From: Arindam Haldar
Date: Fri, 11 Oct 2002 04:16:38 +0000
Subject: [LARTC] owner based policy routing
To: lartc@vger.kernel.org

hi all,

THE SCENARIO:

we are connected to 2 ISPs, both having their own large network. ISP A has a gateway on an OFC network while ISP B has a satellite gateway, & hence there are advantages to taking specific routes through a specific ISP.

PRESENT IMPLEMENTATION:

the present linux box runs kernel 2.4.19, Julian's multiroute patch, iproute-ss020116, htb3.6-020525 & iptables-1.2.7a. this box has 5 ether ports & is presently doing only **source** based policy routing for access to the internet. at present no squid is implemented on this box. things have been working well for the last 40-45 days!

THE RULES DEFINED:

    10:     from all lookup main
    50:     from lookup ispA
    50:     from all fwmark 50 lookup ispA
    75:     from lookup ispB
    75:     from all fwmark 75 lookup GNFC
    100:    from lookup balance
    100:    from lookup balance
    100:    from lookup balance
    100:    from all fwmark 100 lookup balance
    32766:  from all lookup main
    32767:  from all lookup default

THE ROUTES:

    [root@ICG surfNet]# ip route ls ta ispA
    default via dev eth3 proto static src
    prohibit default proto static metric 1

    [root@ICG surfNet]# ip route ls ta ispB
    default via dev eth0 proto static src
    prohibit default proto static metric 1

    [root@ICG surfNet]# ip route ls ta balance
    default proto static
        nexthop via dev eth3 weight 3
        nexthop via dev eth0 weight 1
    prohibit default proto static metric 1

    [root@ICG surfNet]# ip route ls ta default
    default via dev eth0

THE GOAL:

we want policy routing based on the owner of the packet; in particular we want squid to take the best path, the best path according to us (pls no BGP here).

WHAT WE TRIED:

we tried using iptables owner based rules & marked packets (as one can see in the rules above), but it didn't help.

    iptables -I OUTPUT -t mangle -m owner --uid-owner -d 202.0.0.0/8 -j MARK --set-mark 50
    iptables -I OUTPUT -t mangle -m owner --uid-owner -d 204.0.0.0/7 -j MARK --set-mark 50
    iptables -I OUTPUT -t mangle -m owner --uid-owner -d 203.0.0.0/8 -j MARK --set-mark 75
    iptables -I OUTPUT -t mangle -m owner --uid-owner -d 216.0.0.0/8 -j MARK --set-mark 75

but the packets were not marked, as seen by

    iptables -nvL -t mangle

& hence owner based policy routing is not working... hence now we turn to the list for help. awaiting a reply... thanx to you all in advance...

A.H

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/
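A small check for the counters the mail refers to, added here as an example and not part of the original post: it parses `iptables -t mangle -nvL OUTPUT` and `ip rule ls` output (the sample text below is constructed, not from the mail; the UID 23 and the counter values are made up) and reports which MARK rules never matched a packet, plus marks that packets do carry but for which no `fwmark` rule selects a table.

```python
import re

# Constructed sample of `iptables -t mangle -nvL OUTPUT` output (assumed layout; UID 23 and all counters are made up)
IPTABLES_MANGLE_OUTPUT = """\
Chain OUTPUT (policy ACCEPT 48213 packets, 6201K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MARK       all  --  *      *       0.0.0.0/0            202.0.0.0/8          OWNER UID match 23 MARK set 0x32
    0     0 MARK       all  --  *      *       0.0.0.0/0            203.0.0.0/8          OWNER UID match 23 MARK set 0x4b
  917 61023 MARK       all  --  *      *       0.0.0.0/0            204.0.0.0/7          OWNER UID match 23 MARK set 0x64
"""
# Constructed sample of `ip rule ls` output; deliberately no rule for fwmark 100
IP_RULE_OUTPUT = """\
50:\tfrom all fwmark 50 lookup ispA
75:\tfrom all fwmark 75 lookup ispB
32766:\tfrom all lookup main
"""

def counter(field):
    """Turn an iptables counter such as '917' or '6201K' into an int."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}.get(field[-1], 1)
    return int(field.rstrip("KMG")) * mult

def parse_mark_rules(text):
    """Return (packets, destination, mark) for every MARK rule in -nvL output."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9 or f[2] != "MARK":   # skips chain header and column header
            continue
        m = re.search(r"MARK set (\S+)", line)
        if m:  # int(..., 0) accepts both 0x32 and plain 50
            rules.append((counter(f[0]), f[8], int(m.group(1), 0)))
    return rules

def parse_fwmark_rules(text):
    """Map fwmark value -> routing table from `ip rule ls` output."""
    return {int(m.group(1), 0): m.group(2)
            for m in re.finditer(r"fwmark (\S+) lookup (\S+)", text)}

def diagnose(iptables_text, ip_rule_text):
    """Report MARK rules that never fired and marks that no ip rule routes on."""
    tables = parse_fwmark_rules(ip_rule_text)
    zero_hit, no_rule = [], []
    for pkts, dest, mark in parse_mark_rules(iptables_text):
        if pkts == 0:          # rule present but never matched a packet
            zero_hit.append((dest, mark))
        if mark not in tables: # packets marked, but nothing routes on that mark
            no_rule.append((dest, mark))
    return {"zero_hit": zero_hit, "no_fwmark_rule": no_rule, "tables": tables}
```

On a live box, feed `diagnose()` the real command output instead of the constructed strings; a rule in `zero_hit` means the owner match itself is not catching the traffic, while an entry in `no_fwmark_rule` means marking works but the routing side is missing.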