Linux Advanced Routing and Traffic Control list
* [LARTC] routing oddity, help?
@ 2003-08-22 14:19 Philip Champon
  2003-08-24 23:55 ` Damion de Soto
  0 siblings, 1 reply; 2+ messages in thread
From: Philip Champon @ 2003-08-22 14:19 UTC (permalink / raw)
  To: lartc

(sorry if this double posts, my from: was wrong)

Hello,

I am trying to use iptables/iproute2 to get around assigning IP addresses.
I have two machines I am trying this with, machine A is LVS running keepalived,
using firewall marks to route to virtual servers. Machine B is an stunnel
machine de-ssling port 443 requests sent to machine A.

The steps I have taken:

all options for iptables are on, LVS is patched in, advanced routing options
are on. all pertinent options for routing using fwmarks are on too.

Machine A
iptables -A PREROUTING -t mangle -j MARK -p tcp --dport 80 --set-mark 0x1
iptables -A PREROUTING -t mangle -j MARK -p tcp --dport 443 --set-mark 0x2
ip rule add prio 100 fwmark 1 table 100
ip route add local 0/0 dev lo table 100
ip rule add prio 200 fwmark 2 table 200
ip route add 0/0 via B table 200

Machine B
iptables -A PREROUTING -t mangle -j MARK -p tcp --dport 443 --set-mark 0x1
ip rule add prio 100 fwmark 1 table 100
ip route add local 0/0 dev lo table 100

Issuing these commands on machine A, packets move as I expect them to. However,
on machine B, using tcpdump I see packets come in on port 443, but I never see
machine B respond or send an ICMP error.

Can someone please tell me why this is happening? At this point, it seems like
either the keyword local is reserved for use in the local table and/or
keepalived is doing some magic... ???

-- 
Philip Champon Affinity Developer
Ph - 954-334-8156
Em - pchampon@gonk.valueweb.net
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/


* Re: [LARTC] routing oddity, help?
  2003-08-22 14:19 [LARTC] routing oddity, help? Philip Champon
@ 2003-08-24 23:55 ` Damion de Soto
  0 siblings, 0 replies; 2+ messages in thread
From: Damion de Soto @ 2003-08-24 23:55 UTC (permalink / raw)
  To: lartc

Philip Champon wrote:
> 
> Machine B
> iptables -A PREROUTING -t mangle -j MARK -p tcp --dport 443 --set-mark 0x1
> ip rule add prio 100 fwmark 1 table 100
> ip route add local 0/0 dev lo table 100
> 
> Issuing these commands on machine A, packets move as I expect them to. However,
> on machine B, using tcpdump I see packets come in on port 443, but I never see
> machine B respond or send an ICMP error.

I never tried anything like this before, and don't really understand what you're 
doing, but taking a guess:
aren't you directing the incoming port 443 packets to the loopback device routing table?
so then they're never going to do anything useful, unless your application is 
specifically listening on 127.0.0.1?


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Damion de Soto - Software Engineer  email:     damion@snapgear.com
SnapGear ---                           ph:         +61 7 3435 2809
  | Custom Embedded Solutions          fax:         +61 7 3891 3630
  | and Security Appliances            web: http://www.snapgear.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

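The following is an added example, not code from either post and not part of
iptables or iproute2. It models the chain Philip set up (mangle MARK by
destination port, ip rule by fwmark and priority, route lookup in the selected
table, falling through to main) and then applies the check Damion's reply
points at: a packet delivered by a "local" route keeps its original destination
address, so the result depends on what address the service is bound to. It
parses only the command syntax used in the thread. The addresses 10.0.0.1 (the
service address clients connect to on A) and 10.0.0.254 (B's default gateway)
are constructed; "B" is kept as the placeholder from the post.

```python
"""Toy model of fwmark -> ip rule -> ip route -> local listener (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAIN_TABLE = 254  # "main": tried after every fwmark rule (implicit prio 32766)


@dataclass
class Route:
    kind: str                  # "local" (deliver on this host) or "unicast" (forward)
    prefix: str                # "0/0" or a CIDR
    via: Optional[str] = None
    dev: Optional[str] = None

    def matches(self, dst: str) -> bool:
        cidr = "0.0.0.0/0" if self.prefix == "0/0" else self.prefix
        return ipaddress.ip_address(dst) in ipaddress.ip_network(cidr, strict=False)


@dataclass
class Host:
    marks: List[Tuple[int, int]] = field(default_factory=list)       # (dport, mark)
    rules: List[Tuple[int, int, int]] = field(default_factory=list)  # (prio, fwmark, table)
    tables: Dict[int, List[Route]] = field(default_factory=dict)


def load(commands: str) -> Host:
    """Parse iptables MARK / ip rule / ip route lines exactly as written in the posts."""
    host = Host()
    for line in commands.strip().splitlines():
        line = line.strip()
        if line.startswith("iptables") and "-j MARK" in line:
            dport = int(re.search(r"--dport (\d+)", line).group(1))
            mark = int(re.search(r"--set-mark (\S+)", line).group(1), 0)  # "0x1" or "1"
            host.marks.append((dport, mark))
        elif line.startswith("ip rule add"):
            m = re.search(r"prio (\d+) fwmark (\S+) table (\d+)", line)
            host.rules.append((int(m.group(1)), int(m.group(2), 0), int(m.group(3))))
        elif line.startswith("ip route add"):
            prefix = re.search(r"add (?:local )?(\S+)", line).group(1)
            via = re.search(r"via (\S+)", line)
            dev = re.search(r"dev (\S+)", line)
            table = re.search(r"table (\d+)", line)
            host.tables.setdefault(int(table.group(1)) if table else MAIN_TABLE, []).append(
                Route("local" if " local " in line else "unicast", prefix,
                      via.group(1) if via else None, dev.group(1) if dev else None))
    return host


def route(host: Host, dst: str, dport: int) -> Optional[Route]:
    """Mark in mangle PREROUTING, walk rules by priority, look up the chosen table."""
    mark = 0
    for port, m in host.marks:        # MARK is non-terminating, so the last match wins
        if port == dport:
            mark = m
    rules = sorted(host.rules) + [(32766, None, MAIN_TABLE)]
    for _prio, fwmark, table in rules:
        if fwmark is not None and fwmark != mark:
            continue
        for r in host.tables.get(table, []):
            if r.matches(dst):
                return r
        # table selected but no route matched: fall through to the next rule
    return None


def accepted_locally(listeners: List[Tuple[str, int]], dst: str, dport: int) -> bool:
    """A 'local' route hands the packet up with its destination address untouched,
    so a socket must be bound to that exact address or to the wildcard."""
    return any(port == dport and addr in ("0.0.0.0", dst) for addr, port in listeners)


MACHINE_A = load("""
iptables -A PREROUTING -t mangle -j MARK -p tcp --dport 80 --set-mark 0x1
iptables -A PREROUTING -t mangle -j MARK -p tcp --dport 443 --set-mark 0x2
ip rule add prio 100 fwmark 1 table 100
ip route add local 0/0 dev lo table 100
ip rule add prio 200 fwmark 2 table 200
ip route add 0/0 via B table 200
""")
MACHINE_B = load("""
iptables -A PREROUTING -t mangle -j MARK -p tcp --dport 443 --set-mark 0x1
ip rule add prio 100 fwmark 1 table 100
ip route add local 0/0 dev lo table 100
""")
# Constructed default route so unmarked traffic on B has somewhere to go.
MACHINE_B.tables[MAIN_TABLE] = [Route("unicast", "0/0", via="10.0.0.254", dev="eth0")]
SERVICE_ADDR = "10.0.0.1"  # constructed: the address the client connected to on A


def diagnose_b(listeners: List[Tuple[str, int]]) -> str:
    """Fate on B of a port-443 packet A forwarded with SERVICE_ADDR still as destination."""
    r = route(MACHINE_B, SERVICE_ADDR, 443)
    if r is None or r.kind != "local":
        return "forwarded"
    return "delivered" if accepted_locally(listeners, SERVICE_ADDR, 443) else "no listener"


if __name__ == "__main__":
    print("A, dport 443 ->", route(MACHINE_A, SERVICE_ADDR, 443))
    print("B, dport 443 ->", route(MACHINE_B, SERVICE_ADDR, 443))
    print("stunnel bound to 127.0.0.1:443 ->", diagnose_b([("127.0.0.1", 443)]))
    print("stunnel bound to 0.0.0.0:443   ->", diagnose_b([("0.0.0.0", 443)]))
```

Run as-is to see that the 443 packet on B does land in the "local 0/0 dev lo"
route, and that the outcome then turns entirely on the bind address of the
listener; on a real host the equivalent checks are "ip route get <addr> mark
0x1" for the route decision and "ss -lnt" for the bound addresses.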
