* [LARTC] Linux Advanced Routing & Traffic Control
@ 2002-10-16  3:31 Grant Furick
  2002-10-16 15:54 ` Stephane Ouellette
  2002-10-16 16:30 ` Stef Coene
  0 siblings, 2 replies; 3+ messages in thread
From: Grant Furick @ 2002-10-16  3:31 UTC (permalink / raw)
  To: lartc

I am trying to use netfilter (iptables) to mark packets bound for port
25 on the internal interface and then using iproute2 to route those
marked packets over the DSL.  Everything seems to work as intended
except that email traffic is going out over the internal ip (thru cable)
and not the DSL.  So it doesn't seem like the marking and routing that I
have setup is working right.

My scenario is:
1 Redhat 7.3 Linux machine (kernel 2.4.18-3)
1 network appliance
1 dsl router
1 cable modem

The linux machine has:
2 nics (1 static ip DSL, 2nd ip is internal 192.168.0.10 goes through
network appliance via nat out cable modem)

I want all traffic coming in over DSL to go out over DSL and all traffic
coming in to the internal IP to go out the internal IP.  There are
actually other internal ip lan clients but they are separate from this
scenario.  The one caveat would be to have all outgoing smtp traffic go
over the DSL.  Sendmail runs on all interfaces.  I need all outbound
email to go out over DSL because some email servers
(earthlink/mindspring) are blocking mail servers coming from certain
cable modem ips.  The last caveat is that I want the default route of
traffic, or all originating traffic that is non smtp, to go out over the
cable modem to take advantage of the fast download speed of cable as
compared to the slower DSL.

Here is the script I am running out of rc.local at boot.  Can anyone
suggest changes to make it work?

#!/bin/sh

# The "=" in these assignments was lost in the archive; reconstructed here.
# The posted script gave the networks without a prefix length, and without
# one "ip route add" installs a single-host route: the DSL subnet's length
# is not in the post, the /24 on the LAN is an assumption.
P1_NET=X.X.X.208
P2_NET=192.168.0.0/24
# DSL
IF1=eth0
# Internal nat'd to cable
IF2=eth1
IP1=X.X.X.210
IP2=192.168.0.10
P1=X.X.X.209
P2=192.168.0.1

# Per-uplink tables: the connected net plus that uplink's default gateway
ip route add $P1_NET dev $IF1 src $IP1 table DSL
ip route add default via $P1 table DSL
ip route add $P2_NET dev $IF2 src $IP2 table CABLE
ip route add default via $P2 table CABLE
# Main table: both connected nets, default via the cable side
ip route add $P1_NET dev $IF1 src $IP1
ip route add $P2_NET dev $IF2 src $IP2
ip route add default via $P2
# Marked (SMTP) packets: default via DSL
ip route add default via $P1 dev $IF1 table MAIL.OUT
# Rule order: fwmark first, then uplink selection by source address
ip rule add fwmark 1 table MAIL.OUT prio 220
ip rule add from $IP1 table DSL prio 230
ip rule add from $IP2 table CABLE prio 240
ip route flush cache

# End of script

This is the iptables cmd I ran and is restored on reboot by iptables:
iptables -A PREROUTING -i eth1 -t mangle -p tcp --dport 25 -j MARK --set-mark 1

Here is the rt_tables file:
#
# reserved values
#
#255    local
#254    main
#253    default
#0      unspec

#
# local
#
#1      inr.ruhep
200 DSL
201 CABLE
202 MAIL.OUT

I appreciate any help or direction.  I have kind of merged two scripts
from
http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.rpdb.multiple-links.html
And
http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.netfilter.html

Do I need to enable ip forwarding or turn off the reverse path filter?

Grant Furick


_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] Linux Advanced Routing & Traffic Control
  2002-10-16  3:31 [LARTC] Linux Advanced Routing & Traffic Control Grant Furick
@ 2002-10-16 15:54 ` Stephane Ouellette
  2002-10-16 16:30 ` Stef Coene
  1 sibling, 0 replies; 3+ messages in thread
From: Stephane Ouellette @ 2002-10-16 15:54 UTC (permalink / raw)
  To: lartc

Grant Furick wrote:

Grant,

   First of all, locally-generated traffic doesn't go through the 
MANGLE/PREROUTING table. It goes through the tables using the following 
order: MANGLE/OUTPUT, NAT/OUTPUT, FILTER/OUTPUT, MANGLE/POSTROUTING and 
NAT/POSTROUTING.

   I've been trying to use the fwmark as a routing key for 
locally-generated traffic and never succeeded.  The reason is that the 
routing decision is taken BEFORE the packet is sent to the MANGLE/OUTPUT 
table.  On the other hand, I can use the fwmark as a routing key for 
forwarded traffic.

   I'm no expert in sendmail, but I suggest that you modify its 
configuration to achieve your goal, which is selecting the output interface.

   To answer your last questions, you don't need to enable forwarding 
nor disable the reverse path filtering.

Regards,

Stephane.

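A worked version of the setup Stephane describes, added here as an editor's example and not code from the thread or from the LARTC HOWTO: the mark is set in mangle OUTPUT rather than PREROUTING, and two things the mark alone does not fix are handled as well, the source address (fixed by the first route lookup, i.e. via the cable default, before any mark exists) and strict reverse-path filtering on the DSL interface. Assumed rather than taken from the post: the documentation block 203.0.113.208/29 in place of the redacted DSL subnet, a /24 LAN, the three rt_tables names the poster listed, and a kernel that re-runs the route lookup after mangle OUTPUT changes the mark (the replies above report this did not work for them on 2.4.18-3; later kernels do it).

```sh
#!/bin/sh
# Added example; not the poster's script and not from the LARTC HOWTO.
# Dual-uplink host: DSL on eth0 (public address), cable via a NAT appliance
# on eth1 (private address). Everything defaults to cable; locally generated
# SMTP must leave via DSL carrying the DSL address as source.
#
# Assumptions: tables DSL, CABLE and MAIL.OUT exist in /etc/iproute2/rt_tables
# as in the post; 203.0.113.208/29 (documentation range) stands in for the
# redacted DSL subnet and 192.168.0.0/24 for the LAN, both prefix lengths
# assumed; the kernel re-evaluates the route after mangle OUTPUT changes the
# mark (the thread reports this not working on 2.4.18-3; later kernels do it).
#
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 as root applies them.

IF1=eth0; IP1=203.0.113.210; P1=203.0.113.209; P1_NET=203.0.113.208/29
IF2=eth1; IP2=192.168.0.10;  P2=192.168.0.1;   P2_NET=192.168.0.0/24
SMTP_MARK=1

emit() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_routes() {
    # One table per uplink: the connected net plus that uplink's default.
    emit ip route add "$P1_NET" dev "$IF1" src "$IP1" table DSL
    emit ip route add default via "$P1" dev "$IF1" table DSL
    emit ip route add "$P2_NET" dev "$IF2" src "$IP2" table CABLE
    emit ip route add default via "$P2" dev "$IF2" table CABLE
    # MAIL.OUT holds only a default via DSL; LAN destinations are never
    # marked (see setup_netfilter), so they never consult it.
    emit ip route add default via "$P1" dev "$IF1" table MAIL.OUT
    # Main table: both connected nets, default via cable.
    emit ip route add "$P1_NET" dev "$IF1" src "$IP1"
    emit ip route add "$P2_NET" dev "$IF2" src "$IP2"
    emit ip route replace default via "$P2" dev "$IF2"
}

setup_rules() {
    # Mark first, then pick the uplink by source address so replies to
    # inbound connections leave on the interface they arrived on.
    emit ip rule add fwmark "$SMTP_MARK" table MAIL.OUT prio 220
    emit ip rule add from "$IP1" table DSL prio 230
    emit ip rule add from "$IP2" table CABLE prio 240
    emit ip route flush cache
}

setup_netfilter() {
    # Sendmail's packets are locally generated: they never pass PREROUTING.
    # mangle OUTPUT is the hook where a mark can still change the route.
    emit iptables -t mangle -A OUTPUT -p tcp --dport 25 ! -d "$P2_NET" \
        -j MARK --set-mark "$SMTP_MARK"
    # The socket's source address was fixed by the first lookup (cable
    # default, so 192.168.0.10). Rewrite it as the marked packet leaves eth0,
    # otherwise a private source address goes out on the DSL link.
    emit iptables -t nat -A POSTROUTING -o "$IF1" -m mark --mark "$SMTP_MARK" \
        -j SNAT --to-source "$IP1"
    # Replies are de-NATed back to 192.168.0.10 before the input route lookup,
    # and the "from 192.168.0.10" rule points at cable, so strict reverse-path
    # filtering would drop them on eth0. How "all" and the per-interface value
    # combine differs between kernel versions, so clear both.
    emit sysctl -w "net.ipv4.conf.all.rp_filter=0"
    emit sysctl -w "net.ipv4.conf.$IF1.rp_filter=0"
}

verify() {
    emit ip rule show
    emit ip route show table MAIL.OUT
    emit iptables -t mangle -vnL OUTPUT
    emit iptables -t nat -vnL POSTROUTING
    # Newer iproute2 only: which route would a marked packet take?
    emit ip route get 198.51.100.25 mark "$SMTP_MARK"
}

apply_all() {
    setup_routes
    setup_rules
    setup_netfilter
    verify
}

apply_all
```

With DRY_RUN left at its default the script only prints the commands, which is also how to review them before applying with DRY_RUN=0 as root. Binding sendmail's outgoing connections to the DSL address instead (ClientPortOptions=Addr=... in sendmail.cf, sendmail 8.10 and later) is the simpler route the reply above recommends: the "from $IP1" rule then selects the DSL table on its own, with no marking, no SNAT and no change to rp_filter.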


* Re: [LARTC] Linux Advanced Routing & Traffic Control
  2002-10-16  3:31 [LARTC] Linux Advanced Routing & Traffic Control Grant Furick
  2002-10-16 15:54 ` Stephane Ouellette
@ 2002-10-16 16:30 ` Stef Coene
  1 sibling, 0 replies; 3+ messages in thread
From: Stef Coene @ 2002-10-16 16:30 UTC (permalink / raw)
  To: lartc


> Grant,
>
>    First of all, locally-generated traffic doesn't go through the
> MANGLE/PREROUTING table. It goes through the tables using the following
> order: MANGLE/OUTPUT, NAT/OUTPUT, FILTER/OUTPUT, MANGLE/POSTROUTING and
> NAT/POSTROUTING.
See http://www.docum.org/stef.coene/qos/kptd/ for an overview.

>    I've been trying to use the fwmark as a routing key for
> locally-generated traffic and never succeeded.  The reason is that the
> routing decision is taken BEFORE the packet is sent to the MANGLE/OUTPUT
> table.  On the other hand, I can use the fwmark as a routing key for
> forwarded traffic.

Stef

-- 

stef.coene@docum.org
 "Using Linux as bandwidth manager"
     http://www.docum.org/
     #lartc @ irc.oftc.net

