[LARTC] Problems with route by fwmark

From: "Sebastian Schneider" <pueba@web.de>
To: lartc@vger.kernel.org
Subject: [LARTC] Problems with route by fwmark
Date: Sat, 15 Mar 2003 12:38:23 +0000	[thread overview]
Message-ID: <marc-lartc-104773198808274@msgid-missing> (raw)

Hi, 

I have some Problems with Advanced Routing by FWMARK. Here my configuration: 

static routes ( route -n ) : 

Kernel IP routing table 
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface 
... 
192.168.1.0     10.111.111.1    255.255.255.0   UG    0      0        0 eth0 
... 
192.168.7.0      10.111.111.6     255.255.255.0   UG    0      0        0 eth2 
192.168.6.0      10.111.111.6     255.255.255.0   UG    0      0        0 eth2 
192.168.5.0      10.111.111.6     255.255.255.0   UG    0      0        0 eth2 
192.168.4.0      10.111.111.6     255.255.255.0   UG    0      0        0 eth2 
192.168.3.0      10.111.111.6     255.255.255.0   UG    0      0        0 eth2 
192.168.2.0      10.111.111.6     255.255.255.0   UG    0      0        0 eth2 
192.168.12.0     10.111.111.6     255.255.255.0   UG    0      0        0 eth2 
192.168.11.0     10.111.111.6     255.255.255.0   UG    0      0        0 eth2 
192.168.9.0      10.111.111.6     255.255.255.0   UG    0      0        0 eth2 
192.168.8.0      10.111.111.6     255.255.255.0   UG    0      0        0 eth2 
... 

Our network 192.168.1.0/24 (reachable by eth0) is addressed with 192.168.10.0/24 for all other  
networks, which are reachable by eth2. It works fine with some SNAT-rules and DNAT-rules. The 
Big Problem is a second 192.168.1.0-network, which is reachable by eth2. Our network wants to 
address this network with 192.168.20.0/24.  

netfilterscript: 
... 
# workaround (http://lists.netfilter.org/pipermail/netfilter/2000-November/006089.html)  

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter 
echo 1 > /proc/sys/net/ipv4/route/flush 

... 
# rules to route packtes from 192.168.1.0 to virtual 192.168.20.0  => to second 192.168.1.0 

/usr/sbin/iptables -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 17 

for ((i=3; i<255; i++)); do 

	/usr/sbin/iptables -t nat -A PREROUTING  -i eth0 -s 192.168.1.0/24 -d 192.168.20.${i} -j 
DNAT --to-destination 192.168.1.${i}   

	/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.${i} -o eth2 -j SNAT --to-source 
192.168.10.${i} 

...  

done 

... 

# in /etc/iproute2/rt_tables:  ... 201 m.table ... 

ip rule add fwmark 17 table m.table 

/sbin/ip route add 192.168.1.0/24 via 10.111.111.6  dev eth2 table m.table 

... 
EOnetfilterscript 

> ip rule ls 
0:      from all lookup local  
32765:  from all fwmark       17 lookup m.table  
32766:  from all lookup main  
32767:  from all lookup default 

> ip route list table m.table 
192.168.1.0/24 via  10.111.111.6  dev eth2 

But!!!! 

Packets from 192.168.1.0/24 to 192.168.20.0/24 leaves the router by eth0 (with IP-Header: 
From 192.168.1.0/24 To 192.168.1.0/24) => DNAT Works. The mangle-rule works too, because 
I log all Packets marked with 17. 

System: 

SuSE Linux 8.0 with Kernel SuSE-2.4.18-4GB  

Advanced Routing und RouteByFWMARK ist configured: 

> cd /usr/src/linux 
> make cloneconfig 
> cat ./.config | grep IP | grep ROUTE 
CONFIG_IP_ADVANCED_ROUTER=y 
CONFIG_IP_ROUTE_FWMARK=y 
CONFIG_IP_ROUTE_NAT=y 
CONFIG_IP_ROUTE_MULTIPATH=y 
CONFIG_IP_ROUTE_TOS=y 
CONFIG_IP_ROUTE_VERBOSE=y 
CONFIG_IP_ROUTE_LARGE_TABLES=y 
CONFIG_IP_MROUTE=y 

What's the Problem??? 

Thanks, 
Basti 

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/