Linux Netfilter discussions
* fwmarks
@ 2003-03-01 20:44 Esteban
  2003-03-01 22:00 ` fwmarks Joel Newkirk
  2003-03-01 23:13 ` fwmarks Tomasz Wrona
  0 siblings, 2 replies; 5+ messages in thread
From: Esteban @ 2003-03-01 20:44 UTC (permalink / raw)
  To: netfilter

I've got the classic firewall for my internal network, but instead of one
internet gw I've got two.

(internal 172.0.0.0/24) eth0 -#linux box#-eth2 (first gw to internet)
                                          #-ppp0 (second gw to internet)

I have a transparent squid and a nat rule to redirect ports..
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

Then squid looks for the webpages on the two gateways (multipath).
Now I would like to fwmark packets generated by squid and, through a
routing table, route only www packets to the gw I want.

I tried
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 2

and then
echo 201 www.out >> /etc/iproute2/rt_tables
ip rule add fwmark 2 table www.out
ip route add default via 1.1.1.1 dev ppp0 table www.out
ip route flush cache

and it does not work!.
If I create a rule like
ip rule add to 2.2.2.2 table www.out
ip route flush cache

that does work!..
I think the mangling is not okay.. how do I mangle packets generated by
my own server? If anyone has some experience please help me!

thanks in advance

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: fwmarks
  2003-03-01 20:44 fwmarks Esteban
@ 2003-03-01 22:00 ` Joel Newkirk
  2003-03-01 23:13 ` fwmarks Tomasz Wrona
  1 sibling, 0 replies; 5+ messages in thread
From: Joel Newkirk @ 2003-03-01 22:00 UTC (permalink / raw)
  To: Esteban, netfilter

On Saturday 01 March 2003 03:44 pm, Esteban wrote:

> I have a transparent squid and a nat rule to redirect ports..
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
> --to-port 3128
>
> Then squid looks for the webpages on the two gateways (multipath).
> Now I would like to fwmark packets generated by squid and, through a
> routing table, route only www packets to the gw I want.
>
> I tried
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 2

If the traffic is coming from (i.e. squid is running on) the firewall box
itself then outbound traffic from squid never goes through PREROUTING.
Try:

iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 2

instead.

j


* Re: fwmarks
  2003-03-01 20:44 fwmarks Esteban
  2003-03-01 22:00 ` fwmarks Joel Newkirk
@ 2003-03-01 23:13 ` Tomasz Wrona
  2003-03-02  0:00   ` fwmarks Esteban
  1 sibling, 1 reply; 5+ messages in thread
From: Tomasz Wrona @ 2003-03-01 23:13 UTC (permalink / raw)
  To: Esteban; +Cc: netfilter

On 1 Mar 2003, Esteban wrote:

> and then
> echo 201 www.out >> /etc/iproute2/rt_tables
> ip rule add fwmark 2 table www.out
> ip route add default gw via 1.1.1.1 dev ppp0
> ip route flush cache
>
> and does not work!.
> if i create a rule like
> ip rule add to 2.2.2.2 table www.out
> ip route flush cache
>
> that does work!..

Set [I'm guessing the location, but the key is to turn off rp_filter when
using policy routing via fwmark]:
echo "0" > /proc/sys/net/ipv4/conf/ppp0/rp_filter

Regards
tw
-- 

----------------
 ck.eter.tym.pl

"Never let schooling disturb Your education"


* Re: fwmarks
  2003-03-01 23:13 ` fwmarks Tomasz Wrona
@ 2003-03-02  0:00   ` Esteban
  0 siblings, 0 replies; 5+ messages in thread
From: Esteban @ 2003-03-02  0:00 UTC (permalink / raw)
  To: Tomasz Wrona; +Cc: netfilter

I've tried that and so on..

root@debian:~# find /proc/ -type f -iname "rp_filter"  -exec cat {} \;
0
0
0
0
0
root@debian:

It doesn't work!..
I see the accounting of packets in iptables, so marking is working..

root@debian:~# ip route ls
172.0.0.0/24 dev eth0  proto kernel  scope link  src 172.0.0.82 
172.0.0.0/24 dev eth1  proto kernel  scope link  src 172.0.0.81 
default via 172.0.0.1 dev eth0 

but they keep on using the default route! (eth0) and not eth1!

root@debian:~# ip rule ls
0:      from all lookup local 
32761:  from all fwmark        2 lookup eth1 
32762:  from all fwmark        2 lookup eth1 
32763:  from all fwmark        d lookup eth1 
32764:  from all fwmark       13 lookup eth1 
32765:  from all to 198.133.219.25 lookup eth1 
32766:  from all lookup main 
32767:  from all lookup default 
root@debian:~# 
root@debian:~# ip route ls table eth1
172.0.0.1 dev eth1  scope link  src 172.0.0.81 
default via 172.0.0.1 dev eth1  src 172.0.0.81 
root@debian:~# 
root@debian:~#  iptables -t mangle -L -n -v
Chain PREROUTING (policy ACCEPT 11811 packets, 5080K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 10043 packets, 4859K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 8362 packets, 1812K bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  6287 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:80 MARK set 0x2
  261 12430 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:110 MARK set 0xd
Chain POSTROUTING (policy ACCEPT 8542 packets, 1832K bytes)
 pkts bytes target     prot opt in     out     source               destination
root@debian:~#


thanks for helping me!! any idea?? 

On Sat, 2003-03-01 at 20:13, Tomasz Wrona wrote:
> On 1 Mar 2003, Esteban wrote:
> 
> > and then
> > echo 201 www.out >> /etc/iproute2/rt_tables
> > ip rule add fwmark 2 table www.out
> > ip route add default gw via 1.1.1.1 dev ppp0
> > ip route flush cache
> >
> > and does not work!.
> > if i create a rule like
> > ip rule add to 2.2.2.2 table www.out
> > ip route flush cache
> >
> > that does work!..
> 
> Set [I'm guessing the location, but the key is to turn off rp_filter when
> using policy routing via fwmark]:
> echo "0" > /proc/sys/net/ipv4/conf/ppp0/rp_filter
> 
> Regards
> tw
> -- 
> 
> ----------------
>  ck.eter.tym.pl
> 
> "Never let schooling disturb Your education"
> 
> 

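One way to turn the listings in this message into a repeatable check: the shell functions below are an added example (not code from the thread or from any of the posters) that parse `ip rule ls`, `ip route ls table <t>` and `iptables -t mangle -L -n -v` output and report whether an `ip rule` for the fwmark exists, which table it selects, whether that table actually holds a default route, and whether the MARK rule in mangle OUTPUT is seeing any packets at all. The sample listings are constructed from the output pasted above (the mangle listing condensed to its chain headers and MARK rules); each function takes the listing as an argument, so the same functions can be fed live output, e.g. `rule_table 2 "$(ip rule ls)"`.

```shell
#!/bin/sh
# Added example, not code from the thread: sanity-check a fwmark
# policy-routing setup from the text of `ip rule ls`, `ip route ls table`
# and `iptables -t mangle -L -n -v`. Samples are constructed from the
# listings posted in this message.

SAMPLE_RULES='0:      from all lookup local
32761:  from all fwmark        2 lookup eth1
32762:  from all fwmark        2 lookup eth1
32763:  from all fwmark        d lookup eth1
32764:  from all fwmark       13 lookup eth1
32765:  from all to 198.133.219.25 lookup eth1
32766:  from all lookup main
32767:  from all lookup default'

SAMPLE_TABLE='172.0.0.1 dev eth1  scope link  src 172.0.0.81
default via 172.0.0.1 dev eth1  src 172.0.0.81'

SAMPLE_MANGLE='Chain PREROUTING (policy ACCEPT 11811 packets, 5080K bytes)
Chain INPUT (policy ACCEPT 10043 packets, 4859K bytes)
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Chain OUTPUT (policy ACCEPT 8362 packets, 1812K bytes)
  120  6287 MARK  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:80 MARK set 0x2
  261 12430 MARK  tcp  --  *  *  0.0.0.0/0  0.0.0.0/0  tcp dpt:110 MARK set 0xd
Chain POSTROUTING (policy ACCEPT 8542 packets, 1832K bytes)'

# rule_table MARK RULES: table looked up by the first `ip rule` entry for
# this fwmark, empty if there is none. `ip rule` prints the mark in hex
# (older releases right-aligned and without the 0x prefix, as above, where
# decimal 13 shows as "d"), so the decimal MARK is converted first.
rule_table() {
    mark_hex=$(printf '%x' "$1")
    printf '%s\n' "$2" | awk -v m="$mark_hex" '
        {
            v = ""; tbl = ""
            for (i = 1; i < NF; i++) {
                if ($i == "fwmark") { v = $(i + 1); sub(/^0x/, "", v) }
                if ($i == "lookup") tbl = $(i + 1)
            }
            if (v == m && tbl != "") { print tbl; exit }
        }'
}

# rule_count MARK RULES: number of `ip rule` entries selecting on this
# mark; more than one means the add command was repeated (harmless, but
# it clutters the listing)
rule_count() {
    mark_hex=$(printf '%x' "$1")
    printf '%s\n' "$2" | awk -v m="$mark_hex" '
        { for (i = 1; i < NF; i++)
            if ($i == "fwmark") { v = $(i + 1); sub(/^0x/, "", v); if (v == m) n++ } }
        END { print n + 0 }'
}

# table_default ROUTES: "gateway device" of the table's default route,
# empty when the table has none (a default route added to main instead
# of the mark table leaves the lookup falling through)
table_default() {
    printf '%s\n' "$1" | awk '
        $1 == "default" {
            gw = ""; dev = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "via") gw = $(i + 1)
                if ($i == "dev") dev = $(i + 1)
            }
            print gw " " dev
        }'
}

# mark_packets CHAIN MARKHEX LISTING: packet counter of the MARK rule
# setting MARKHEX (as iptables prints it, e.g. 0x2) in CHAIN, 0 if absent.
# The firewall's own traffic only ever appears in OUTPUT, so a non-zero
# counter there proves locally generated packets are being marked.
mark_packets() {
    printf '%s\n' "$3" | awk -v chain="$1" -v m="$2" '
        $1 == "Chain" { cur = $2; next }
        cur == chain && $3 == "MARK" && $NF == m { n += $1 }
        END { print n + 0 }'
}

# check_setup MARK RULES ROUTES MANGLE: run the checks in order and stop
# at the first missing piece (non-zero return)
check_setup() {
    mark=$1
    tbl=$(rule_table "$mark" "$2")
    [ -n "$tbl" ] || { echo "no ip rule for fwmark $mark"; return 1; }
    [ "$(rule_count "$mark" "$2")" -eq 1 ] || echo "note: duplicate ip rules for fwmark $mark"
    def=$(table_default "$3")
    [ -n "$def" ] || { echo "table $tbl has no default route"; return 1; }
    hits=$(mark_packets OUTPUT "$(printf '0x%x' "$mark")" "$4")
    [ "$hits" -gt 0 ] || { echo "nothing marked in mangle OUTPUT"; return 1; }
    echo "fwmark $mark -> table $tbl -> default via $def, $hits packets marked in OUTPUT"
}

check_setup 2 "$SAMPLE_RULES" "$SAMPLE_TABLE" "$SAMPLE_MANGLE"
```

On the pasted listings the check passes every step (and notes the duplicated `fwmark 2` rules), which is consistent with the poster's own reading that marking works; rp_filter is not covered here because it is a per-interface /proc value rather than a listing, and the `find` one-liner above already shows it.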


* Re: fwmarks
@ 2003-03-02 21:30 eribicic
  0 siblings, 0 replies; 5+ messages in thread
From: eribicic @ 2003-03-02 21:30 UTC (permalink / raw)
  To: lartc, netfilter

Thanks Thomas, your comment really helped.. it still doesn't work :( but I think I know where the problem is.. but I couldn't work it out.

I wanted to do two things:

1) make transparent squid packets (which I assume are generated in the linux box) be routed to the gw I choose. It seems that as I have only one default gw, when squid generates the packets it takes that address as src address and that's why, even with fwmark rules and stuff, it doesn't work..

2) make internal network packets (which are masqueraded through my default gw) -remember even though I have two gateways I only masquerade packets through one of them- use the other interface; that's why I do fwmark on PREROUTING and now (thanks Thomas) it works, but as masquerading is not applied (I don't know why!) packets only go out, but never come back..

any sugestion?
thank you really much!!!!!!
help needed!


all conf and stuff is in: http://www.dejawu.com.ar/net.html


> > and then
> > echo 201 www.out >> /etc/iproute2/rt_tables
> > ip rule add fwmark 2 table www.out
> > ip route add default gw via 1.1.1.1 dev ppp0
> > ip route flush cache
> >
> > and does not work!.
> > if i create a rule like
> > ip rule add to 2.2.2.2 table www.out
> > ip route flush cache
> >
> > that does work!..
> 
> Set [I'm guessing the location, but the key is to turn off rp_filter when
> using policy routing via fwmark]:
> echo "0" > /proc/sys/net/ipv4/conf/ppp0/rp_filter
> 
> Regards
> tw
> -- 
> 
> ----------------
>  ck.eter.tym.pl
> 
> "Never let schooling disturb Your education"
> 
> 
-- 
Slds.
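Putting the thread's answers together, here is an added shell script (not code from the thread or from any of the posters) that sets up the whole arrangement at once: the MARK rule in mangle OUTPUT for the firewall's own squid traffic next to the PREROUTING one for forwarded LAN traffic, the mark-specific routing table with its own default route, rp_filter relaxed on the second uplink, and MASQUERADE on that uplink so replies have a way back. The interface names (eth0, ppp0), the gateway 1.1.1.1, mark 2 and table 201/www.out are taken from the first message and are placeholders; DRY_RUN=1 prints the commands instead of running them so the rule set can be reviewed before it touches a live box.

```shell
#!/bin/sh
# Added example (not from the thread): fwmark policy routing for a second
# uplink. Interface names, gateway, mark and table are assumptions taken
# from the first message; override them via the environment.
set -eu

LAN_IF="${LAN_IF:-eth0}"          # internal network (assumed)
ALT_IF="${ALT_IF:-ppp0}"          # second uplink (assumed)
ALT_GW="${ALT_GW:-1.1.1.1}"       # gateway reachable via ALT_IF (placeholder)
MARK="${MARK:-2}"
TABLE_ID="${TABLE_ID:-201}"
TABLE_NAME="${TABLE_NAME:-www.out}"
DRY_RUN="${DRY_RUN:-}"

# run: execute a command, or only print it when DRY_RUN is set
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ensure_rt_table: register the table name once (idempotent)
ensure_rt_table() {
    if [ -n "$DRY_RUN" ]; then
        printf 'echo "%s %s" >> /etc/iproute2/rt_tables\n' "$TABLE_ID" "$TABLE_NAME"
    elif ! grep -q "^$TABLE_ID[[:space:]]" /etc/iproute2/rt_tables 2>/dev/null; then
        echo "$TABLE_ID $TABLE_NAME" >> /etc/iproute2/rt_tables
    fi
}

mark_rules() {
    # forwarded LAN traffic passes PREROUTING ...
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j MARK --set-mark "$MARK"
    # ... but the firewall's own (squid's) traffic only ever passes OUTPUT
    run iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark "$MARK"
}

policy_routing() {
    ensure_rt_table
    run ip rule add fwmark "$MARK" table "$TABLE_NAME"
    # the default route has to live in the mark table, not in main
    run ip route add default via "$ALT_GW" dev "$ALT_IF" table "$TABLE_NAME"
    run ip route flush cache
}

return_path() {
    # reverse-path filtering on the second uplink, as suggested in the thread
    run sysctl -w "net.ipv4.conf.$ALT_IF.rp_filter=0"
    # rewrite the source of everything leaving the second uplink; without
    # this, packets sent that way carry an address replies cannot reach
    run iptables -t nat -A POSTROUTING -o "$ALT_IF" -j MASQUERADE
}

setup_fwmark_routing() {
    mark_rules
    policy_routing
    return_path
}
```

The MASQUERADE rule addresses both points in the last message: forwarded LAN packets routed out ppp0 get a source address the far side can answer, and squid's own packets, whose source address was chosen by the first (main-table) route lookup and is kept when the kernel re-routes them after the OUTPUT mark, are rewritten to ppp0's address as well.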
