Re: [LARTC] Routing based on source port - Solution ?

Re: [LARTC] Routing based on source port - Solution ?

[Tobias]

Hello bert

I have the same problem and tried all possibities i know.

"ip rule" in fact doesnt route based on port because
IP protocol dont know about ports. BUT u can solve the problem
by using iptables/ipchains with help of MARKs - as u said.

Unfortinuatly netfilter can only set MARKs in the moment the
packets travers the INPUT Queue (of corresponding interface).

-->
netfilter is not able to set mark for _local_ created packets,
because the INPUT Queue of netfilter is not passed.

=> In fact the MARK mechanism can only be used for incoming packets.

In my scenario i would like to do port based routing on local sockets 
i cannot use the MARK feature at all. :(


I dont know of any other method to solve the problem. 
Any other solutions ??

----

I have only one "hack" in mind:
+ Setup my routing based on source-ip.
+ Change the socket() call via LD_PRELOAD to change the namespace
to a predefined IP (= source-IP change)
+ on exection of programs on the shell i preload the new socket()
 when i want to route the network datas other ways (not default one).

That way specified network transfers are done via an alternate route
defined in "ip route".
Possible one needs to HACK the source code of programs.

Anyone got ideas on this medthod ?


Thx
Tobias

On Fri, 19 Apr 2002 10:44:53 +0200
"bert hubert" <ahu@ds9a.nl> wrote:

> On Fri, Apr 19, 2002 at 09:09:35AM +0200, Daniel Ahlberg wrote:
> > Hello,
> > 
> > I have two ISPs connected to my router. Using "ip rule" I can easily divert
> > traffic to the diffrent uplinks. However, "ip rule" only seems to be able to
> > send packets according to their source or destination adress. What I want is
> > to be able to route based on protocol and source port. Is this possible, and
> > how?
> 
> I think ip rule has a syntax for that; if it doesn't, use iptables or
> ipchains to attach a mark to packets with certain source or destination port
> and create a rule that works on that mark.
> 
> Regards,
> 
> bert
> 
> -- 
> http://www.PowerDNS.com          Versatile DNS Software & Services
> http://www.tk                              the dot in .tk
> http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Routing based on source port - Solution ?

[Daniel Ahlberg]

> I have the same problem and tried all possibities i know.
>
> "ip rule" in fact doesnt route based on port because
> IP protocol dont know about ports. BUT u can solve the problem
> by using iptables/ipchains with help of MARKs - as u said.
>
> Unfortinuatly netfilter can only set MARKs in the moment the
> packets travers the INPUT Queue (of corresponding interface).
>
> -->
> netfilter is not able to set mark for _local_ created packets,
> because the INPUT Queue of netfilter is not passed.
>
> => In fact the MARK mechanism can only be used for incoming packets.
>
> In my scenario i would like to do port based routing on local sockets
> i cannot use the MARK feature at all. :(
>
>
> I dont know of any other method to solve the problem.
> Any other solutions ??

I too have encountered problems with the marking of packets. When I mark
packets destined to port 80 using iptables and dump the traffic using
tcpdump I can see the packet coming into the local interface (eth0) and
leaving the external interface (eth1), getting a reply from the website I'm
trying to visit on eth1 but the reply isnt sent to my computer on the local
interface. I am however using old versions of iptables (1.2.2) and iproute
(20001007) and I have yet to try out a newer version of both iproute and
iptables


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

RE: [LARTC] Routing based on source port - Solution ?

[Greg Scott]

What about some sort of DNAT redirection with iptables?

- Greg


-----Original Message-----
From: Tobias [mailto:medlor@web.de]
Sent: Friday, April 19, 2002 8:18 AM
To: lartc@mailman.ds9a.nl
Subject: Re: [LARTC] Routing based on source port - Solution ?


Hello bert

I have the same problem and tried all possibities i know.

"ip rule" in fact doesnt route based on port because
IP protocol dont know about ports. BUT u can solve the problem
by using iptables/ipchains with help of MARKs - as u said.

Unfortinuatly netfilter can only set MARKs in the moment the
packets travers the INPUT Queue (of corresponding interface).

-->
netfilter is not able to set mark for _local_ created packets,
because the INPUT Queue of netfilter is not passed.

=> In fact the MARK mechanism can only be used for incoming packets.

In my scenario i would like to do port based routing on local sockets 
i cannot use the MARK feature at all. :(


I dont know of any other method to solve the problem. 
Any other solutions ??

----

I have only one "hack" in mind:
+ Setup my routing based on source-ip.
+ Change the socket() call via LD_PRELOAD to change the namespace
to a predefined IP (= source-IP change)
+ on exection of programs on the shell i preload the new socket()
 when i want to route the network datas other ways (not default one).

That way specified network transfers are done via an alternate route
defined in "ip route".
Possible one needs to HACK the source code of programs.

Anyone got ideas on this medthod ?


Thx
Tobias

On Fri, 19 Apr 2002 10:44:53 +0200
"bert hubert" <ahu@ds9a.nl> wrote:

> On Fri, Apr 19, 2002 at 09:09:35AM +0200, Daniel Ahlberg wrote:
> > Hello,
> > 
> > I have two ISPs connected to my router. Using "ip rule" I can easily
divert
> > traffic to the diffrent uplinks. However, "ip rule" only seems to be
able to
> > send packets according to their source or destination adress. What I
want is
> > to be able to route based on protocol and source port. Is this possible,
and
> > how?
> 
> I think ip rule has a syntax for that; if it doesn't, use iptables or
> ipchains to attach a mark to packets with certain source or destination
port
> and create a rule that works on that mark.
> 
> Regards,
> 
> bert
> 
> -- 
> http://www.PowerDNS.com          Versatile DNS Software & Services
> http://www.tk                              the dot in .tk
> http://lartc.org           Linux Advanced Routing & Traffic Control HOWTO
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Routing based on source port - Solution ?

[Adrian Chung]

On Fri, Apr 19, 2002 at 03:18:01PM +0200, Tobias wrote:
[...]
> Unfortinuatly netfilter can only set MARKs in the moment the
> packets travers the INPUT Queue (of corresponding interface).
> 
> -->
> netfilter is not able to set mark for _local_ created packets,
> because the INPUT Queue of netfilter is not passed.
> 
> => In fact the MARK mechanism can only be used for incoming packets.

Prior to 2.4.18, the 'mangle' table had PREROUTING (for incoming
packets prior to routing) and OUTPUT (for locally generated packets)
chains.  After 2.4.18, there are INPUT, FORWARD, and POSTROUTING
chains as well.

I'm using the OUTPUT chain of the 'mangle' table to set-tos values,
but I'm pretty sure I can --set-mark instead.  I'm unable to test it
at the moment though.

--
Adrian Chung (adrian at enfusion-group dot com)
http://www.enfusion-group.com/~adrian
GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
[toad.enfusion-group.com] up 26 days, 21:07, 16 users

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Routing based on source port - Solution ?

[Tobias]

Hello Adrian

Thanks for your help. It is working with your advice to use
the mangle OUTPUT table and the ascii grafik on
http://netfilter.samba.org/documentation/HOWTO//netfilter-hacking-HOWTO.html#toc3.2 .

My simplified ruleset is:

/usr/sbin/ip rule add from $OFFICIAL_IP_of_2nd_Interface table NP
/usr/sbin/ip route add default via $2_nd_Interface_Gateway dev $DEVICE_2_ROUTE_IS_AIMED table NP

iptables -t mangle -A OUTPUT -p tcp --dport $PORTNUMBER -j MARK --set-mark 1
/usr/sbin/ip rule add fwmark 1 table NP
/usr/sbin/ip route flush cache
iptables -t nat -A POSTROUTING -o $DEVICE_2_ROUTE_IS_AIMED -p tcp --dport $PORTNUMBER -j SNAT --to $OFFICIAL_IP_of_2nd_Interface



Greets
Tobias

On Fri, 19 Apr 2002 11:34:21 -0400
"Adrian Chung" <adrian@enfusion-group.com> wrote:

> On Fri, Apr 19, 2002 at 03:18:01PM +0200, Tobias wrote:
> [...]
> > Unfortinuatly netfilter can only set MARKs in the moment the
> > packets travers the INPUT Queue (of corresponding interface).
> > 
> > -->
> > netfilter is not able to set mark for _local_ created packets,
> > because the INPUT Queue of netfilter is not passed.
> > 
> > => In fact the MARK mechanism can only be used for incoming packets.
> 
> Prior to 2.4.18, the 'mangle' table had PREROUTING (for incoming
> packets prior to routing) and OUTPUT (for locally generated packets)
> chains.  After 2.4.18, there are INPUT, FORWARD, and POSTROUTING
> chains as well.
> 
> I'm using the OUTPUT chain of the 'mangle' table to set-tos values,
> but I'm pretty sure I can --set-mark instead.  I'm unable to test it
> at the moment though.
> 
> --
> Adrian Chung (adrian at enfusion-group dot com)
> http://www.enfusion-group.com/~adrian
> GPG Fingerprint: C620 C8EA 86BA 79CC 384C E7BE A10C 353B 919D 1A17
> [toad.enfusion-group.com] up 26 days, 21:07, 16 users
> 
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/