* [LARTC] Splitting locally generated traffic based on destination port
@ 2002-08-31 19:03 Arthur Donkers
  2002-08-31 19:46 ` [LARTC] Splitting locally generated traffic based on destination Miernik
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Arthur Donkers @ 2002-08-31 19:03 UTC (permalink / raw)
  To: lartc

Hi All,

I have a Linux box (2.4.19, iptables 1.2.6a) that has two Ethernet
interfaces. eth0 is connected to a Cisco which is connected to the
Internet via a leased line. eth1 is connected to an ADSL connection.
Both interfaces have a fixed IP address, and the default route points
over the ADSL connection (because this is used for browsing, ftp and
such).

However, eth0 has the 'official' IP address and should be used for
sending e-mail and some ssh traffic.

I already defined a policy to return incoming traffic over the interface
it was received on, so both interfaces can be contacted via the Internet.

My question now is how to define a policy so that specific traffic, generated
locally by sendmail and ssh, uses eth0 as its interface instead of eth1,
which is used for the default route?

I already mark outgoing traffic in the mangle table thus

iptables -A OUTPUT -t mangle -p tcp --dport 25 -j MARK --set-mark 1

I have to SNAT outgoing traffic as well:

iptables -A POSTROUTING -t nat -m mark --mark 1 -j SNAT --to-source <eth0>

I have added a table mail.out to /etc/iproute2/rt_tables and defined rules
like this:

ip rule add fwmark 1 table mail.out
ip route add default via <gw on eth0 network> dev eth0 src <eth0>

And when I do this:

telnet <mailhost> 25

I indeed see a SYN packet coming out of eth0 to <mailhost>, and a SYN/ACK
packet comes back. The problem is that it appears that the Linux box does
not see this SYN/ACK packet and resends the SYN packet after a few
seconds, which again is answered by a SYN/ACK and this goes on a few
times. No other packet filters are active on the Linux box (yet).

So how do I get this setup to work? Am I heading in the wrong direction
with the policy, or is there something else missing?

thnx in advance,

Arthur Donkers

--
/* Disclaimer :   you hire my skills, not my opinions, those are mine !    */
/* email : arthur@reseau.nl    Security    'Me ? I'm not me ! I'm just a   */
/* phone : (+31) 50 549 2701   is not a     computer simulation of me'     */
/* URL http://www.reseau.nl   dirty word      Red Dwarf, First Episode     */

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] Splitting locally generated traffic based on destination
  2002-08-31 19:03 [LARTC] Splitting locally generated traffic based on destination port Arthur Donkers
@ 2002-08-31 19:46 ` Miernik
  2002-08-31 19:47 ` [LARTC] Splitting locally generated traffic based on destination port Sebastian Bleikamp
  2002-08-31 20:41 ` Arthur Donkers
  2 siblings, 0 replies; 4+ messages in thread
From: Miernik @ 2002-08-31 19:46 UTC (permalink / raw)
  To: lartc

On Sat, 31 Aug 2002, Arthur Donkers wrote:

> I have added a table mail.out to /etc/iproute2/rt_tables and defined rules
> like this:
>
> ip rule add fwmark 1 table mail.out
> ip route add default via <gw on eth0 network> dev eth0 src <eth0>
>
> And when I do this:
>
> telnet <mailhost> 25
>
> I indeed see a SYN packet coming out of eth0 to <mailhost>, and a SYN/ACK
> packet comes back. The problem is that it appears that the Linux box does
> not see this SYN/ACK packet and resends the SYN packet after a few
> seconds, which again is answered by a SYN/ACK and this goes on a few
> times. No other packet filters are active on the Linux box (yet).

Try:

echo "0" > /proc/sys/net/ipv4/conf/eth0/rp_filter

If it works, to make it permanent, include this line in your
/etc/sysctl.conf file:

net/ipv4/conf/eth0/rp_filter = 0

-- 
Miernik              _____________________________________
                    /   /
tel.: +48603070983 /   /  mailto:miernik@ctnet.pl
__________________/___/  ICQ UIN: 4004001

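Arthur's four steps (mark in mangle/OUTPUT, SNAT in nat/POSTROUTING, a fwmark rule, a default route in the extra table) and Miernik's rp_filter fix, combined into one script. This is an added example, not code from the thread or from the LARTC project. The addresses (192.0.2.x, from the documentation range), the table number 200, and marking port 22 alongside port 25 are assumptions; the default route is placed in the mail.out table explicitly (the `ip route add` line quoted above has no `table` argument, so as written it would go into the main table). The rp_filter check reads the sysctl through a PROC_ROOT prefix so it can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not from the thread: send locally generated SMTP/SSH traffic
# out of eth0 while the default route stays on eth1, and verify rp_filter.
# Placeholders (assumptions, replace for your own network):
ETH0_IP=192.0.2.10      # eth0 address (TEST-NET-1 documentation range)
ETH0_GW=192.0.2.1       # gateway on the eth0 network
MARK=1                  # fwmark value used in the thread
TABLE=mail.out          # table name used in the thread
TABLE_ID=200            # assumed numeric id for /etc/iproute2/rt_tables

# Print the configuration commands instead of running them, so they can be
# reviewed (and compared with the running config) before being applied.
emit_rules() {
    cat <<EOF
grep -q "[[:space:]]$TABLE\$" /etc/iproute2/rt_tables || echo "$TABLE_ID $TABLE" >> /etc/iproute2/rt_tables
iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark $MARK
iptables -t mangle -A OUTPUT -p tcp --dport 22 -j MARK --set-mark $MARK
iptables -t nat -A POSTROUTING -m mark --mark $MARK -j SNAT --to-source $ETH0_IP
ip rule add fwmark $MARK table $TABLE
ip route add default via $ETH0_GW dev eth0 src $ETH0_IP table $TABLE
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
EOF
}

# Return 0 if reverse-path filtering is off for the interface, 1 if it is on,
# 2 if the sysctl cannot be read. PROC_ROOT lets the check run against a
# constructed directory tree instead of the live /proc.
rp_filter_off() {
    f="${PROC_ROOT:-/proc}/sys/net/ipv4/conf/$1/rp_filter"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "0" ]
}

# Count the emitted commands that name the dedicated table: both the policy
# rule and the default route must, or the route lands in the main table.
table_refs() {
    emit_rules | grep -c " table $TABLE$"
}

emit_rules
# The echoed status lines start with '#' so the printed output stays a valid
# shell script that can be reviewed and then piped into sh.
if rp_filter_off eth0; then
    echo "# eth0 rp_filter is already off"
else
    echo "# eth0 rp_filter is on or unreadable: a SYN/ACK returning on eth0 for a flow whose reverse route is via eth1 would be dropped"
fi
```

Run the script to print the commands and pipe the output into sh only after reviewing it. Setting rp_filter to 0 on eth0 switches off the kernel's reverse-path check on that interface, which is exactly the check that discards the SYN/ACK here (its source is reachable via eth1 according to the main table, not via eth0). On kernels from 2.6.31 on, rp_filter=2 (loose mode) accepts a packet if any interface could reach its source, which keeps part of that check; on the 2.4.19 kernel in the thread only 0 and 1 exist.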


* Re: [LARTC] Splitting locally generated traffic based on destination port
  2002-08-31 19:03 [LARTC] Splitting locally generated traffic based on destination port Arthur Donkers
  2002-08-31 19:46 ` [LARTC] Splitting locally generated traffic based on destination Miernik
@ 2002-08-31 19:47 ` Sebastian Bleikamp
  2002-08-31 20:41 ` Arthur Donkers
  2 siblings, 0 replies; 4+ messages in thread
From: Sebastian Bleikamp @ 2002-08-31 19:47 UTC (permalink / raw)
  To: lartc

Arthur Donkers wrote:

> My question now is how to define a policy so that specific traffic, generated
> locally by sendmail and ssh, uses eth0 as its interface instead of eth1,
> which is used for the default route?
> 
> I already mark outgoing traffic in the mangle table thus
> iptables -A OUTPUT -t mangle -p tcp --dport 25 -j MARK --set-mark 1
> I have to SNAT outgoing traffic as well:
> iptables -A POSTROUTING -t nat -m mark --mark 1 -j SNAT --to-source <eth0>
> I have added a table mail.out to /etc/iproute2/rt_tables and defined rules
> like this:
> ip rule add fwmark 1 table mail.out
> ip route add default via <gw on eth0 network> dev eth0 src <eth0>
>
> And when I do this:
> telnet <mailhost> 25
> 
> I indeed see a SYN packet coming out of eth0 to <mailhost>, and a SYN/ACK
> packet comes back. The problem is that it appears that the Linux box does
> not see this SYN/ACK packet and resends the SYN packet after a few
> seconds, which again is answered by a SYN/ACK and this goes on a few
> times. No other packet filters are active on the Linux box (yet).


Hello Arthur,

I'm not a professional in routing, but I think I've read something about
the routing mechanism:


Packet ---> Table PREROUTING -+-> Table FORWARD  -+-> Table POSTROUTING
                               |                   |    (and then out)
                               +-> Table INCOMING  |
                                                   |
                                   Table OUTGOING -+

The problem is that the routing decision is done AFTER processing the
forward table, but BEFORE the postrouting table (NAT). So it is possible
to modify the packets in POSTROUTING in such a way that they will go out via
device A, but have the IP of the other device B.
If the "answer" packet comes in at A (but is addressed to B), the
address will be checked and device A drops (/does not listen to) it.
("Hey, that packet is not for me!").

A possible unclean variant to fix that would be to put device A in the so
called "promisc" (promiscuous?) mode, where all packets are processed.

The clean variant is _not_ to do NAT by the filter. Make the _routing_
decision depend on the filter, and NAT is done afterwards based on
the routing.


Hope I haven't told you too much that's wrong,
Sebastian

-=> Sebastian Bleikamp
-=> EMail: <Sebastian.Bleikamp@web.de>
-=> Phone: +49-172-6545394



* Re: [LARTC] Splitting locally generated traffic based on destination port
  2002-08-31 19:03 [LARTC] Splitting locally generated traffic based on destination port Arthur Donkers
  2002-08-31 19:46 ` [LARTC] Splitting locally generated traffic based on destination Miernik
  2002-08-31 19:47 ` [LARTC] Splitting locally generated traffic based on destination port Sebastian Bleikamp
@ 2002-08-31 20:41 ` Arthur Donkers
  2 siblings, 0 replies; 4+ messages in thread
From: Arthur Donkers @ 2002-08-31 20:41 UTC (permalink / raw)
  To: lartc

On Sat, Aug 31, 2002 at 09:46:31PM +0200, Miernik wrote:
> On Sat, 31 Aug 2002, Arthur Donkers wrote:
> 
> > I have added a table mail.out to /etc/iproute2/rt_tables and defined rules
> > like this:
> >
> > ip rule add fwmark 1 table mail.out
> > ip route add default via <gw on eth0 network> dev eth0 src <eth0>
> >
> > And when I do this:
> >
> > telnet <mailhost> 25
> >
> > I indeed see a SYN packet coming out of eth0 to <mailhost>, and a SYN/ACK
> > packet comes back. The problem is that it appears that the Linux box does
> > not see this SYN/ACK packet and resends the SYN packet after a few
> > seconds, which again is answered by a SYN/ACK and this goes on a few
> > times. No other packet filters are active on the Linux box (yet).
> 
> Try:
> 
> echo "0" > /proc/sys/net/ipv4/conf/eth0/rp_filter
> 
> If it works, to make it permanent, include this line in your
> /etc/sysctl.conf file:
> 
> net/ipv4/conf/eth0/rp_filter = 0

Thanks! This works!

grtz,

Arthur

--
/* Disclaimer :   you hire my skills, not my opinions, those are mine !    */
/* email : arthur@reseau.nl    Security    'Me ? I'm not me ! I'm just a   */
/* phone : (+31) 50 549 2701   is not a     computer simulation of me'     */
/* URL http://www.reseau.nl   dirty word      Red Dwarf, First Episode     */

