port based routing for local generated connections

port based routing for local generated connections

[Jan Rathouský]

Hi everybody,
I'm looking for something that allows me routing based on destination
ports (for two OpenVPN tunnels).
First I found nice howto [1] but there is one problem – it works only
with LAN traffic and I want it for one computer with two ISPs. Because
router decision is done before writing marks for local generated
packets. So this howto is not for me :(
I was told that "iptables -j ROUTE" is what I'm looking for.
But I'm not able to compile POM with actual iptables version and my
Debian Squeeze kernel.
Than I found xtables-addon which is much more "fresh" than POM. But it
doesn't have support for ROUTE action.
Do you plan to add it to xtables-addon?
or
Do you know something else that can help me with this situation?

Thanks for answers and for your work.

Jan

PS: does anyone try to contact someone from netfilter team to add a
link to xtables-addon instead of POM? It's quite hard to find this
project.


[1] http://www.linuxhorizon.ro/iproute2.html
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

port based routing for local generated connections

[Jan Rathouský]

Hi everybody,
I'm looking for something that allows me routing based on destination
ports (for two OpenVPN tunnels).
First I found nice howto [1] but there is one problem – it works only
with LAN traffic and I want it for one computer with two ISPs. Because
router decision is done before writing marks for local generated
packets. So this howto is not for me :(
I was told that "iptables -j ROUTE" is what I'm looking for.
But I'm not able to compile POM with actual iptables version and my
Debian Squeeze kernel.
Than I found xtables-addon which is much more "fresh" than POM. But it
doesn't have support for ROUTE action.
Do you plan to add it to xtables-addon?
or
Do you know something else that can help me with this situation?

Thanks for answers and for your work.

Jan

PS: does anyone try to contact someone from netfilter team to add a
link to xtables-addon instead of POM? It's quite hard to find this
project.

[1] http://www.linuxhorizon.ro/iproute2.html
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: port based routing for local generated connections

[Jan Engelhardt]

On Sunday 2009-05-17 01:28, Jan Rathouský wrote:

>Hi everybody,
>I'm looking for something that allows me routing based on destination
>ports (for two OpenVPN tunnels).
>First I found nice howto [1] but there is one problem – it works only
>with LAN traffic and I want it for one computer with two ISPs. Because
>router decision is done before writing marks for local generated
>packets.

It also applies to local traffic. The packet will be re-evaluated by 
routing if it changed its mark in the OUTPUT chain.

>I was told that "iptables -j ROUTE" is what I'm looking for.

Nope, that is obsoleted by iproute2.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: port based routing for local generated connections

[Jan Rathouský]

2009/5/17 Jan Engelhardt <jengelh@medozas.de>:
>It also applies to local traffic. The packet will be re-evaluated by
>routing if it changed its mark in the OUTPUT chain.

It doesn't work.

debian:/home/houska# iptables -A OUTPUT -t mangle -p tcp --dport 60353
-j MARK --set-mark 100
debian:/home/houska# iptables -A OUTPUT -t mangle -p tcp --dport 60354
-j MARK --set-mark 100
debian:/home/houska# ip route add default via 10.6.6.6 dev ppp0 table cdma
debian:/home/houska# ip rule add from all fwmark 100 table cdma
debian:/home/houska#
debian:/home/houska# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

...

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  anywhere             anywhere            tcp
dpt:60353 MARK xset 0x64/0xffffffff
MARK       tcp  --  anywhere             anywhere            tcp
dpt:60354 MARK xset 0x64/0xffffffff

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
debian:/home/houska#
debian:/home/houska# ip route ls table cdma
default via 10.6.6.6 dev ppp0
debian:/home/houska#
debian:/home/houska# ip route ls
10.160.3.42 dev ppp0  proto kernel  scope link  src 10.162.62.199
debian:/home/houska#
debian:/home/houska# ip rule ls
0:      from all lookup local
32765:  from all fwmark 0x64 lookup cdma
32766:  from all lookup main
32767:  from all lookup default
debian:/home/houska#
debian:/home/houska# tcptraceroute ip.add.re.ss 60353
connect: Network is unreachable
debian:/home/houska# tcptraceroute ip.add.re.ss 60354
connect: Network is unreachable
debian:/home/houska#

:(
Same problem is with OpenVPN. What am I doing wrong?

Thanks
Jan
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html