* conntrack ctstate - multiple ISP links

From: Paulo Andre
Date: 2007-10-04 8:29 UTC
To: netfilter

How would I go about getting ctstate installed on my system, currently
running iptables 1.3.8. Apparently I need this to get multiple ISP links
working correctly on a FW. Packets entering interface eth2/eth3 all
still leaving eth1, default GW.

I have been really struggling with this.

Paulo
* Re: conntrack ctstate - multiple ISP links

From: Pascal Hambourg
Date: 2007-10-04 10:33 UTC
To: netfilter

Hello,

Paulo Andre wrote:
> How would I go about getting ctstate installed on my system, currently
> running iptables 1.3.8.

All you need is a kernel with the 'conntrack' match enabled
(CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y|m on recent kernels or
CONFIG_IP_NF_MATCH_CONNTRACK on older ones). Support for the 'conntrack'
match has been included in the kernel since version 2.4.20 and in
iptables since version 1.2.7a.

> Apparently I need this to get multiple isp links
> working correctly on a FW. Packets entering interface eth2/eth3 all
> still leaving eth1, default GW.

Can you elaborate?
* Re: conntrack ctstate - multiple ISP links

From: Pascal Hambourg
Date: 2007-10-04 13:58 UTC
To: netfilter

[Please send your reply on the list so everyone can see it]

Paulo Andre wrote:
>>
>>> Apparently I need this to get multiple isp links working correctly on
>>> a FW. Packets entering interface eth2/eth3 all still leaving eth1,
>>> default GW.
>>
>> Can you elaborate?
>
> The incoming packets are not leaving out of the correct interfaces,
> someone else has suggested that I need to use iptables as below:
>
> iptables -t mangle -N alreadyestablished
> iptables -t mangle -A alreadyestablished -j CONNMARK --restore-mark
>
> iptables -t mangle -A PREROUTING -m connmark ! --mark 0 -j
> alreadyestablished
> iptables -t mangle -A PREROUTING -m ctstate --conntrack NEW -i eth1 -j
> CONNMARK --set-mark 11
> iptables -t mangle -A PREROUTING -m ctstate --conntrack NEW -i eth2 -j
> CONNMARK --set-mark 12
>
> and then iproute2 to route based on the 'mark'.
> Would this be the correct solution?

The principle is correct.

> I am trying to get ctstate working so that I can test this

The syntax is wrong. The correct syntax is "-m conntrack --ctstate NEW".
Besides, this just does the same as "-m state --state NEW".
* Re: conntrack ctstate - multiple ISP links

From: Paulo Andre
Date: 2007-10-04 14:53 UTC
To: Pascal Hambourg
Cc: netfilter

Pascal Hambourg wrote:
> [Please send your reply on the list so everyone can see it]
>
>> The incoming packets are not leaving out of the correct interfaces,
>> someone else has suggested that I need to use iptables as below:
>>
>> iptables -t mangle -N alreadyestablished
>> iptables -t mangle -A alreadyestablished -j CONNMARK --restore-mark
>>
>> iptables -t mangle -A PREROUTING -m connmark ! --mark 0 -j
>> alreadyestablished
>> iptables -t mangle -A PREROUTING -m ctstate --conntrack NEW -i eth1
>> -j CONNMARK --set-mark 11
>> iptables -t mangle -A PREROUTING -m ctstate --conntrack NEW -i eth2
>> -j CONNMARK --set-mark 12
>>
>> and then iproute2 to route based on the 'mark'.
>> Would this be the correct solution?
>
> The principle is correct.
>
>> I am trying to get ctstate working so that I can test this
>
> The syntax is wrong. The correct syntax is "-m conntrack --ctstate NEW".
> Besides, this just does the same as "-m state --state NEW".
>

Would I have to do a CONNMARK --save-mark on the POSTROUTING for this
to work?

I have also followed this:
http://andthatsjazz.org:8/lartc/MultihomedLinuxNetworking.html

When I don't use the above rules the connection is made but the packets
leave the wrong interface, with the above rules the connection is not
made at all.

Paulo
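The CONNMARK-plus-iproute2 setup discussed in this thread, written out with the corrected "-m conntrack --ctstate NEW" syntax, as an added example that is not from any of the posters. It assumes eth1 is the default uplink and eth2 the second ISP with gateway GW2 (placeholder address); with the default DRY_RUN=1 it only prints the commands so the ruleset can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the thread): CONNMARK-based policy routing for two
# ISP uplinks. Replies of a connection that arrived on eth2 are marked and
# routed back out eth2 instead of following the main table's default via eth1.
# Assumptions (placeholders): eth1 = default uplink, eth2 = second ISP,
# GW2 = its gateway. DRY_RUN=1 (default) prints commands; DRY_RUN=0 runs them.
set -eu
DRY_RUN="${DRY_RUN:-1}"
GW2="${GW2:-198.51.100.1}"   # placeholder gateway from the RFC 5737 doc range

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Connection mark (also used as the routing table number) for each uplink.
mark_for_iface() {
    case "$1" in
        eth1) echo 11 ;;
        eth2) echo 12 ;;
        *) echo "unknown uplink: $1" >&2; return 1 ;;
    esac
}

apply_rules() {
    # Packets of an already-marked connection get the ctmark copied back onto
    # the packet (nfmark) so the ip rule below can pick the routing table.
    run iptables -t mangle -N alreadyestablished
    run iptables -t mangle -A alreadyestablished -j CONNMARK --restore-mark
    run iptables -t mangle -A PREROUTING -m connmark ! --mark 0 -j alreadyestablished
    # First packet of each connection: remember the ingress uplink in the ctmark.
    # This is the corrected syntax; "-m ctstate --conntrack NEW" does not exist.
    for dev in eth1 eth2; do
        m=$(mark_for_iface "$dev")
        run iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -i "$dev" \
            -j CONNMARK --set-mark "$m"
    done
    # iproute2 side: packets marked for ISP2 use table 12, whose only default
    # route points at the ISP2 gateway on eth2. eth1 traffic keeps the main table.
    m=$(mark_for_iface eth2)
    run ip route add default via "$GW2" dev eth2 table "$m"
    run ip rule add fwmark "$m" table "$m"
    run ip route flush cache
}

apply_rules
```

Run with DRY_RUN=0 and GW2 set to the real ISP2 gateway to apply; the eth1 side needs no extra table because the main table's default route already points there.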