* CONNTRACK problem
@ 2005-05-31 9:57 rodolphe
0 siblings, 0 replies; 8+ messages in thread
From: rodolphe @ 2005-05-31 9:57 UTC (permalink / raw)
To: netfilter
Hello,
I have two routers connected to the internet and I want to divide my TCP
connections between them.
This is my iptables script:
############################################################################
iptables -t mangle -N INTERNET
iptables -t mangle -N INTERNET_ROUTER_1
iptables -t mangle -N INTERNET_ROUTER_2
# is the packet headed for the internet?
iptables -o eth2 -t mangle -A POSTROUTING -p tcp -d ! 10.0.0.0/8 -j INTERNET
iptables -t mangle -A INTERNET -j CONNMARK --restore-mark
# 50% of connections to router 1
iptables -t mangle -A INTERNET -m mark --mark 0 -p TCP --tcp-flags ALL SYN -m random --average 50 -j MARK --set-mark 1
iptables -t mangle -A INTERNET -m mark --mark 1 -j CONNMARK --save-mark
iptables -t mangle -A INTERNET -m mark --mark 1 -j INTERNET_ROUTER_1
# the rest to router 2
iptables -t mangle -A INTERNET -m mark --mark 0 -p TCP --tcp-flags ALL SYN -j MARK --set-mark 2
iptables -t mangle -A INTERNET -m mark --mark 2 -j CONNMARK --save-mark
iptables -t mangle -A INTERNET -m mark --mark 2 -j INTERNET_ROUTER_2
iptables -t mangle -A INTERNET -j RETURN
iptables -t mangle -A INTERNET_ROUTER_1 -j ROUTE --gw 10.0.2.200
iptables -t mangle -A INTERNET_ROUTER_2 -j ROUTE --gw 10.0.2.254
############################################################################
It seems that I have a problem with CONNTRACK marking: I don't retrieve
the mark to route the packet correctly.
My config is kernel 2.6.11.10 with iptables 1.3.1 and the latest pom.
Thanks for your help
^ permalink raw reply [flat|nested] 8+ messages in thread
* CONNTRACK problem
@ 2005-05-31 10:12 rodolphe
From: rodolphe @ 2005-05-31 10:12 UTC (permalink / raw)
To: netfilter
Hello,
I have two routers connected to the internet and I want to send my TCP
connections between them.
This is my iptables script:
############################################################################
iptables -t mangle -N INTERNET
iptables -t mangle -N INTERNET_ROUTER_1
iptables -t mangle -N INTERNET_ROUTER_2
# is the packet headed for the internet?
iptables -o eth2 -t mangle -A POSTROUTING -p tcp -d ! 10.0.0.0/8 -j INTERNET
iptables -t mangle -A INTERNET -j CONNMARK --restore-mark
# 50% of connections to router 1
iptables -t mangle -A INTERNET -m mark --mark 0 -p TCP --tcp-flags ALL SYN -m random --average 50 -j MARK --set-mark 1
iptables -t mangle -A INTERNET -m mark --mark 1 -j CONNMARK --save-mark
iptables -t mangle -A INTERNET -m mark --mark 1 -j INTERNET_ROUTER_1
# the rest to router 2
iptables -t mangle -A INTERNET -m mark --mark 0 -p TCP --tcp-flags ALL SYN -j MARK --set-mark 2
iptables -t mangle -A INTERNET -m mark --mark 2 -j CONNMARK --save-mark
iptables -t mangle -A INTERNET -m mark --mark 2 -j INTERNET_ROUTER_2
iptables -t mangle -A INTERNET -j RETURN
iptables -t mangle -A INTERNET_ROUTER_1 -j ROUTE --gw 10.0.2.200
iptables -t mangle -A INTERNET_ROUTER_2 -j ROUTE --gw 10.0.2.254
############################################################################
It seems that I have a problem with CONNTRACK marking: I don't retrieve
the mark to route the packets correctly.
My config is kernel 2.6.11.10 with iptables 1.3.1 and the latest pom.
Thanks for your help
* CONNTRACK problem
@ 2005-05-31 11:53 rodolphe
From: rodolphe @ 2005-05-31 11:53 UTC (permalink / raw)
To: netfilter
Hello,
I have two routers connected to the internet and I want to send my TCP
connections between them.
This is my iptables script:
############################################################################
iptables -t mangle -N INTERNET
iptables -t mangle -N INTERNET_ROUTER_1
iptables -t mangle -N INTERNET_ROUTER_2
# is the packet headed for the internet?
iptables -o eth2 -t mangle -A POSTROUTING -p tcp -d ! 10.0.0.0/8 -j INTERNET
iptables -t mangle -A INTERNET -j CONNMARK --restore-mark
# 50% of connections to router 1
iptables -t mangle -A INTERNET -m mark --mark 0 -p TCP --tcp-flags ALL SYN -m random --average 50 -j MARK --set-mark 1
iptables -t mangle -A INTERNET -m mark --mark 1 -j CONNMARK --save-mark
iptables -t mangle -A INTERNET -m mark --mark 1 -j INTERNET_ROUTER_1
# the rest to router 2
iptables -t mangle -A INTERNET -m mark --mark 0 -p TCP --tcp-flags ALL SYN -j MARK --set-mark 2
iptables -t mangle -A INTERNET -m mark --mark 2 -j CONNMARK --save-mark
iptables -t mangle -A INTERNET -m mark --mark 2 -j INTERNET_ROUTER_2
iptables -t mangle -A INTERNET -j RETURN
iptables -t mangle -A INTERNET_ROUTER_1 -j ROUTE --gw 10.0.2.200
iptables -t mangle -A INTERNET_ROUTER_2 -j ROUTE --gw 10.0.2.254
############################################################################
It seems that I have a problem with CONNTRACK marking: I don't retrieve
the mark to route the packets correctly.
My config is kernel 2.6.11.10 with iptables 1.3.1 and the latest pom.
Thanks for your help
* CONNTRACK problem
@ 2005-05-31 12:05 Rodolphe AVERTY
From: Rodolphe AVERTY @ 2005-05-31 12:05 UTC (permalink / raw)
To: netfilter
Hello,
I have two routers connected to the internet and I want to send my TCP connections between them.
This is my iptables script:
############################################################################
iptables -t mangle -N INTERNET
iptables -t mangle -N INTERNET_ROUTER_1
iptables -t mangle -N INTERNET_ROUTER_2
# is the packet headed for the internet?
iptables -o eth2 -t mangle -A POSTROUTING -p tcp -d ! 10.0.0.0/8 -j INTERNET
iptables -t mangle -A INTERNET -j CONNMARK --restore-mark
# 50% of connections to router 1
iptables -t mangle -A INTERNET -m mark --mark 0 -p TCP --tcp-flags ALL SYN -m random --average 50 -j MARK --set-mark 1
iptables -t mangle -A INTERNET -m mark --mark 1 -j CONNMARK --save-mark
iptables -t mangle -A INTERNET -m mark --mark 1 -j INTERNET_ROUTER_1
# the rest to router 2
iptables -t mangle -A INTERNET -m mark --mark 0 -p TCP --tcp-flags ALL SYN -j MARK --set-mark 2
iptables -t mangle -A INTERNET -m mark --mark 2 -j CONNMARK --save-mark
iptables -t mangle -A INTERNET -m mark --mark 2 -j INTERNET_ROUTER_2
iptables -t mangle -A INTERNET -j RETURN
iptables -t mangle -A INTERNET_ROUTER_1 -j ROUTE --gw 10.0.2.200
iptables -t mangle -A INTERNET_ROUTER_2 -j ROUTE --gw 10.0.2.254
############################################################################
It seems that I have a problem with CONNTRACK marking: I don't retrieve the mark to route the packets correctly.
My config is kernel 2.6.11.10 with iptables 1.3.1 and the latest pom.
Thanks for your help
* Re: CONNTRACK problem
@ 2005-06-01 2:32 ` Jason Opperisano
From: Jason Opperisano @ 2005-06-01 2:32 UTC (permalink / raw)
To: netfilter
On Tue, May 31, 2005 at 02:05:17PM +0200, Rodolphe AVERTY wrote:
> Hello,
>
> I have two routers connected to the internet and I want to send my TCP connections between them.
>
> This is my iptables script:
>
> ############################################################################
> iptables -t mangle -N INTERNET
> iptables -t mangle -N INTERNET_ROUTER_1
> iptables -t mangle -N INTERNET_ROUTER_2
>
> # is the packet headed for the internet?
> iptables -o eth2 -t mangle -A POSTROUTING -p tcp -d ! 10.0.0.0/8 -j INTERNET
you are trying to use fwmark's as a key in the routing decision; yet
you are MARK-ing in the mangle POSTROUTING chain, POST meaning "after"
and ROUTING meaning "routing." you'd be better served to place these
rules in the mangle PREROUTING chain; PRE meaning "before" and ROUTING
meaning "routing."
-j
--
"Peter: I only drank so that the Statue Of Liberty would take her
clothes off."
--Family Guy
* CONNTRACK problem
@ 2005-06-02 7:40 rodolphe
From: rodolphe @ 2005-06-02 7:40 UTC (permalink / raw)
To: opie; +Cc: netfilter
I don't use the mark with routing. I use marking to mark new connections,
to retrieve the next packets of those connections, and to force routing
using the ROUTE target.
Thank you for ROUTING = routing :-)
really fun
Regards
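The split this thread describes, rebuilt the way Jason suggests (mark in mangle PREROUTING, then let the routing decision consume the restored CONNMARK through policy routing instead of the patch-o-matic ROUTE target). This is an added example, not rodolphe's script or anything from the netfilter project; it assumes the LAN is 10.0.0.0/8, the clients are forwarded rather than local, both gateways sit behind eth2, the mainline "statistic" match replaces the pom "random" match, and routing tables 101/102 are free. The script prints the commands rather than running them, so they can be reviewed first and then piped to sh as root.

```shell
#!/bin/sh
# Assumed topology (constructed for this example, not from the thread):
GW1=10.0.2.200
GW2=10.0.2.254
OUT_IF=eth2
LAN=10.0.0.0/8

# Emit the rule set on stdout instead of applying it:  sh split.sh | sudo sh
build_rules() {
    cat <<EOF
iptables -t mangle -N INTERNET 2>/dev/null || iptables -t mangle -F INTERNET
# Mark in PREROUTING: for forwarded traffic the routing decision happens
# after this hook, so "ip rule ... fwmark" can see the mark.
iptables -t mangle -A PREROUTING -p tcp ! -d $LAN -j INTERNET
# 1. Reload the mark saved on the conntrack entry (0 for a new connection).
iptables -t mangle -A INTERNET -j CONNMARK --restore-mark
# 2. Only an unmarked SYN makes a choice: half of them go to gateway 1 ...
iptables -t mangle -A INTERNET -m mark --mark 0 -p tcp --tcp-flags ALL SYN -m statistic --mode random --probability 0.5 -j MARK --set-mark 1
# ... and every SYN still unmarked goes to gateway 2.
iptables -t mangle -A INTERNET -m mark --mark 0 -p tcp --tcp-flags ALL SYN -j MARK --set-mark 2
# 3. Persist the decision on the connection so later packets inherit it.
iptables -t mangle -A INTERNET -m mark ! --mark 0 -j CONNMARK --save-mark
# Policy routing: one table per gateway, selected by the fwmark.
ip route replace default via $GW1 dev $OUT_IF table 101
ip route replace default via $GW2 dev $OUT_IF table 102
ip rule add fwmark 1 table 101 2>/dev/null
ip rule add fwmark 2 table 102 2>/dev/null
EOF
}

build_rules
```

Check the result with "conntrack -L" (the mark column) and "ip route get <dst> mark 1": a connection whose SYN was marked 1 must keep mark 1 on every later packet and resolve to 10.0.2.200.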
* conntrack problem
@ 2007-03-08 13:29 richard lucassen
From: richard lucassen @ 2007-03-08 13:29 UTC (permalink / raw)
To: netfilter
Hello list,
I downloaded and compiled on a Debian Sarge box running a vanilla kernel
2.6.16.43:
libnfnetlink-0.0.16
libnetfilter_conntrack-0.0.31
conntrack-1.00beta2
I read the manpage and even found some syntax examples, but conntrack
exits with an error:
# conntrack -L -p udp --orig-port-dst 1194
Operation failed: invalid parameters
According to an example in the "Changelog" this should work.
Am I missing something crucial? Anyone a hint?
Richard.
--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.
+------------------------------------------------------------------+
| Richard Lucassen, Utrecht |
| Public key and email address: |
| http://www.lucassen.org/mail-pubkey.html |
+------------------------------------------------------------------+
* Re: conntrack problem
@ 2007-03-08 17:59 ` richard lucassen
From: richard lucassen @ 2007-03-08 17:59 UTC (permalink / raw)
To: netfilter
On Thu, 8 Mar 2007 14:29:48 +0100
richard lucassen <mailinglists@lucassen.org> wrote:
> # conntrack -L -p udp --orig-port-dst 1194
> Operation failed: invalid parameters
>
> According to an example in the "Changelog" this should work.
>
> Am I missing something crucial? Anyone a hint?
Forget it. 2.6.20.1 works fine.
--
___________________________________________________________________
It is better to remain silent and be thought a fool, than to speak
aloud and remove all doubt.
+------------------------------------------------------------------+
| Richard Lucassen, Utrecht |
| Public key and email address: |
| http://www.lucassen.org/mail-pubkey.html |
+------------------------------------------------------------------+