From: "Daniel Chemko" <dchemko@smgtec.com>
To: lartc@vger.kernel.org
Subject: [LARTC] Proxy Server Routing - One last try
Date: Mon, 22 Sep 2003 19:15:38 +0000
Message-ID: <marc-lartc-106425823421479@msgid-missing>


Objective:

All web traffic originating from my proxy server should be forwarded
through interface eth2 instead of the default eth0. The reply should
take the same path back to the proxy server.

Problem:

On the return bout, the kernel doesn't pass the packet to the higher
layers. The reply seems to be getting tossed away between the PREROUTING
and INPUT Netfilter chains.

Host Setup:
Kernel Version:

2.4.22 with Netfilter base patches from CVS Sept. 10; Redhat 9 options
w/all Netfilter modules

Network Map:

eth0 --- Default Route, Default Internet Access
eth2 -|
eth3 -|- Alternative Internet Access
eth4 -|

Relevant Configuration:
   <Squid proxy is set to use <eth2_ip> as its outgoing address>

iptables -t mangle -A OUTPUT -m owner --uid-owner squid1 -p tcp --dport 80 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -o eth2 --source ! <eth2_ip> -j DROP
ip rule add fwmark 1 table 100
ip route add default via <eth2_gw> src <eth2_ip> dev eth2 table 100

   <Logs for mangle in,out,pre,post>
   <NAT / Filter tables are basically empty for this test>

Results:

Sep 22 11:20:02 gw2 kernel: OUTPUT - IN= OUT=eth0 SRC=<eth2_ip> DST=216.239.39.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26601 DF PROTO=TCP SPT=37984 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

   <Strange that the first round of routing didn't use the <eth2_ip> to
force the outgoing interface>

Sep 22 11:20:02 gw2 kernel: POSTROUTING - IN= OUT=eth2 SRC=<eth2_ip> DST=216.239.39.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26602 DF PROTO=TCP SPT=37984 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

   <Ok, it's looking better after the fwmark is processed>

Sep 22 11:20:02 gw2 kernel: PREROUTING - IN=eth2 OUT= MAC=00:05:5d:64:9a:f2:00:00:77:92:56:92:08:00 SRC=216.239.39.99 DST=<eth2_ip> LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=16723 PROTO=TCP SPT=80 DPT=37984 WINDOW=8190 RES=0x00 ACK SYN URGP=0

   <IP_CONNTRACK detects SYN_RECV>
   <netstat detects SYN_SENT>
   <Kernel retries sending SYN until timeout>
   <So, it never reaches back up to the socket layer... I'm screwed>
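As an added example (not part of the post), the following Python script correlates netfilter LOG lines like the ones quoted above by flow and reports what the mail observes: the SYN leaves via eth0 in OUTPUT but via eth2 in POSTROUTING, and the SYN/ACK is seen in PREROUTING on eth2 but never in INPUT. The sample lines are constructed from the post's output with the placeholder <eth2_ip> replaced by an assumed address, 192.0.2.10.

```python
import re

# Constructed sample input: the three netfilter LOG lines quoted in the post,
# with the placeholder <eth2_ip> replaced by an assumed address 192.0.2.10.
SAMPLE_LOG = """\
Sep 22 11:20:02 gw2 kernel: OUTPUT - IN= OUT=eth0 SRC=192.0.2.10 DST=216.239.39.99 LEN=60 PROTO=TCP SPT=37984 DPT=80 SYN URGP=0
Sep 22 11:20:02 gw2 kernel: POSTROUTING - IN= OUT=eth2 SRC=192.0.2.10 DST=216.239.39.99 LEN=60 PROTO=TCP SPT=37984 DPT=80 SYN URGP=0
Sep 22 11:20:02 gw2 kernel: PREROUTING - IN=eth2 OUT= MAC=00:05:5d:64:9a:f2:00:00:77:92:56:92:08:00 SRC=216.239.39.99 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=80 DPT=37984 ACK SYN URGP=0
"""

LINE_RE = re.compile(r"kernel: (?P<chain>\w+) - (?P<rest>.*)")

def parse_log(text):
    """Yield (chain, fields) per LOG line; bare flags such as SYN/ACK map to True."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        fields = {}
        for tok in m.group("rest").split():
            key, has_eq, val = tok.partition("=")
            fields[key] = val if has_eq else True
        yield m.group("chain"), fields

def flow_key(f):
    """Direction-independent 4-tuple so the SYN and its SYN/ACK share one key."""
    ends = [(f["SRC"], f["SPT"]), (f["DST"], f["DPT"])]
    return tuple(sorted(ends))

def analyse(text):
    """Per flow: SYN rerouted after the mark? SYN/ACK input interface? SYN/ACK lost before INPUT?"""
    hops = {}
    for chain, f in parse_log(text):
        syn_ack = f.get("SYN") is True and f.get("ACK") is True
        hops.setdefault(flow_key(f), []).append((chain, f["IN"], f["OUT"], syn_ack))
    findings = {}
    for flow, path in hops.items():
        out_ifs = {out for chain, _, out, _ in path if chain in ("OUTPUT", "POSTROUTING")}
        reply_chains = [chain for chain, _, _, is_reply in path if is_reply]
        reply_in = next((in_if for _, in_if, _, is_reply in path if is_reply), None)
        findings[flow] = {
            "rerouted_after_mark": len(out_ifs) > 1,
            "reply_in_if": reply_in,
            # A PREROUTING entry with no INPUT entry means the packet died in the
            # routing decision between the two hooks (reverse-path filtering is
            # one well-known cause; the post does not mention it).
            "reply_dropped_before_input": "PREROUTING" in reply_chains and "INPUT" not in reply_chains,
        }
    return findings
```

Run against real logs, feed it the output of the four mangle LOG rules the post describes; any flow flagged with reply_dropped_before_input points at the routing lookup for incoming packets rather than at the filter chains.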