From mboxrd@z Thu Jan 1 00:00:00 1970
From: Frédéric Massot
Date: Wed, 28 Dec 2005 16:01:42 +0000
Subject: [LARTC] Re: Pb routing/fwmark
To: lartc@vger.kernel.org

Frédéric Massot wrote:
> Hi,
>
> I have a computer which is used as router/firewall/VPN with four network
> cards. One connected to the LAN (br0, 10.0.0.0/24), the three others to
> three different ISPs, eth0 192.168.1.0/29, eth1 192.168.0.0/24, eth2
> 192.168.2.0/29.
>
> This computer is under Linux 2.6.11 with the Julian Anastasov routes patch.
>
> The configuration by default is to balance the load on the three
> interfaces.
>
> Then, I must route certain services to certain interfaces:
>
> - LAN to Internet 3389/TCP --> eth2
> - Router to Internet 25/TCP --> eth2
> - LAN to Internet 80/TCP --> eth1
>
> I have this routing policy:
>
> $ ip rule
> 0:      from all lookup local
> 50:     from all lookup main
> 101:    from all fwmark 0xd3d lookup 203
> 103:    from all fwmark 0x19 lookup 203
> 104:    from all fwmark 0x50 lookup 202
> 201:    from 192.168.1.0/29 lookup 201
> 202:    from 192.168.0.0/24 lookup 202
> 203:    from 192.168.2.0/29 lookup 203
> 222:    from all lookup 222
> 32766:  from all lookup main
> 32767:  from all lookup default
>
> $ ip route list table main
> 193.253.176.56 dev eth0 scope link
> 81.56.255.222 dev eth1 scope link
> 195.6.84.110 dev eth2 scope link
> 192.168.2.0/29 dev eth2 proto kernel scope link src 192.168.2.1
> 192.168.1.0/29 dev eth0 proto kernel scope link src 192.168.1.1
> 192.168.254.0/26 dev eth0 scope link
> 10.0.0.0/24 dev br0 proto kernel scope link src 10.0.0.3
> 192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
>
> $ ip route list table 201
> default via 192.168.1.6 dev eth0 proto static src 192.168.1.1
> prohibit default proto static metric 1
>
> $ ip route list table 202
> default via 192.168.0.6 dev eth1 proto static src 192.168.0.1
> prohibit default proto static metric 1
>
> $ ip route list table 203
> default via 192.168.2.6 dev eth2 proto static src 192.168.2.1
> prohibit default proto static metric 1
>
> $ ip route list table 222
> default proto static
>         nexthop via 192.168.1.6 dev eth0 weight 1
>         nexthop via 192.168.0.6 dev eth1 weight 4
>         nexthop via 192.168.2.6 dev eth2 weight 4
>
>
> And I mark the packets with these rules:
>
> iptables -t mangle -A PREROUTING -p tcp --dport 3389 -j MARK --set-mark 3389
> iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 25
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 80
>
>
>
> My problem is that the HTTP is routed to all the interfaces, the SMTP
> seems to be routed to the good interface (eth2), and the TSE (3389) is
> routed to all the interfaces.
>
> I do not understand what the problem is, can you help me?
>

Hi,

In my preceding example, I had enabled the connection tracking:

iptables -t mangle -A PREROUTING -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A POSTROUTING -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

And I mark the packets with these rules:

iptables -t mangle -A PREROUTING -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 80

That did not run! :(

I disabled the connection tracking and I modified the rules like this,
and that seems to run:

iptables -t mangle -A FORWARD -o eth0 -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A FORWARD -o eth1 -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A FORWARD -o eth2 -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A OUTPUT -o eth2 -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 3389 -j MARK --set-mark 3389

iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A OUTPUT -o eth2 -p tcp --dport 25 -j MARK --set-mark 25

iptables -t mangle -A FORWARD -o eth0 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A FORWARD -o eth1 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A FORWARD -o eth2 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A OUTPUT -o eth2 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 80 -j MARK --set-mark 80

Can you tell me if it is the good method? I am astonished to mark the
packets on the three output interfaces.

Regards.
--
=======================
|      FREDERIC MASSOT                   |
| http://www.juliana-multimedia.com      |
| mailto:frederic@juliana-multimedia.com |
=============Debian=GNU/Linux=

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
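As an added example (not code from the thread), a small Python model of the poster's `ip rule` order and tables: it walks the rules by priority the way the kernel does and shows that a packet carrying fwmark 0xd3d lands in table 203 (eth2), while the same packet with mark 0, which is what every packet after the first gets when an `ESTABLISHED,RELATED -j ACCEPT` rule sits ahead of the MARK rule in mangle PREROUTING, falls through to the weighted multipath default in table 222. The 203.0.113.10 destination and the 10.0.0.5 LAN host are constructed addresses; the `prohibit` fallbacks are left out.

```python
import ipaddress

# Constructed model of the poster's `ip rule` order: (priority, selector, table).
# Rule 0 (table local) is left out; only Internet-bound traffic is of interest.
RULES = [
    (50, {}, "main"),
    (101, {"fwmark": 0xd3d}, 203),   # 3389/TCP -> eth2
    (103, {"fwmark": 0x19}, 203),    # 25/TCP   -> eth2
    (104, {"fwmark": 0x50}, 202),    # 80/TCP   -> eth1
    (201, {"from": "192.168.1.0/29"}, 201),
    (202, {"from": "192.168.0.0/24"}, 202),
    (203, {"from": "192.168.2.0/29"}, 203),
    (222, {}, 222),
    (32766, {}, "main"),
]

# Routing tables reduced to (prefix, egress).  Table main has no default
# route, so an Internet destination misses there and the walk continues
# (the `prohibit default ... metric 1` fallbacks of 201-203 are omitted).
TABLES = {
    "main": [("192.168.2.0/29", "eth2"), ("192.168.1.0/29", "eth0"),
             ("10.0.0.0/24", "br0"), ("192.168.0.0/24", "eth1")],
    201: [("0.0.0.0/0", "eth0")],
    202: [("0.0.0.0/0", "eth1")],
    203: [("0.0.0.0/0", "eth2")],
    222: [("0.0.0.0/0", "multipath eth0/eth1/eth2")],   # weights 1/4/4
}

def lookup(table, dst):
    """Longest-prefix match within one table; None when nothing matches."""
    best = None
    for prefix, egress in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None

def route(src, dst, fwmark=0):
    """Walk the rules in priority order and return the egress for this packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, sel, table in RULES:
        if "fwmark" in sel and sel["fwmark"] != fwmark:
            continue
        if "from" in sel and src not in ipaddress.ip_network(sel["from"]):
            continue
        egress = lookup(table, dst)
        if egress is not None:       # a miss in the table falls through
            return egress
    return "unreachable"
```

Calling `route("10.0.0.5", "203.0.113.10", fwmark=0xd3d)` returns `eth2`, and the same call with `fwmark=0` returns the multipath default, which is the "routed to all the interfaces" symptom; persisting the mark on the connection with CONNMARK, or marking before the ACCEPT rule, is the usual fix.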