* Suggestion needed for session marking from different default routes
From: Axel Christiansen @ 2003-10-01 10:41 UTC (permalink / raw)
To: netfilter
Hello,
I have a problem; maybe someone can help me with it.
There is an iptables box with 2 default routes.
One has a dynamic IP (DSL), the other one owns a
small Internet /29 net. The DSL route should be used
because of the flat rate on that line. The
filter box does DNAT to a host behind it on
a private net for ssh.
Now, ssh from the Internet on the DSL line works fine. The
packets get back the right way by the active default
route. I also want to ssh in over the other interface,
and want the packets back on that line.
I am thinking about marking the incoming packets and
then finding out about the returning packets somehow.
If this would work, the routing could then be done by
ip rule (routing).
How could this be done? Is there another solution
for my problem?
thx a lot, Axel
* Re: Suggestion needed for session marking from different default routes
From: Cedric Blancher @ 2003-10-01 11:06 UTC (permalink / raw)
To: axel; +Cc: netfilter
On Wed 01/10/2003 at 12:41, Axel Christiansen wrote:
[...]
> Now, ssh from the Internet on the DSL line works fine. The
> packets get back the right way by the active default
> route. I also want to ssh in over the other interface,
> and want the packets back on that line.
> I am thinking about marking the incoming packets and
> then finding out about the returning packets somehow.
> If this would work, the routing could then be done by
> ip rule (routing).
You must have a look at the CONNMARK target and the connmark match, which
are in the pom extra section:
http://www.netfilter.org/documentation/pomlist/pom-extra.html#CONNMARK
---
This patch adds per-connection marks, and a target (CONNMARK)
and a corresponding match (connmark) for using them.
Usage:
connmark
This module matches the netfilter mark field associated
with a connection (which can be set using the CONNMARK
target below).
--mark value[/mask]
Matches packets in connections with the given
unsigned mark value (if a mask is specified, this
is logically ANDed with the mark before the
comparison).
CONNMARK
This is used to set the netfilter mark value associated
with the connection.
--set-mark mark
Set connection mark.
--save-mark
Set connection mark to the same as the one on the
packet.
--restore-mark
Set the netfilter packet mark value to the one
associated with the connection. This is only valid
in the mangle table.
---
That means you can assign different marks to SSH sessions depending on
which interface they come in on. This mark will get restored on the replies you
generate, for they will get flagged as ESTABLISHED by the conntrack engine.
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
* Re: Suggestion needed for session marking from different default routes
From: Cedric Blancher @ 2003-10-01 11:11 UTC (permalink / raw)
To: axel; +Cc: netfilter
On Wed 01/10/2003 at 12:41, Axel Christiansen wrote:
> Now, ssh from the Internet on the DSL line works fine. The
> packets get back the right way by the active default
> route. I also want to ssh in over the other interface,
> and want the packets back on that line.
Well, something I missed. Your two interfaces must have different IPs?
So you can set up source-based routing, as described in the advanced
routing example in LARTC[1].
[1] : http://lartc.org/
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
* Re: Suggestion needed for session marking from different default routes
From: Axel Christiansen @ 2003-10-01 18:30 UTC (permalink / raw)
To: Cedric Blancher; +Cc: netfilter
Cedric Blancher wrote:
> On Wed 01/10/2003 at 12:41, Axel Christiansen wrote:
> [...]
>
>>Now, ssh from the Internet on the DSL line works fine. The
>>packets get back the right way by the active default
>>route. I also want to ssh in over the other interface,
>>and want the packets back on that line.
>>I am thinking about marking the incoming packets and
>>then finding out about the returning packets somehow.
>>If this would work, the routing could then be done by
>>ip rule (routing).
>
>
> You must have a look at the CONNMARK target and the connmark match, which
> are in the pom extra section:
Great, that will work.
thx, Axel
* Re: Suggestion needed for session marking from different default routes
From: Axel Christiansen @ 2003-10-01 18:35 UTC (permalink / raw)
To: Cedric Blancher; +Cc: netfilter
Cedric Blancher wrote:
> On Wed 01/10/2003 at 12:41, Axel Christiansen wrote:
>
>>Now, ssh from the Internet on the DSL line works fine. The
>>packets get back the right way by the active default
>>route. I also want to ssh in over the other interface,
>>and want the packets back on that line.
>
>
> Well, something I missed. Your two interfaces must have different IPs?
> So you can set up source-based routing, as described in the advanced
> routing example in LARTC[1].
That's the thing I use now. Can one use "source based routing" also by
protocol and port? I did not have a deeper look into the "ip route"
stuff yet. And I only want selected sessions, like smtp or ssh, to
take the alternative route.
G. Axel
* Re: Suggestion needed for session marking from different default routes
From: Cedric Blancher @ 2003-10-01 19:11 UTC (permalink / raw)
To: Axel Christiansen; +Cc: netfilter
On Wed 01/10/2003 at 20:35, Axel Christiansen wrote:
> That's the thing I use now. Can one use "source based routing" also by
> protocol and port? I did not have a deeper look into the "ip route"
> stuff yet. And I only want selected sessions, like smtp or ssh, to
> take the alternative route.
Then you have to use marks; see my other post ;)
--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
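The CONNMARK approach from Cedric's first reply, together with the per-protocol selection he points back to in this last one, written out as a shell script. This is an added example, not code from the thread or from Axel's box. The interface names (ppp0 for the DSL line, eth1 for the /29 uplink, eth0 for the LAN), the 203.0.113.0/29 addresses, the DNAT target 192.168.1.10, and the mark and table numbers are assumptions chosen for the illustration; `-m conntrack --ctstate` is the current spelling of the `-m state --state` match of 2003, and CONNMARK has long since moved from patch-o-matic into the mainline kernel.

```shell
#!/bin/sh
# Added example, not code from the thread. Interface names, addresses and
# mark/table numbers are assumptions; adjust them to the real box.
set -e

DSL_IF=${DSL_IF:-ppp0}              # flat-rate DSL line; carries the normal default route
ALT_IF=${ALT_IF:-eth1}              # uplink holding the static /29
ALT_IP=${ALT_IP:-203.0.113.10}      # this box's address on the /29 (assumed)
ALT_GW=${ALT_GW:-203.0.113.9}       # next hop on the /29 (assumed)
LAN_IF=${LAN_IF:-eth0}              # private network behind the box
SSH_HOST=${SSH_HOST:-192.168.1.10}  # DNAT target for ssh (assumed)
ALT_MARK=${ALT_MARK:-2}             # fwmark meaning "belongs to the /29 uplink"
ALT_TABLE=${ALT_TABLE:-200}         # routing table whose default route is the /29 uplink

# With DRY_RUN set, print each command instead of executing it, so the
# rule set can be reviewed (or tested) without root.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

setup_mangle() {
    # 1. Put the connection's saved mark back on every packet first, for
    #    forwarded packets (PREROUTING) and for replies the box itself sends (OUTPUT).
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    # 2. Packets of an already-classified connection need no further work.
    run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    # 3. Classify the first packet of each connection: anything that enters
    #    on the /29 uplink ...
    run iptables -t mangle -A PREROUTING -i "$ALT_IF" -m conntrack --ctstate NEW \
        -j MARK --set-mark "$ALT_MARK"
    #    ... and selected outbound sessions from the LAN (ssh, smtp).
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp -m multiport --dports 22,25 \
        -m conntrack --ctstate NEW -j MARK --set-mark "$ALT_MARK"
    # 4. Store the packet mark in the conntrack entry; step 1 restores it on
    #    every later packet of the connection, replies included.
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
}

setup_nat() {
    # ssh is reachable on both uplinks and forwarded to the inside host.
    for ifc in "$DSL_IF" "$ALT_IF"; do
        run iptables -t nat -A PREROUTING -i "$ifc" -p tcp --dport 22 \
            -j DNAT --to-destination "$SSH_HOST"
    done
    # Source NAT per uplink, so the remote side answers on the line we used.
    run iptables -t nat -A POSTROUTING -o "$DSL_IF" -j MASQUERADE
    run iptables -t nat -A POSTROUTING -o "$ALT_IF" -j SNAT --to-source "$ALT_IP"
}

setup_routing() {
    # Marked packets consult ALT_TABLE, whose only default route is the /29 uplink.
    run ip route replace default via "$ALT_GW" dev "$ALT_IF" src "$ALT_IP" table "$ALT_TABLE"
    run ip rule add fwmark "$ALT_MARK" table "$ALT_TABLE" priority 100
    # Strict reverse-path filtering would drop packets arriving on the /29
    # uplink from sources the main table routes via DSL; loose mode (value 2,
    # kernel 2.6.31 or newer) keeps an anti-spoofing check without that.
    run sysctl -q -w "net.ipv4.conf.$ALT_IF.rp_filter=2"
}

apply_policy_routing() {
    setup_mangle
    setup_nat
    setup_routing
}

# "show" prints the rule set, "apply" installs it (needs root).
case "${1:-}" in
    show)  DRY_RUN=1 apply_policy_routing ;;
    apply) apply_policy_routing ;;
esac
```

`sh policy-route.sh show` prints the rules for review; `apply` installs them. The order inside mangle PREROUTING matters: restore first, so that reply packets from the DNAT target (which enter on the LAN interface and would otherwise match nothing) pick up the mark before the routing decision, and save last, so only newly classified connections are written to conntrack. One caveat for the port-based selection: it covers sessions forwarded from the LAN only. A session the box itself originates gets its source address from the main table before the OUTPUT chain can mark it, so it would leave eth1 with the DSL address; replies to connections terminated on the box are fine, since their source is the socket's own address and the OUTPUT restore-mark reroutes them.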