From: Thomas Themel <themel@iwoars.net>
To: lartc@vger.kernel.org
Subject: [LARTC] fwmark routing of locally generated packets
Date: Tue, 28 Oct 2003 00:32:09 +0000 [thread overview]
Message-ID: <marc-lartc-106730159403106@msgid-missing> (raw)
[-- Attachment #1: Type: text/plain, Size: 3970 bytes --]
Hi,
I'm currently trying to get a Linux machine to route all traffic coming
from a certain UID over a dedicated PPP interface. After going throught
the available documentation and experimenting a bit, I settled for the
following attempt:
# 62.46.87.104 - local PPP address
# 195.4.91.104 - PPP peer
ip route add 195.3.91.104 dev ppp0 src 62.46.87.104 table special
# local for DNS etc
ip route add 192.168.1.0/24 dev eth0 src 192.168.1.1 table special
ip route add default via 195.3.91.104 src 62.46.87.104 table special
ip rule add fwmark 3 lookup special
iptables -t mangle -A OUTPUT -m owner --uid-owner freenet -j MARK --set-mark 3
ip route flush cache
This seems to work in a way. It correctly sends the packets generated by
that user out the ppp0 interface, but they don't get the correct source
address:
| sophokles:~# sh -x description.txt
| + ip route flush table aonc
| + ip route add 195.3.91.103 dev ppp0 src 62.46.86.137 table aonc
| + ip route add 192.168.1.0/24 dev eth0 src 192.168.1.1 table aonc
| + ip route add default via 195.3.91.103 src 62.46.86.137 table aonc
| + ip rule add fwmark 3 lookup aonc
| + iptables -t mangle -A OUTPUT -m owner --uid-owner freenet -j MARK
| --set-mark 3
| + ip route flush cache
| sophokles:~# tcpdump -ni ppp0 port 22 &
| [1] 841
| sophokles:~# tcpdump: listening on ppp0
|
| sophokles:~# nc iwoars.net 22
| SSH-1.99-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
|
| sophokles:~# su - freenet
| freenet@sophokles:~$ nc iwoars.net 22
| 01:25:17.044883 192.168.1.1.32848 > 217.160.110.113.22: SWE
| 1344336467:1344336467(0) win 5840 <mss 1460,sackOK,timestamp 2056533
| 0,nop,wscale 0> (DF)
| 01:25:20.043828 192.168.1.1.32848 > 217.160.110.113.22: SWE
| 1344336467:1344336467(0) win 5840 <mss 1460,sackOK,timestamp 2059533
| 0,nop,wscale 0> (DF)
| 01:25:26.042584 192.168.1.1.32848 > 217.160.110.113.22: SWE
| 1344336467:1344336467(0) win 5840 <mss 1460,sackOK,timestamp 2065533
| 0,nop,wscale 0> (DF)
|
| freenet@sophokles:~$
I've read on this list that owner-based policy routing is impossible
because the routing decision is made before the packet traverses the
OUTPUT chain. However, if this is true, then I don't understand how the
packet can go out via the correct interface unless there are separate
route lookups to determine the source address and outgoing interface.
Could someone who knows please elaborate?
I have also tried, unsuccessfully, to just mangle the source address
using an iptables SNAT rule, but even though that produces correct
network traffic, it seems to break something internally that keeps the
TCP handshake from completing:
| sophokles:~# iptables -t nat -A POSTROUTING -j SNAT -o ppp0 --to-source
| 62.46.86.137
| sophokles:~# su - freenet
| freenet@sophokles:~$ nc iwoars.net 22
| 01:30:16.448930 62.46.86.137.32849 > 217.160.110.113.22: SWE
| 1656968486:1656968486(0) win 5840 <mss 1460,sackOK,timestamp 2356000
| 0,nop,wscale 0> (DF)
| 01:30:16.516732 217.160.110.113.22 > 62.46.86.137.32849: S
| 2293250552:2293250552(0) ack 1656968487 win 32120 <mss
| 1460,sackOK,timestamp 313375234 2356000,nop,wscale 0> (DF)
| 01:30:19.448146 62.46.86.137.32849 > 217.160.110.113.22: SWE
| 1656968486:1656968486(0) win 5840 <mss 1460,sackOK,timestamp 2359000
| 0,nop,wscale 0> (DF)
| 01:30:19.518099 217.160.110.113.22 > 62.46.86.137.32849: S
| 2293250552:2293250552(0) ack 1656968487 win 32120 <mss
| 1460,sackOK,timestamp 313375535 2356000,nop,wscale 0> (DF)
| 01:30:19.823023 217.160.110.113.22 > 62.46.86.137.32849: S
| 2293250552:2293250552(0) ack 1656968487 win 32120 <mss
| 1460,sackOK,timestamp 313375566 2356000,nop,wscale 0> (DF)
| [...]
ciao,
--
[*Thomas Themel*] Since you obviously haven't lurked enough,
[extended contact] we subtly tell lusers to piss off via the words "piss
[info provided in] off, luser".
[*message header*] - David P. Murphy in the monastery
[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
next reply other threads:[~2003-10-28 0:32 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-10-28 0:32 Thomas Themel [this message]
2003-10-28 16:20 ` [LARTC] fwmark routing of locally generated packets Thomas Themel
2003-11-01 4:37 ` Brad Barnett
2003-11-01 10:39 ` Thomas Themel
2003-11-04 10:26 ` Thomas Themel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=marc-lartc-106730159403106@msgid-missing \
--to=themel@iwoars.net \
--cc=lartc@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.