From: "Gáspár Lajos" <swifty@freemail.hu>
To: John Meissen <john@meissen.org>
Cc: netfilter@vger.kernel.org
Subject: Re: Changing default route causes packet drop
Date: Mon, 05 Jul 2010 12:06:11 +0200 [thread overview]
Message-ID: <4C31AE93.70309@freemail.hu> (raw)
In-Reply-To: <20100705090326.BF7B134502@john>
Hi John,
1. Set up multiple routing tables.
a.) I have the following in my /etc/iproute2/rt_tables: [cat /etc/iproute2/rt_tables]
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
201 PPP2
200 PPP1
b.) I have a route setup script: [cat /etc/network/routes]
#!/bin/bash
# Per-WAN settings: ppp interface, routing table name (from rt_tables) and fwmark value.
WAN1_IF='ppp1'
WAN1_TB='PPP1'
WAN1_MARK='1'
# On a ppp link "ip addr show" prints "inet <local> peer <remote>/32":
# field 2 is our own address, field 4 the peer (gateway) address.
WAN1_IP=`ip addr show dev $WAN1_IF | grep 'inet ' | awk '{print $2}' | awk 'BEGIN{FS="/"}{print $1}'`
WAN1_GW=`ip addr show dev $WAN1_IF | grep 'inet ' | awk '{print $4}' | awk 'BEGIN{FS="/"}{print $1}'`
WAN2_IF='ppp2'
WAN2_TB='PPP2'
WAN2_MARK='2'
WAN2_IP=`ip addr show dev $WAN2_IF | grep 'inet ' | awk '{print $2}' | awk 'BEGIN{FS="/"}{print $1}'`
WAN2_GW=`ip addr show dev $WAN2_IF | grep 'inet ' | awk '{print $4}' | awk 'BEGIN{FS="/"}{print $1}'`
# Rebuild each WAN's table: a single default route via that WAN, sourced from its address.
ip route flush table $WAN1_TB
ip route flush table $WAN2_TB
test ! "$WAN1_IP" == "" && ip route add table $WAN1_TB dev $WAN1_IF default via $WAN1_GW src $WAN1_IP
test ! "$WAN2_IP" == "" && ip route add table $WAN2_TB dev $WAN2_IF default via $WAN2_GW src $WAN2_IP
# Delete the old rules pointing at these tables (by priority) before re-adding them.
for prio in `ip rule show | grep $WAN1_TB | awk 'BEGIN{FS=":"}{print $1}'`
do
	ip rule del prio $prio
done
for prio in `ip rule show | grep $WAN2_TB | awk 'BEGIN{FS=":"}{print $1}'`
do
	ip rule del prio $prio
done
# Packets carrying a WAN's mark, and packets sourced from a WAN's own address,
# are routed with that WAN's table (the WAN1 rule is guarded by WAN1_IP, not WAN2_IP).
test ! "$WAN1_IP" == "" && ip rule add fwmark $WAN1_MARK table $WAN1_TB
test ! "$WAN2_IP" == "" && ip rule add fwmark $WAN2_MARK table $WAN2_TB
test ! "$WAN1_IP" == "" && ip rule add from $WAN1_IP table $WAN1_TB
test ! "$WAN2_IP" == "" && ip rule add from $WAN2_IP table $WAN2_TB
# Disable reverse-path filtering on the WAN links, so packets arriving on the
# WAN that is not the main table's default are not dropped by the source check.
test -e /proc/sys/net/ipv4/conf/$WAN1_IF/rp_filter && echo '0' >/proc/sys/net/ipv4/conf/$WAN1_IF/rp_filter
test -e /proc/sys/net/ipv4/conf/$WAN2_IF/rp_filter && echo '0' >/proc/sys/net/ipv4/conf/$WAN2_IF/rp_filter
# Main table: default route via WAN1.
ip route del default
ip route add default dev $WAN1_IF scope link
ip route flush cache
exit 0
c.) Call this script whenever a WAN interface is coming up.
In my /etc/interfaces:
auto adsl1
iface adsl1 inet ppp
provider PPP1
up /bin/sleep 10
up /etc/network/routes
auto adsl2
iface adsl2 inet ppp
provider PPP2
up /bin/sleep 10
up /etc/network/routes
2. Do the Netfilter/Iptables part:
Mark the outgoing packets in the mangle table's POSTROUTING chain with WAN1_MARK or WAN2_MARK:
iptables -t mangle -A POSTROUTING -j MARK --set-mark 1 .... (your matching criteria for WAN1....)
iptables -t mangle -A POSTROUTING -j MARK --set-mark 2 .... (your matching criteria for WAN2....)
Hope I could help,
Swifty

On 2010-07-05 11:03, John Meissen wrote:
> I'm not sure if this is the right place to ask, or if it's even the right
> question. Hopefully someone can point me in the right direction.
>
> I had a traditional setup with two ethernet interfaces on my Linux box
> (WAN=eth0/LAN=eth1), and NATing the traffic that was forwarded between them.
>
> I added another interface (eth2), and simply want to change the default
> routing to go through it. I'm leaving various services listening on all
> interfaces.
>
> If I change the default route to use eth2, I can route from the internal
> network to the outside just fine, and I can connect from the internal net
> to services on the system fine. But incoming connections on the original
> WAN (eth0) don't complete. They hang at SYN_RECV, as if I had a DROP rule.
>
> I.e., what used to be
>
> internal<-> (eth1) gateway forward (eth0)<-> WAN
> internal<-> (eth1) gateway local service
> gateway local service (eth0)<-> WAN
> is now
>
> internal<-> (eth1) gateway forward (eth2)<-> WAN
> internal<-> (eth1) gateway local service
>
> but
> gateway local service (eth0)<-> WAN
>
> now drops connection attempts.
>
> I don't see what difference there should be between eth0 and eth1, except
> that eth0 isn't forwarded. That shouldn't affect connections to processes
> listening on that interface.
>
> I've tried to keep the iptables config simple for this. The only change I'm
> making is changing the default route with the 'route' command.
>
> # iptables -L -v -n
> Chain INPUT (policy ACCEPT 63555 packets, 73M bytes)
> pkts bytes target prot opt in out source destination
>
> 11 3626 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67
> 0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
> 0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
> 0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp spt:67 dpt:68
> 1937 127K ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
> 0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
>
> Chain FORWARD (policy ACCEPT 39362 packets, 42M bytes)
> pkts bytes target prot opt in out source destination
>
> 31533 2844K ACCEPT all -- * * 192.168.10.0/24 0.0.0.0/0
>
>
> Chain OUTPUT (policy ACCEPT 42150 packets, 5745K bytes)
> pkts bytes target prot opt in out source destination
>
>
> and
>
> # iptables -t nat -L -v -n
> Chain PREROUTING (policy ACCEPT 859K packets, 57M bytes)
> pkts bytes target prot opt in out source destination
>
>
> Chain POSTROUTING (policy ACCEPT 584K packets, 46M bytes)
> pkts bytes target prot opt in out source destination
>
> 755K 72M MASQUERADE all -- * * 192.168.10.0/24 0.0.0.0/0
>
>
> Chain OUTPUT (policy ACCEPT 1015K packets, 100M bytes)
> pkts bytes target prot opt in out source destination
>
>
>
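The policy-routing recipe in the reply above, reworked as a dry-run helper. This is an added example, not code from the original mail or from either poster: it parses the local/peer pair out of a constructed "ip addr show" line the same way the script's awk pipeline does, works out which stale "ip rule" priorities would have to be deleted from constructed "ip rule show" output, and prints the per-WAN iproute2 commands as text so they can be reviewed before being run as root. Interface names, table names, marks and addresses are constructed samples, and the functions parse_ppp_addr, stale_rule_prios, wan_commands and dry_run_wan are this example's own names. One assumption worth stating: the fwmark rule only takes effect for packets whose mark is set before the routing decision (mangle PREROUTING for forwarded traffic, mangle OUTPUT for locally generated traffic).

```shell
#!/bin/sh
# Added example: dry-run helper for a two-WAN policy-routing setup.
# Nothing here touches the system; the functions only parse text and print
# the iproute2 commands that would be run. All sample data is constructed.

# Constructed 'ip addr show dev ppp1' output, in the form iproute2 uses for a
# ppp link: "inet <local> peer <remote>/32".
SAMPLE_IP_ADDR='5: ppp1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp
    inet 203.0.113.10 peer 203.0.113.1/32 scope global ppp1'

# Constructed 'ip rule show' output with two rules already pointing at PPP1.
SAMPLE_RULES='0:      from all lookup local
32764:  from 203.0.113.10 lookup PPP1
32765:  fwmark 0x1 lookup PPP1
32766:  from all lookup main
32767:  from all lookup default'

# Print "LOCAL PEER" for the first inet line on stdin (fields 2 and 4, with
# any /prefix stripped): the same pair the mail's awk pipeline extracts.
parse_ppp_addr() {
    awk '/inet / { split($2, l, "/"); split($4, p, "/"); print l[1], p[1]; exit }'
}

# Print the priority of every rule on stdin whose lookup target is the given
# table, so those rules can be deleted before being re-added. Matching on the
# last field avoids the false hits a plain grep for the name gives (PPP1 in PPP10).
stale_rule_prios() {
    awk -v t="$1" '$NF == t { sub(/:$/, "", $1); print $1 }'
}

# Emit the commands that bind one WAN to its own table. Arguments:
#   IF TABLE MARK LOCAL_IP GATEWAY
# Returns 1 and prints nothing when the interface has no address (link down).
wan_commands() {
    _if=$1; _tb=$2; _mark=$3; _ip=$4; _gw=$5
    [ -n "$_ip" ] || return 1
    cat <<EOF
ip route flush table $_tb
ip route add table $_tb default via $_gw dev $_if src $_ip
ip rule add fwmark $_mark table $_tb
ip rule add from $_ip table $_tb
echo 0 > /proc/sys/net/ipv4/conf/$_if/rp_filter
EOF
}

# Full dry run for one WAN against the constructed samples: parse the address,
# print a delete for each stale rule, then print the add commands.
dry_run_wan() {
    _if=$1; _tb=$2; _mark=$3
    set -- $(printf '%s\n' "$SAMPLE_IP_ADDR" | parse_ppp_addr)
    for prio in $(printf '%s\n' "$SAMPLE_RULES" | stale_rule_prios "$_tb"); do
        echo "ip rule del prio $prio"
    done
    wan_commands "$_if" "$_tb" "$_mark" "$1" "$2"
}

dry_run_wan ppp1 PPP1 1
```

For the question that started the thread, the "ip rule add from <address> table <table>" line is the piece that matters: with it, a SYN-ACK answering a connection received on eth0 is routed by a table whose default route leaves via eth0 again, instead of following the main table's default route out through eth2 with an eth0 source address.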
Thread overview: 4+ messages
2010-07-05 9:03 Changing default route causes packet drop John Meissen
2010-07-05 10:06 ` Gáspár Lajos [this message]
2010-07-07 14:23 ` Pascal Hambourg
2010-07-07 16:35 ` John Meissen