From: "Frédéric Massot" <frederic@juliana-multimedia.com>
To: lartc@vger.kernel.org
Subject: [LARTC] Re: Pb routing/fwmark
Date: Wed, 28 Dec 2005 16:01:42 +0000
Message-ID: <douct7$76s$1@sea.gmane.org>
Frédéric Massot wrote:
> Hi,
>
> I have a computer which is used as router/firewall/VPN with four network
> cards. One is connected to the LAN (br0, 10.0.0.0/24), the three others to
> three different ISPs: eth0 192.168.1.0/29, eth1 192.168.0.0/24, eth2
> 192.168.2.0/29.
>
> This computer is under Linux 2.6.11 with the Julian Anastasov routes patch.
>
> The configuration by default is to balance the load on the three
> interfaces.
>
> Then, I must route certain services to certain interfaces:
>
> - LAN to Internet 3389/TCP --> eth2
> - Router to Internet 25/TCP --> eth2
> - LAN to Internet 80/TCP --> eth1
>
> I have this routing policy :
>
> $ ip rule
> 0: from all lookup local
> 50: from all lookup main
> 101: from all fwmark 0xd3d lookup 203
> 103: from all fwmark 0x19 lookup 203
> 104: from all fwmark 0x50 lookup 202
> 201: from 192.168.1.0/29 lookup 201
> 202: from 192.168.0.0/24 lookup 202
> 203: from 192.168.2.0/29 lookup 203
> 222: from all lookup 222
> 32766: from all lookup main
> 32767: from all lookup default
>
> $ ip route list table main
> 193.253.176.56 dev eth0 scope link
> 81.56.255.222 dev eth1 scope link
> 195.6.84.110 dev eth2 scope link
> 192.168.2.0/29 dev eth2 proto kernel scope link src 192.168.2.1
> 192.168.1.0/29 dev eth0 proto kernel scope link src 192.168.1.1
> 192.168.254.0/26 dev eth0 scope link
> 10.0.0.0/24 dev br0 proto kernel scope link src 10.0.0.3
> 192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
>
> $ ip route list table 201
> default via 192.168.1.6 dev eth0 proto static src 192.168.1.1
> prohibit default proto static metric 1
>
> $ ip route list table 202
> default via 192.168.0.6 dev eth1 proto static src 192.168.0.1
> prohibit default proto static metric 1
>
> $ ip route list table 203
> default via 192.168.2.6 dev eth2 proto static src 192.168.2.1
> prohibit default proto static metric 1
>
> $ ip route list table 222
> default proto static
> nexthop via 192.168.1.6 dev eth0 weight 1
> nexthop via 192.168.0.6 dev eth1 weight 4
> nexthop via 192.168.2.6 dev eth2 weight 4
>
>
> And I mark the packets with these rules:
>
> iptables -t mangle -A PREROUTING -p tcp --dport 3389 -j MARK --set-mark 3389
> iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 25
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 80
>
>
>
> My problem is that HTTP is routed to all the interfaces, SMTP seems to be
> routed to the right interface (eth2), and TSE (3389) is routed to all the
> interfaces.
>
> I do not understand what the problem is, can you help me?
>
Hi,
In my preceding example, I had enabled the connection tracking:
iptables -t mangle -A PREROUTING -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A POSTROUTING -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
And I marked the packets with these rules:
iptables -t mangle -A PREROUTING -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 80
That did not work! :(
I disabled the connection tracking and modified the rules like this,
and that seems to work:
iptables -t mangle -A FORWARD -o eth0 -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A FORWARD -o eth1 -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A FORWARD -o eth2 -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A OUTPUT -o eth2 -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A OUTPUT -o eth2 -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A FORWARD -o eth0 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A FORWARD -o eth1 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A FORWARD -o eth2 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A OUTPUT -o eth2 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 80 -j MARK --set-mark 80
Can you tell me if this is the right method?
I am astonished to mark the packets on the three output interfaces.
Regards.
--
=======================
| FREDERIC MASSOT |
| http://www.juliana-multimedia.com |
| mailto:frederic@juliana-multimedia.com |
=============Debian=GNU/Linux=
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
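Added example, not part of the thread or of anyone's reply to it: a small Python model of the mangle PREROUTING chain and the `ip rule` set quoted above. iptables evaluates a chain top-down and ACCEPT is a terminating target, so with the `--state ESTABLISHED,RELATED -j ACCEPT` rule appended ahead of the MARK rules only the first packet of each forwarded flow is marked and later packets fall through to the load-balanced table 222, which is consistent with the "routed to all the interfaces" symptom for HTTP and 3389. The `Packet` class, the rule functions and the reordered chain are constructed for the model; the fwmark values and table numbers are the ones from the post.

```python
"""Model of the mangle PREROUTING chain and the `ip rule` lookup from the post.
Constructed example, not part of the thread. iptables evaluates a chain top-down
and ACCEPT is terminating, so a MARK rule appended after the ESTABLISHED,RELATED
ACCEPT only ever sees the first packet of each flow."""
from dataclasses import dataclass

@dataclass
class Packet:
    dport: int
    state: str        # conntrack state: "NEW", "ESTABLISHED" or "RELATED"
    mark: int = 0     # fwmark, 0 means unmarked

def accept_established(pkt):
    """-m state --state ESTABLISHED,RELATED -j ACCEPT (terminating target)."""
    return "ACCEPT" if pkt.state in ("ESTABLISHED", "RELATED") else None

def mark_dport(port, mark):
    """-p tcp --dport <port> -j MARK --set-mark <mark> (non-terminating)."""
    def rule(pkt):
        if pkt.dport == port:
            pkt.mark = mark
        return None
    return rule

def run_chain(chain, pkt):
    """Evaluate the rules in order and stop at the first verdict."""
    for rule in chain:
        if rule(pkt) is not None:
            break
    return pkt

# `ip rule` from the post as (priority, fwmark or None, table); local/main omitted.
IP_RULES = [(101, 0xd3d, 203), (103, 0x19, 203), (104, 0x50, 202), (222, None, 222)]

def lookup_table(pkt):
    """First matching policy rule wins; table 222 is the load-balanced default."""
    for _prio, fwmark, table in IP_RULES:
        if fwmark is None or pkt.mark == fwmark:
            return table
    raise LookupError("no matching rule")

MARKS = [mark_dport(3389, 3389), mark_dport(25, 25), mark_dport(80, 80)]
ORIGINAL = [accept_established] + MARKS   # order from the post: ACCEPT first
REORDERED = MARKS + [accept_established]  # constructed: MARK rules ahead of ACCEPT

def tables_for_flow(chain, dport):
    """Routing table chosen for the first and for a later packet of one flow."""
    first = run_chain(chain, Packet(dport, "NEW"))
    later = run_chain(chain, Packet(dport, "ESTABLISHED"))
    return lookup_table(first), lookup_table(later)
```

With the original order, `tables_for_flow(ORIGINAL, 3389)` returns `(203, 222)`: the SYN goes out eth2 but the rest of the connection is load-balanced. With the MARK rules ahead of the ACCEPT it returns `(203, 203)`.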