* [LARTC] iproute + mark question
@ 2002-05-14 14:47 Ciprian Niculescu
2002-05-14 15:20 ` Daniel K.
` (7 more replies)
0 siblings, 8 replies; 9+ messages in thread
From: Ciprian Niculescu @ 2002-05-14 14:47 UTC (permalink / raw)
To: lartc
I want to mark the packets generated locally, and route them differently.
So the logic in me was to mark in mangle in PREROUTING, because it's
PRE. Doesn't work.
Someone told me to try in OUTPUT in mangle; did it and it works.
So iptables -A OUTPUT -t mangle -p udp --dport 50000:51000 -j MARK
--set-to 0x1
ip rule add fwmark 0x1 table 230
ip route add default via 194... table 230
Why does it work?
So I understand that OUTPUT is before ROUTING, so the order is:
gen local -> OUTPUT(mangle) -> routing -> wire
Does anybody have the whole packet path, a graphic, with: mangle, nat,
filter, routing, tc, tunnel, for locally generated packets and for
FORWARDed packets???
C
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
From: Daniel K. @ 2002-05-14 15:20 UTC (permalink / raw)
To: lartc
Ciprian Niculescu wrote:
> does anybody have the hole packet path, a grafic, with: mangle, nat,
> filter, routing, tc, tunel, for local generated pachetd and for
> FORWARDed pachets???
This is what iptables looks like.
          /----------\         /-------\         /-----------\
IN--->---< PREROUTING >--->---< FORWARD >--->---< POSTROUTING >--->--OUT
          \----------/         \-------/         \-----------/
            \                                                /
             \                                              /
               /-----\         /-------------\         /------\
              < INPUT >--->---< LOCAL PROCESS >--->---< OUTPUT >
               \-----/         \-------------/         \------/
Maybe you should read some of Rusty's Remarkably Unreliable Guides
http://netfilter.samba.org/unreliable-guides/
In particular, section 6 of Linux 2.4 Packet Filtering HOWTO
http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/packet-filtering-HOWTO.linuxdoc.html
Daniel K.
* Re: [LARTC] iproute + mark question
From: Ciprian Niculescu @ 2002-05-14 15:36 UTC (permalink / raw)
To: lartc
I did what you asked; this is what is in section 6 of the link you provided:
                          _____
Incoming                 /     \         Outgoing
       -->[Routing ]--->|FORWARD|------->
          [Decision]     \_____/        ^
               |                        |
               v                     ____
              ___                   /    \
             /   \                 |OUTPUT|
            |INPUT|                 \____/
             \___/                     ^
               |                        |
                ----> Local Process ----
In this one the local process never goes through a "routing decision",
but let's say it's for simplicity :))
And yours is wrong too: Local Process -> OUTPUT -> POSTROUTING -> Out
- so where is the routing decision?
- and I tried to put the match in POSTROUTING and it did not match
C
* Re: [LARTC] iproute + mark question
From: Daniel K. @ 2002-05-14 15:55 UTC (permalink / raw)
To: lartc
Ciprian Niculescu wrote:
> I did what you asked; this is what is in section 6 of the link you
> provided:
>
> Incoming / \ Outgoing
> -->[Routing ]--->|FORWARD|------->
> [Decision] \_____/ ^
> | |
> v ____
> ___ / \
> / \ |OUTPUT|
> |INPUT| \____/
> \___/ ^
> | |
> ----> Local Process ----
>
> In this one the local process never goes through a "routing decision",
> but let's say it's for simplicity :))
>
> And yours is wrong too: Local Process -> OUTPUT -> POSTROUTING -> Out
>
> - so where is the routing decision?
The routing decision is between OUTPUT and POSTROUTING;
POSTROUTING means AFTER routing.
So you may say: "Locally generated packet" -> OUTPUT -> "Routing
Decision" -> POSTROUTING.
If you want to mangle (e.g. mark) locally generated packets, you have to
do so in the OUTPUT table. In this case it will be marked for the
routing decision which comes next.
Daniel K.
> - and I tried to put the match in POSTROUTING and it did not match
* Re: [LARTC] iproute + mark question
From: Ciprian Niculescu @ 2002-05-14 16:13 UTC (permalink / raw)
To: lartc
> The routing decision is between OUTPUT and POSTROUTING;
> POSTROUTING means AFTER routing.
>
> So you may say: "Locally generated packet" -> OUTPUT -> "Routing
> Decision" -> POSTROUTING.
Yes, I know, I do it that way now, but the question was, and still is:
are there other "tips" left out of the AdvRoutingHOWTO????
So the new/more real graph is:
      /----------\     /-------\     /-------\     /-----------\
IN->-< PREROUTING >->-< FORWARD >->-< routing >->-< POSTROUTING >->-OUT
      \----------/     \-------/     \-------/     \-----------/
        \                                   ^
         \                                  |
           /-----\     /-------------\     /------\
          < INPUT >->-< LOCAL PROCESS >->-< OUTPUT >
           \-----/     \-------------/     \------/
Is it correct?
Now that I started this thread, I want to finish the picture :)
C
* Re: [LARTC] iproute + mark question
From: Julian Anastasov @ 2002-05-14 16:21 UTC (permalink / raw)
To: lartc
Hello,
On Tue, 14 May 2002, Daniel K. wrote:
> > - so where is the routing decision?
> The routing decision is between OUTPUT and POSTROUTING;
> POSTROUTING means AFTER routing.
Wrong, the order is:
- routing decision requested from sockets
- OUTPUT
- netfilter routing hacks (rerouting after routing key change)
- POSTROUTING
Maybe one day someone will update this picture in the
right way :)
Regards
--
Julian Anastasov <ja@ssi.bg>
From: Jason A. Pattie @ 2002-05-15 16:14 UTC (permalink / raw)
To: lartc
Ciprian Niculescu wrote:
> I want to mark the packets generated locally, and route them differently.
We have almost the same scenario except we need to use tcp instead of
udp and we want to direct all port 80 traffic from the internal network
out our new cable modem instead of using the older (slower) iDSL circuit.
> so iptables -A OUTPUT -t mangle -p udp --dport 50000:51000 -j MARK
> --set-to 0x1
I think this ^^^^^ needs to be
--set-mark?
It seems that 'iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK
--set-mark 0x1' works, because iptables -t mangle -L -v outputs packet
count sizes and shows that the specific rules are being matched.
> ip rule add fwmark 0x1 table 230
> ip route add default via 194... table 230
We did exactly these steps as well (except we used table 1) and gave the
rules a priority. Is this maybe where we went wrong?
It just doesn't work. The packets are being marked but are apparently
not being dumped into the correct routing table properly. When the
packets that are marked are logged, they have the source address of the
iDSL circuit instead of the cable modem, because the iDSL is the default
route for the 'main' table (I assume). The web traffic does not work
either. It just seems to go out the iDSL and doesn't appear to come
back. Or if it does, it does not know how to route internally for some
reason, even though the source address is the iDSL, which it should know
everything it needs to know about in order to route it back into the
internal network.
Does routing table 1 need to have routes to the internal network? I
wouldn't think so, but I could be mistaken.
--
Jason A. Pattie
pattieja@pcxperience.com
From: Ciprian Niculescu @ 2002-05-15 16:27 UTC (permalink / raw)
To: lartc
I did my work; my problem was that there are differences between the HOWTO and reality.
So let's see your problem.
Jason A. Pattie wrote:
> We have almost the same scenario except we need to use tcp instead of
> udp and we want to direct all port 80 traffic from the internal network
> out our new cable modem instead of using the older (slower) iDSL circuit.
Steps:
- mark packets to port 80 coming from the internal interface
- put them in a different routing table
- put the default route in the new table where you want to go
>> so iptables -A OUTPUT -t mangle -p udp --dport 50000:51000 -j MARK
>> --set-to 0x1
> I think this ^^^^^ needs to be
> --set-mark?
Yes, you're right; I wrote the line from memory, not copy&paste :))
> It seems that 'iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK
> --set-mark 0x1' works, because iptables -t mangle -L -v outputs packet
> count sizes and shows that the specific rules are being matched.
>> ip rule add fwmark 0x1 table 230
>> ip route add default via 194... table 230
I suggest that you mark packets in PREROUTING with:
iptables -t mangle -A PREROUTING -i <internal interface> -p tcp \
--dport 80 -j MARK --set-mark 0x1
After that, put the
ip rule add fwmark 0x1 table 230
ip route add default via 194... table 230
as the last lines executed in the script; in this way the rule will
be treated first. Check the order with "ip rule".
Hope that helps.
C
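A small Python model of the packet path this thread settles on (Julian's order for locally generated packets, Ciprian's three steps for forwarded ones). This is an added example, not code from the thread; the addresses, device names and table numbers are constructed. It shows why a mark set in OUTPUT reroutes a local packet but leaves the source address that the socket's first lookup chose, why a mark set in PREROUTING never touches local packets, and why a mark set in POSTROUTING is too late to change the route.

```python
# Constructed model of netfilter MARK chains plus fwmark policy routing (example only).
from dataclasses import dataclass, field

# Constructed routing tables: table -> (egress device, preferred source address)
TABLES = {"main": ("dsl0", "10.1.1.2"), 230: ("cable0", "10.2.2.2")}
# ip rules in priority order, as after "ip rule add fwmark 0x1 table 230"
RULES = [(0x1, 230), (None, "main")]

@dataclass
class Packet:
    dst: str
    dport: int
    src: str = ""        # empty for a local packet until the first route lookup
    in_iface: str = ""   # ingress device; empty for locally generated packets
    mark: int = 0
    dev: str = ""
    path: list = field(default_factory=list)

def route(pkt):
    # Policy routing lookup: the first rule whose fwmark matches picks the table.
    for fwmark, table in RULES:
        if fwmark is None or fwmark == pkt.mark:
            pkt.dev, preferred_src = TABLES[table]
            pkt.src = pkt.src or preferred_src   # source address is chosen only once
            pkt.path.append("route")
            return

def mangle(chain, pkt, rules):
    # Apply the MARK rules of one chain; a rule is (chain, in_iface or None, (lo, hi), mark).
    pkt.path.append(chain)
    for rchain, iface, (lo, hi), mark in rules:
        if rchain == chain and iface in (None, pkt.in_iface) and lo <= pkt.dport <= hi:
            pkt.mark = mark

def send_local(pkt, rules):
    # Local packet: socket route lookup -> OUTPUT -> reroute if the mark changed -> POSTROUTING.
    route(pkt)
    before = pkt.mark
    mangle("OUTPUT", pkt, rules)
    if pkt.mark != before:        # netfilter re-runs the lookup after a routing key change
        route(pkt)
    mangle("POSTROUTING", pkt, rules)   # after routing: a mark set here changes nothing
    return pkt

def forward(pkt, rules):
    # Forwarded packet: PREROUTING -> route -> FORWARD -> POSTROUTING.
    mangle("PREROUTING", pkt, rules)
    route(pkt)
    mangle("FORWARD", pkt, rules)
    mangle("POSTROUTING", pkt, rules)
    return pkt
```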
From: Jason A. Pattie @ 2002-05-15 16:47 UTC (permalink / raw)
To: lartc
Thanks for the response.
Ciprian Niculescu wrote:
> Steps:
> - mark packets to port 80 coming from the internal interface
> - put them in a different routing table
> - put the default route in the new table where you want to go
> I suggest that you mark packets in PREROUTING with:
> iptables -t mangle -A PREROUTING -i <internal interface> -p tcp \
> --dport 80 -j MARK --set-mark 0x1
Sorry, forgot to mention this. We have done this.
When doing a tcpdump on the cable modem, we were seeing packets coming
back from (say) yahoo.com around 10-15 seconds after sending them with
the IP address of the iDSL circuit!! which doesn't make sense at all.
> After that, put the
> ip rule add fwmark 0x1 table 230
> ip route add default via 194... table 230
> as the last lines executed in the script; in this way the rule will
> be treated first. Check the order with "ip rule".
OK.
> Hope that helps.
Thanks.
--
Jason A. Pattie
pattieja@pcxperience.com