 dev eth2  scope link
> > 10.1.0.0/24 dev eth0  scope link
> > <@NETMASK_ISP3>/24 dev eth3  scope link
> > 127.0.0.0/8 dev lo  scope link
> > default via 10.0.1.1 dev eth2
> > ---------------------------------------------------------------
> > [root@firewall firewall]# ip ro l t 211
> > <@NETMASK_ISP2>/30 dev eth5  proto kernel  scope link  src <@ISP2>
> > 10.0.3.0/30 dev eth5  scope link
> > 10.0.1.0/24 dev eth2  scope link
> > 10.1.0.0/24 dev eth0  scope link
> > <@NETMASK_ISP3>/24 dev eth3  scope link
> > 127.0.0.0/8 dev lo  scope link
> > default via <@GATEWAY_ISP3> dev eth3
> > -----------------------------------------------------------------
> > [root@firewall firewall]# ip ro l t 212
> > <@NETMASK_ISP2>/30 dev eth5  proto kernel  scope link  src <@ISP2>
> > 10.0.3.0/30 dev eth5  scope link
> > 10.0.1.0/24 dev eth2  scope link
> > 10.1.0.0/24 dev eth0  scope link
> > <@NETMASK_ISP3>/24 dev eth3  scope link
> > 127.0.0.0/8 dev lo  scope link
> > default via <@GATEWAY_ISP2> dev eth5
> >
> > ==================================================================
> > 	IPTABLES tables
> > ==================================================================
> >
> > [root@firewall firewall]# iptables -L -v -n -t nat
> > Chain PREROUTING (policy ACCEPT 531K packets, 34M bytes)
> >  pkts bytes target     prot opt in     out     source
> > destination
> >  4496  293K net_dnat   all  --  eth2   *       0.0.0.0/0
> > 0.0.0.0/0
> > 39294 1956K net_dnat   all  --  eth3   *       0.0.0.0/0
> > 0.0.0.0/0
> > 18601 1158K net_dnat   all  --  eth5   *       0.0.0.0/0
> > 0.0.0.0/0
> >
> > Chain POSTROUTING (policy ACCEPT 81932 packets, 4985K bytes)
> >  pkts bytes target     prot opt in     out     source
> > destination
> >  182K 9122K eth3_masq  all  --  *      eth3    0.0.0.0/0
> > 0.0.0.0/0
> >  166K 8193K eth5_masq  all  --  *      eth5    0.0.0.0/0
> > 0.0.0.0/0
> >
> > Chain OUTPUT (policy ACCEPT 32386 packets, 2508K bytes)
> >  pkts bytes target     prot opt in     out     source
> > destination
> >
> > Chain eth3_masq (1 references)
> >  pkts bytes target     prot opt in     out     source
> > destination
> >  159K 7823K MASQUERADE  all  --  *      *       10.1.0.0/24
> > 0.0.0.0/0
> >
> >
> > Chain eth5_masq (1 references)
> >  pkts bytes target     prot opt in     out     source
> > destination
> >  159K 7825K MASQUERADE  all  --  *      *       10.1.0.0/24
> > 0.0.0.0/0
> >
> >
> > Chain net_dnat (3 references)
> > (...)
> > ----------------------------------------------------------------
> >
> > [root@firewall firewall]# iptables -L -v -n -t mangle
> > Chain PREROUTING (policy ACCEPT 4008K packets, 1940M bytes)
> >  pkts bytes target     prot opt in     out     source
> > destination
> >  2223  168K MARK       tcp  --  *      *       0.0.0.0/0
> > 0.0.0.0/0          tcp spt:21 MARK set 0x1
> >  9364 3221K MARK       tcp  --  *      *       0.0.0.0/0
> > 0.0.0.0/0          tcp spt:20 MARK set 0x1
> >     0     0 MARK       udp  --  *      *       0.0.0.0/0
> > 0.0.0.0/0          udp spt:21 MARK set 0x1
> >     0     0 MARK       udp  --  *      *       0.0.0.0/0
> > 0.0.0.0/0          udp spt:20 MARK set 0x1
> > 14916 1413K MARK       all  --  *      *       0.0.0.0/0
> > 0.0.0.0/0          ctorigdst <@ISP2> MARK set 0x3
> > 72454   17M MARK       all  --  *      *       0.0.0.0/0
> > 0.0.0.0/0          ctorigdst <@ISP3> MARK set 0x2
> > 94175   43M MARK       all  --  *      *       0.0.0.0/0
> > 0.0.0.0/0          ctorigdst 10.0.1.10 MARK set 0x1
> > 4008K 1940M pretos     all  --  *      *       0.0.0.0/0
> > 0.0.0.0/0
> >  1282  108K MARK       all  --  *      *       0.0.0.0/0
> > 0.0.0.0/0          ctorigsrc <@ISP2> MARK set 0x3
> >  1327  112K MARK       all  --  *      *       0.0.0.0/0
> > 0.0.0.0/0          ctorigsrc <@ISP3> MARK set 0x2
> > 65220   41M MARK       all  --  *      *       0.0.0.0/0
> > 0.0.0.0/0          ctorigsrc 10.1.0.10 MARK set 0x1
> >
> > Chain INPUT (policy ACCEPT 154K packets, 16M bytes)
> >  pkts bytes target     prot opt in     out     source
> > destination
> >
> > Chain FORWARD (policy ACCEPT 3828K packets, 1923M bytes)
> >  pkts bytes target     prot opt in     out     source
> > destination
> >
> > Chain OUTPUT (policy ACCEPT 86903 packets, 5978K bytes)
> >  pkts bytes target     prot opt in     out     source
> > destination
> >  7587  402K MARK       all  --  *      *       <@ISP2>         0.0.0.0/0
> > MARK set 0x3
> > 24567 1440K MARK       all  --  *      *       <@ISP3>         0.0.0.0/0
> > MARK set 0x2
> >  5332  418K MARK       all  --  *      *       10.0.1.10
> > 0.0.0.0/0          MARK set 0x1
> > 86903 5978K outtos     all  --  *      *       0.0.0.0/0
> > 0.0.0.0/0
> >
> > Chain POSTROUTING (policy ACCEPT 3890K packets, 1927M bytes)
> >  pkts bytes target     prot opt in     out     source
> > destination
> >
> > Chain outtos (1 references)
> >  pkts bytes target     prot opt in     out     source
> > destination
> >   712 61690 TOS        tcp  --  *      *       0.0.0.0/0
> > 0.0.0.0/0          tcp dpt:22 TOS set 0x10
> >  2708  438K TOS        tcp  --  *      *       0.0.0.0/0
> > 0.0.0.0/0          tcp spt:22 TOS set 0x10
> >     8   320 TOS        tcp  --  *      *       0.0.0.0/0
> > 0.0.0.0/0          tcp dpt:21 TOS set 0x10
> >     0     0 TOS        tcp  --  *      *       0.0.0.0/0
> > 0.0.0.0/0          tcp spt:21 TOS set 0x10
> >     0     0 TOS        tcp  --  *      *       0.0.0.0/0
> > 0.0.0.0/0          tcp spt:20 TOS set 0x08
> >     0     0 TOS        tcp  --  *      *       0.0.0.0/0
> > 0.0.0.0/0          tcp dpt:20 TOS set 0x08
> >
> > Chain pretos (1 references)
> >  pkts bytes target     prot opt in     out     source
> > destination
> > 22272 1209K TOS        tcp  --  *      *       0.0.0.0/0
> > 0.0.0.0/0          tcp dpt:22 TOS set 0x10
> > 19801 8705K TOS        tcp  --  *      *       0.0.0.0/0
> > 0.0.0.0/0          tcp spt:22 TOS set 0x10
> >  2140  112K TOS        tcp  --  *      *       0.0.0.0/0
> > 0.0.0.0/0          tcp dpt:21 TOS set 0x10
> >  2223  168K TOS        tcp  --  *      *       0.0.0.0/0
> > 0.0.0.0/0          tcp spt:21 TOS set 0x10
> >  9364 3221K TOS        tcp  --  *      *       0.0.0.0/0
> > 0.0.0.0/0          tcp spt:20 TOS set 0x08
> >  8865 7140K TOS        tcp  --  *      *       0.0.0.0/0
> > 0.0.0.0/0          tcp dpt:20 TOS set 0x08
> >
> > ===============================================================
> > 		LOADED MODULES
> > ===============================================================
> >
> > [root@firewall firewall]# lsmod
> > Module                  Size  Used by    Not tainted
> > nls_iso8859-15          4060   0  (autoclean)
> > isofs                  28856   0  (autoclean)
> > zlib_inflate           21764   0  (autoclean) [isofs]
> > vfat                   12204   0  (autoclean)
> > fat                    38072   0  (autoclean) [vfat]
> > ide-cd                 33860   0  (autoclean)
> > cdrom                  32736   0  (autoclean) [ide-cd]
> > ipt_MARK                1336  13  (autoclean)
> > ipt_conntrack           1528   6  (autoclean)
> > ipt_TOS                 1592  12  (autoclean)
> > ipt_MASQUERADE          2200  20  (autoclean)
> > ipt_LOG                 4312  11  (autoclean)
> > ipt_REJECT              3768   4  (autoclean)
> > ipt_state               1048  71  (autoclean)
> > iptable_mangle          2712   1  (autoclean)
> > ip_nat_irc              3472   0  (unused)
> > ip_nat_ftp              4240   0  (unused)
> > iptable_nat            21894   3  [ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
> > ip_conntrack_irc        4400   1  [ip_nat_irc]
> > ip_conntrack_ftp        5424   1  [ip_nat_ftp]
> > ip_conntrack           28864   5  [ipt_conntrack ipt_MASQUERADE ipt_state
> > ip_nat_irc ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
> > iptable_filter          2348   1  (autoclean)
> > ip_tables              15424  12  [ipt_MARK ipt_conntrack ipt_TOS
> > ipt_MASQUERADE ipt_LOG ipt_REJECT ipt_state iptable_mangle iptable_nat
> > iptable_filter]
> > af_packet              16328   1  (autoclean)
> > sundance               16224   3  (autoclean)
> > eepro100               22228   2  (autoclean)
> > mii                     3980   0  (autoclean) [sundance eepro100]
> > usb-uhci               26128   0  (unused)
> > usbcore                77324   1  [usb-uhci]
> > rtc                     8776   0  (autoclean)
> > reiserfs              183540   5
> >
> >
> >
> >
-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--



* Re: ip_conntrack module, advanced routing and multiple ISP
  2003-09-15 10:28 ip_conntrack module, advanced routing and multiple ISP Matthieu Turpault
  2003-09-16 11:02 ` Matthieu Turpault
@ 2003-09-16 12:23 ` Cedric Blancher
  2003-09-17  9:13   ` Matthieu Turpault
  1 sibling, 1 reply; 8+ messages in thread
From: Cedric Blancher @ 2003-09-16 12:23 UTC (permalink / raw)
  To: Matthieu Turpault; +Cc: netfilter

I do not have much time, but I'll give you my first thought about your
problem.

Le lun 15/09/2003 à 12:28, Matthieu Turpault a écrit :
> 	The problem is that I can't connect from the internal network to
> 	 a ftp server of the net. In fact, I can connect to a ftp server
> 	 of the net but the "ls" command failed the most of the time (1/3).
> 	 I use passive mode.

I think the command connection and the data connection are not routed through
the same ISP and thus are received by the FTP server from 2 different IPs,
which means the data connection SYN is dropped.

This supposes you are load balancing using some round-robin-like stuff,
such as the nth match (I really do not have time to examine your script
now), and that 1/3 of the time the data connection is set up with the
correct IP as source.

>      If I add the route by the command
> 	  ip route add <@ftpServer> via <@GATEWAY_ISP2>
> 	  it is OK

This tends to confirm the above. You should investigate this routing
stuff.


Btw, you should use CONNMARK target instead of MARK target to have your
packets marked.

cbr@elendil:~$ iptables -j CONNMARK --help
iptables v1.2.8
[...]
CONNMARK target v1.2.8 options:
  --set-mark value              Set conntrack mark value
  --save-mark                   Save the packet nfmark on the connection
  --restore-mark                Restore saved nfmark value

The connmark is a mark you set for the whole connection. This means that
once you've set a mark on a packet, every following packet identified by
the conntrack engine as belonging to the same connection (ESTABLISHED or
RELATED) is marked with the same value. You also have the corresponding
match, connmark. With --save-mark and --restore-mark you can switch
between nfmark (MARK/mark target and match) and connmark. See:

http://www.netfilter.org/documentation/pomlist/pom-extra.html#CONNMARK

This means you're sure that the data connection is marked the same way as
the corresponding command connection, and thus is routed the same way.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE


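One way to build the CONNMARK-based marking Cedric describes, as an added example rather than code from the thread or from netfilter. It assumes the LAN 10.1.0.0/24 on eth0 and the existing `ip rule` entries (fwmark 2 to table 211 for ISP3, fwmark 3 to table 212 for ISP2) from Matthieu's output, a kernel and iptables with CONNMARK built in and ip_conntrack_ftp loaded; the split of the LAN into two halves is a constructed stand-in for the port-based MARK rules in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: a mangle rule set that keeps every
# packet of an FTP session, including the RELATED passive-mode data connection,
# on the ISP that was chosen for the control connection.
#
# Assumptions (constructed): LAN 10.1.0.0/24 on eth0; mark 2 selects table 211
# (default via ISP3) and mark 3 selects table 212 (default via ISP2) through the
# `ip rule fwmark` entries already present; CONNMARK is available in the kernel
# and ip_conntrack_ftp is loaded so the data connection is tracked as RELATED.

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the commands; set to 0 to apply them

run() {
    printf '%s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# Rules for LAN-originated traffic, evaluated in mangle PREROUTING, i.e. before
# the routing decision that consults the fwmark.
connmark_rules() {
    # 1. Copy the mark stored on the conntrack entry back onto the packet.
    run $IPT -t mangle -A PREROUTING -i eth0 -j CONNMARK --restore-mark
    # 2. A packet that now carries a mark belongs to a connection whose ISP is
    #    already decided. This covers the data connection too: conntrack gives
    #    an expected (RELATED) entry the mark of its master connection.
    run $IPT -t mangle -A PREROUTING -i eth0 -m mark ! --mark 0 -j ACCEPT
    # 3. First packet of a new connection: choose an ISP. A static split by
    #    client address stands in for the port-based MARK rules of the thread.
    run $IPT -t mangle -A PREROUTING -i eth0 -m state --state NEW \
        -s 10.1.0.0/25 -j MARK --set-mark 2
    run $IPT -t mangle -A PREROUTING -i eth0 -m state --state NEW \
        -s 10.1.0.128/25 -j MARK --set-mark 3
    # 4. Store the chosen mark on the connection so that steps 1 and 2 serve
    #    every later packet of it and of the data connections it spawns.
    run $IPT -t mangle -A PREROUTING -i eth0 -m state --state NEW \
        -j CONNMARK --save-mark
}

connmark_rules
```

With DRY_RUN left at 1 the script only prints the five rules, which is enough to review the ordering: restore first, accept already-marked packets, classify only NEW connections, then save.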

* RE: ip_conntrack module, advanced routing and multiple ISP
  2003-09-16 12:23 ` Cedric Blancher
@ 2003-09-17  9:13   ` Matthieu Turpault
  0 siblings, 0 replies; 8+ messages in thread
From: Matthieu Turpault @ 2003-09-17  9:13 UTC (permalink / raw)
  To: Cedric Blancher; +Cc: netfilter

OK, thanks for all these answers.

I am sorry if my previous mail was too aggressive: my English is not
rich enough to transmit exactly what I feel. I have spent a lot of
time on this "FTP problem" and still have no answer. Grrr.... ;)

It *is* a routing problem. I think that the CONNMARK module could resolve it
but I have to patch my kernel to test it. When I have time, I'll try to do
that.

Best regards

Matthieu Turpault

