From: "Gáspár Lajos" <swifty@freemail.hu>
To: John Meissen <john@meissen.org>
Cc: netfilter@vger.kernel.org
Subject: Re: Changing default route causes packet drop
Date: Mon, 05 Jul 2010 12:06:11 +0200
Message-ID: <4C31AE93.70309@freemail.hu>
In-Reply-To: <20100705090326.BF7B134502@john>

Hi John,

1. Set up multiple routing tables.

a.) I have the following in my /etc/iproute2/rt_tables: [cat /etc/iproute2/rt_tables]

#
# reserved values
#
255    local
254    main
253    default
0    unspec
#
# local
#
#1    inr.ruhep
201    PPP2
200    PPP1


b.) I have a route setup script: [cat /etc/network/routes]

#!/bin/bash

WAN1_IF='ppp1'
WAN1_TB='PPP1'
WAN1_MARK='1'
# local address ($2) and peer address ($4) of the point-to-point link, prefix length stripped
WAN1_IP=$(ip addr show dev $WAN1_IF | grep 'inet ' | awk '{print $2}' | awk 'BEGIN{FS="/"}{print $1}')
WAN1_GW=$(ip addr show dev $WAN1_IF | grep 'inet ' | awk '{print $4}' | awk 'BEGIN{FS="/"}{print $1}')

WAN2_IF='ppp2'
WAN2_TB='PPP2'
WAN2_MARK='2'
WAN2_IP=$(ip addr show dev $WAN2_IF | grep 'inet ' | awk '{print $2}' | awk 'BEGIN{FS="/"}{print $1}')
WAN2_GW=$(ip addr show dev $WAN2_IF | grep 'inet ' | awk '{print $4}' | awk 'BEGIN{FS="/"}{print $1}')

# start both per-WAN tables from scratch
ip route flush table $WAN1_TB
ip route flush table $WAN2_TB

# each table's default route leaves through its own link, with that link's source address
test ! "$WAN1_IP" == "" && ip route add table $WAN1_TB dev $WAN1_IF default via $WAN1_GW src $WAN1_IP
test ! "$WAN2_IP" == "" && ip route add table $WAN2_TB dev $WAN2_IF default via $WAN2_GW src $WAN2_IP

# remove the rules left over from the previous run (selected by priority)
for prio in $(ip rule show | grep $WAN1_TB | awk 'BEGIN{FS=":"}{print $1}'); do
  ip rule del prio $prio
done
for prio in $(ip rule show | grep $WAN2_TB | awk 'BEGIN{FS=":"}{print $1}'); do
  ip rule del prio $prio
done

# packets marked by iptables are looked up in the matching table
test ! "$WAN1_IP" == "" && ip rule add fwmark $WAN1_MARK table $WAN1_TB
test ! "$WAN2_IP" == "" && ip rule add fwmark $WAN2_MARK table $WAN2_TB

# packets sourced from a WAN address (e.g. replies from local services) leave through that WAN
test ! "$WAN1_IP" == "" && ip rule add from $WAN1_IP table $WAN1_TB
test ! "$WAN2_IP" == "" && ip rule add from $WAN2_IP table $WAN2_TB

# reverse-path filtering would drop the asymmetric traffic on the WAN links
test -e /proc/sys/net/ipv4/conf/$WAN1_IF/rp_filter && echo '0' >/proc/sys/net/ipv4/conf/$WAN1_IF/rp_filter
test -e /proc/sys/net/ipv4/conf/$WAN2_IF/rp_filter && echo '0' >/proc/sys/net/ipv4/conf/$WAN2_IF/rp_filter

# main table: everything that matches no rule goes out WAN1
ip route del default
ip route add default dev $WAN1_IF scope link

ip route flush cache

exit 0

c.) Call this script whenever a WAN interface is coming up.

In my /etc/interfaces:

auto adsl1
iface adsl1 inet ppp
    provider PPP1
    up /bin/sleep 10
    up /etc/network/routes

auto adsl2
iface adsl2 inet ppp
    provider PPP2
    up /bin/sleep 10
    up /etc/network/routes

2. Do the Netfilter/Iptables part:

Mark the outgoing packets in the mangle table's POSTROUTING chain with WAN1_MARK or WAN2_MARK:
iptables -t mangle -A POSTROUTING -j MARK --set-mark 1 .... (your matching criteria for WAN1....)
iptables -t mangle -A POSTROUTING -j MARK --set-mark 2 .... (your matching criteria for WAN2....)


Hope I could help:

  Swifty
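The steps above (per-WAN routing table, a fwmark rule and a source-address rule per uplink, rp_filter off, a mark set by iptables) as one added example; this is not Swifty's script nor anything from the netfilter project. It assumes the table names PPP1 and WAN2 exist in /etc/iproute2/rt_tables, and the interface names, marks and 203.0.113.x / 198.51.100.x addresses are constructed. It generalises the message's PPP-only case to an Ethernet uplink (John's eth0/eth2 situation) by letting the caller pass the gateway when the link has no peer address. By default (DRY_RUN=1) it prints the ip(8), sysctl(8) and iptables(8) commands instead of running them, so the generated configuration can be reviewed before it touches the routing tables.

```shell
#!/bin/sh
# Added example (not the original poster's script): build the policy-routing
# setup for two uplinks. DRY_RUN=1 (default) prints the commands, DRY_RUN=0
# executes them (needs root). All addresses and names below are constructed.

DRY_RUN="${DRY_RUN:-1}"

# Print a command line, or execute it when DRY_RUN=0.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Parse the text of `ip addr show dev IF` (passed as $1) and print "LOCAL GATEWAY".
# On a point-to-point link the peer is the gateway:
#   inet 203.0.113.10 peer 203.0.113.1/32 scope global ppp1
# On an Ethernet link there is no peer, so the caller supplies the gateway as $2:
#   inet 198.51.100.7/24 brd 198.51.100.255 scope global eth2
# Prints nothing when there is no IPv4 address or no gateway is known.
wan_addrs() {
    printf '%s\n' "$1" | awk -v gw="$2" '
        $1 == "inet" {
            split($2, a, "/")
            if ($3 == "peer") { split($4, p, "/"); gw = p[1] }
            if (gw != "") print a[1], gw
            exit
        }'
}

# Emit the table, rules, rp_filter setting and mark rule for one uplink.
# Usage: wan_setup IF TABLE MARK LOCAL GATEWAY
wan_setup() {
    dev="$1"; tbl="$2"; mark="$3"; src="$4"; gw="$5"
    run ip route flush table "$tbl"
    # Default route of this table: out this link, with this link's own address.
    run ip route replace default via "$gw" dev "$dev" src "$src" table "$tbl"
    # Drop rules left by a previous run (ignore "no such rule"), then re-add them.
    run ip rule del fwmark "$mark" table "$tbl" 2>/dev/null || true
    run ip rule del from "$src" table "$tbl" 2>/dev/null || true
    run ip rule add fwmark "$mark" table "$tbl"
    # Replies from a local service bound to this address leave the way they came in,
    # even when the main table's default route points at the other uplink.
    run ip rule add from "$src" table "$tbl"
    # Strict reverse-path filtering would otherwise drop the asymmetric traffic.
    run sysctl -w "net.ipv4.conf.$dev.rp_filter=0"
    # Tag connections that arrive on this uplink; the tag is restored onto every
    # later packet in PREROUTING/OUTPUT, i.e. before the routing decision.
    run iptables -t mangle -A PREROUTING -i "$dev" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$mark"
}

main() {
    # Constructed stand-ins for `ip addr show dev ppp1` and `... dev eth2`.
    ppp1_out='5: ppp1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 state UNKNOWN
    link/ppp
    inet 203.0.113.10 peer 203.0.113.1/32 scope global ppp1'
    eth2_out='3: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 198.51.100.7/24 brd 198.51.100.255 scope global eth2'
    wan1_gw=""

    set -- $(wan_addrs "$ppp1_out")
    [ $# -eq 2 ] && wan_setup ppp1 PPP1 1 "$1" "$2" && wan1_gw="$2"
    set -- $(wan_addrs "$eth2_out" 198.51.100.1)   # Ethernet: gateway given explicitly
    [ $# -eq 2 ] && wan_setup eth2 WAN2 2 "$1" "$2"

    # Copy the connection mark onto packets before the routing decision.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    # Main table: the uplink used by traffic that matches no rule.
    [ -n "$wan1_gw" ] && run ip route replace default via "$wan1_gw" dev ppp1
    run ip route flush cache
}

main
```

Two design points: the fwmark is applied with CONNMARK in PREROUTING and OUTPUT rather than with MARK in POSTROUTING, because `ip rule ... fwmark` is consulted at the routing decision, which happens after PREROUTING/OUTPUT and before POSTROUTING; and the `from LOCAL table` rule alone already explains the symptom in John's question, since without it a reply sourced from eth0's address is sent out the new default interface and never reaches the client.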

On 2010-07-05 11:03, John Meissen wrote:
> I'm not sure if this is the right place to ask, or if it's even the right
> question. Hopefully someone can point me in the right direction.
>
> I had a traditional setup with two ethernet interfaces on my Linux box
> (WAN=eth0/LAN=eth1), and NATing the traffic that was forwarded between them.
>
> I added another interface (eth2), and simply want to change the default
> routing to go through it. I'm leaving various services listening on all
> interfaces.
>
> If I change the default route to use eth2, I can route from the internal
> network to the outside just fine, and I can connect from the internal net
> to services on the system fine. But incoming connections on the original
> WAN (eth0) don't complete. They hang at SYN_RECV, as if I had a DROP rule.
>
> I.e., what used to be
>
>    internal<->  (eth1) gateway forward (eth0)<->  WAN
>    internal<->  (eth1) gateway local service
>                  gateway local service (eth0)<->  WAN
> is now
>
>    internal<->  (eth1) gateway forward (eth2)<->  WAN
>    internal<->  (eth1) gateway local service
>
> but
>                  gateway local service (eth0)<->  WAN
>
> now drops connection attempts.
>
> I don't see what difference there should be between eth0 and eth1, except
> that eth0 isn't forwarded. That shouldn't affect connections to processes
> listening on that interface.
>
> I've tried to keep the iptables config simple for this. The only change I'm
> making is changing the default route with the 'route' command.
>
> # iptables -L -v -n
> Chain INPUT (policy ACCEPT 63555 packets, 73M bytes)
>   pkts bytes target     prot opt in     out     source               destination
>     11  3626 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            udp spt:68 dpt:67
>      0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp spt:68 dpt:67
>      0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
>      0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp spt:67 dpt:68
>   1937  127K ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
>      0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
>
> Chain FORWARD (policy ACCEPT 39362 packets, 42M bytes)
>   pkts bytes target     prot opt in     out     source               destination
> 31533 2844K ACCEPT     all  --  *      *       192.168.10.0/24      0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 42150 packets, 5745K bytes)
>   pkts bytes target     prot opt in     out     source               destination
>
> and
>
> # iptables -t nat -L -v -n
> Chain PREROUTING (policy ACCEPT 859K packets, 57M bytes)
>   pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 584K packets, 46M bytes)
>   pkts bytes target     prot opt in     out     source               destination
>   755K   72M MASQUERADE  all  --  *      *       192.168.10.0/24      0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT 1015K packets, 100M bytes)
>   pkts bytes target     prot opt in     out     source               destination
>


Thread overview: 4+ messages
2010-07-05  9:03 Changing default route causes packet drop John Meissen
2010-07-05 10:06 ` Gáspár Lajos [this message]
2010-07-07 14:23 ` Pascal Hambourg
2010-07-07 16:35   ` John Meissen
