iptables and iproute

iptables and iproute

[Antonio Alvarez]

Hello every body!

I have a machine with 4 ethernet interfaces, 3 directly connected to
ADSL lines a the another one to a LAN.

I have 3 routing tables with iproute ( each one with his default gw for
each ADSL line )

I don't have problems with packet traversing my linux machine ( mangle
the packet in the PREROUTING chain ) to routing.

The problem is how can i control the packet localy generated( ip and
port )???  
i can't mangle this packet before routing :-/

for example a need to use ssh server in the linux machine using ADSL 1 
but when the machime aswer me use the ADSL 3 ( because this is the
default gw in the main routing table :-( ... 

In sumarize it's possible to use different routing tables with packet
generated localy??


Thanks in advance ...

Antonio Alvarez

Re: iptables and iproute

[Cedric Blancher]

Le lun 26/04/2004 à 09:20, Antonio Alvarez a écrit :
> The problem is how can i control the packet localy generated( ip and
> port )???  
> i can't mangle this packet before routing :-/

You can mangle them in OUTPUT chain...

> In sumarize it's possible to use different routing tables with packet
> generated localy??

Yes.
One solution, amoung others : mark them in OUTPUT and route against
nfmark.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

Re: iptables and iproute

[John A. Sullivan III]

On Mon, 2004-04-26 at 03:20, Antonio Alvarez wrote:
> Hello every body!
> 
> I have a machine with 4 ethernet interfaces, 3 directly connected to
> ADSL lines a the another one to a LAN.
> 
> I have 3 routing tables with iproute ( each one with his default gw for
> each ADSL line )
> 
> I don't have problems with packet traversing my linux machine ( mangle
> the packet in the PREROUTING chain ) to routing.
> 
> The problem is how can i control the packet localy generated( ip and
> port )???  
> i can't mangle this packet before routing :-/
> 
> for example a need to use ssh server in the linux machine using ADSL 1 
> but when the machime aswer me use the ADSL 3 ( because this is the
> default gw in the main routing table :-( ... 
> 
> In sumarize it's possible to use different routing tables with packet
> generated localy??
<snip>
I don't recall the syntax off the top of my head but isn't it possible
to create a iproute2 rule where iif = lo to route locally generated
packets.  I believe that's how we do it in the ISCS project. You can
check the ISCS training docs at http://iscs.sourceforge.net - John
-- 
Open Source Development Corporation
Financially Sustainable open source development
http://www.opensourcedevelopmentcorp.com

Re: iptables and iproute

[Antonio Alvarez]

El lun, 26-04-2004 a las 08:51, Cedric Blancher escribió:
> Le lun 26/04/2004 à 09:20, Antonio Alvarez a écrit :
> > The problem is how can i control the packet localy generated( ip and
> > port )???  
> > i can't mangle this packet before routing :-/
> 
> You can mangle them in OUTPUT chain...
Uhm.... not sure. you can mangle the packet but when the packet go
output the packet was routed :-( 

> 
> > In sumarize it's possible to use different routing tables with packet
> > generated localy??
> 
> Yes.
> One solution, amoung others : mark them in OUTPUT and route against
> nfmark.

Re: iptables and iproute

[Antonio Alvarez]

El lun, 26-04-2004 a las 08:55, John A. Sullivan III escribió:
> On Mon, 2004-04-26 at 03:20, Antonio Alvarez wrote:
> > Hello every body!
> > 
> > I have a machine with 4 ethernet interfaces, 3 directly connected to
> > ADSL lines a the another one to a LAN.
> > 
> > I have 3 routing tables with iproute ( each one with his default gw for
> > each ADSL line )
> > 
> > I don't have problems with packet traversing my linux machine ( mangle
> > the packet in the PREROUTING chain ) to routing.
> > 
> > The problem is how can i control the packet localy generated( ip and
> > port )???  
> > i can't mangle this packet before routing :-/
> > 
> > for example a need to use ssh server in the linux machine using ADSL 1 
> > but when the machime aswer me use the ADSL 3 ( because this is the
> > default gw in the main routing table :-( ... 
> > 
> > In sumarize it's possible to use different routing tables with packet
> > generated localy??
> <snip>
> I don't recall the syntax off the top of my head but isn't it possible
> to create a iproute2 rule where iif = lo to route locally generated
> packets.  I believe that's how we do it in the ISCS project. You can
> check the ISCS training docs at http://iscs.sourceforge.net - John

Ok, Iam looking for in the web.

Thanks

Re: iptables and iproute

[Cedric Blancher]

Le lun 26/04/2004 à 10:08, Antonio Alvarez a écrit :
> > You can mangle them in OUTPUT chain...
> Uhm.... not sure. you can mangle the packet but when the packet go
> output the packet was routed :-(

Not quite, there's a second round for altered packets ;)
One routing process is called for packet building, in order to determine
to which interface it will get sent, and so source address given. If
packet is altered in OUTPUT chain, then it will get routed again so it
keeps consistant with routing table.

What I've just tested :

root@anduril:~# echo 200 test >> /etc/iproute2/rt_tables
root@anduril:~# ip rule add fwmark 2 table test
root@anduril:~# ip route add default via 192.168.1.123 dev eth1 \
			table test
root@anduril:~# ip route flush cache

Then for Netfilter :

root@anduril:~# iptables -t nat -A OUTPUT -d 192.168.11.0/24 \
			-j MARK --set-mark 2

My configuration is eth0 to usual network with default route, and eth1
to 192.168.1.1/24. If I ping 192.168.11.1, packets are rerouted to new
gateway, using correct interface :

root@anduril:~# tcpdump -i eth1
tcpdump: listening on eth1
10:50:21.917025 192.168.2.45 > 192.168.11.1: icmp: echo request (DF)
10:50:22.916930 192.168.2.45 > 192.168.11.1: icmp: echo request (DF)
10:50:23.916850 192.168.2.45 > 192.168.11.1: icmp: echo request (DF)
10:50:24.916769 192.168.2.45 > 192.168.11.1: icmp: echo request (DF)

So things are OK, except for source address that is eth0's one. So, I
just have to add a SNAT rule to make things OK :

root@anduril:~# iptables -t nat -A POSTROUTING -o eth1 \
			-j SNAT --to 192.168.1.1

And then :

root@anduril:~# tcpdump -i eth1
tcpdump: listening on eth1
10:58:09.046686 192.168.1.1 > 192.168.11.2: icmp: echo request (DF)
10:58:10.045704 192.168.1.1 > 192.168.11.2: icmp: echo request (DF)
10:58:11.045624 192.168.1.1 > 192.168.11.2: icmp: echo request (DF)
10:58:12.045546 192.168.1.1 > 192.168.11.2: icmp: echo request (DF)

So it should work with your setting as well.


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

Re: iptables and iproute

[Antonio Alvarez]

El lun, 26-04-2004 a las 09:59, Cedric Blancher escribió:
> Le lun 26/04/2004 à 10:08, Antonio Alvarez a écrit :
> > > You can mangle them in OUTPUT chain...
> > Uhm.... not sure. you can mangle the packet but when the packet go
> > output the packet was routed :-(
> 
> Not quite, there's a second round for altered packets ;)
> One routing process is called for packet building, in order to determine
> to which interface it will get sent, and so source address given. If
> packet is altered in OUTPUT chain, then it will get routed again so it
> keeps consistant with routing table.

Hey that's fantastic X-)
> 
> What I've just tested :
> 
> root@anduril:~# echo 200 test >> /etc/iproute2/rt_tables
> root@anduril:~# ip rule add fwmark 2 table test
> root@anduril:~# ip route add default via 192.168.1.123 dev eth1 \
> 			table test
> root@anduril:~# ip route flush cache
> 
> Then for Netfilter :
> 
> root@anduril:~# iptables -t nat -A OUTPUT -d 192.168.11.0/24 \
> 			-j MARK --set-mark 2
> 
> My configuration is eth0 to usual network with default route, and eth1
> to 192.168.1.1/24. If I ping 192.168.11.1, packets are rerouted to new
> gateway, using correct interface :
> 
> root@anduril:~# tcpdump -i eth1
> tcpdump: listening on eth1
> 10:50:21.917025 192.168.2.45 > 192.168.11.1: icmp: echo request (DF)
> 10:50:22.916930 192.168.2.45 > 192.168.11.1: icmp: echo request (DF)
> 10:50:23.916850 192.168.2.45 > 192.168.11.1: icmp: echo request (DF)
> 10:50:24.916769 192.168.2.45 > 192.168.11.1: icmp: echo request (DF)
> 
> So things are OK, except for source address that is eth0's one. So, I
> just have to add a SNAT rule to make things OK :
> 
> root@anduril:~# iptables -t nat -A POSTROUTING -o eth1 \
> 			-j SNAT --to 192.168.1.1
> 
> And then :
> 
> root@anduril:~# tcpdump -i eth1
> tcpdump: listening on eth1
> 10:58:09.046686 192.168.1.1 > 192.168.11.2: icmp: echo request (DF)
> 10:58:10.045704 192.168.1.1 > 192.168.11.2: icmp: echo request (DF)
> 10:58:11.045624 192.168.1.1 > 192.168.11.2: icmp: echo request (DF)
> 10:58:12.045546 192.168.1.1 > 192.168.11.2: icmp: echo request (DF)
> 
> So it should work with your setting as well.
> 
Thanks a lots i will try as soon as i can ...

Re: iptables and iproute

[Antonio Alvarez]

El lun, 26-04-2004 a las 09:59, Cedric Blancher escribió:
> Le lun 26/04/2004 à 10:08, Antonio Alvarez a écrit :
> > > You can mangle them in OUTPUT chain...
> > Uhm.... not sure. you can mangle the packet but when the packet go
> > output the packet was routed :-(
> 
> Not quite, there's a second round for altered packets ;)
> One routing process is called for packet building, in order to determine
> to which interface it will get sent, and so source address given. If
> packet is altered in OUTPUT chain, then it will get routed again so it
> keeps consistant with routing table.
> 
It's work perfectly 
tested too... :-)
> What I've just tested :
> 
> root@anduril:~# echo 200 test >> /etc/iproute2/rt_tables
> root@anduril:~# ip rule add fwmark 2 table test
> root@anduril:~# ip route add default via 192.168.1.123 dev eth1 \
> 			table test
> root@anduril:~# ip route flush cache
> 
> Then for Netfilter :
> 
> root@anduril:~# iptables -t nat -A OUTPUT -d 192.168.11.0/24 \
> 			-j MARK --set-mark 2
> 
> My configuration is eth0 to usual network with default route, and eth1
> to 192.168.1.1/24. If I ping 192.168.11.1, packets are rerouted to new
> gateway, using correct interface :

> 
> root@anduril:~# tcpdump -i eth1
> tcpdump: listening on eth1
> 10:50:21.917025 192.168.2.45 > 192.168.11.1: icmp: echo request (DF)
> 10:50:22.916930 192.168.2.45 > 192.168.11.1: icmp: echo request (DF)
> 10:50:23.916850 192.168.2.45 > 192.168.11.1: icmp: echo request (DF)
> 10:50:24.916769 192.168.2.45 > 192.168.11.1: icmp: echo request (DF)
> 
> So things are OK, except for source address that is eth0's one. So, I
> just have to add a SNAT rule to make things OK :
> 
> root@anduril:~# iptables -t nat -A POSTROUTING -o eth1 \
> 			-j SNAT --to 192.168.1.1
> 
To solve this problem you can use 
ip route add default via dev eth1 src 192.168.1.1 table test
> And then :
> 
> root@anduril:~# tcpdump -i eth1
> tcpdump: listening on eth1
> 10:58:09.046686 192.168.1.1 > 192.168.11.2: icmp: echo request (DF)
> 10:58:10.045704 192.168.1.1 > 192.168.11.2: icmp: echo request (DF)
> 10:58:11.045624 192.168.1.1 > 192.168.11.2: icmp: echo request (DF)
> 10:58:12.045546 192.168.1.1 > 192.168.11.2: icmp: echo request (DF)
> 
> So it should work with your setting as well.
> 
Thanks again

Re: iptables and iproute

[Cedric Blancher]

Le lun 26/04/2004 à 18:53, Antonio Alvarez a écrit :
> To solve this problem you can use 
> ip route add default via dev eth1 src 192.168.1.1 table test

Yes, I know, but my box already had the SNAT rule set, and my lazyness
won ;)

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!