Re: [LARTC] OUTPUT chain marking after or before routing?

From: "Martin A. Brown" <mabrown-lartc@securepipe.com>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] OUTPUT chain marking after or before routing?
Date: Fri, 18 Jul 2003 18:41:05 +0000	[thread overview]
Message-ID: <marc-lartc-105855390301686@msgid-missing> (raw)
In-Reply-To: <marc-lartc-105842045025983@msgid-missing>

 : I'm very confused now. Look what is written in the iptables man page:
 :
 : #############
 :  mangle This  table  is used for specialized packet alteration.  It has two
 : built-in
 :               chains: PREROUTING (for altering incoming packets before
 : routing) and OUTPUT
 :               (for altering locally-generated packets before routing).
 : ######################
 :
 : So how it is? OUTPUT marks packets AFTER or BEFORE routing?

Hmph.  It certainly seems that somebody is lying!  I defer to those who
know the kernel better on such matters, but my understanding is in line
with the KPTD.

 : > I see two potential approaches to this problem:
 : >
 : >   - invert your logic; main routing table uses ppp0 gateway IP as default
 : >     gateway, mark all traffic passing through your router box, and use
 : >     "ip rule add fwmark $MARK table $INTERNET" with another routing
 : >     table for the Internet-bound traffic.
 :
 : This approach is harder for me because this is a working gateway and I
 : don't wan't to disturb the users with my tests. But, it is a very good
 : idea and maybe I will try it.

I can certainly respect that--one note, though this still doesn't solve
the problem of the squid traffic which is also locally generated.

 : >   - send all locally generated traffic via ppp0; "ip rule add iif lo
 : >     table smtp" and watch all traffic generated on the local machine leave
 : >     via ppp0.  You'll want to add the locally connected networks to table
 : >     smtp.

 : I also tried that and it works. But I don't want to send all locally
 : generated traffic to ppp0. In fact I want only the smtp traffic on
 : ppp0. The Web traffic (including Squid generated, which is locally
 : generated) must go to eth2.

Can you force traffic from squid to leave with a particular source IP
address?  (I do not know how you would do this with any SMTP client, but
you could equally do the same with your SMTP client software.)

Here's the idea:

  - force squid traffic to be initiated with a source IP of 192.168.1.100
  - "ip rule add iif lo table smtp"
  - "ip rule add iif lo from 192.168.1.100 table main"

This still means that other locally generated traffic will leave via your
ppp0.  So, instead........

  - force smtp traffic to be initiated with a source IP of 80.97.105.98
  - "ip rule add iif lo from 192.168.1.100 table smtp"

All other traffic will go via the default route in table main, which will
push the traffic out your eth2 link.

Good luck,

-Martin

-- 
Martin A. Brown --- SecurePipe, Inc. --- mabrown@securepipe.com

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/