From: "Daniel Chemko"
Date: Mon, 22 Sep 2003 19:15:38 +0000
Subject: [LARTC] Proxy Server Routing - One last try
To: lartc@vger.kernel.org

Objective:

All web traffic originating from my proxy server should be forwarded through interface eth2 instead of the default eth0. The reply should take the same path back to the proxy server.

Problem:

On the return bout, the kernel doesn't pass the packet to the higher layers. The reply seems to be getting tossed away between the PREROUTING and INPUT Netfilter chains.

Host Setup:

Kernel Version: 2.4.22 with Netfilter base patches from CVS Sept. 10; Redhat 9 options w/all Netfilter modules

Network Map:
eth0 --- Default Route, Default Internet Access
eth2 -|
eth3 -|- Alternative Internet Access
eth4 -|

Relevant Configuration:

   <Squid proxy is set to use <eth2_ip> as its outgoing address>

iptables -t mangle -A OUTPUT -m owner --uid-owner squid1 -p tcp --dport 80 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -o eth2 --source ! <eth2_ip> -j DROP
ip rule add fwmark 1 table 100
ip route add default via <eth2_gw> src <eth2_ip> dev eth2 table 100

   <Logs for mangle in,out,pre,post>
   <NAT / Filter tables are basically empty for this test>

Results:

Sep 22 11:20:02 gw2 kernel: OUTPUT - IN= OUT=eth0 SRC=<eth2_ip> DST=216.239.39.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26601 DF PROTO=TCP SPT=37984 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

   <Strange that the first round of routing didn't use the <eth2_ip> to force the outgoing interface>

Sep 22 11:20:02 gw2 kernel: POSTROUTING - IN= OUT=eth2 SRC=<eth2_ip> DST=216.239.39.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26602 DF PROTO=TCP SPT=37984 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

   <Ok, it's looking better after the fwmark is processed>

Sep 22 11:20:02 gw2 kernel: PREROUTING - IN=eth2 OUT= MAC=00:05:5d:64:9a:f2:00:00:77:92:56:92:08:00 SRC=216.239.39.99 DST=<eth2_ip> LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=16723 PROTO=TCP SPT=80 DPT=37984 WINDOW=8190 RES=0x00 ACK SYN URGP=0

   <IP_CONNTRACK detects SYN_RECV>
   <netstat detects SYN_SENT>
   <Kernel retries sending SYN until timeout>
   <So, it never reaches back up to the socket layer... I'm screwed>

_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc
HOWTO: http://lartc.org/