marking/mangling of local packets for altering routes?

marking/mangling of local packets for altering routes?

[Jeff Wiegley]

I'm trying to do to some service based routing using the "ip rule" and 
"ip route"
by marking packets.

I'm confused by: http://www.iptables.info/en/structure-of-iptables.html

For forwarded packets (those generated on another machine, passing through
my router) it is obvious that I can mark all my traffic for routing in 
the mangle
table's PREROUTING chain just like I want to.

But Table 6-2 Source Local host (our own machine) indicates that traffic
generated on the routing machine itself (say you are logged in and want to
SSH to another box) can't be marked for special routing. According to the
table the routing decision for these packets happens before ANY iptables 
table
or chain is consulted.

This is problematic. I have two interfaces
eth0 and eth1 and each has a default route associated with it. I want 
certain
traffic to go out eth0's gateway as the default and the rest of the 
traffic I want
to go out eth1.  But according to Table 6-2 I cannot make such routing 
decisions
for locally generated packets. Only those forwarded from another machine.

That lack of ability to traffic shape local traffic seems unreasonable. 
Is Table 6-2
only taking about 127.0.0.1 (and the IPv6 equivalent) when they are talking
about "Source Local Host"? Or can you really not traffic shape all 
locally generated
outbound traffic?

Thank you.

Re: marking/mangling of local packets for altering routes?

[Bryan Harris]

On May 22, 2013, at 3:30 PM, Jeff Wiegley <jeffw@csun.edu> wrote:

> I'm trying to do to some service based routing using the "ip rule" and "ip route"
> by marking packets.

Is this what you mean?  Sorry if I misunderstood.

echo "2 myGreatTable" >> /etc/iproute2/rt_tables
iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark 1
ip rule add fwmark 1 table myGreatTable
ip route add default via 192.168.1.1 dev eth1 table myGreatTable

Bryan

Re: marking/mangling of local packets for altering routes?

[Jeff Wiegley]

On 5/22/2013 1:22 PM, Bryan Harris wrote:
> On May 22, 2013, at 3:30 PM, Jeff Wiegley <jeffw@csun.edu> wrote:
>
>> I'm trying to do to some service based routing using the "ip rule" and "ip route"
>> by marking packets.
> Is this what you mean?  Sorry if I misunderstood.
>
> echo "2 myGreatTable" >> /etc/iproute2/rt_tables
> iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark 1
> ip rule add fwmark 1 table myGreatTable
> ip route add default via 192.168.1.1 dev eth1 table myGreatTable
>
> Bryan
>
>

Yes. that is the sort of thing I am trying to do. My confusion was that 
locally generated
packets would not be subjected to the added rule and route because the 
routing decision
was made before the PREROUTING chain of the mangle table is applied.

However, As Jaff Haran pointed out: In Table 6-2 of 
http://www.iptables.info/en/structure-of-iptables.html
there is a second routing decision that is made after the mangle and nat 
PREROUTING chains have
been processed. I missed that line in all my reading. It guarantees that 
if the locally generated
packets are mangled PREROUTING that another routing decision is made for 
them and they will,
as desired, be affected by the sort of marking and rules/route that you 
have kindly provided.

Thank you!

- Jeff