From: "Frédéric Massot" <frederic@juliana-multimedia.com>
To: lartc@vger.kernel.org
Subject: [LARTC] Pb routing/fwmark
Date: Fri, 23 Dec 2005 11:39:40 +0000
Message-ID: <dognls$iad$1@sea.gmane.org>

Hi,

I have a computer which is used as a router/firewall/VPN with four network 
cards. One is connected to the LAN (br0, 10.0.0.0/24), the three others to 
three different ISPs: eth0 192.168.1.0/29, eth1 192.168.0.0/24, eth2 
192.168.2.0/29.

This computer is under Linux 2.6.11 with the Julian Anastasov routes patch.

The configuration by default is to balance the load on the three interfaces.

Then, I must route certain services to certain interfaces:

- LAN to Internet 3389/TCP --> eth2
- Router to Internet 25/TCP --> eth2
- LAN to Internet 80/TCP --> eth1

I have this routing policy:

$ ip rule
0:      from all lookup local
50:     from all lookup main
101:    from all fwmark 0xd3d lookup 203
103:    from all fwmark 0x19 lookup 203
104:    from all fwmark 0x50 lookup 202
201:    from 192.168.1.0/29 lookup 201
202:    from 192.168.0.0/24 lookup 202
203:    from 192.168.2.0/29 lookup 203
222:    from all lookup 222
32766:  from all lookup main
32767:  from all lookup default

$ ip route list table main
193.253.176.56 dev eth0  scope link
81.56.255.222 dev eth1  scope link
195.6.84.110 dev eth2  scope link
192.168.2.0/29 dev eth2  proto kernel  scope link  src 192.168.2.1
192.168.1.0/29 dev eth0  proto kernel  scope link  src 192.168.1.1
192.168.254.0/26 dev eth0  scope link
10.0.0.0/24 dev br0  proto kernel  scope link  src 10.0.0.3
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.1

$ ip route list table 201
default via 192.168.1.6 dev eth0  proto static  src 192.168.1.1
prohibit default  proto static  metric 1

$ ip route list table 202
default via 192.168.0.6 dev eth1  proto static  src 192.168.0.1
prohibit default  proto static  metric 1

$ ip route list table 203
default via 192.168.2.6 dev eth2  proto static  src 192.168.2.1
prohibit default  proto static  metric 1

$ ip route list table 222
default  proto static
         nexthop via 192.168.1.6  dev eth0 weight 1
         nexthop via 192.168.0.6  dev eth1 weight 4
         nexthop via 192.168.2.6  dev eth2 weight 4


And I mark the packets with these rules:

iptables -t mangle -A PREROUTING -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 80



My problem is that HTTP is routed to all the interfaces, SMTP 
seems to be routed to the right interface (eth2), and TSE (3389) is 
routed to all the interfaces.

I do not understand what the problem is; can you help me?

Regards.
-- 
=======================
|              FREDERIC MASSOT               |
|     http://www.juliana-multimedia.com      |
|   mailto:frederic@juliana-multimedia.com   |
==============Debian=GNU/Linux=