* [LARTC] Re: Pb routing/fwmark
@ 2005-12-28 16:01 Frédéric Massot
  2005-12-28 16:43 ` Jody Shumaker
  2005-12-29 17:39 ` Frédéric Massot
  0 siblings, 2 replies; 3+ messages in thread
From: Frédéric Massot @ 2005-12-28 16:01 UTC (permalink / raw)
  To: lartc

Frédéric Massot wrote:
> Hi,
> 
> I have a computer which is used as router/firewall/VPN with four network
> cards. One is connected to the LAN (br0, 10.0.0.0/24), the three others to
> three different ISPs: eth0 192.168.1.0/29, eth1 192.168.0.0/24, eth2
> 192.168.2.0/29.
> 
> This computer is under Linux 2.6.11 with the Julian Anastasov routes patch.
> 
> The configuration by default is to balance the load on the three 
> interfaces.
> 
> Then, I must route certain services to certain interfaces:
> 
> - LAN to Internet 3389/TCP --> eth2
> - Router to Internet 25/TCP --> eth2
> - LAN to Internet 80/TCP --> eth1
> 
> I have this routing policy:
> 
> $ ip rule
> 0:      from all lookup local
> 50:     from all lookup main
> 101:    from all fwmark 0xd3d lookup 203
> 103:    from all fwmark 0x19 lookup 203
> 104:    from all fwmark 0x50 lookup 202
> 201:    from 192.168.1.0/29 lookup 201
> 202:    from 192.168.0.0/24 lookup 202
> 203:    from 192.168.2.0/29 lookup 203
> 222:    from all lookup 222
> 32766:  from all lookup main
> 32767:  from all lookup default
> 
> $ ip route list table main
> 193.253.176.56 dev eth0  scope link
> 81.56.255.222 dev eth1  scope link
> 195.6.84.110 dev eth2  scope link
> 192.168.2.0/29 dev eth2  proto kernel  scope link  src 192.168.2.1
> 192.168.1.0/29 dev eth0  proto kernel  scope link  src 192.168.1.1
> 192.168.254.0/26 dev eth0  scope link
> 10.0.0.0/24 dev br0  proto kernel  scope link  src 10.0.0.3
> 192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.1
> 
> $ ip route list table 201
> default via 192.168.1.6 dev eth0  proto static  src 192.168.1.1
> prohibit default  proto static  metric 1
> 
> $ ip route list table 202
> default via 192.168.0.6 dev eth1  proto static  src 192.168.0.1
> prohibit default  proto static  metric 1
> 
> $ ip route list table 203
> default via 192.168.2.6 dev eth2  proto static  src 192.168.2.1
> prohibit default  proto static  metric 1
> 
> $ ip route list table 222
> default  proto static
>         nexthop via 192.168.1.6  dev eth0 weight 1
>         nexthop via 192.168.0.6  dev eth1 weight 4
>         nexthop via 192.168.2.6  dev eth2 weight 4
> 
> 
> And I mark the packets with these rules:
> 
> iptables -t mangle -A PREROUTING -p tcp --dport 3389 -j MARK --set-mark 3389
> iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 25
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 80
> 
> 
> 
> My problem is that HTTP is routed to all the interfaces, SMTP seems to be
> routed to the right interface (eth2), and TSE (3389) is routed to all the
> interfaces.
> 
> I do not understand what the problem is; can you help me?
> 

Hi,

In my preceding example, I had enabled the connection tracking:

iptables -t mangle -A PREROUTING -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A POSTROUTING -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

And I mark the packets with these rules:

iptables -t mangle -A PREROUTING -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 80

That did not run! :(

I disabled the connection tracking and modified the rules like this,
and that seems to run:

iptables -t mangle -A FORWARD -o eth0 -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A FORWARD -o eth1 -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A FORWARD -o eth2 -p tcp --dport 3389 -j MARK --set-mark 3389

iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 3389 -j MARK --set-mark 3389
iptables -t mangle -A OUTPUT -o eth2 -p tcp --dport 3389 -j MARK --set-mark 3389

iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 3389 -j MARK --set-mark 3389

iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A OUTPUT -o eth2 -p tcp --dport 25 -j MARK --set-mark 25

iptables -t mangle -A FORWARD -o eth0 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A FORWARD -o eth1 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A FORWARD -o eth2 -p tcp --dport 80 -j MARK --set-mark 80

iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A OUTPUT -o eth2 -p tcp --dport 80 -j MARK --set-mark 80

iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 80 -j MARK --set-mark 80


Can you tell me whether this is the right method?

I am astonished to mark the packets on the three output interfaces.

Regards.
-- 
=======================
|              FREDERIC MASSOT               |
|     http://www.juliana-multimedia.com      |
|   mailto:frederic@juliana-multimedia.com   |
=============Debian=GNU/Linux=
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] Re: Pb routing/fwmark
  2005-12-28 16:01 [LARTC] Re: Pb routing/fwmark Frédéric Massot
@ 2005-12-28 16:43 ` Jody Shumaker
  2005-12-29 17:39 ` Frédéric Massot
  1 sibling, 0 replies; 3+ messages in thread
From: Jody Shumaker @ 2005-12-28 16:43 UTC (permalink / raw)
  To: lartc



>
> In my preceding example, I had enabled the connection tracking:
>
> iptables -t mangle -A PREROUTING -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -t mangle -A POSTROUTING -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -t mangle -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


This was definitely your problem.  How is this "connection tracking"?  All
these rules say is, if the state matches established or related, then accept
it.  When that happens, no further processing is done.  You basically made
all packets for previously established or related connections not get marked,
as they left the chain before the mark targets.  Running:
iptables -t mangle -L -xvn
would have likely shown hardly any hits to the set mark rules, and the
majority of the packets hitting those above 5 rules.

> And I mark the packets with these rules:
>
> iptables -t mangle -A PREROUTING -p tcp --dport 3389 -j MARK --set-mark 3389
> iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 25
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 80
>
> That did not run! :(


<snip>

> Can you tell me whether this is the right method?
>
> I am astonished to mark the packets on the three output interfaces.


I only think you needed to either remove those -j ACCEPT targets, optionally
change it so they are at the end of the chain, or at least after the -j MARK
targets.

- Jody
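To make the diagnosis above concrete, here is a small Python model (added here, not code from the thread) of how one mangle chain is walked and how the thread's `ip rule` list picks a routing table from the resulting fwmark. It assumes a single simplified chain containing only the `ESTABLISHED,RELATED -j ACCEPT` rule and the three MARK rules from the posts, with ACCEPT ending chain traversal and MARK not.

```python
# Added example, not from the thread: a toy model of netfilter chain traversal
# plus the thread's fwmark ip-rule lookup, showing why "ESTABLISHED,RELATED
# -j ACCEPT" ahead of the MARK rules leaves established flows unmarked.
from dataclasses import dataclass

@dataclass
class Packet:
    dport: int
    state: str      # "NEW", "ESTABLISHED" or "RELATED"
    mark: int = 0

@dataclass
class Rule:
    match: object   # predicate Packet -> bool
    target: str     # "ACCEPT" (terminating) or "MARK" (non-terminating)
    mark: int = 0

def run_chain(chain, pkt):
    """Walk one mangle chain in order. ACCEPT stops traversal of this
    chain, so any MARK rule placed after it is never evaluated."""
    for rule in chain:
        if not rule.match(pkt):
            continue
        if rule.target == "ACCEPT":
            return pkt
        pkt.mark = rule.mark    # MARK sets the mark and keeps walking
    return pkt

# fwmark rules from the thread's "ip rule" output, in priority order. Table
# main (priority 50) has no default route, so Internet-bound traffic falls
# through; packets left unmarked reach table 222 (weighted multipath).
IP_RULES = [(0xd3d, 203), (0x19, 203), (0x50, 202)]

def lookup_table(mark):
    for fwmark, table in IP_RULES:
        if mark == fwmark:
            return table
    return 222

MARKS = [Rule(lambda p: p.dport == 3389, "MARK", 3389),
         Rule(lambda p: p.dport == 25, "MARK", 25),
         Rule(lambda p: p.dport == 80, "MARK", 80)]
ACCEPT_EST = Rule(lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT")
BROKEN = [ACCEPT_EST] + MARKS   # the original ordering
FIXED = MARKS + [ACCEPT_EST]    # the fix suggested above: MARK rules first

def route(chain, dport, state):
    # Returns (fwmark, routing table) for one packet walked through chain.
    pkt = run_chain(chain, Packet(dport, state))
    return pkt.mark, lookup_table(pkt.mark)
```

The model collapses the per-hook chains (PREROUTING, OUTPUT, FORWARD) into one; on a real box an ACCEPT in the mangle table only ends that table's chain and the packet still traverses nat and filter, which is why the rules looked harmless but starved the MARK targets.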


* [LARTC] Re: Pb routing/fwmark
  2005-12-28 16:01 [LARTC] Re: Pb routing/fwmark Frédéric Massot
  2005-12-28 16:43 ` Jody Shumaker
@ 2005-12-29 17:39 ` Frédéric Massot
  1 sibling, 0 replies; 3+ messages in thread
From: Frédéric Massot @ 2005-12-29 17:39 UTC (permalink / raw)
  To: lartc

Jody Shumaker wrote:
> 
[...]
> 
> This was definitely your problem.  How is this "connection tracking"?
> All these rules say is, if the state matches established or related,
> then accept it.  When that happens, no further processing is done.  You
> basically made all packets for previously established or related
> connections not get marked, as they left the chain before the mark
> targets.  Running:
> iptables -t mangle -L -xvn
> would have likely shown hardly any hits to the set mark rules, and the
> majority of the packets hitting those above 5 rules.
> 
[...]
> 
> I only think you needed to either remove those -j ACCEPT targets,
> optionally change it so they are at the end of the chain, or at least
> after the -j MARK targets.
> 

In the general case with several interfaces, how do I mark the packets so
that some use one interface?  I do not know if my configuration is correct.

Regards.
