CONNTRACK problem

All of lore.kernel.org
 help / color / mirror / Atom feed

* CONNTRACK problem
@ 2005-05-31 11:53 rodolphe
  0 siblings, 0 replies; 8+ messages in thread
From: rodolphe @ 2005-05-31 11:53 UTC (permalink / raw)
  To: netfilter

Hello,

i have two router connected to the internet and i want to send my tcp 
connection between them.

this is my iptables script :

############################################################################ 

iptables -t mangle -N INTERNET
iptables -t mangle -N INTERNET_ROUTER_1
iptables -t mangle -N INTERNET_ROUTER_2

#le paquet est t'il en direction d'internet
iptables -o eth2 -t mangle -A POSTROUTING -p tcp -d ! 10.0.0.0/8 -j 
INTERNET

iptables -t mangle -N INTERNET
iptables -t mangle -A INTERNET -j CONNMARK --restore-mark

# 50 % connection vers router 1
iptables -t mangle -A INTERNET -m mark --mark 0 -p TCP --tcp-flags ALL 
SYN -m random --average 50 -j MARK --set-mark 1
iptables -t mangle -A INTERNET -m mark --mark 1 -j CONNMARK --save-mark
iptables -t mangle -A INTERNET -m mark --mark 1 -j INTERNET_ROUTER_1

# le reste vers router 2
iptables -t mangle -A INTERNET -m mark --mark 0 -p TCP --tcp-flags ALL 
SYN -j MARK --set-mark 2
iptables -t mangle -A INTERNET -m mark --mark 2 -j CONNMARK --save-mark
iptables -t mangle -A INTERNET -m mark --mark 2 -j INTERNET_ROUTER_2

iptables -t mangle -A INTERNET -j RETURN

iptables -t mangle -A INTERNET_ROUTER_1 -j ROUTE --gw 10.0.2.200
iptables -t mangle -A INTERNET_ROUTER_2 -j ROUTE --gw 10.0.2.254
############################################################################ 


it seems that i have a problem with CONNTRACK marking, i don't retreive 
the mark to route correctly the packets.

My config is kernel 2.6.11.10 with iptables 1.3.1 and last pom.

Thanks for help



^ permalink raw reply	[flat|nested] 8+ messages in thread

* conntrack problem
@ 2007-03-08 13:29 richard lucassen
  2007-03-08 17:59 ` richard lucassen
  0 siblings, 1 reply; 8+ messages in thread
From: richard lucassen @ 2007-03-08 13:29 UTC (permalink / raw)
  To: netfilter

Hello list,

I downloaded and compiled on a Debian Sarge box running a vanilla kernel
2.6.16.43:

libnfnetlink-0.0.16
libnetfilter_conntrack-0.0.31
conntrack-1.00beta2

I read the manpage and even found some syntax examples, but conntrack
exits with an error:

# conntrack -L -p udp --orig-port-dst 1194
Operation failed: invalid parameters

According to an example in the "Changelog" this should work.

Am I missing something crucial? Anyone a hint?

Richard.

-- 
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+


^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: conntrack problem
  2007-03-08 13:29 conntrack problem richard lucassen
@ 2007-03-08 17:59 ` richard lucassen
  0 siblings, 0 replies; 8+ messages in thread
From: richard lucassen @ 2007-03-08 17:59 UTC (permalink / raw)
  To: netfilter

On Thu, 8 Mar 2007 14:29:48 +0100
richard lucassen <mailinglists@lucassen.org> wrote:

> # conntrack -L -p udp --orig-port-dst 1194
> Operation failed: invalid parameters
> 
> According to an example in the "Changelog" this should work.
> 
> Am I missing something crucial? Anyone a hint?

Forget it. 2.6.20.1 works fine.

-- 
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.

+------------------------------------------------------------------+
| Richard Lucassen, Utrecht                                        |
| Public key and email address:                                    |
| http://www.lucassen.org/mail-pubkey.html                         |
+------------------------------------------------------------------+


^ permalink raw reply	[flat|nested] 8+ messages in thread

* CONNTRACK problem
@ 2005-06-02  7:40 rodolphe
  0 siblings, 0 replies; 8+ messages in thread
From: rodolphe @ 2005-06-02  7:40 UTC (permalink / raw)
  To: opie; +Cc: netfilter

I don't use the mark with routing. I use marking to mark new connections 
to retreive next packets of the connections and to force routing using 
the ROUTE target.

Thank you for ROUTING = routing :-)    
really fun

Regards

^ permalink raw reply	[flat|nested] 8+ messages in thread

* CONNTRACK problem
@ 2005-05-31 12:05 Rodolphe AVERTY
  2005-06-01  2:32 ` Jason Opperisano
  0 siblings, 1 reply; 8+ messages in thread
From: Rodolphe AVERTY @ 2005-05-31 12:05 UTC (permalink / raw)
  To: netfilter

Hello,

i have two router connected to the internet and i want to send my tcp connection between them.

this is my iptables script :

############################################################################
iptables -t mangle -N INTERNET
iptables -t mangle -N INTERNET_ROUTER_1
iptables -t mangle -N INTERNET_ROUTER_2

#le paquet est t'il en direction d'internet
iptables -o eth2 -t mangle -A POSTROUTING -p tcp -d ! 10.0.0.0/8 -j INTERNET

iptables -t mangle -N INTERNET
iptables -t mangle -A INTERNET -j CONNMARK --restore-mark

# 50 % connection vers router 1
iptables -t mangle -A INTERNET -m mark --mark 0 -p TCP --tcp-flags ALL SYN -m random --average 50 -j MARK --set-mark 1
iptables -t mangle -A INTERNET -m mark --mark 1 -j CONNMARK --save-mark
iptables -t mangle -A INTERNET -m mark --mark 1 -j INTERNET_ROUTER_1

# le reste vers router 2
iptables -t mangle -A INTERNET -m mark --mark 0 -p TCP --tcp-flags ALL SYN -j MARK --set-mark 2
iptables -t mangle -A INTERNET -m mark --mark 2 -j CONNMARK --save-mark
iptables -t mangle -A INTERNET -m mark --mark 2 -j INTERNET_ROUTER_2

iptables -t mangle -A INTERNET -j RETURN

iptables -t mangle -A INTERNET_ROUTER_1 -j ROUTE --gw 10.0.2.200
iptables -t mangle -A INTERNET_ROUTER_2 -j ROUTE --gw 10.0.2.254
############################################################################

it seems that i have a problem with CONNTRACK marking, i don't retreive the mark to route correctly the packets.

My config is kernel 2.6.11.10 with iptables 1.3.1 and last pom.

Thanks for help





^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: CONNTRACK problem
  2005-05-31 12:05 Rodolphe AVERTY
@ 2005-06-01  2:32 ` Jason Opperisano
  0 siblings, 0 replies; 8+ messages in thread
From: Jason Opperisano @ 2005-06-01  2:32 UTC (permalink / raw)
  To: netfilter

On Tue, May 31, 2005 at 02:05:17PM +0200, Rodolphe AVERTY wrote:
> Hello,
> 
> i have two router connected to the internet and i want to send my tcp connection between them.
> 
> this is my iptables script :
> 
> ############################################################################
> iptables -t mangle -N INTERNET
> iptables -t mangle -N INTERNET_ROUTER_1
> iptables -t mangle -N INTERNET_ROUTER_2
> 
> #le paquet est t'il en direction d'internet
> iptables -o eth2 -t mangle -A POSTROUTING -p tcp -d ! 10.0.0.0/8 -j INTERNET

you are trying to use fwmark's as a key in the routing decision; yet
you are MARK-ing in the mangle POSTROUTING chain, POST meaning "after"
and ROUTING meaning "routing."  you'd be better served to place these
rules in the mangle PREROUTING chain; PRE meaning "before" and ROUTING
meaning "routing."

-j

--
"Peter: I only drank so that the Statue Of Liberty would take her
 clothes off."
        --Family Guy


^ permalink raw reply	[flat|nested] 8+ messages in thread

* CONNTRACK problem
@ 2005-05-31 10:12 rodolphe
  0 siblings, 0 replies; 8+ messages in thread
From: rodolphe @ 2005-05-31 10:12 UTC (permalink / raw)
  To: netfilter

Hello,

i have two router connected to the internet and i want to send my tcp 
connection between them.

this is my iptables script :

############################################################################ 

iptables -t mangle -N INTERNET
iptables -t mangle -N INTERNET_ROUTER_1
iptables -t mangle -N INTERNET_ROUTER_2

#le paquet est t'il en direction d'internet
iptables -o eth2 -t mangle -A POSTROUTING -p tcp -d ! 10.0.0.0/8 -j 
INTERNET

iptables -t mangle -N INTERNET
iptables -t mangle -A INTERNET -j CONNMARK --restore-mark

# 50 % connection vers router 1
iptables -t mangle -A INTERNET -m mark --mark 0 -p TCP --tcp-flags ALL 
SYN -m random --average 50 -j MARK --set-mark 1
iptables -t mangle -A INTERNET -m mark --mark 1 -j CONNMARK --save-mark
iptables -t mangle -A INTERNET -m mark --mark 1 -j INTERNET_ROUTER_1

# le reste vers router 2
iptables -t mangle -A INTERNET -m mark --mark 0 -p TCP --tcp-flags ALL 
SYN -j MARK --set-mark 2
iptables -t mangle -A INTERNET -m mark --mark 2 -j CONNMARK --save-mark
iptables -t mangle -A INTERNET -m mark --mark 2 -j INTERNET_ROUTER_2

iptables -t mangle -A INTERNET -j RETURN

iptables -t mangle -A INTERNET_ROUTER_1 -j ROUTE --gw 10.0.2.200
iptables -t mangle -A INTERNET_ROUTER_2 -j ROUTE --gw 10.0.2.254
############################################################################ 


it seems that i have a problem with CONNTRACK marking, i don't retreive 
the mark to route correctly the packets.

My config is kernel 2.6.11.10 with iptables 1.3.1 and last pom.

Thanks for help



^ permalink raw reply	[flat|nested] 8+ messages in thread

* CONNTRACK problem
@ 2005-05-31  9:57 rodolphe
  0 siblings, 0 replies; 8+ messages in thread
From: rodolphe @ 2005-05-31  9:57 UTC (permalink / raw)
  To: netfilter

Hello,

i have two router connected to the internet and i want to divide my tcp 
connection between them.

this is my iptables script :

############################################################################ 

iptables -t mangle -N INTERNET
iptables -t mangle -N INTERNET_ROUTER_1
iptables -t mangle -N INTERNET_ROUTER_2

#le paquet est t'il en direction d'internet
iptables -o eth2 -t mangle -A POSTROUTING -p tcp -d ! 10.0.0.0/8 -j 
INTERNET

iptables -t mangle -N INTERNET
iptables -t mangle -A INTERNET -j CONNMARK --restore-mark

# 50 % connection vers router 1
iptables -t mangle -A INTERNET -m mark --mark 0 -p TCP --tcp-flags ALL 
SYN -m random --average 50 -j MARK --set-mark 1
iptables -t mangle -A INTERNET -m mark --mark 1 -j CONNMARK --save-mark
iptables -t mangle -A INTERNET -m mark --mark 1 -j INTERNET_ROUTER_1

# le reste vers router 2
iptables -t mangle -A INTERNET -m mark --mark 0 -p TCP --tcp-flags ALL 
SYN -j MARK --set-mark 2
iptables -t mangle -A INTERNET -m mark --mark 2 -j CONNMARK --save-mark
iptables -t mangle -A INTERNET -m mark --mark 2 -j INTERNET_ROUTER_2

iptables -t mangle -A INTERNET -j RETURN

iptables -t mangle -A INTERNET_ROUTER_1 -j ROUTE --gw 10.0.2.200
iptables -t mangle -A INTERNET_ROUTER_2 -j ROUTE --gw 10.0.2.254
############################################################################ 


it seems that i have a problem with CONNTRACK marking, i don't retreive 
the mark to route correctly the packet.

My config is kernel 2.6.11.10 with iptables 1.3.1 and last pom.

Thanks for help



^ permalink raw reply	[flat|nested] 8+ messages in thread

end of thread, other threads:[~2007-03-08 17:59 UTC | newest]

Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-05-31 11:53 CONNTRACK problem rodolphe
  -- strict thread matches above, loose matches on Subject: below --
2007-03-08 13:29 conntrack problem richard lucassen
2007-03-08 17:59 ` richard lucassen
2005-06-02  7:40 CONNTRACK problem rodolphe
2005-05-31 12:05 Rodolphe AVERTY
2005-06-01  2:32 ` Jason Opperisano
2005-05-31 10:12 rodolphe
2005-05-31  9:57 rodolphe

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.