IPTABLES + IPROUTE2

IPTABLES + IPROUTE2

[L.Malinov]

Hi Antony,

According to the iproute2 manual, I can't do routing based on a destination
port but based on the fwmark. So that's why I think I can achieve that alone
with iproute2 only and I need iptables to put the mark as well. But in this
case I'm not sure that this can be achieved on a box with one network card
only or for traffic generated lacaly from the box. Any suggestions?

Regards

L.Malinov


On Saturday 24 January 2004 12:57 pm, L.Malinov wrote:

> Hi Antony,
>
> In my situation is not possible to set router1 as a default route because
> the machine acts as a mail server as well and the mail needs to go through
> router1.

Okay then - in that case I suggest you use iproute2 to route all TCP port 80
packets via router2, all TCP port 25 packets via router1, and decide what
you
want to do with everything else such as DNS.   I don't see that there should
be any need to MARK packets - just route based on the destination port
number.

see http://lartc.org for more details of iproute2 and what it can do.

Regards,

Antony.

--
Wanted: telepath.   You know where to apply.

                                                     Please reply to the
list;
                                                           please don't CC
me.

Re: IPTABLES + IPROUTE2

[Ray Leach]

[-- Attachment #1: Type: text/plain, Size: 832 bytes --]

On Fri, 2004-01-30 at 11:39, L.Malinov wrote:
> Hi Antony,
> 
> According to the iproute2 manual, I can't do routing based on a destination
> port but based on the fwmark. So that's why I think I can achieve that alone
> with iproute2 only and I need iptables to put the mark as well. But in this
> case I'm not sure that this can be achieved on a box with one network card
> only or for traffic generated lacaly from the box. Any suggestions?
<<snip>>
What about the ROUTE patch in POM? You can basically route based on any
criteria possible with iptables.

-- 
--
Raymond Leach <raymondl@knowledgefactory.co.za>
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD  00EE 8757 EE47 F06F FB28
--

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

IPTABLES + IPROUTE2

[L.Malinov]

Hi Antony,

In my situation is not possible to set router1 as a default route because
the machine acts as a mail server as well and the mail needs to go through
router1.

Re: IPTABLES + IPROUTE2

[Antony Stone]

On Saturday 24 January 2004 12:57 pm, L.Malinov wrote:

> Hi Antony,
>
> In my situation is not possible to set router1 as a default route because
> the machine acts as a mail server as well and the mail needs to go through
> router1.

Okay then - in that case I suggest you use iproute2 to route all TCP port 80 
packets via router2, all TCP port 25 packets via router1, and decide what you 
want to do with everything else such as DNS.   I don't see that there should 
be any need to MARK packets - just route based on the destination port 
number.

see http://lartc.org for more details of iproute2 and what it can do.

Regards,

Antony.

-- 
Wanted: telepath.   You know where to apply.

                                                     Please reply to the list;
                                                           please don't CC me.

IPTABLES + IPROUTE2

[L.Malinov]

Hi there,

I have the following configuration: Local Net with Linux RedHat 9.0 Squid
proxy server (with one net card) and 2 gateways - router1 and router2. The
default gateway for everyone including the proxy is router1. I'd like, the
http request from the local net sent to the proxy to be forwarded to the
Internet via router2. I'm trying the following configuration:

iptables -A OUTPUT -o eth0 -t mangle -p tcp --dport 80 -j MARK --set-mark 2
echo 202 www.out >> /etc/iproute2/rt_tables
ip rule add fwmark 2 table www.out
ip route add default via router2 dev eth0 table www.out

It looks like the packets go through the right chain under iptables and get
marked, however after that they still don't get forwarded via router2 but
router1. What could be wrong in this config and is this possible to achieve
at all with the above configuration?

Regards

L.Malinov

Re: IPTABLES + IPROUTE2

[Antony Stone]

On Friday 23 January 2004 11:44 am, L.Malinov wrote:

> Hi there,
>
> I have the following configuration: Local Net with Linux RedHat 9.0 Squid
> proxy server (with one net card) and 2 gateways - router1 and router2. The
> default gateway for everyone including the proxy is router1. I'd like, the
> http request from the local net sent to the proxy to be forwarded to the
> Internet via router2.

I'd suggest the simplest way to achieve this is to set the default route on 
the proxy server to be router2.

Antony.

-- 
Having been asked for a reference for this man,
I can confirm that you will be very lucky indeed if you can get him to work 
for you.

                                                     Please reply to the list;
                                                           please don't CC me.

Re: IPTABLES + IPROUTE2

[Ramin Dousti]

On Fri, Jan 23, 2004 at 01:44:38PM +0200, L.Malinov wrote:

> Hi there,
> 
> I have the following configuration: Local Net with Linux RedHat 9.0 Squid
> proxy server (with one net card) and 2 gateways - router1 and router2. The
> default gateway for everyone including the proxy is router1. I'd like, the
> http request from the local net sent to the proxy to be forwarded to the
> Internet via router2. I'm trying the following configuration:
> 
> iptables -A OUTPUT -o eth0 -t mangle -p tcp --dport 80 -j MARK --set-mark 2

A suggestion: remove "-o eth0" from the above.

> echo 202 www.out >> /etc/iproute2/rt_tables
> ip rule add fwmark 2 table www.out
> ip route add default via router2 dev eth0 table www.out
> 
> It looks like the packets go through the right chain under iptables and get
> marked, however after that they still don't get forwarded via router2 but
> router1. What could be wrong in this config and is this possible to achieve
> at all with the above configuration?
> 
> Regards
> 
> L.Malinov
> 

RE: IPTABLES + IPROUTE2

[L.Malinov]

Hi there,

I did try to remove "-o eth0" already but the result is still the same. Any
other possible suggestions?

-----Original Message-----
From: Ramin Dousti [mailto:ramin@cannon.eng.us.uu.net]
Sent: 24 January 2004 03:05
To: L.Malinov
Cc: netfilter@lists.netfilter.org
Subject: Re: IPTABLES + IPROUTE2


On Fri, Jan 23, 2004 at 01:44:38PM +0200, L.Malinov wrote:

> Hi there,
>
> I have the following configuration: Local Net with Linux RedHat 9.0 Squid
> proxy server (with one net card) and 2 gateways - router1 and router2. The
> default gateway for everyone including the proxy is router1. I'd like, the
> http request from the local net sent to the proxy to be forwarded to the
> Internet via router2. I'm trying the following configuration:
>
> iptables -A OUTPUT -o eth0 -t mangle -p tcp --dport 80 -j MARK --set-mark
2

A suggestion: remove "-o eth0" from the above.

> echo 202 www.out >> /etc/iproute2/rt_tables
> ip rule add fwmark 2 table www.out
> ip route add default via router2 dev eth0 table www.out
>
> It looks like the packets go through the right chain under iptables and
get
> marked, however after that they still don't get forwarded via router2 but
> router1. What could be wrong in this config and is this possible to
achieve
> at all with the above configuration?
>
> Regards
>
> L.Malinov
>

Re: IPTABLES + IPROUTE2

[Klemen Kecman]

$IPT -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 53 -j
DNAT --to-destination xxx.xxx.xxx.xxx:53
It will forward the packet as it is to the destination ip and port. If u
have to change the packet what so ever then mangle it.

Klemen Kecman

----- Original Message -----
From: "L.Malinov" <lucho@galix.com>
To: <netfilter@lists.netfilter.org>
Sent: Friday, January 23, 2004 12:44 PM
Subject: IPTABLES + IPROUTE2


> Hi there,
>
> I have the following configuration: Local Net with Linux RedHat 9.0 Squid
> proxy server (with one net card) and 2 gateways - router1 and router2. The
> default gateway for everyone including the proxy is router1. I'd like, the
> http request from the local net sent to the proxy to be forwarded to the
> Internet via router2. I'm trying the following configuration:
>
> iptables -A OUTPUT -o eth0 -t mangle -p tcp --dport 80 -j MARK --set-mark
2
> echo 202 www.out >> /etc/iproute2/rt_tables
> ip rule add fwmark 2 table www.out
> ip route add default via router2 dev eth0 table www.out
>
> It looks like the packets go through the right chain under iptables and
get
> marked, however after that they still don't get forwarded via router2 but
> router1. What could be wrong in this config and is this possible to
achieve
> at all with the above configuration?
>
> Regards
>
> L.Malinov
>
>