RE: [LARTC] ipchains iproute2 and port based routing

From: "Marco Balle" <mb@monster-server.de>
To: lartc@vger.kernel.org
Subject: RE: [LARTC] ipchains iproute2 and port based routing
Date: Wed, 09 Oct 2002 17:43:02 +0000	[thread overview]
Message-ID: <marc-lartc-103418546910292@msgid-missing> (raw)
In-Reply-To: <marc-lartc-103416308716008@msgid-missing>

Hi Martin!

I send this mail with a other E-Mal account - because I am now at home,
but I am Marco!!

Okay, I tried this. But is does not work.

It is very strange, because I made a tcpdump and the result shows it is
the masq?
The configuration:

ipchains -A input -p icmp -s 192.168.0.0/24 -m 2
ip ru add fwmark 2 table 10
ip route add default via x.x.x.x dev eth2 table 10
ipchains -A forward -s 192.168.0.0/24 -j MASQ
* x.x.x.x is the default gateway!

here the tcpdump on eth2 during a ping from internal 192.168.0.31 to a
host in the internet (ping 62.154.89.102 - 4 times timeout):

tcpdump: listening on eth2
19:20:28.532089 y.y.y.y > L-EB1.L.DE.net.dtag.de: icmp: echo request
19:20:28.572089 L-EB1.L.DE.net.dtag.de > y.y.y.y: icmp: echo reply
19:20:33.532089 arp who-has x.x.x.x tell y.y.y.y
19:20:33.532089 arp reply x.x.x.x is-at 0:0:c0:b1:a9:90
19:20:33.852089 y.y.y.y > L-EB1.L.DE.net.dtag.de: icmp: echo request
19:20:33.882089 L-EB1.L.DE.net.dtag.de > y.y.y.y: icmp: echo reply
19:20:38.852089 y.y.y.y > L-EB1.L.DE.net.dtag.de: icmp: echo request
19:20:38.892089 L-EB1.L.DE.net.dtag.de > y.y.y.y: icmp: echo reply
19:20:43.862089 y.y.y.y > L-EB1.L.DE.net.dtag.de: icmp: echo request
19:20:43.902089 L-EB1.L.DE.net.dtag.de > y.y.y.y: icmp: echo reply

y.y.y.y = the ip of eth2
x.x.x.x = the gateway

You can see, the ping goes out and returns on the eth2 interface. But it
will not be masqueraded to the internal host 192.168.0.31.
On this host, I started the ping.
Other strange thing: after the return of the first reply, there is a
pause of 5 seconds. After that comes a arp request.

And anything else: if I delete the rule fwmark 2 table 10, the client
(192.168.0.31) shows during a ping to outside:
192.168.0.1 (ip of eth0): no route to host

The ip rule seems to work and the ip route too because the icmp packet
goes out and comes back. But why will it not be route to the internal
host, which has sent it?

I really do not know what is wrong here.

If I do:

ip ru add default via x.x.x.x dev eth2

Everything works well - everything goes over eth2.

You wrote:
> : ip ro add 0/0 dev eth2 table s-dsl
> : ip ro add 0/0 dev ppp0 table a-dsl
>
>You need to specify a default gateway here, or else you are telling
your
>box to route 0/0 directly out the interface--which means it will arp
for
>every address on the Internet on your local ethernet!
>
>ip route add 0/0 via x.x.x.x table s-dsl
>ip route add 0/0 via x.x.x.x table a-dsl
>
>should do it.  You can use the "dev $DEVNAME" if you wish.
>
> : The maqerading is also setup:
> : ipchains -A forward -s 192.168.0.0/24 -j MASQ
>
> : How can i test, if the packtes get marked?
>
>Look at the verbose ipchains output ("ipchains -nvL forward") output to
>see if the usage counter on the particular chain increments.

And with ipchains -nvL, i can see the packets will be marked in the
input chain. This seems to work too.

Hope anybody have I idea.

Best Regards

Marco

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/