conntrack ctstate - multiple ISP links

conntrack ctstate - multiple ISP links

[Paulo Andre]

How would I go about getting ctstate installed on my system, currently 
running iptables 1.3.8. Apparently I need this to get multiple isp links 
working correctly on a FW. Packets entering interface eth2/eth3 all 
still leaving eth1, default GW.
I have been really struggling with this.

Paulo

Re: conntrack ctstate - multiple ISP links

[Pascal Hambourg]

Hello,

Paulo Andre a écrit :
> How would I go about getting ctstate installed on my system, currently 
> running iptables 1.3.8.

All you need is a kernel with the 'conntrack' match enabled 
(CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y|m on recent kernels or 
CONFIG_IP_NF_MATCH_CONNTRACK on older ones). Support for the 'conntrack' 
match has been included in the kernel since version 2.4.20 and in 
iptables since version 1.2.7a.

> Apparently I need this to get multiple isp links 
> working correctly on a FW. Packets entering interface eth2/eth3 all 
> still leaving eth1, default GW.

Can you elaborate ?

Re: conntrack ctstate - multiple ISP links

[Pascal Hambourg]

[Please send your reply on the list so everyone can see it]

Paulo Andre a écrit :
>>
>>> Apparently I need this to get multiple isp links working correctly on 
>>> a FW. Packets entering interface eth2/eth3 all still leaving eth1, 
>>> default GW.
>>
>> Can you elaborate ?
> 
> The incoming packets are not leaving out of the correct interfaces, 
> someone else has suggested that I need to use iptables as below:
> 
> iptables -t mangle -N alreadyestablished
> iptables -t mangle -A alreadyestablished -j CONNMARK --restore-mark
> 
> iptables -t mangle -A PREROUTING -m connmark ! --mark 0 -j 
> alreadyestablished
> iptables -t mangle -A PREROUTING -m ctstate --conntrack NEW -i eth1 -j 
> CONNMARK --set-mark 11
> iptables -t mangle -A PREROUTING -m ctstate --conntrack NEW -i eth2 -j 
> CONNMARK --set-mark 12
> 
> and then iproute2 to route based on the 'mark'.
> Would this be the correct solution?

The principle is correct.

> I am trying to get ctstate working so that I can test this

The syntax is wrong. The correct syntax is "-m conntrack --ctstate NEW".
Besides, this just does the same as "-m state --state NEW".

Re: conntrack ctstate - multiple ISP links

[Paulo Andre]

Pascal Hambourg wrote:
> [Please send your reply on the list so everyone can see it]
>
>> The incoming packets are not leaving out of the correct interfaces, 
>> someone else has suggested that I need to use iptables as below:
>>
>> iptables -t mangle -N alreadyestablished
>> iptables -t mangle -A alreadyestablished -j CONNMARK --restore-mark
>>
>> iptables -t mangle -A PREROUTING -m connmark ! --mark 0 -j 
>> alreadyestablished
>> iptables -t mangle -A PREROUTING -m ctstate --conntrack NEW -i eth1 
>> -j CONNMARK --set-mark 11
>> iptables -t mangle -A PREROUTING -m ctstate --conntrack NEW -i eth2 
>> -j CONNMARK --set-mark 12
>>
>> and then iproute2 to route based on the 'mark'.
>> Would this be the correct solution?
>
> The principle is correct.
>
>> I am trying to get ctstate working so that I can test this
>
> The syntax is wrong. The correct syntax is "-m conntrack --ctstate NEW".
> Besides, this just does the same as "-m state --state NEW".
> -
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Would I have to do a CONNMARK --save-mark on the POSTROUTING for this to 
work?
I have also followed this: 
http://andthatsjazz.org:8/lartc/MultihomedLinuxNetworking.html
When I dont use the above rules the connection is made but the packets 
leave the wrong interface, with the above rules the connection is not 
made at all.

Paulo