* Newbie Q: Forcing p2p traffic via one interface on a dual homed system.
@ 2004-11-28 20:38 hArTh0 hArTh0
2004-11-28 21:11 ` George Alexandru Dragoi
2004-11-29 1:33 ` Jason Opperisano
0 siblings, 2 replies; 5+ messages in thread
From: hArTh0 hArTh0 @ 2004-11-28 20:38 UTC (permalink / raw)
To: netfilter
Hi all,
My first post to this group and be warned I am a new linux user ;)
My setup:
-----ISP1---ppp0----Router-----MainPC
-----ISP2---ppp1-------|
Router ip: 192.168.0.1
MainPC ip: 192.168.0.10
ppp0: 165.165.89.171
ppp1: 165.146.132.124
What I want to achieve is that all p2p traffic passes through ppp1
while everything else goes through ppp0.
My approach to date: Use http://www.ipp2p.org to mark all p2p packets
and then attempt to use this mark to get these packets to leave via
ppp1.
The following are various command outputs that will serve to
illustrate my setup:
_____________________
server1:~# iptables-save
# Generated by iptables-save v1.2.11 on Sun Nov 28 22:17:39 2004
*mangle
:PREROUTING ACCEPT [64427:8068188]
:INPUT ACCEPT [46992:3648957]
:FORWARD ACCEPT [17435:4419231]
:OUTPUT ACCEPT [60089:8019620]
:POSTROUTING ACCEPT [77524:12438851]
-A PREROUTING -s 192.168.0.10 -i eth0 -p tcp -m ipp2p --ipp2p -j MARK --set-mark 0x9
-A PREROUTING -s 192.168.0.10 -i eth0 -p tcp -m ipp2p --ipp2p -j RETURN
COMMIT
# Completed on Sun Nov 28 22:17:39 2004
# Generated by iptables-save v1.2.11 on Sun Nov 28 22:17:39 2004
*filter
:INPUT ACCEPT [46992:3648957]
:FORWARD ACCEPT [17404:4417743]
:OUTPUT ACCEPT [60089:8019620]
-A INPUT -d 127.0.0.0/255.0.0.0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 192.168.0.0/255.255.255.0 -i ppp+ -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Sun Nov 28 22:17:39 2004
# Generated by iptables-save v1.2.11 on Sun Nov 28 22:17:39 2004
*nat
:PREROUTING ACCEPT [12719:748368]
:POSTROUTING ACCEPT [17:820]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o ppp+ -p tcp -m mark --mark 0x9 -j SNAT --to-source 165.146.132.124
-A POSTROUTING -o ppp+ -p tcp -m mark --mark 0x9 -j RETURN
-A POSTROUTING -o ppp+ -j MASQUERADE
COMMIT
# Completed on Sun Nov 28 22:17:39 2004
server1:~#
______________________
server1:~# ip route show
165.165.88.1 dev ppp0 scope link src 165.165.89.171
165.146.128.1 dev ppp1 scope link src 165.146.132.124
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
default via 165.165.88.1 dev ppp0
server1:~#
______________________
server1:~# ip route show table T1
165.165.88.1 dev ppp0 scope link src 165.165.89.171
165.146.128.1 dev ppp1 scope link
192.168.0.0/24 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 165.165.88.1 dev ppp0
server1:~#
______________________
server1:~# ip route show table T2
165.165.88.1 dev ppp0 scope link
165.146.128.1 dev ppp1 scope link src 165.146.132.124
192.168.0.0/24 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 165.146.128.1 dev ppp1
server1:~#
______________________
server1:~# ip route show table uncapped-packets
default via 165.146.128.1 dev ppp1
server1:~#
______________________
server1:~# ip rule list
0: from all lookup local
32763: from all fwmark 0x9 lookup uncapped-packets
32764: from 165.146.132.124 lookup T2
32765: from 165.165.89.171 lookup T1
32766: from all lookup main
32767: from all lookup default
server1:~#
______________________
server1:~# iptables -nvxL -t mangle
Chain PREROUTING (policy ACCEPT 66921 packets, 8298186 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      26       3484 MARK       tcp  --  eth0   *       192.168.0.10         0.0.0.0/0           ipp2p v0.6 --ipp2p MARK set 0x9
      26       3484 RETURN     tcp  --  eth0   *       192.168.0.10         0.0.0.0/0           ipp2p v0.6 --ipp2p

Chain INPUT (policy ACCEPT 48501 packets, 3776823 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 18420 packets, 4521363 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 62452 packets, 8269734 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 80872 packets, 12791097 bytes)
    pkts      bytes target     prot opt in     out     source               destination
______________________
server1:~# iptables -nvxL -t nat
Chain PREROUTING (policy ACCEPT 12790 packets, 752139 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 17 packets, 820 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 SNAT       tcp  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           MARK match 0x9 to:165.146.132.124
       0          0 RETURN     tcp  --  *      ppp+    0.0.0.0/0            0.0.0.0/0           MARK match 0x9
      15        742 MASQUERADE all  --  *      ppp+    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
______________________
Wow ... lots of text :)
As you can see, the p2p marking rule in PREROUTING in the mangle table
is getting a healthy 26 hits. However, the corresponding SNAT rule in
POSTROUTING in the nat table isn't getting any hits at all.
Basically I'm trying to use the SNAT option to force the origin of the
p2p packets that leave ppp1 to 165.146.132.124 (so that replies to
these packets will return via ppp1).
However, this isn't happening. When I do a tcpdump on **ppp1**, while
running a typical p2p app on 192.168.0.10, I see stuff like:
_________________________________
tcpdump: listening on ppp1
22:26:34.153756 165.165.89.171.4056 > 165.165.91.116.10928: P 537928851:537928945(94) ack 11937669 win 17280 (DF)
22:26:37.344977 165.165.89.171.4058 > 165.165.40.174.telnet: P 1747084171:1747084265(94) ack 1890859306 win 17424 (DF)
22:26:38.301762 165.165.89.171.4059 > 165.146.193.231.1412: P 943672931:943673025(94) ack 3291345941 win 17424 (DF)
22:26:40.273324 165.165.89.171.4058 > 165.165.40.174.telnet: P 0:94(94) ack 1 win 17424 (DF)
22:26:40.762411 165.165.89.171.4061 > 165.165.89.216.7881: P 2894668549:2894668643(94) ack 1789638145 win 17280 (DF)
22:26:41.066069 165.165.89.171.4060 > 165.165.81.109.35: P 3752551725:3752551819(94) ack 3830356900 win 17280 (DF)
22:26:41.081728 165.165.89.171.4062 > 165.165.48.176.35791: P 2763489211:2763489305(94) ack 3560648028 win 17280 (DF)
22:26:41.276546 165.165.89.171.4059 > 165.146.193.231.1412: P 0:94(94) ack 1 win 17424 (DF)
_______________________________
It seems to me that the packets leaving ppp1 are still showing the
165.165.89.171 origin address of ppp0 rather than the origin address
of ppp1 (i.e. 165.146.132.124).
To test that the initial marking is working, I have disabled:
-A PREROUTING -s 192.168.0.10 -i eth0 -p tcp -m ipp2p --ipp2p -j MARK
--set-mark 0x9
-A PREROUTING -s 192.168.0.10 -i eth0 -p tcp -m ipp2p --ipp2p -j RETURN
In which case I see no traffic on ppp1 at all.
So it seems as if the initial marking and diversion of packets to ppp1 works.
It's just that trying to force the origin of the packets leaving ppp1
to ppp1's IP via SNAT isn't working.
Advice please???
Thanks,
H
* Re: Newbie Q: Forcing p2p traffic via one interface on a dual homed system.
From: George Alexandru Dragoi @ 2004-11-28 21:11 UTC (permalink / raw)
To: hArTh0 hArTh0; +Cc: netfilter
The nat mechanism works for initiated connections. The p2p packets are
detected later in connections, so they won't even hit nat POSTROUTING.
Also, to match the entire traffic, you need connmark.
--
Bla bla
* Re: Newbie Q: Forcing p2p traffic via one interface on a dual homed system.
From: Jason Opperisano @ 2004-11-29 1:33 UTC (permalink / raw)
To: netfilter
On Sun, 2004-11-28 at 15:38, hArTh0 hArTh0 wrote:
> Hi all,
>
> My first post to this group and be warned I am a new linux user ;)
>
> My setup:
>
> -----ISP1---ppp0----Router-----MainPC
> -----ISP2---ppp1-------|
>
> Router ip: 192.168.0.1
> MainPC ip: 192.168.0.10
> ppp0: 165.165.89.171
> ppp1: 165.146.132.124
>
> What I want to achieve is that all p2p traffic passes through ppp1
> while everthing else goes through ppp0.
>
> My approach to date: Use http://www.ipp2p.org to mark all p2p packets
> and then attempt to use this mark to get these packets to leave via
> ppp1.
your question sounds just like:
http://marc.theaimsgroup.com/?l=netfilter&m=109853391328421&w=2
answer is still the same:
http://marc.theaimsgroup.com/?l=netfilter&m=109866874632386&w=2
-j
--
"Me lose brain? Uh, oh! Ha ha ha! Why I laugh?"
--The Simpsons
* Fwd: Newbie Q: Forcing p2p traffic via one interface on a dual homed system.
From: hArTh0 hArTh0 @ 2004-11-29 9:15 UTC (permalink / raw)
To: netfilter
---------- Forwarded message ----------
From: hArTh0 hArTh0 <harth0@gmail.com>
Date: Mon, 29 Nov 2004 11:05:32 +0200
Subject: Re: Newbie Q: Forcing p2p traffic via one interface on a dual
homed system.
To: Jason Opperisano <opie@817west.com>
Hmmm I see what you mean.
I guess the ipp2p module is normally used to prioritise traffic rather
than re-route it.
Could someone suggest an appropriate general strategy that I could
use to solve my original problem, i.e. selectively force p2p traffic to
traverse ppp1?
Regards,
H
* Re: Fwd: Newbie Q: Forcing p2p traffic via one interface on a dual homed system.
From: Jason Opperisano @ 2004-11-29 14:31 UTC (permalink / raw)
To: netfilter
On Mon, 2004-11-29 at 04:15, hArTh0 hArTh0 wrote:
> Hmmm I see what you mean.
>
> I guess the ipp2p module is normally used to prioritise traffic rather
> than re-route it.
>
> Could someone suggest an appropriate general strategy that I could
> use to solve my original problem, i.e. selectively force p2p traffic to
> traverse ppp1?
how about forcing all easily identifiable traffic over ppp0 and send
everything else (which should be p2p) over ppp1?
-j
--
"I've always wondered if there was a god. And now I know there is --
and it's me."
--The Simpsons
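The following is an added example, not code from anyone in the thread. It is a small Python model of the forwarding path the original post configures (mangle PREROUTING marking, policy routing on the fwmark, nat POSTROUTING), written to show two things at once: why the SNAT rule in the first message counts zero hits while ppp1 carries packets with ppp0's address, and why the strategy in the last reply (decide on the first packet, send known traffic via ppp0 and the rest via ppp1) does not have that problem. The addresses, interface names and mark value 0x9 are taken from the thread; the packet flows, the list of "known" destination ports and the timing of the ipp2p signature are constructed assumptions, and the model is a simplification of netfilter, not its code.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Addresses and the fwmark from the thread.
PPP0_IP = "165.165.89.171"    # ISP1, default route
PPP1_IP = "165.146.132.124"   # ISP2, where p2p should leave
P2P_MARK = 0x9

# Constructed set of "easily identifiable" destination ports for the strategy
# in the last reply (assumption: the thread names no concrete ports).
KNOWN_PORTS = {22, 25, 53, 80, 110, 143, 443}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    p2p_signature: bool          # would ipp2p's payload match fire on this packet?
    mark: int = 0


@dataclass
class Conn:
    nat_src: Optional[str] = None   # source chosen by the nat table on the first packet
    connmark: int = 0               # what CONNMARK --save-mark would have stored


Policy = Callable[[Packet, Conn, bool], int]


class Router:
    """Toy model of the forwarding path for a LAN->Internet packet:
    mangle PREROUTING -> policy routing on fwmark -> nat POSTROUTING."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.conntrack = {}
        self.snat_hits = 0          # counter of the '-m mark --mark 0x9 -j SNAT' rule
        self.masq_hits = 0          # counter of the '-j MASQUERADE' rule

    def forward(self, pkt: Packet) -> Tuple[str, str]:
        key = (pkt.src, pkt.dst, pkt.dport)
        is_new = key not in self.conntrack
        conn = self.conntrack.setdefault(key, Conn())

        # mangle PREROUTING is evaluated for every packet
        pkt.mark = self.policy(pkt, conn, is_new)

        # 'ip rule ... fwmark 0x9 lookup uncapped-packets' -> default via ppp1
        out_if = "ppp1" if pkt.mark == P2P_MARK else "ppp0"

        # nat POSTROUTING is consulted only for the first packet of a connection;
        # the mapping it picks is stored in conntrack and reused for the whole flow
        if is_new:
            if pkt.mark == P2P_MARK:
                conn.nat_src = PPP1_IP              # SNAT --to-source 165.146.132.124
                self.snat_hits += 1
            else:
                # MASQUERADE uses the address of the interface the packet leaves on
                conn.nat_src = {"ppp0": PPP0_IP, "ppp1": PPP1_IP}[out_if]
                self.masq_hits += 1
        return out_if, conn.nat_src


def ipp2p_only(pkt: Packet, conn: Conn, is_new: bool) -> int:
    """The thread's rule set: mark each packet ipp2p recognises, nothing else."""
    return P2P_MARK if pkt.p2p_signature else 0


def ipp2p_with_connmark(pkt: Packet, conn: Conn, is_new: bool) -> int:
    """Same detection, plus CONNMARK save/restore so later packets keep the mark."""
    if pkt.p2p_signature:
        conn.connmark = P2P_MARK
    return conn.connmark


def known_traffic_via_ppp0(pkt: Packet, conn: Conn, is_new: bool) -> int:
    """Strategy from the last reply: classify on the first packet from what is already
    visible (destination port), send the rest via ppp1, and keep the choice in connmark."""
    if is_new:
        conn.connmark = 0 if pkt.dport in KNOWN_PORTS else P2P_MARK
    return conn.connmark


def p2p_flow() -> List[Packet]:
    """Constructed p2p session: the SYN has no payload, the ipp2p signature fires on
    the second packet only, and later data packets look ordinary again."""
    dst = "165.165.91.116"
    return [Packet("192.168.0.10", dst, 6881, False),
            Packet("192.168.0.10", dst, 6881, True),
            Packet("192.168.0.10", dst, 6881, False)]


def web_flow() -> List[Packet]:
    """Constructed HTTP session to port 80 (documentation address as destination)."""
    return [Packet("192.168.0.10", "203.0.113.5", 80, False) for _ in range(3)]


def run(policy: Policy, packets: List[Packet]) -> Tuple[List[Tuple[str, str]], int]:
    """Return (per-packet (egress interface, source address), SNAT rule hit count)."""
    router = Router(policy)
    return [router.forward(p) for p in packets], router.snat_hits


if __name__ == "__main__":
    for name, policy in [("ipp2p only", ipp2p_only),
                         ("ipp2p + connmark", ipp2p_with_connmark),
                         ("known traffic via ppp0", known_traffic_via_ppp0)]:
        path, hits = run(policy, p2p_flow())
        print(f"{name:24s} SNAT hits={hits} path={path}")
```

With the thread's rule set the first packet carries no mark, so it is routed via ppp0 and MASQUERADE fixes the source to ppp0's address for the whole connection; the later packet that ipp2p recognises is routed via ppp1 but still leaves with 165.165.89.171, which is exactly what the tcpdump on ppp1 shows, and an upstream that filters on source address would drop it. Adding connmark keeps the mark on the rest of the flow but cannot change a NAT mapping that was already made. Classifying on the first packet, as the last reply suggests, makes the routing and NAT decisions agree, so the SNAT rule fires and the source matches the egress interface.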