* [LARTC] Re: Pb routing/fwmark
@ 2005-12-28 16:01 Frédéric Massot
2005-12-28 16:43 ` Jody Shumaker
2005-12-29 17:39 ` Frédéric Massot
0 siblings, 2 replies; 3+ messages in thread
From: Frédéric Massot @ 2005-12-28 16:01 UTC (permalink / raw)
To: lartc
Frédéric Massot wrote:
> Hi,
>
> I have a computer which is used as router/firewall/VPN with four network
> card. One connected on the LAN (br0, 10.0.0.0/24), the three others to
> three different ISP, eth0 192.168.1.0/29, eth1 192.168.0.0/24, eth2
> 192.168.2.0/29.
>
> This computer is under Linux 2.6.11 with the Julian Anastasov routes patch.
>
> The configuration by default is to balance the load on the three
> interfaces.
>
> Then, I must route certain service to certain interfaces :
>
> - LAN to Internet 3389/TCP --> eth2
> - Router to Internet 25/TCP --> eth2
> - LAN to Internet 80/TCP --> eth1
>
> I have this routing policy :
>
> $ ip rule
> 0: from all lookup local
> 50: from all lookup main
> 101: from all fwmark 0xd3d lookup 203
> 103: from all fwmark 0x19 lookup 203
> 104: from all fwmark 0x50 lookup 202
> 201: from 192.168.1.0/29 lookup 201
> 202: from 192.168.0.0/24 lookup 202
> 203: from 192.168.2.0/29 lookup 203
> 222: from all lookup 222
> 32766: from all lookup main
> 32767: from all lookup default
>
> $ ip route list table main
> 193.253.176.56 dev eth0 scope link
> 81.56.255.222 dev eth1 scope link
> 195.6.84.110 dev eth2 scope link
> 192.168.2.0/29 dev eth2 proto kernel scope link src 192.168.2.1
> 192.168.1.0/29 dev eth0 proto kernel scope link src 192.168.1.1
> 192.168.254.0/26 dev eth0 scope link
> 10.0.0.0/24 dev br0 proto kernel scope link src 10.0.0.3
> 192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1
>
> $ ip route list table 201
> default via 192.168.1.6 dev eth0 proto static src 192.168.1.1
> prohibit default proto static metric 1
>
> $ ip route list table 202
> default via 192.168.0.6 dev eth1 proto static src 192.168.0.1
> prohibit default proto static metric 1
>
> $ ip route list table 203
> default via 192.168.2.6 dev eth2 proto static src 192.168.2.1
> prohibit default proto static metric 1
>
> $ ip route list table 222
> default proto static
> nexthop via 192.168.1.6 dev eth0 weight 1
> nexthop via 192.168.0.6 dev eth1 weight 4
> nexthop via 192.168.2.6 dev eth2 weight 4
>
>
> And, I mark the paquet with this rule :
>
> iptables -t mangle -A PREROUTING -p tcp --dport 3389 -j MARK --set-mark
> 3389
> iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 25
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 80
>
>
>
> My problem, is that the HTTP is to route to all the interfaces, the SMTP
> seems to be route to the good interface (eth2), and the TSE (3389) is
> route to all the interfaces.
>
> I do not understand which is the problem, can you help me ?
>
Hi,
In my preceding example, I had enabled the connection tracking:
iptables -t mangle -A PREROUTING -m state --state ESTABLISHED,RELATED -j
ACCEPT
iptables -t mangle -A POSTROUTING -m state --state ESTABLISHED,RELATED
-j ACCEPT
iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t mangle -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
And, I mark the paquet with this rule :
iptables -t mangle -A PREROUTING -p tcp --dport 3389 -j MARK --set-mark
3389
iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 80
That did not run ! :(
I disabled the connexion tracking and I modified the rules like this,
and that seems to run :
iptables -t mangle -A FORWARD -o eth0 -p tcp --dport 3389 -j MARK
--set-mark 3389
iptables -t mangle -A FORWARD -o eth1 -p tcp --dport 3389 -j MARK
--set-mark 3389
iptables -t mangle -A FORWARD -o eth2 -p tcp --dport 3389 -j MARK
--set-mark 3389
iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 3389 -j MARK
--set-mark 3389
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 3389 -j MARK
--set-mark 3389
iptables -t mangle -A OUTPUT -o eth2 -p tcp --dport 3389 -j MARK
--set-mark 3389
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 3389 -j MARK
--set-mark 3389
iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A OUTPUT -o eth2 -p tcp --dport 25 -j MARK --set-mark 25
iptables -t mangle -A FORWARD -o eth0 -p tcp --dport 80 -j MARK
--set-mark 80
iptables -t mangle -A FORWARD -o eth1 -p tcp --dport 80 -j MARK
--set-mark 80
iptables -t mangle -A FORWARD -o eth2 -p tcp --dport 80 -j MARK
--set-mark 80
iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A OUTPUT -o eth1 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A OUTPUT -o eth2 -p tcp --dport 80 -j MARK --set-mark 80
iptables -t mangle -A PREROUTING -i br0 -p tcp --dport 80 -j MARK
--set-mark 80
Can you say to me if it is the good method?
I am astonished to mark the packets on the three output interface.
Regards.
--
=======================
| FREDERIC MASSOT |
| http://www.juliana-multimedia.com |
| mailto:frederic@juliana-multimedia.com |
=============Þbian=GNU/Linux=
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [LARTC] Re: Pb routing/fwmark
2005-12-28 16:01 [LARTC] Re: Pb routing/fwmark Frédéric Massot
@ 2005-12-28 16:43 ` Jody Shumaker
2005-12-29 17:39 ` Frédéric Massot
1 sibling, 0 replies; 3+ messages in thread
From: Jody Shumaker @ 2005-12-28 16:43 UTC (permalink / raw)
To: lartc
[-- Attachment #1.1: Type: text/plain, Size: 1636 bytes --]
>
> In my preceding example, I had enabled the connection tracking:
>
> iptables -t mangle -A PREROUTING -m state --state ESTABLISHED,RELATED -j
> ACCEPT
> iptables -t mangle -A POSTROUTING -m state --state ESTABLISHED,RELATED
> -j ACCEPT
> iptables -t mangle -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -t mangle -A OUTPUT -m state --state ESTABLISHED,RELATED -j
> ACCEPT
> iptables -t mangle -A FORWARD -m state --state ESTABLISHED,RELATED -j
> ACCEPT
This was definately your problem. How is this "connection tracking" ? all
these rules say is, if the state matches established or related, then accept
it. When that happens, no further processing is done. You basically made
all packets for previously established or related connections not get marked
as they left the chain before the mark targets. Running :
iptables -t mangle -L -xvn
Would have likely shown hardly any hits to the set mark rules, and the
majority of the packets hitting those above 5 rules.
And, I mark the paquet with this rule :
>
> iptables -t mangle -A PREROUTING -p tcp --dport 3389 -j MARK --set-mark
> 3389
> iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 25
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 80
>
> That did not run ! :(
<snip>
Can you say to me if it is the good method?
>
> I am astonished to mark the packets on the three output interface.
I only think you needed to either remove those -j ACCEPT targets, optionally
change it so they are at the end of the chain, or atleast after the -j MARK
targets.
- Jody
[-- Attachment #1.2: Type: text/html, Size: 2174 bytes --]
[-- Attachment #2: Type: text/plain, Size: 143 bytes --]
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 3+ messages in thread
* [LARTC] Re: Pb routing/fwmark
2005-12-28 16:01 [LARTC] Re: Pb routing/fwmark Frédéric Massot
2005-12-28 16:43 ` Jody Shumaker
@ 2005-12-29 17:39 ` Frédéric Massot
1 sibling, 0 replies; 3+ messages in thread
From: Frédéric Massot @ 2005-12-29 17:39 UTC (permalink / raw)
To: lartc
Jody Shumaker wrote:
>
[...]
>
> This was definately your problem. How is this "connection tracking" ?
> all these rules say is, if the state matches established or related,
> then accept it. When that happens, no further processing is done. You
> basically made all packets for previously established or related
> connections not get marked as they left the chain before the mark
> targets. Running :
> iptables -t mangle -L -xvn
> Would have likely shown hardly any hits to the set mark rules, and the
> majority of the packets hitting those above 5 rules.
>
[...]
>
> I only think you needed to either remove those -j ACCEPT targets,
> optionally change it so they are at the end of the chain, or atleast
> after the -j MARK targets.
>
In the general case with several interfaces, how to mark the packets so
that some use one interface. I do not know if my configuration is correct.
Regards.
--
=======================
| FREDERIC MASSOT |
| http://www.juliana-multimedia.com |
| mailto:frederic@juliana-multimedia.com |
=============Þbian=GNU/Linux=
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2005-12-29 17:39 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-12-28 16:01 [LARTC] Re: Pb routing/fwmark Frédéric Massot
2005-12-28 16:43 ` Jody Shumaker
2005-12-29 17:39 ` Frédéric Massot
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.