[LARTC] Problem routing packets using fwmark and netfilter

[LARTC] Problem routing packets using fwmark and netfilter

[Stephane Ouellette]

Folks,

   I will install in a near future a firewall/router on which two NICs 
are connected to two different ISPs.  I have read the iproute2 
documentation and have been able to do some policy routing.


SUCCESSFUL TEST
---------------

Let's start with a simple ping test. I will ping two known computers on 
the internet using different gateways.

Following are the commands I have entered to enable policy routing using 
   the destination address as the routing key (Suppose that eth0 and 
eth1 are the NICs connected to my ISPs):

ip route add $LAN1 dev eth0 src $MYADDR1 table lan1
ip route add default via $GATEWAY1 table lan1

ip route add $LAN2 dev eth1 src $MYADDR2 table lan2
ip route add default via $GATEWAY2 table lan2

ip rule add to $TESTMACHINE1 table lan1
ip rule add to $TESTMACHINE2 table lan2


Now, pinging $TESTMACHINE1 or $TESTMACHINE2 shows the expected behaviour.


MY PROBLEM
----------

Suppose I want to do some policy routing using the fwmark as a routing 
key. I should have entered the following commands:

iptables -t mangle -A OUTPUT -o eth0 -p icmp --icmp-type \
-d $TESTMACHINE1 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -o eth1 -p icmp --icmp-type \
-d $TESTMACHINE2 -j MARK --set-mark 2
ip rule add fwmark 1 table lan1
ip rule add fwmark 2 table lan2

Now, pinging $TESTMACHINE1 or $TESTMACHINE2 always uses the same 
gateway! The iptables rule counters increment as expected but it seems 
that the fwmark has no effect on routing !!!


MY CONFIGURATION
----------------

RedHat 7.2 on i686
Kernel 2.4.20-pre9 (all options related to advanced routing are enabled)
Today's CVS snapshot of the Netfilter project



Any suggestion would be greatly appreciated !!!

Stephane.


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Problem routing packets using fwmark and netfilter

[Ramin Alidousti]

On Mon, Oct 07, 2002 at 12:28:46PM -0400, Stephane Ouellette wrote:

> MY PROBLEM
> ----------
> 
> Suppose I want to do some policy routing using the fwmark as a routing 
> key. I should have entered the following commands:
> 
> iptables -t mangle -A OUTPUT -o eth0 -p icmp --icmp-type \
> -d $TESTMACHINE1 -j MARK --set-mark 1
> iptables -t mangle -A OUTPUT -o eth1 -p icmp --icmp-type \
> -d $TESTMACHINE2 -j MARK --set-mark 2

I'd remove the '-o' option as you don't know yet where the packets
would be routed to.

Ramin
PS. You forgot the --icmp-type argument. Did your linux box take
these commands?


> ip rule add fwmark 1 table lan1
> ip rule add fwmark 2 table lan2
> 
> Now, pinging $TESTMACHINE1 or $TESTMACHINE2 always uses the same 
> gateway! The iptables rule counters increment as expected but it seems 
> that the fwmark has no effect on routing !!!
> 
> 
> MY CONFIGURATION
> ----------------
> 
> RedHat 7.2 on i686
> Kernel 2.4.20-pre9 (all options related to advanced routing are enabled)
> Today's CVS snapshot of the Netfilter project
> 
> 
> 
> Any suggestion would be greatly appreciated !!!
> 
> Stephane.
> 
> 
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Problem routing packets using fwmark and netfilter

[Stephane Ouellette]

Ramin Alidousti wrote:
> On Mon, Oct 07, 2002 at 12:28:46PM -0400, Stephane Ouellette wrote:
> 
> 
>>MY PROBLEM
>>----------
>>
>>Suppose I want to do some policy routing using the fwmark as a routing 
>>key. I should have entered the following commands:
>>
>>iptables -t mangle -A OUTPUT -o eth0 -p icmp --icmp-type \
>>-d $TESTMACHINE1 -j MARK --set-mark 1
>>iptables -t mangle -A OUTPUT -o eth1 -p icmp --icmp-type \
>>-d $TESTMACHINE2 -j MARK --set-mark 2
> 
> 
> I'd remove the '-o' option as you don't know yet where the packets
> would be routed to.
> 
> Ramin
> PS. You forgot the --icmp-type argument. Did your linux box take
> these commands?
> 

Ramin,

   I mistyped the commands I entered. In fact, you should read:

iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \
-d $TESTMACHINE1 -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \
-d $TESTMACHINE2 -j MARK --set-mark 2

Stephane


> 
> 
>>ip rule add fwmark 1 table lan1
>>ip rule add fwmark 2 table lan2
>>
>>Now, pinging $TESTMACHINE1 or $TESTMACHINE2 always uses the same 
>>gateway! The iptables rule counters increment as expected but it seems 
>>that the fwmark has no effect on routing !!!
>>
>>
>>MY CONFIGURATION
>>----------------
>>
>>RedHat 7.2 on i686
>>Kernel 2.4.20-pre9 (all options related to advanced routing are enabled)
>>Today's CVS snapshot of the Netfilter project
>>
>>
>>
>>Any suggestion would be greatly appreciated !!!
>>
>>Stephane.
>>
>>
>>_______________________________________________
>>LARTC mailing list / LARTC@mailman.ds9a.nl
>>http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
> 
> 



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/

Re: [LARTC] Problem routing packets using fwmark and netfilter

[Ramin Alidousti]

On Mon, Oct 07, 2002 at 06:21:52PM -0400, Stephane Ouellette wrote:

> >>Suppose I want to do some policy routing using the fwmark as a routing 
> >>key. I should have entered the following commands:
> >>
> >>iptables -t mangle -A OUTPUT -o eth0 -p icmp --icmp-type \
> >>-d $TESTMACHINE1 -j MARK --set-mark 1
> >>iptables -t mangle -A OUTPUT -o eth1 -p icmp --icmp-type \
> >>-d $TESTMACHINE2 -j MARK --set-mark 2
> >
> >
> >I'd remove the '-o' option as you don't know yet where the packets
> >would be routed to.
> >
> >Ramin
> >PS. You forgot the --icmp-type argument. Did your linux box take
> >these commands?
> >
> 
> Ramin,
> 
>   I mistyped the commands I entered. In fact, you should read:

That's what I figured :-)

But anyway, did you try these rules without the '-o' options?
Another point is that if I remember correctly, either mangle or nat
used to have problems with the OUTPUT chain in the past.

Ramin

> 
> iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \
> -d $TESTMACHINE1 -j MARK --set-mark 1
> iptables -t mangle -A OUTPUT -p icmp --icmp-type echo-request \
> -d $TESTMACHINE2 -j MARK --set-mark 2
> 
> Stephane
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/