* Routing the DNS Traffic via specific interface.
From: Netravali Ganesh @ 2012-01-25 7:41 UTC (permalink / raw)
To: netfilter@vger.kernel.org
Hi ..
I have 2 interfaces, eth0 and eth1, on the system, connected to different subnets. I need to route all the outgoing DNS traffic of the system via the eth1 interface. Please let me know if the IPTABLES rules below are the proper way?
Block the output DNS traffic on eth0 interface.
iptables -A FORWARD -p udp -o eth0 --dport 53 -j DROP
Forward output DNS traffic from eth1 interface
iptables -A FORWARD -p udp -o eth1 --dport 53 -j ACCEPT
Thanks
Ganesh
* Re: Routing the DNS Traffic via specific interface.
From: Yann Lejeune @ 2012-01-25 8:41 UTC (permalink / raw)
To: Netravali Ganesh; +Cc: netfilter@vger.kernel.org
On 25 January 2012 08:41, Netravali Ganesh <gnetravali@sonusnet.com> wrote:
> I have 2 interfaces eth0 and eth1 on the system connected to different subnets. I need to route all the outgoing DNS traffic of the system via eth1 interface. Pls let me know if below IPTABLES rules is proper way ?
>
Hi,
An "iptables -A FORWARD" rule only authorizes or denies traffic. It has
no impact on the routing of your traffic.
You want to perform "policy based routing". Your policy is "All
UDP/53 traffic must use eth1 as outgoing interface". To achieve this,
have a look at iproute and the LARTC guide
http://lartc.org/howto/
http://lartc.linuxsystems.it/index.php/Main_Page
Regards,
Yann.
* Re: Routing the DNS Traffic via specific interface.
From: gapsf @ 2012-01-25 9:33 UTC (permalink / raw)
To: netfilter, gnetravali
No. You should use "policy routing" with the MARK target in iptables.
Mark outgoing DNS packets with iptables in mangle PREROUTING, for example.
# iptables -t mangle -A PREROUTING -p udp --dport 53 -j MARK --set-mark 0x4
Create additional routing table with different routing rules.
Add new entry in /etc/iproute2/rt_tables
=========================================
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
1 isp2 # <- new entry
=========================================
Then execute
# ip route flush table isp2
and add a default route to the newly created table
# ip route add default via <ip_of_your_eth2_gateway> dev eth2 table isp2
Add new policy in RPDB.
# ip rule add from all fwmark 0x4 table isp2
Check RPDB
# ip rule show
You should see something like this:
0: from all lookup local
32763: from all fwmark 0x4 lookup isp2
32766: from all lookup main
32767: from all lookup default
As a result, all traffic is routed with the main routing table, except marked DNS traffic,
which is routed via the "isp2" routing table, i.e. via its default route and interface.
View picture http://postimage.org/image/nn9owf5x7/ for example.
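The recipe above, gathered into one script as an added example (this is not code from the thread or from any of its posters). Its placeholders are assumptions, not values from the original posts: interface eth1 with gateway 192.0.2.1, numeric table 100 (a numeric table id needs no /etc/iproute2/rt_tables entry), mark 0x4 and rule priority 1000. It marks in mangle OUTPUT as well as PREROUTING, because packets generated on the host itself never pass PREROUTING, and it masquerades on the DNS interface because a locally generated packet keeps the source address chosen by its first routing pass before the mark was set. By default it only prints the commands; run it with DRY_RUN=0 as root to apply them.

```sh
#!/bin/sh
# Added example, not from the thread: policy-route DNS through one interface.
# Placeholders (assumptions, not from the original posts): DNS_IF, DNS_GW,
# TABLE_ID, FWMARK, RULE_PRIO. A numeric table id needs no rt_tables entry.
DNS_IF="${DNS_IF:-eth1}"
DNS_GW="${DNS_GW:-192.0.2.1}"     # assumed gateway on DNS_IF (TEST-NET-1 address)
TABLE_ID="${TABLE_ID:-100}"
FWMARK="${FWMARK:-0x4}"
RULE_PRIO="${RULE_PRIO:-1000}"    # explicit priority, so later rules sort predictably
DRY_RUN="${DRY_RUN:-1}"           # default: only print the commands; DRY_RUN=0 applies them (root)

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_dns_pbr() {
    # 1. Mark DNS packets. mangle OUTPUT catches packets this host generates
    #    (the OP's case); mangle PREROUTING catches packets a gateway forwards.
    for chain in OUTPUT PREROUTING; do
        for proto in udp tcp; do
            run iptables -t mangle -A "$chain" -p "$proto" --dport 53 -j MARK --set-mark "$FWMARK"
        done
    done
    # 2. Locally generated packets were already routed (and given a source
    #    address) before OUTPUT re-marks them, so rewrite the source on the way
    #    out; a gateway needs this for forwarded LAN traffic anyway.
    run iptables -t nat -A POSTROUTING -o "$DNS_IF" -m mark --mark "$FWMARK" -j MASQUERADE
    # 3. A table holding only the route marked packets should take.
    run ip route flush table "$TABLE_ID"
    run ip route add default via "$DNS_GW" dev "$DNS_IF" table "$TABLE_ID"
    # 4. RPDB entry with a fixed priority below local (0) and above main (32766).
    run ip rule add priority "$RULE_PRIO" fwmark "$FWMARK" table "$TABLE_ID"
    # 5. Replies arrive on DNS_IF although the main table would reach the
    #    server via the other interface; strict rp_filter would drop them.
    run sysctl -q -w "net.ipv4.conf.$DNS_IF.rp_filter=2"
}

# Verify from `ip rule show` output (stdin) that the fwmark rule exists and
# sits above the main-table lookup. Exit status 0 = ok.
rule_ok() {
    awk -v mark="$FWMARK" -v tbl="$TABLE_ID" '
        $0 ~ ("fwmark " mark " lookup " tbl "$") { sub(":", "", $1); found = $1 }
        / lookup main$/                           { sub(":", "", $1); main  = $1 }
        END { exit (found != "" && main != "" && found + 0 < main + 0) ? 0 : 1 }'
}

setup_dns_pbr
if [ "$DRY_RUN" != "1" ]; then
    ip rule show | rule_ok || echo "fwmark rule not installed above main" >&2
fi
```

rule_ok reads `ip rule show` output and checks that the fwmark rule has a smaller (better) priority number than the main-table lookup; with DRY_RUN=0 the script runs that check right after installing the rules.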
* Re: Routing the DNS Traffic via specific interface.
From: Rick Jones @ 2012-01-25 18:00 UTC (permalink / raw)
To: Netravali Ganesh; +Cc: netfilter@vger.kernel.org
On 01/24/2012 11:41 PM, Netravali Ganesh wrote:
> Hi ..
>
> I have 2 interfaces eth0 and eth1 on the system connected to
> different subnets. I need to route all the outgoing DNS traffic of
> the system via eth1 interface. Pls let me know if below IPTABLES
> rules is proper way ?
Are the IPs of the DNS servers known and reasonably static? And is
there any concern if other traffic to those IPs goes out the one
interface? If the DNS server IPs are static, and it wouldn't hurt to
have other traffic go out the same interface, why not just create some
static host routes?
rick jones
* Re: Routing the DNS Traffic via specific interface.
From: SamLT @ 2012-01-27 15:51 UTC (permalink / raw)
To: gapsf; +Cc: netfilter, gnetravali
On Wed, Jan 25, 2012 at 04:33:50PM +0700, gapsf@yandex.ru wrote:
> Add new policy in RPDB.
> # ip rule add from all fwmark 0x4 table isp2
Consider adding a preference/priority to your rule(s) to avoid potential
future headaches
* RE: Routing the DNS Traffic via specific interface.
From: Netravali Ganesh @ 2012-02-02 4:52 UTC (permalink / raw)
To: gapsf@yandex.ru, netfilter@vger.kernel.org
Hi..
Thanks for the help. This worked excellently for me. I have another question on this.
Suppose I have 2 interfaces, say eth2 and eth3. If I want to implement conditional routing, e.g. eth2 goes down and all DNS traffic needs to be redirected via eth3 upon detecting the link failure, how do I do that?
Thanks
Ganesh Netravali
* Re: Routing the DNS Traffic via specific interface.
From: gapsf @ 2012-02-03 7:30 UTC (permalink / raw)
To: Netravali Ganesh; +Cc: netfilter
Well, I know two ways,
but I don't know which is right from the standpoint of a more experienced sysadmin.
Solution #1
A script that periodically does a "health check" of a link (i.e. a route) by pinging
some reliable host (router) reachable via eth2.
See the example below. Run it in the background from another bash script like `chkroutes &`.
Or even try to connect to the DNS server with `nc` instead of pings:
`nc -c exit -w1 <ip_of_DNS_server> 53`
Because the ISP's equipment is being used in this scenario,
I do not know whether it is acceptable according to netiquette.
If you want to react only to the interface going down on the gateway, you should
use something like "post-up" and "post-down" in /etc/network/interfaces on Debian.
On post-up, add the rule to the RPDB; on post-down, delete this entry.
For traffic switching you have three options:
- modify the additional routing table isp2: add/delete the default route, or
- modify the RPDB rules: add/delete the 'from all fwmark 0x4 lookup isp2' entry, or even
- modify the iptables rules: add/delete the MARK rule.
Solution #2
Use dynamic routing protocols and daemons like zebra or quagga.
To me it looks like overkill in this simple situation.
And I still can't understand how exactly a routing daemon on the gateway finds out that a route is dead.
So the applicability of dynamic routing for this purpose is still unclear to me.
=== chkroutes =======================================================================================
#!/bin/sh
# chkroutes: poll a reliable host through eth2; while it is unreachable,
# remove the fwmark rule so marked DNS traffic falls back to the main table.
SWITCHED=0
TARGET=<some_reliable_host>
IFACE=eth2
TABLE=isp2          # must match the table name used in the ip rule / rt_tables

test_route2_cycle()
{
    while true; do
        if ping -I "$IFACE" -c 3 -W 2 "$TARGET" >/dev/null 2>&1; then
            # TARGET reachable: restore the rule if it was removed earlier
            if [ "$SWITCHED" = "1" ]; then
                ip rule add from all fwmark 0x4 table "$TABLE"
                ip route flush cache
                SWITCHED=0
            fi
        else
            # TARGET unreachable: drop the rule so DNS uses the main table
            if [ "$SWITCHED" = "0" ]; then
                ip rule del from all fwmark 0x4 table "$TABLE"
                ip route flush cache
                SWITCHED=1
            fi
        fi
        sleep 10
    done
}

echo $$ > /var/run/chkroutes.pid
test_route2_cycle
==============================================================================================
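Solution #1 above, extended to the two-interface failover Ganesh asked about, as an added example (not code from the thread or any of its posters): a single DNS rule at a fixed priority is moved between a primary table and a secondary table according to a probe, so marked DNS traffic moves from eth2 to eth3 instead of falling back to the main table. The table numbers 101 and 102, the interface names, the probe address 192.0.2.53 and the priority 1000 are assumptions, and both tables are assumed to already hold their default route. `link_up` is the only function that touches the network, which is what makes the decision logic testable by overriding it.

```sh
#!/bin/sh
# Added example, not from the thread: health-checked failover of the DNS
# policy rule between two tables. Assumptions (placeholders, not in the
# original posts): table 101 already holds "default via ... dev eth2", table
# 102 "default via ... dev eth3", DNS packets carry fwmark 0x4, and PROBE is a
# reliable host answering ICMP through either link.
FWMARK="${FWMARK:-0x4}"
PRIMARY_IF="${PRIMARY_IF:-eth2}";     PRIMARY_TABLE="${PRIMARY_TABLE:-101}"
SECONDARY_IF="${SECONDARY_IF:-eth3}"; SECONDARY_TABLE="${SECONDARY_TABLE:-102}"
PROBE="${PROBE:-192.0.2.53}"          # assumed reliable host (TEST-NET-1 address)
PRIO="${PRIO:-1000}"                  # one fixed priority: exactly one DNS rule at a time
INTERVAL="${INTERVAL:-10}"
DRY_RUN="${DRY_RUN:-1}"               # default: print commands; DRY_RUN=0 applies them (root)
CURRENT=""                            # table the installed DNS rule points at ("" = none)

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Probe one link: three ICMP echoes sourced from that interface. Override
# this function to exercise the decision logic without a network.
link_up() {
    ping -I "$1" -c 3 -W 2 "$PROBE" >/dev/null 2>&1
}

# Decide which table the DNS rule should use: prefer the primary link, fall
# back to the secondary, and keep the current choice if both probes fail.
choose_table() {
    if link_up "$PRIMARY_IF"; then
        echo "$PRIMARY_TABLE"
    elif link_up "$SECONDARY_IF"; then
        echo "$SECONDARY_TABLE"
    else
        echo "$CURRENT"
    fi
}

# Re-point the single DNS rule. Deleting by full selector (priority, mark,
# table) never touches any other rule; a no-op when already pointing there.
point_dns_at() {
    if [ "$CURRENT" = "$1" ]; then
        return 0
    fi
    if [ -n "$CURRENT" ]; then
        run ip rule del priority "$PRIO" fwmark "$FWMARK" table "$CURRENT"
    fi
    run ip rule add priority "$PRIO" fwmark "$FWMARK" table "$1"
    run ip route flush cache
    CURRENT="$1"
}

failover_loop() {
    while :; do
        t=$(choose_table)
        if [ -n "$t" ]; then
            point_dns_at "$t"
        fi
        sleep "$INTERVAL"
    done
}

# Start the loop only when invoked as `chkroutes run`, so the functions can
# be sourced or tested on their own.
if [ "${1:-}" = "run" ]; then
    echo $$ > /var/run/chkroutes.pid
    failover_loop
fi
```

Because the rule is always deleted and re-added under the same priority, `ip rule show` never ends up with two fwmark entries at different priorities, which is the "future headache" an unspecified priority invites.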
* RE: Routing the DNS Traffic via specific interface.
From: Olshvang, LevX @ 2012-02-05 9:46 UTC (permalink / raw)
To: gapsf@yandex.ru, Netravali Ganesh; +Cc: netfilter@vger.kernel.org
Hi Ganesh, listers
I made a small modification of the dnsmasq daemon to make it route queries via a specific interface.
The solution leverages the SO_BINDTODEVICE socket option, and it works perfectly.
Hope it helps,
I can provide sources if you are interested.