Linux Netfilter discussions
From: Thomas Jacob <jacob@internet24.de>
To: Lloyd Standish <lloyd@crnatural.net>
Cc: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: still can't route using fwmark
Date: Sat, 18 Apr 2009 10:23:15 +0200
Message-ID: <20090418082314.GA12566@internet24.de>
In-Reply-To: <op.uskfabufx1lyi3@localhost>

On Fri, Apr 17, 2009 at 10:40:49PM -0600, Lloyd Standish wrote:
> Hello,
> 
> I am still having trouble doing load balancing over ppp0 and ppp1 for a Debian Etch PC (kernel 2.6.20.3, iptables 1.3.8).  I used patch-o-matic to update my kernel sources and recompiled the kernel, and compiled and installed iptables 1.3.8.  Also all the netfilter-related kernel configuration options I need are set, I believe.

Why the strange versions? They are neither the ones that come with Etch nor
anything current. Anyway, Etch's stock kernel and iptables (2.6.18/v1.3.6 based)
are fine for what you want to do.

You need the iptables (conn)marking stuff, and advanced router + policy/fw routing,
and that's all part of stock packages.

/boot/config-2.6.18-6-686

CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_ASK_IP_FIB_HASH=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_MULTIPATH=y
# CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
CONFIG_IP_ROUTE_VERBOSE=y

dpkg -L iptables | grep -i mark
 /lib/iptables/libipt_connmark.so
 /lib/iptables/libipt_mark.so
 /lib/iptables/libipt_CONNMARK.so
 /lib/iptables/libipt_MARK.so
 /lib/iptables/libipt_SECMARK.so
 /lib/iptables/libipt_CONNSECMARK.so
 /lib/iptables/libip6t_connmark.so
 /lib/iptables/libip6t_mark.so
 /lib/iptables/libip6t_CONNMARK.so
 /lib/iptables/libip6t_MARK.so
 /lib/iptables/libip6t_SECMARK.so
 /lib/iptables/libip6t_CONNSECMARK.so

Here's what I used some time ago to do something similar (either with Etch
or maybe even Sarge), sending outgoing packets back to the router the
corresponding incoming packets of a connection came from, for a single machine.


#!/bin/sh

iptables=iptables

# Tag each connection with the router it arrived through, keyed on the
# source MAC of the incoming packet (mark 1 = first router, 2 = second).
$iptables -t mangle -A INPUT -m mac --mac-source <ROUTERMAC1> -j CONNMARK --set-mark 1
$iptables -t mangle -A INPUT -m mac --mac-source <ROUTERMAC2> -j CONNMARK --set-mark 2

# Locally generated packets that leave the local network go through TONET ...
$iptables -t mangle -N TONET
$iptables -t mangle -F TONET
$iptables -t mangle -A OUTPUT -o <DEVICE> ! -d <LOCAL_NET> -j TONET

# ... where the connection mark is copied back onto the packet, so that an
# ip rule matching on fwmark can send it back via the router it came from.
$iptables -t mangle -A TONET -m connmark ! --mark 0 -j CONNMARK --restore-mark


The route/rule stuff was more or less what you've got. If you want to
forward packets for other hosts, this needs to go into PREROUTING of
course.

    Thomas
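The full picture for the original poster's two-uplink case, as an added example that is not from the mail above: connections are marked by the ppp interface they arrive on instead of by router MAC, the mark is restored in both OUTPUT and PREROUTING (so forwarded hosts are covered), and the ip rule/route part the mail only alludes to is spelled out. Interface names ppp0/ppp1, table numbers 101/102, the gateway addresses and the local network are assumed placeholders; the script prints the commands unless run with APPLY=1.

```shell
#!/bin/sh
# Added example (not from the original mail): connmark-based policy routing
# for a host with two PPP uplinks. Gateways, tables and LOCAL_NET are
# assumed placeholders. Commands are printed unless APPLY=1 is set.

IPT=${IPT:-iptables}
IP=${IP:-ip}
LOCAL_NET=${LOCAL_NET:-192.168.1.0/24}      # assumed: LAN, must not be marked
GW1=${GW1:-10.0.1.1}; GW2=${GW2:-10.0.2.1}  # assumed: peer addresses of ppp0/ppp1

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# 1. Remember which uplink a connection arrived on (mark 1 = ppp0, 2 = ppp1).
#    INPUT covers connections to this host, PREROUTING forwarded ones; only
#    unmarked connections are touched so an existing mark is never changed.
mark_incoming() {
  for chain in INPUT PREROUTING; do
    run $IPT -t mangle -A $chain -i ppp0 -m connmark --mark 0 -j CONNMARK --set-mark 1
    run $IPT -t mangle -A $chain -i ppp1 -m connmark --mark 0 -j CONNMARK --set-mark 2
  done
}

# 2. Copy the connection mark back onto packets that leave towards the
#    Internet (locally generated or forwarded) so routing can see it.
#    Traffic to LOCAL_NET is skipped, otherwise replies to the LAN would be
#    routed out through the uplink's default route.
restore_outgoing() {
  run $IPT -t mangle -N TONET
  run $IPT -t mangle -F TONET
  run $IPT -t mangle -A OUTPUT ! -d "$LOCAL_NET" -j TONET
  run $IPT -t mangle -A PREROUTING ! -d "$LOCAL_NET" -j TONET
  run $IPT -t mangle -A TONET -m connmark ! --mark 0 -j CONNMARK --restore-mark
}

# 3. Route by fwmark: one table per uplink, selected by a rule on the mark.
#    Unmarked packets fall through to the main table (and its multipath route).
policy_routes() {
  run $IP route replace default via "$GW1" dev ppp0 table 101
  run $IP route replace default via "$GW2" dev ppp1 table 102
  run $IP rule add fwmark 1 table 101
  run $IP rule add fwmark 2 table 102
  run $IP route flush cache
}

apply_all() { mark_incoming; restore_outgoing; policy_routes; }

apply_all
```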

