* How to masquerade when using ROUTE
@ 2005-05-07 23:44 Fabian Wolter
2005-05-08 14:55 ` Glaucius Djalma Pereira Junior
2005-05-09 6:14 ` Taylor, Grant
0 siblings, 2 replies; 6+ messages in thread
From: Fabian Wolter @ 2005-05-07 23:44 UTC (permalink / raw)
To: netfilter
Hi,

I want to route all outgoing port-25-traffic produced by the clients
over ppp1. The rest should take the default route over ppp0.

I used the following command:

iptables -A PREROUTING -p tcp --dport 25 -t mangle -i eth0 -j ROUTE --oif ppp1

But the source addresses of the packets are wrong as "tcpdump -ni ppp1"
shows:

01:20:24.422756 IP 192.168.0.4.32825 > 160.45.10.13.25: S
2020082843:2020082843(0) win 5840 <mss 1460,sackOK,timestamp 266850[|tcp]>

192.168.0.4 is the IP address of the client which tried to connect to the
mailserver 160.45.10.13.25.

Masquerading is done to 192.168.0.0/24:

# iptables -t nat -L POSTROUTING
Chain POSTROUTING (policy ACCEPT)
target      prot opt source               destination
MASQUERADE  all  --  192.168.0.0/24       anywhere

My default route is set to ppp0.

So, how can I replace/masquerade the 192.168.0.4 by the official IP
address of ppp1?

Regards,
Fabian
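
Added example (not part of the original post): a check for the symptom in the capture above, packets leaving the WAN interface with a source address that was never NATed. It generalizes from 192.168.0.0/24 to all RFC 1918 ranges; the function names and every sample line except the first packet are constructed for illustration.

```shell
#!/bin/sh
# Flag packets in `tcpdump -n` text output whose IPv4 source address is
# still an RFC 1918 address, i.e. they left the interface without NAT.

# Reads tcpdump lines on stdin; prints "SRC_IP -> DST.PORT" per leaked packet.
find_private_src_leaks() {
    awk '
    # Only packet header lines; wrapped continuation lines are skipped.
    $2 == "IP" && $4 == ">" {
        n = split($3, o, ".")              # a.b.c.d[.port]
        if (n < 4) next
        src = o[1] "." o[2] "." o[3] "." o[4]
        private = (o[1] == 10) ||
                  (o[1] == 172 && o[2] >= 16 && o[2] <= 31) ||
                  (o[1] == 192 && o[2] == 168)
        if (private) {
            dst = $5
            sub(/:$/, "", dst)             # drop the trailing colon
            print src " -> " dst
        }
    }'
}

# Sample input: the first packet is the capture from the post (wrapped
# over two lines as mailed); the remaining lines are constructed.
sample_capture() {
    cat <<'EOF'
01:20:24.422756 IP 192.168.0.4.32825 > 160.45.10.13.25: S
2020082843:2020082843(0) win 5840 <mss 1460,sackOK,timestamp 266850[|tcp]>
01:20:25.100000 IP 203.0.113.7.40001 > 160.45.10.13.25: S 1:1(0) win 5840
01:20:26.200000 IP 172.32.0.9.40002 > 160.45.10.13.25: S 1:1(0) win 5840
01:20:27.300000 IP 172.20.1.5.40003 > 160.45.10.13.25: S 1:1(0) win 5840
EOF
}

# Live use on the gateway (assumption: run as root):
#   tcpdump -ni ppp1 -c 100 tcp port 25 | find_private_src_leaks
sample_capture | find_private_src_leaks
```

Any line printed means a packet went out with its internal address intact, so the MASQUERADE rule did not apply to it.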
* Re: How to masquerade when using ROUTE
From: Glaucius Djalma Pereira Junior @ 2005-05-08 14:55 UTC (permalink / raw)
To: Fabian Wolter, netfilter
Take a look at iproute2 (lartc.org), using iptables and iproute to do it.

1) create an entry in /etc/iproute2/rt_tables

echo "200 fabian" >> /etc/iproute2/rt_tables

2) create the default route in table fabian

ip route add default via x.x.x.x dev ethX table fabian

3) create the rules

iptables -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 3

4) routing the packets

ip rule add from fwmark 3 lookup fabian prio 1

be happy

On 5/7/05, Fabian Wolter <netfilter-ml@fabian-wolter.de> wrote:
> Hi,
>
> I want to route all outgoing port-25-traffic produced by the clients
> over ppp1. The rest should take the default route over ppp0.
>
> I used the following command:
>
> iptables -A PREROUTING -p tcp --dport 25 -t mangle -i eth0 -j ROUTE --oif ppp1
>
> But the source addresses of the packets are wrong as "tcpdump -ni ppp1"
> shows:
>
> 01:20:24.422756 IP 192.168.0.4.32825 > 160.45.10.13.25: S
> 2020082843:2020082843(0) win 5840 <mss 1460,sackOK,timestamp 266850[|tcp]>
>
> 192.168.0.4 is the IP address of the client which tried to connect to the
> mailserver 160.45.10.13.25.
>
> Masquerading is done to 192.168.0.0/24:
>
> # iptables -t nat -L POSTROUTING
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> MASQUERADE all -- 192.168.0.0/24 anywhere
>
> My default route is set to ppp0.
>
> So, how can I replace/masquerade the 192.168.0.4 by the official IP
> address of ppp1?
>
> Regards,
> Fabian
>
>
--
Glaucius Djalma Pereira Junior
glaucius@gmail.com
* Re: How to masquerade when using ROUTE
From: Fabian Wolter @ 2005-05-08 16:22 UTC (permalink / raw)
To: netfilter
Hi,

Glaucius Djalma Pereira Junior wrote:
> 1) create an entry in /etc/iproute2/rt_tables
>
> echo "200 fabian

I named it mail.out.

# echo "200 mail.out" >>/etc/iproute2/rt_tables

> 2) create the route default to route fabian
> ip route add default via x.x.x.x dev ethX table fabian

I think you meant ppp1 instead of ethX?

# ip route add default via 217.5.98.57 dev eth0 table mail.out
RTNETLINK answers: Network is unreachable
# ip route add default via 217.5.98.57 dev ppp1 table mail.out
#

217.5.98.57 is my default gateway on ppp1.

# route
[...]
217.5.98.57 * 255.255.255.255 UH 0 0 0 ppp1
[...]

> ip rule add from fwmark 3 lookup fabian prio 1

I had to remove the string "from". Then I could apply it without any
error messages.

I did the other steps as you said. But tcpdump on ppp1 shows no traffic
and in syslog the following message appears:

May 8 17:55:20 eis kernel: MASQUERADE: Route sent us somewhere else.

Regards,
Fabian
* Re: How to masquerade when using ROUTE
From: Glaucius Djalma Pereira Junior @ 2005-05-08 21:12 UTC (permalink / raw)
To: Fabian Wolter; +Cc: netfilter
On 5/8/05, Fabian Wolter <netfilter-ml@fabian-wolter.de> wrote:
> Hi,
>
> Glaucius Djalma Pereira Junior wrote:
> > 1) create an entry in /etc/iproute2/rt_tables
> >
> > echo "200 fabian
>
> I named it mail.out.
>
> # echo "200 mail.out" >>/etc/iproute2/rt_tables
>
> > 2) create the route default to route fabian
> > ip route add default via x.x.x.x dev ethX table fabian
>
> I think you meant ppp1 instead of ethX?
>
> # ip route add default via 217.5.98.57 dev eth0 table mail.out
> RTNETLINK answers: Network is unreachable
> # ip route add default via 217.5.98.57 dev ppp1 table mail.out
> #
>
> 217.5.98.57 is my default gateway on ppp1.
>
> # route
> [...]
> 217.5.98.57 * 255.255.255.255 UH 0 0 0 ppp1
> [...]
>
> > ip rule add from fwmark 3 lookup fabian prio 1
>
> I had to remove the string "from". Then I could apply it without any
> error messages.
>
> I did the other steps as you said. But tcpdump on ppp1 shows no traffic
> and in syslog the following message appears:

Hmm, but no errors happened when you did it?

Try to test it using the OUTPUT chain, with just packets from your host.

If you need help, I can help you; my MSN is glauciusjunior@hotmail.com

Best regards!

>
> May 8 17:55:20 eis kernel: MASQUERADE: Route sent us somewhere else.
>
> Regards,
> Fabian
>
>
--
Glaucius Djalma Pereira Junior
glaucius@gmail.com
* Re: How to masquerade when using ROUTE
From: Taylor, Grant @ 2005-05-09 6:14 UTC (permalink / raw)
To: netfilter
> I want to route all outgoing port-25-traffic produced by the clients
> over ppp1. The rest should take the default route over ppp0.
>
> I used the following command:
>
> iptables -A PREROUTING -p tcp --dport 25 -t mangle -i eth0 -j ROUTE --oif ppp1

This seems reasonable enough.

> But the source addresses of the packets are wrong as "tcpdump -ni ppp1"
> shows:
>
> 01:20:24.422756 IP 192.168.0.4.32825 > 160.45.10.13.25: S
> 2020082843:2020082843(0) win 5840 <mss 1460,sackOK,timestamp 266850[|tcp]>
>
> 192.168.0.4 is the IP address of the client which tried to connect to the
> mailserver 160.45.10.13.25.
>
> Masquerading is done to 192.168.0.0/24:
>
> # iptables -t nat -L POSTROUTING
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> MASQUERADE all -- 192.168.0.0/24 anywhere
>
> My default route is set to ppp0.
>
> So, how can I replace/masquerade the 192.168.0.4 by the official IP
> address of ppp1?

It looks like there might be a chance that traffic that goes out ppp0 and ppp1 are matching your one POSTROUTING rule. Is there a reason that you are not specifying an interface the traffic is going out to match against? I.e.

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp1 -j MASQUERADE

I'm wondering if there is not some confusion in the kernel / routing code as to which source IP to use when going out ppp1.

Grant. . . .
* Re: How to masquerade when using ROUTE
From: Glaucius Djalma Pereira Junior @ 2005-05-09 12:19 UTC (permalink / raw)
To: Taylor, Grant; +Cc: netfilter
irc channel is better than an IM program
see you there
On 5/9/05, Taylor, Grant <gtaylor@riverviewtech.net> wrote:
> > I want to route all outgoing port-25-traffic produced by the clients
> > over ppp1. The rest should take the default route over ppp0.
> >
> > I used the following command:
> >
> > iptables -A PREROUTING -p tcp --dport 25 -t mangle -i eth0 -j ROUTE --oif ppp1
>
> This seems reasonable enough.
>
> > But the source addresses of the packets are wrong as "tcpdump -ni ppp1"
> > shows:
> >
> > 01:20:24.422756 IP 192.168.0.4.32825 > 160.45.10.13.25: S
> > 2020082843:2020082843(0) win 5840 <mss 1460,sackOK,timestamp 266850[|tcp]>
> >
> > 192.168.0.4 is the IP address of the client which tried to connect to the
> > mailserver 160.45.10.13.25.
> >
> > Masquerading is done to 192.168.0.0/24:
> >
> > # iptables -t nat -L POSTROUTING
> > Chain POSTROUTING (policy ACCEPT)
> > target prot opt source destination
> > MASQUERADE all -- 192.168.0.0/24 anywhere
> >
> > My default route is set to ppp0.
> >
> > So, how can I replace/masquerade the 192.168.0.4 by the official IP
> > address of ppp1?
>
> It looks like there might be a chance that traffic that goes out ppp0 and ppp1 are matching your one POSTROUTING rule. Is there a reason that you are not specifying an interface the traffic is going out to match against? I.e.
>
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
> iptables -t nat -A POSTROUTING -o ppp1 -j MASQUERADE
>
> I'm wondering if there is not some confusion in the kernel / routing code as to which source IP to use when going out ppp1.
>
>
> Grant. . . .
>
>
--
Glaucius Djalma Pereira Junior
glaucius@gmail.com