* [LARTC] Proxy Server Routing - One last try
@ 2003-09-22 19:15 Daniel Chemko
From: Daniel Chemko @ 2003-09-22 19:15 UTC (permalink / raw)
To: lartc
Objective:
All web traffic originating from my proxy server should be forwarded
through interface eth2 instead of the default eth0. The reply should
take the same path back to the proxy server.
Problem:
On the return bout, the kernel doesn't pass the packet to the higher
layers. The reply seems to be getting tossed away between PREROUTING and
INPUT Netfilter chains.
Host Setup:
Kernel Version:
2.4.22 with Netfilter base patches from CVS Sept. 10; Redhat 9 options
w/all Netfilter modules
Network Map:
eth0 --- Default Route, Default Internet Access
eth2 -|
eth3 -|- Alternative Internet Access
eth4 -|
Relevant Configuration:
<Squid proxy is set to use <eth2_ip> as its outgoing address>
iptables -t mangle -A OUTPUT -m owner --uid-owner squid1 -p tcp --dport 80 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -o eth2 --source ! <eth2_ip> -j DROP
ip rule add fwmark 1 table 100
ip route add default via <eth2_gw> src <eth2_ip> dev eth2 table 100
<Logs for mangle in,out.pre,post>
<NAT / Filter tables are basically empty for this test>
Results:
Sep 22 11:20:02 gw2 kernel: OUTPUT - IN= OUT=eth0 SRC=<eth2_ip>
DST=216.239.39.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26601 DF PROTO=TCP
SPT=37984 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
<Strange that the first round of routing didn't use the <eth2_ip> to
force the outgoing interface>
Sep 22 11:20:02 gw2 kernel: POSTROUTING - IN= OUT=eth2 SRC=<eth2_ip>
DST=216.239.39.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26602 DF PROTO=TCP
SPT=37984 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
<Ok, it's looking better after the fwmark is processed>
Sep 22 11:20:02 gw2 kernel: PREROUTING - IN=eth2 OUT=
MAC=00:05:5d:64:9a:f2:00:00:77:92:56:92:08:00 SRC=216.239.39.99
DST=<eth2_ip> LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=16723 PROTO=TCP
SPT=80 DPT=37984 WINDOW=8190 RES=0x00 ACK SYN URGP=0
<IP_CONNTRACK detects SYN_RECV>
<netstat detects SYN_SENT>
<Kernel retries sending SYN until timeout>
<So, it never reaches back up to the socket layer... I'm screwed>
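Added example (not code from the post or from the LARTC project): a small Python analyzer that follows each TCP flow through the netfilter LOG lines quoted above and reports, per flow, which interface the request left on, whether the OUTPUT and POSTROUTING interfaces differ (the fwmark re-route), whether the reply came back in on the same interface, and whether a reply that was seen in PREROUTING ever appeared in INPUT or FORWARD. The sample log is constructed from the three lines in the post with <eth2_ip> replaced by the documentation address 192.0.2.10, plus a constructed healthy flow via eth0 for contrast; the function names parse_log, analyze and report are mine.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the three netfilter LOG lines in the post.
# <eth2_ip> is replaced with the documentation address 192.0.2.10; the second
# flow (198.51.100.2 <-> 203.0.113.9 via eth0) is constructed as a healthy
# contrast and does not appear in the post.
SAMPLE_LOG = """\
Sep 22 11:20:02 gw2 kernel: OUTPUT - IN= OUT=eth0 SRC=192.0.2.10 DST=216.239.39.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26601 DF PROTO=TCP SPT=37984 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 22 11:20:02 gw2 kernel: POSTROUTING - IN= OUT=eth2 SRC=192.0.2.10 DST=216.239.39.99 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26602 DF PROTO=TCP SPT=37984 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 22 11:20:02 gw2 kernel: PREROUTING - IN=eth2 OUT= MAC=00:05:5d:64:9a:f2:00:00:77:92:56:92:08:00 SRC=216.239.39.99 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=16723 PROTO=TCP SPT=80 DPT=37984 WINDOW=8190 RES=0x00 ACK SYN URGP=0
Sep 22 11:20:05 gw2 kernel: OUTPUT - IN= OUT=eth0 SRC=198.51.100.2 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30001 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 22 11:20:05 gw2 kernel: POSTROUTING - IN= OUT=eth0 SRC=198.51.100.2 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30001 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 22 11:20:05 gw2 kernel: PREROUTING - IN=eth0 OUT= MAC=00:05:5d:64:9a:f1:00:00:77:92:56:91:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=17001 PROTO=TCP SPT=80 DPT=40001 WINDOW=8190 RES=0x00 ACK SYN URGP=0
Sep 22 11:20:05 gw2 kernel: INPUT - IN=eth0 OUT= MAC=00:05:5d:64:9a:f1:00:00:77:92:56:91:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=17001 PROTO=TCP SPT=80 DPT=40001 WINDOW=8190 RES=0x00 ACK SYN URGP=0
"""

LINE_RE = re.compile(r".*kernel: (\w+) - (.*)$")  # "<chain> - <fields>", the log prefix style used in the post
KV_RE = re.compile(r"(\w+)=(\S*)")                # key=value tokens; the value may be empty (IN= on OUTPUT)


def parse_log(text):
    """Turn netfilter LOG lines into dicts: chain, key=value fields and bare flags (SYN, ACK, DF)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        chain, rest = m.groups()
        rec = {"chain": chain, "flags": {t for t in rest.split() if "=" not in t}}
        rec.update(KV_RE.findall(rest))
        records.append(rec)
    return records


def analyze(records):
    """Group TCP packets into flows (both directions) and report how far each reply got."""
    flows, origin = defaultdict(list), {}
    for r in records:
        a, b = (r["SRC"], r["SPT"]), (r["DST"], r["DPT"])
        key = tuple(sorted((a, b)))
        origin.setdefault(key, (a, b))      # the first packet seen defines the request direction
        r["dir"] = "request" if a == origin[key][0] else "reply"
        flows[key].append(r)
    findings = {}
    for key, recs in flows.items():
        req = [r for r in recs if r["dir"] == "request"]
        rep = [r for r in recs if r["dir"] == "reply"]
        first_out = next((r["OUT"] for r in req if r["chain"] == "OUTPUT"), None)
        egress = next((r["OUT"] for r in req if r["chain"] == "POSTROUTING"), None)
        ingress = next((r["IN"] for r in rep if r["chain"] == "PREROUTING"), None)
        rep_chains = {r["chain"] for r in rep}
        (src, spt), (dst, dpt) = origin[key]
        findings[f"{src}:{spt}->{dst}:{dpt}"] = {
            "egress": egress,
            # OUTPUT saw one interface, POSTROUTING another: the fwmark re-route took effect
            "rerouted_after_mark": None not in (first_out, egress) and first_out != egress,
            "reply_ingress": ingress,
            # the objective in the post: the reply comes back on the interface the request left on
            "symmetric": ingress is not None and ingress == egress,
            "reply_reached_input": "INPUT" in rep_chains,
            # seen in PREROUTING but in neither INPUT nor FORWARD: lost at the routing
            # decision that sits between those two hooks
            "reply_lost_after_prerouting": "PREROUTING" in rep_chains
            and not (rep_chains & {"INPUT", "FORWARD"}),
        }
    return findings


def report(text=SAMPLE_LOG):
    """Parse and analyze a block of LOG output; returns findings keyed by request 5-tuple."""
    return analyze(parse_log(text))


if __name__ == "__main__":
    for flow, f in report().items():
        print(flow, f)
```

Feed it the output of `dmesg` or `/var/log/messages` with the same `--log-prefix` convention and a flow that is flagged `reply_lost_after_prerouting` is one whose reply the kernel discarded at the routing decision rather than in any chain you can see. On a multi-homed host that is the point at which reverse-path filtering (`net.ipv4.conf.<iface>.rp_filter`, verified against the route the kernel would pick for the packet's source address) is usually the first setting a practitioner checks, because a packet arriving on an interface the main table would not use to reach its source is silently dropped there.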