From: Carlo Pires <carlo@uganet.com.br>
To: CJ East <bec365195104@geckomail.org>
Cc: netfilter@lists.netfilter.org
Subject: Re: Multiple routes by uid-owner
Date: Tue, 15 Jul 2003 18:24:11 -0300 [thread overview]
Message-ID: <3F1470FB.2020604@uganet.com.br> (raw)
In-Reply-To: <1058159480.621.5.camel@broken>
CJ East wrote:
>>-----Original Message-----
>>From: " George Vieira " (via GeckoMail)
>>[mailto:return-bec365195104-georgev-.-citadelcomputer.com.au@g
>>eckomail.o
>>rg]
>>Sent: Monday, 14 July 2003 7:54 AM
>>Subject: RE: Multiple routes by uid-owner
>>
>>
>>--------------------------------------------------------------
>>------------
>>This mail was received via GeckoMail.org alias
>>bec365195104@geckomail.org
>>--------------------------------------------------------------
>>------------
>>
>>Can you LOG all dropped packets, are you setting DROP as the
>>default for INPUT?
>>
>>
>
>INPUT's policy is ACCEPT.
>Adding a LOG target to this chain does not shed any light- incoming
>packets visible to tcpdump on the ppp interface *do not* enter the INPUT
>chain.
>
>But it was a good thing to check, so thanks :D
>
>Yeah, owner id info is only available on the machine itself; but that's
>all i need (I'm not forwarding packets or anything)
>
>The problem still stands-- why are correctly addressed incoming packets
>visible to tcpdump but not to netfilter?
>
>
>
>
>
>
>>Thanks,
>>____________________________________________
>>George Vieira
>>Systems Manager
>>georgev@citadelcomputer.com.au
>>
>>Citadel Computer Systems Pty Ltd
>>http://www.citadelcomputer.com.au
>>
>>Phone : +61 2 9955 2644
>>HelpDesk: +61 2 9955 2698
>>
>>
>>-----Original Message-----
>>From: CJ East [mailto:bec365195104@geckomail.org]
>>Sent: Thursday, July 10, 2003 5:45 PM
>>To: netfilter@lists.netfilter.org
>>Subject: Multiple routes by uid-owner
>>
>>
>>Hi,
>>
>>I'm currently trying to test several independent internet links.
>>
>>To do this, I instantiate two or more interfaces, which I aim to allow
>>to route packets as though two separate machines were each
>>independently
>>connected to the internet, and independently downloading some
>>file using
>>http.
>>
>>- I run wget http://www.google.com with uid=500
>>- I run wget http://www.google.com with uid=501
>>
>>- I set up using iptables;
>>chain OUTPUT
>> MARK all -- anywhere anywhere OWNER UID match 500 MARK set 0x1
>> MARK all -- anywhere anywhere OWNER UID match 501 MARK set 0x2
>>
>>
>>- I set up using ip;
>>
>>ip rule add fwmark 1 table link1
>>ip rule add fwmark 2 table link2
>>ip route add default dev ppp0 table link1
>>ip route add default dev ppp1 table link2
>>
>>- This all works more-or-less correctly.
>>Now, running wget and tcpdump reveals a DNS lookup going out on the
>>correct interface, depending of course which userid is running.
>>
>>Notably, the SOURCE address isn't that of the PPP interface, it's of
>>another (ethernet) interface in the machine. Now, for profiling the
>>connection, this is clearly unacceptable (Packets need to come back on
>>the interface they were sent!) Now, IIUC, an application can bind to
>>any given source address-- but this is a bad idea in my case, since it
>>requires each application be aware of its environment-- fine
>>if my test
>>is ALWAYS wget (since I have the source), but bad generally.
>>
>>So, I've turned to SNAT, which I'm abusing to switch the source IP
>>address to that of the ppp interface on the way out.
>>
>>A la,
>>
>>iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source x.x.x.x
>>
>>This certainly fixes the issue of errant source address, but now, a
>>totally different problem..... Packets coming IN off the ppp interface
>>(now bearing the correct address) don't appear to make it to the
>>application! :(
>>
>>I had no idea what was going on, but suffice to say started messing
>>around with the PREROUTING table enough to notice that these returning
>>packets don't seem to traverse that hook either; they must be dropped
>>somewhere in the kernel, however I'm not sure where or why.
>>I had been
>>thinking that a corresponding DNAT rule (as crude as it must sound)
>>would be a quick-and-dirty solution, but since the packets don't enter
>>that chain.. Well, it's a non-starter :(
>>
>>Why are the packets dropped? The requests are sent out over the same
>>interface on which they are received (Which is a noted caveat for
>>netfilter).
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
>
>
>
I only get to do something like that with CONNMARK patch. With this
patch the packet returns through the right route.
-Carlo
next prev parent reply other threads:[~2003-07-15 21:24 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-07-14 5:11 Multiple routes by uid-owner CJ East
2003-07-15 21:24 ` Carlo Pires [this message]
-- strict thread matches above, loose matches on Subject: below --
2003-07-11 1:23 CJ East
2003-07-10 7:44 CJ East
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3F1470FB.2020604@uganet.com.br \
--to=carlo@uganet.com.br \
--cc=bec365195104@geckomail.org \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.